Although the course textbook and other resources discuss several specific network attack vulnerabilities, it is not feasible to cover all of them. New vulnerabilities are being discovered all of the time, and there are hundreds of currently known vulnerabilities. Professional network administrators have to keep themselves current with all possible threat possibilities. One way of doing this is by performing personal research. In this hypothetical case study, you should use the Internet to assist you in developing responses to the three questions. Use of the course textbook and supplied resources only is not sufficient to award full marks. You should use your research skills and go beyond these resources.
James has just completed his first year at university in a Bachelor of Information Technology degree. One of the courses that James studied was Web Programming 101. In that course James learnt the basics of using HTML, CSS and PHP to create dynamic web pages.
As a favour to James’ good friend Kirandeep, he designed and implemented a simple dynamic blog site using the skills he had gained in Web Programming 101. After testing the web site on a local secure network, and fixing a number of scripting errors. James delivered the implementation files to Kirandeep, who uploaded them to an ISP web hosting site. Both James and Kirandeep were ecstatic to see people from across the Globe using the web site to share their personal experiences.
Within a few hours of the blog site going live, Kirandeep received an urgent email from the ISP Manager informing her that the blog site had to be closed down because it had been used by unknown hackers to send spam emails to thousands of addresses around the world. The Manager told Kirandeep that she could only reactivate the blog site when the problem had been fixed and it could be guaranteed that it would not happen again.
Kirandeep quickly phoned James and told him of the dilemma. James spent the rest of the day and most of the next night examining his PHP scripts and doing research on the Internet to find out what might have caused the problem. After many hours James tracked the problem down to the simple web page contact form that he had used so that people could send emails to Kirandeep without letting them know what Kirandeep’s email address was.
Users fill out the form by supplying their email addresses, a brief subject line, followed by the message to be sent to Kirandeep. When the submit button is clicked, the contents of the form fields are sent to the web server, where a PHP script receives the field information and uses it to initiate an email to Kirandeep. Kirandeep’s email address is stored in the PHP script, so the form user never gets to see it. That way Kirandeep’s email address is kept secret. Unknown to James, the use of simple contact forms is a well-known vulnerability that threat agents can exploit. He also discovered that it is not only PHP scripts that are vulnerable to this type of exploitation – all of the several available server-side scripting languages are vulnerable.
You are required to answer the following questions. Please reference all sources – do not copy directly from sources.
a) Based on the information provided, what type of attack has been performed by the hackers using Kirandeep’s blog? You need to fully justify your answer, not just state the type of attack.
b) Describe in detail how the attack may have occurred – you will need to provide sample form field data such as:
You don’t need to provide a detailed explanation of how PHP or other server-side scripting languages work; but you need to provide sufficient information to explain how malicious field data entered by a hacker could trick the web server into generating multiple spam emails.
c) How would James need to change the PHP script to prevent such attacks? You don’t need to provide the actual PHP code – just describe what measures James would have to implement to ensure that malicious field data could not be used to generating multiple spam emails.
d) What limitations does this form of attack have?
Hint: Would this attack only have to be performed once to generate thousands of spam emails?