comeÃo

CLIENT.sh

@@ -0,0 +1,11 @@
+#/bin/bash
+
+source CONFIG.sh
+
+IP="20.60.0.2"
+
+sudo ifconfig enp0s8 $IP netmask 255.255.255.0
+sudo route add default gw 20.60.0.1
+
+# exploits
+

CONFIG.sh

@@ -0,0 +1,7 @@
+# firewall configuration
+sudo yum install -y iptables-services
+sudo systemctl stop firewalld
+sudo systemctl disable firewalld
+sudo systemctl mask firewalld
+sudo systemctl enable iptables
+sudo iptables -F

FIREWALL.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+source CONFIG.sh
+
+IP_EXTERNAL="20.60.0.1"
+IP_INTERNAL="10.60.0.1"
+
+sudo ifconfig enp0s8 $IP_EXTERNAL netmask 255.255.255.0
+sudo ifconfig enp0s9 $IP_INTERNAL netmask 255.255.255.0
+
+# instalar mod security e apache
+function instalar() {
+    yum list installed "$1" &>/dev/null && return || sudo yum install -y "$1"
+}
+
+instalar epel_release
+instalar httpd
+instalar mod_security
+instalar mod_security_crs
+
+# nat
+sudo sysctl -w net.ipv4.ip_forward=1
+
+sudo iptables -t nat -F
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -m state --state ESTABLISHED,RELATED -j ACCEPT
+sudo iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
+sudo iptables-save > /etc/sysconfig/iptables
+
+cp conf/httpd.conf /etc/httpd/httpd.conf 

WEB_SERVER.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+source CONFIG.sh
+
+# interfaces
+IP="10.60.0.2"
+sudo ifconfig enp0s8 $IP netmask 255.255.255.0
+sudo route add default gw 10.60.0.1
+
+# instalar node
+yum list installed nodejs &>/dev/null && echo "Node already installed..." || sudo yum install -y nodejs
+
+# instalar juice-shop se nao existir
+if [[ ! -d $HOME/juice-shop ]]; then
+	curl -o js.tar.gz "https://github.com/juice-shop/juice-shop/releases/download/v20.0.0/juice-shop-20.0.0_node24_linux_x64.tgz"
+	tar -xzvf js.tar.gz $HOME/juice-shop
+fi
+
+# correr juice shop via npm
+cd $HOME/juice-shop
+npm install
+npm start

conf/httpd.conf

@@ -0,0 +1,76 @@
+ServerRoot "/etc/httpd"
+Listen 420
+User apache
+Group apache
+
+Include conf.modules.d/*.conf
+IncludeOptional modsecurit.d/*.conf
+IncludeOptional modsecurit.d/activated_rules/*.conf
+
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+DocumentRoot "/var/www/html"
+
+<Directory "/var/www">
+    AllowOverride None
+    Require all granted # Allow open access:
+</Directory>
+
+# Further relax access to the default document root:
+<Directory "/var/www/html">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
+
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+<IfModule dir_module>
+    DirectoryIndex index.html
+</IfModule>
+
+# The following lines prevent .htaccess and .htpasswd files from being 
+# viewed by Web clients. 
+<Files ".ht*">
+    Require all denied
+</Files>
+
+ErrorLog "logs/error_log"
+LogLevel warn
+
+<IfModule log_config_module>
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    CustomLog "logs/access_log" combined
+</IfModule>
+
+<IfModule mime_module>
+    TypesConfig /etc/mime.types
+
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+
+    AddType text/html .shtml
+    AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+    MIMEMagicFile conf/magic
+</IfModule>
+
+# EnableMMAP off
+# EnableSendfile on
+# IncludeOptional conf.d/*.conf
+ServerAdmin jeevacation@gmail.com
+# ServerName www.coimbravpn.com:420

