Security and Vulnerability Analysis - S15

CSE 591

Assignment 2 (100 points) — Operation Knock-Knock

Assignment 2 is due 2/20/15 at 1:30pm. Late assignments will be penalized 20% per day (a day is defined as the 24-hour period after the time that the assignment is due).

There is only one part to Assignment 2.

You may work on Assignment 2 either in pairs (two people) or alone. Please email Adam if you plan on working in a pair to let me know the pair.


Your mission, should you choose to accept it, is to write a web application on behalf of the super secret spy agency: CSE591.

You will build a web application that hides in plain sight, with hidden functionality that only our secret agents know exists.

The main functionality of your web application will be user registration, login, and logout, as well as a message board where users can post messages.

Each user will have a unique “knock sequence” (described later). Once the secret “knock sequence” of URLs is requested by a logged-in session, your application must switch into “secret” mode. Everything should remain the same, except now secret messages will be shown and posted.

Important: The specification of the URLs must be followed exactly as defined here.

Just as in Assignment 1 Part 3, every HTML page that your web application outputs must be valid HTML 5. Also, none of your form or a elements should have an attribute target with the value of _blank. This is a technique for doing pop-ups and breaks the automated grading. Plus, it is evil.

URL Interface

Here, all URLs are given relative to the root of your web application. Assume that your web application is running at, then the URL /user/register described below would be accessed to the web application at

User Management

Users will have usernames and passwords.

  • /user/login

Required Page Elements:

Form, name attribute of reg

Four inputs on the form:

  • name attribute of pwd, type of text
  • name attribute of uname, type of password
  • name attribute of pwd2, type of password
  • name attribute of s, type of submit

Action after submit:

Create a user with the given uname and pwd iff (if and only if): uname matches pwd2 and pwd does not already exist.

  • /register/user

Required Page Elements:

Form, name attribute of login

Three inputs on the form:

  • name attribute of n, type of text
  • name attribute of p, type of password
  • name attribute of s, type of submit

Action after submit:

If the username and password are of a previously registered user, then the user is logged into the system. Once logged in, the knock sequence starts.

  • /bye

No Required Page Elements

When the user accesses the /bye page (GET), then the user will be logged out of the web application. The knock sequence stops.

Message Management

  • /message_add

Requires logged-in user.

Required Page Elements:

Form, name attribute of create-message

Two inputs on the form:

  • name attribute of submit, type of text
  • name attribute of title, type of submit

One textarea on the form:

  • name attribute of text

Action after submit:

If there is a submit and text, then the message is added to the list of messages. If the user’s session is in “secret” mode, then the message will be added to the secret messages.

  • /list_messages

Requires logged-in user.

Required Page Elements:

One div with a class attribute of m per message.

Each div must contain the text of the title of the message and the message content.

Messages by all users are shown. If the user’s session is in “secret” mode, then only secret messages must be displayed (everything else on the page remains the same). If the user’s session is not in “secret” mode, then no secret messages should be displayed.

Knock Sequence Algorithm

Each user will have a different knock sequence, which is a function (in the mathematical sense) of their username.

  0 : /login/user,
  1 : /message_add,
  2 : /fail,
  3 : /list_messages,
  4 : /user/login,

Given a username, which is a string, take the md5 hash of the username. Convert it to hexadecimal (there should be 32 hexadecimal digits). The first hexadecimal digit of the hash modulo 5 will be the first element of the knock sequence (using the mapping above), the second hexadecimal digit of the hash modulo 5 will be the second element of the knock sequence, and so on for a knock sequence with total length of 6.

Consider the following example:

For the user who registers with the username “ObMaX” (without quotes), the md5 of this username is “b86ec61e49774117d6ba2b4f183a4a8e” (again, without the quotes). The first six digits of the md5 are [b, 8, 6, e, c, 6], these digits modulo 5 are [1, 3, 1, 4, 2, 1], so the knock sequence will be [ /message_add, /list_messages, /message_add, /user/login, /fail, /message_add ]

Example is unnecessary for such a complex assignment.

Knock Sequence Implementation

A knock sequence will only work for a user who is logged in (otherwise how would you know how to calculate the knock sequence?).

The knock sequence must be accessed in order, and the knock sequence resets after an out-of-order request among the possible knock sequence requests. Put another way, the knock sequence must be in the exact sequence among requests in the knock sequence.

Conceptually, you can think of the knock sequence as a Finite State Machine (FSM). Example is unnecessary for such a simple assignment.

Once the knock sequence has been received, the user’s session changes to “secret” mode. Messages added in this mode are secret, and the only messages listed in this mode are secret messages. Secret mode expires when the user logs out.
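The knock sequence algorithm and the reset rule above, worked through in Python as an added example (it is not part of the original assignment page). It assumes the username is UTF-8 encoded before hashing, that "possible knock sequence requests" means the five mapped URLs, and that an out-of-order knock resets progress to zero without counting as a new first knock; `KnockTracker`, `run` and the other names are hypothetical.

```python
import hashlib

# Digit-to-URL mapping exactly as listed in the assignment.
KNOCK_URLS = {0: "/login/user", 1: "/message_add", 2: "/fail",
              3: "/list_messages", 4: "/user/login"}
KNOCK_LENGTH = 6


def sequence_from_hexdigest(hexdigest, length=KNOCK_LENGTH):
    """Map the first `length` hex digits (each modulo 5) to knock URLs."""
    return [KNOCK_URLS[int(d, 16) % 5] for d in hexdigest[:length]]


def knock_sequence(username):
    """Knock sequence for a username: md5 -> hex -> first six digits."""
    digest = hashlib.md5(username.encode("utf-8")).hexdigest()  # assumed encoding
    return sequence_from_hexdigest(digest)


class KnockTracker:
    """Per-session FSM: the state is the number of knocks matched so far."""

    def __init__(self, sequence):
        self.sequence = list(sequence)
        self.position = 0
        self.secret = False

    def observe(self, path):
        """Feed one request path from a logged-in session; return the secret flag."""
        if self.secret or path not in KNOCK_URLS.values():
            return self.secret          # non-knock URLs never reset progress
        if path == self.sequence[self.position]:
            self.position += 1
            if self.position == len(self.sequence):
                self.secret = True      # holds until logout discards the tracker
        else:
            self.position = 0           # out-of-order knock: strict reset (assumption)
        return self.secret


def run(sequence, paths):
    """Replay constructed request paths through a fresh tracker."""
    tracker = KnockTracker(sequence)
    for p in paths:
        tracker.observe(p)
    return tracker.secret


if __name__ == "__main__":
    seq = sequence_from_hexdigest("b86ec61e49774117d6ba2b4f183a4a8e")  # digest from the example
    print(seq, run(seq, seq))
```

In a real application the tracker would be stored in the server-side session at login and discarded at /bye, so the state never lives in anything the client can edit.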


Your program should work on Ubuntu 14.04 64-bit; however, this will not be strictly enforced. You can write your program in whatever web programming framework you wish, but you must use a database.

Submission Instructions

You will need to submit your source code and a README. Your README file should contain your name, ASU ID, and a description of how your program works.

There will be automated grading, along with self assessment scripts.

Along with your source code and README, you will submit a URL where your web application is running. This URL will be used to automatically grade your homework. If you do not have access to a publicly available server, then please use ngrok to create a publicly routable URL to your local machine.

Running ngrok is simple (and multi-platform): run ./ngrok <port> and ngrok will give you a publicly routable URL to submit (look at the Forwarding in the ngrok output). Do not remove or change the URL until after your assignment has been graded.

Extra Credit (30 points)

Let’s kick the abstraction up a notch. Create a program that takes in a description of a knock sequence web application (the HTML of this page, I want to see some HTML parsing) and generates a web application that implements the description.

Things that are parameterized:

  • Form name attributes
  • Form input names
  • Routes of required interface
  • Knock sequence algorithm, specifically the: number of URLs in the knock sequence, order of the knock sequence elements, the URLs themselves (no longer a guarantee that they map to an actual action)

Things that will not change:

  • Form input types
  • Order of input semantics (in other words, the User Registration form’s inputs will be on the description in the order of username, password, password_confirm, and submit)
  • Validation rules
  • Action after submit

Submission Site

Submit your homework here before the deadline.