enunciado.txt

@@ -0,0 +1,153 @@
+FSI 2025/2026
+Practical Assignment #3
+
+1. Goals
+•
+
+Explore the WSTG (Web Security Testing Guide)1 web security testing guidelines.
+
+•
+
+Configure and explore the usage of ModSecurity reverse proxy as a WAF (Web Application Firewall)
+
+2. General description
+The main goals of this assignment are to explore web application security and to implement a web application firewall to
+secure a web application against application-layer attacks. The web application to be used in this assignment is the OWASP
+JuiceShop2 3. This assignment is split in two phases: the first phase is dedicated to exploring the security of the JuiceShop
+web application, and the second phase aims at monitor, filter, and block HTTP traffic to the JuiceShop, through the
+implementation of a WAF using ModSecurity, with the aim to address the security issues identified in the first phase. Figure
+1 illustrates the two phases of the assignment, depicting the JuiceShop web server, the penetration testing client and the
+WAF.
+
+Figure 1 – Security testing and WAF phases of the Assignment
+
+1
+
+WSTG with v42 is available at: https://owasp.org/www-project-web-security-testing-guide/
+
+2
+
+OWASP JuiceShop: https://owasp.org/www-project-juice-shop/
+For this assignment, it is recommended to use the most recent version of the JuiceShop. At the time of writing this document it is v17.2.0
+
+3
+
+3. Phase 1 - Web application security testing
+In this phase the goal is to explore web application security using the JuiceShop website following the relevant and applicable
+WSTG web security testing guidelines, and for this purpose any security tools can be used. In this context, OWASP ZAP
+and security tools already available in Kali Linux are particularly relevant. This web security testing phase is described in
+Figure 1, where the client has direct communications to the web server. As part of your tests, the OWASP ZAP penetration
+tests must, at least:
+a. Perform an automated scan to the website.
+b. Perform an active scan to the website (explore the most effective policies).
+c. Manage add-on required to improve the test and maximize threats identification.
+d. Perform a Fuzz attack to the login form.
+e. Perform a manual penetration test to explore logged in threats.
+f.
+
+Configure OWASP ZAP active scan to explore authenticated area.
+
+The JuiceShop application can be installed via source code or using docker, as follows:
+•
+
+Installation through source code in one of the virtual machines
+
+•
+
+Using a docker approach (requires Docker Desktop)
+
+As a result of your tests, you should prepare a web application security report, structured along the WSTG guidelines. The
+report must document the identified vulnerabilities and on how these can be exploited (e.g., weak passwords, insecure
+configurations).
+
+4. Phase 2 – Setup and testing of a WAF (web application firewall)
+Based on the web application security report produced in the first phase of the assignment, deploy an WAF between the
+client and the web server, as depicted in Figure 1. The goals of this WAF are to monitor, filter, and block HTTP traffic to
+the Juice Shop. This WAF server should be composed of an Apache 2 service with ModSecurity, and the WAF
+configuration should be optimized to prevent all possible attacks.
+As a result of this phase of the Assignment, you should repeat all penetration tests performed in the previous task and assess
+the performance of the WAF in detecting and blocking the attacks. You should update the web application security report
+accordingly, by including the configurations, description of the tests and performance results in a separate section.
+5. Delivery of the Practical Assignment
+2
+
+•
+
+The deadline for the delivery of the assignment (configuration files and report, via Inforestudante) is 31/5/2026.
+
+•
+
+Notes:
+o
+
+Assignments without PGP will be accepted, although with a discount of 5% in the final grade.
+
+o
+
+Submissions via Inforestudante.
+
+The delivery of the practical assignment can document aspects regarding the methodology of testing, the analysis of results
+and can be structured as follows:
+
+1) Introduction
+2) Arquitecture considered for the PA#3 (for both scenarios 1 and 2)
+- Network structure
+- Servers
+- Services
+3) Web application security testing
+1 Information Gathering
+2 Configuration and Deployment Management Testing
+3 Identity Management Testing
+4 Authentication Testing
+5 Authorization Testing
+6 Session Management Testing
+7 Input Validation Testing
+8 Testing for Error Handling
+9 Testing for Weak Cryptography
+10 Business Logic Testing
+11 Client Side Testing
+4) Web application security firewall
+1 Information Gathering
+2 Configuration and Deployment Management Testing
+3 Identity Management Testing
+4 Authentication Testing
+5 Authorization Testing
+6 Session Management Testing
+7 Input Validation Testing
+8 Testing for Error Handling
+9 Testing for Weak Cryptography
+10 Business Logic Testing
+11 Client Side Testing
+5) Conclusions
+
+3
+
+6. Important/relevant aspects
+The Web Application Security Testing document includes several sections, providing guidelines for testing. The guideline
+applicable to this assignment is mainly in Section 4, which must be analysed carefully, since testing tools may be suggested in
+each section.
+The practical assignment targets black-box testing, which is according to OWASP in WSTG “the art of testing a system or
+application remotely to find security vulnerabilities, without knowing the inner workings of the target itself”. Thus, in this
+type of testing strategy we focus on tools such as web application security scanners, vulnerability scanners and penetration
+testing software.
+The following aspects are relevant in what respects the WSTG guidelines and structure:
+1. Section 4.7 should be considered as a whole, which can be tested with OWASP ZAP or a similar tool. There are
+some subsections, that do not apply in this assignment. For instance, the Juice Shop does not include any support
+for LDAP, so subsection 4.7.6 – “Testing for LDAP injection” does not require any action/testing.
+2. Section 4.11 should be considered as a whole, which can be tested with OWASP ZAP or a similar tool.
+3. Section 4.9 should not be considered since communications with Juice Shop are not over HTTPS.
+4. Section 4.10 should not be considered as well, as it is out of scope of this assignment.
+5. Other subsections are out of scope of this assignment, and students should identify these in the report (and explain
+why). For instance. subsection 4.2.9, 4.2.10 and 4.2.11 are not applicable in this assignment.
+Regarding the second phase of the work, with the Web Application Firewall, the following aspects should be considered:
+1. The main goal of the project in the second phase is to enable detection and prevention of the issues identified in the
+first phase. Nonetheless, all the detection and prevention actions must be possible using Apache and ModSecurity
+(with OWASP CRS), no other tools should be considered for this purpose.
+2. The issues identified Section 4.3 of WSTG cannot be detected and solved with ModSecurity (with OWASP CRS),
+so no action is required. ModSecurity is a WAF that operates at the HTTP level — it analyzes HTTP requests and
+responses and blocks traffic based on patterns (malicious payloads, suspicious headers, etc.). Identity Management
+issues are application logic flaws, not attacks with detectable patterns in HTTP traffic.
+
+4
+
+

relatorio/relatorio.aux

@@ -0,0 +1,8 @@
+\relax 
+\providecommand \babel@aux [2]{\global \let \babel@toc \@gobbletwo }
+\@nameuse{bbl@beforestart}
+\catcode `"\active 
+\providecommand\hyper@newdestlabel[2]{}
+\providecommand\HyField@AuxAddToFields[1]{}
+\providecommand\HyField@AuxAddToCoFields[2]{}
+\babel@aux{portuguese}{}

relatorio/relatorio.listing

@@ -0,0 +1 @@
+openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt

relatorio/relatorio.tex

@@ -0,0 +1,56 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage[portuguese]{babel}
+\usepackage[lining]{ebgaramond}
+\usepackage{style}
+
+\setlength{\parindent}{0em}
+\setlength{\parskip}{2ex}
+
+\title{Practical Assignment \#2}
+\author{
+    João Neto -- 2023234004\\[1em]
+    Vasco Alves -- 2022228207
+}
+
+\begin{document}
+\maketitle
+
+\newpage
+\tableofcontents
+
+\newpage
+
+\section{Introduction}
+\section{Arquitecture considered for the PA#3 (for both scenarios 1 and 2)}
+\subsection{Network structure}
+\subsection{Servers}
+\subsection{Services}
+
+\section{Web application security testing}
+\subsection{Information Gathering}
+\subsection{Configuration and Deployment Management Testing}
+\subsection{Identity Management Testing}
+\subsection{Authentication Testing}
+\subsection{Authorization Testing}
+\subsection{Session Management Testing}
+\subsection{Input Validation Testing}
+\subsection{Testing for Error Handling}
+\subsection{Testing for Weak Cryptography}
+\subsection{Business Logic Testing}
+\subsection{Client Side Testing}
+\section{Web application security firewall}
+\subsection{Information Gathering}
+\subsection{Configuration and Deployment Management Testing}
+\subsection{Identity Management Testing}
+\subsection{Authentication Testing}
+\subsection{Authorization Testing}
+\subsection{Session Management Testing}
+\subsection{Input Validation Testing}
+\subsection{Testing for Error Handling}
+\subsection{Testing for Weak Cryptography}
+\subsection{Business Logic Testing}
+\subsection{Client Side Testing}
+\section{Conclusions}
+
+
+\end{document}

relatorio/style.sty

@@ -0,0 +1,64 @@
+\usepackage[margin=1in]{geometry}
+\usepackage{raleway}
+\renewcommand{\familydefault}{\sfdefault}
+\usepackage{ulem}
+\usepackage{wrapfig}
+\usepackage{graphicx,tabularx,booktabs}
+\usepackage{paracol}
+\usepackage[dvipsnames]{xcolor}
+\usepackage{enumitem,amssymb}
+\usepackage[colorlinks=true,urlcolor=blue,linkcolor=MidnightBlue]{hyperref}
+\graphicspath{{./img/}}
+
+\usepackage{enumitem,amssymb}
+\newlist{todolist}{itemize}{2}
+\setlist[todolist]{noitemsep, topsep=0pt,label=$\square$}
+
+\usepackage{pifont}
+\usepackage{amssymb}
+
+\usepackage[most]{tcolorbox}
+\tcbuselibrary{listings, skins, breakable}
+
+\lstdefinestyle{mystyle}{
+    basicstyle=\ttfamily\footnotesize,
+    breakatwhitespace=false,         
+    breaklines=true,                 
+    captionpos=b,                    
+    keepspaces=true,                 
+    numbers=left,                    
+    numbersep=5pt,                  
+    showspaces=false,                
+    showstringspaces=false,
+    showtabs=false,                  
+    tabsize=2,
+    commentstyle=\color{gray},
+    keywordstyle=\color{MidnightBlue}\bfseries,
+    stringstyle=\color{ForestGreen}
+}
+
+\newtcblisting{codeblock}[2][]{
+    enhanced,
+    breakable,
+    colback=gray!2!white,
+    colframe=gray!20!black,
+    attach boxed title to top left={yshift*=-\tcboxedtitleheight/2, xshift=4mm},
+    boxed title style={
+        colback=gray!20!black,
+        outer arc=0pt,
+        arc=0pt,
+        top=1pt,
+        bottom=1pt,
+    },
+    fonttitle=\bfseries\ttfamily\footnotesize,
+    title={#2},
+    listing only,
+    listing options={
+        style=mystyle,
+        language=#1,
+    }
+}
+
+\setlength{\parskip}{1em}%
+\setlength{\parindent}{0em}%
+