rip

.gitignore

@@ -0,0 +1,3 @@
+*.log
+*.aux
+*.synctex.gz

CLIENT.sh

@@ -0,0 +1,18 @@
+#/bin/bash
+# CONFIGURACAO DO CLIENTE
+# (KALI LINUX)
+
+function instalar() {
+    apt list installed "$1" &>/dev/null && echo "$1 já instalado" || sudo apt install -y "$1"
+}
+
+IP="20.60.0.2"
+
+sudo ifconfig eth1 $IP netmask 255.255.255.0
+sudo route add default gw 20.60.0.1
+
+sudo apt update
+instalar zaproxy
+
+
+# exploits

README.md

@@ -1,6 +1 @@
-# Coisas para leres que sao fixes wowowowowowow !!!!! (Assignment 2)
-- Os slides (duh)
-- Okay  o mais importante é os slides.
-
-- [X.509 (ssl.com)](https://www.ssl.com/faqs/what-is-an-x-509-certificate/)
-- [X.509 (youtube)](https://www.youtube.com/watch?v=kAaIYRJoJkc)
+kys 

SERVER.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+# SERVIDOR INTERNO
+# (CentOS 9)
+alias "s"="sudo systemctl"
+
+function instalar() {
+    yum list installed "$1" &>/dev/null && echo "$1 já instalado" || sudo yum install -y "$1"
+}
+
+IP_EXTERNAL="20.60.0.1"
+IP_INTERNAL="10.60.0.1"
+
+sudo ifconfig enp0s8 $IP_EXTERNAL netmask 255.255.255.0
+sudo ifconfig enp0s9 $IP_INTERNAL netmask 255.255.255.0
+
+# instalar packages
+if ! command -v node &> /dev/null || [[ "$(node -v)" != v24.* ]]; then
+    echo "Configurando repositório do Node.js 24..."
+    curl -fsSL https://rpm.nodesource.com/setup_24.x | sudo bash -
+    sudo yum remove -y nodejs
+fi
+instalar nodejs
+
+# instalar mod security e apache
+instalar epel-release
+instalar httpd
+instalar mod_security
+
+instalar iptables-services
+s stop firewalld
+s disable firewalld
+s mask firewalld
+s enable iptables
+sudo iptables -F
+
+# nat
+sudo sysctl -w net.ipv4.ip_forward=1
+sudo iptables -t nat -F
+sudo iptables -A FORWARD -i enp0s9 -o enp0s8 -j ACCEPT
+sudo iptables -A FORWARD -i enp0s8 -o enp0s9 -m state --state ESTABLISHED,RELATED -j ACCEPT
+sudo iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
+sudo iptables-save > /etc/sysconfig/iptables
+
+sudo cp conf/httpd.conf /etc/httpd/conf/httpd.conf
+sudo cp conf/modsecurity.conf /etc/httpd/conf/modsecurity.conf
+sudo mkdir -p /var/log/modsecurity/
+sudo rm -f /etc/httpd/conf.d/mod_security.conf
+sudo rm -f /etc/httpd/modsecurity.d/*.conf
+
+# instalar juice-shop se nao existir
+jspath="/var/juice-shop"
+if [[ ! -f "$jspath/package.json" ]]; then
+    sudo mkdir -p "$jspath"
+    curl -L -o js.tar.gz "https://github.com/juice-shop/juice-shop/releases/download/v20.0.0/juice-shop-20.0.0_node24_linux_x64.tgz"
+    sudo tar -xzvf js.tar.gz -C "$jspath" --strip-components=1
+    rm js.tar.gz
+    sudo chown -R $USER:$USER "$jspath"
+fi
+
+sudo systemctl stop httpd
+
+# correr juice shop via npm
+cd "$jspath"
+npm start &
+
+httpd -X

TODO.md

@@ -1,8 +0,0 @@
-# Objectivos de acordo com o enunciado 
-
-## Goals
-- [X] Configure a tunnel in the "road warrior"
-- [X] Enable two factor authentication with OpenSSL and Apache services
-- [X] Manage PKI: certification authorities, X.509 certificates, revocation and OCSP.
-
-

assignment2/conf/httpd.conf

@@ -0,0 +1,20 @@
+ServerRoot "/etc/httpd"
+
+Include conf.modules.d/*.conf
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+LoadModule mpm_event_module modules/mod_mpm_event.so
+
+User apache
+Group apache
+
+Listen 80
+Listen 443
+
+Include conf.d/*.conf
+
+DocumentRoot "/var/www/html"
+<Directory "/var/www/html">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>

assignment2/enunciado.txt

@@ -0,0 +1,143 @@
+FSI 2025/2026
+Practical Assignment #2
+
+1. Goals
+•
+
+Configure a VPN tunnel in the “road warrior” scenario.
+
+•
+
+Enable two-factor user authentication with OpenVPN and Apache services.
+
+•
+
+Manage PKI: certification authorities, X.509 certificates, revocation and OCSP.
+
+2. General description
+Figure 1 illustrates the scenario considered for our practical assignment. As illustrated, secure communications are
+supported by a VPN tunnel established between a remote client (road warrior) and the VPN gateway, with the purpose of
+enabling accesses to services in the Internal Network, particularly a web server running Apache. To enable the VPN tunnel,
+we will use OpenVPN (https://openvpn.net).
+
+Figure 1 – Scenario for the Practical Assignment #1
+
+Regarding authentication, the two communication entities participating in the VPN tunnel (road warrior and the VPN
+gateway) should possess valid X.509 certificates, which are created with a private Certification Authority (CA). Users
+establishing remote connections to the VPN gateway (road warriors), as well as users connecting to the Apache server, will
+also use two-factor authentication, as described below. Apache must also implement client authentication via X.509
+certificates. Figure 2 provides an illustration of the interactions between all the entities involved in this setup.
+
+Figure 2 – X.509 mutual authentication and OCSP
+
+As we can observe in Figure 2, the VPN gateway and the Apache web server must verify the status of validity of certificates
+using OCSP (Online Certificate Status Protocol) and revocation information from the CA. OCSP verification in not
+required for the road warrior. Next, we describe the configuration requirements for the various components of the
+assignment.
+
+3. Configuration requirements
+VPN tunnel for remote access (road warriors)
+As illustrated in Figure 1, remote clients (road warriors) are able to connect to the Coimbra VPN gateway, and using the
+tunnel remotely access hosts in the Internal network. The following configuration requirements should be considered:
+•
+
+In order to establish a VPN tunnel with the Coimbra gateway, the road warrior must be in the possession of a valid
+X.509 certificate, issued by the private CA of the scenario.
+
+•
+
+The road warrior and the Coimbra VPN gateway must perform mutual authentication using X.509 digital certificates.
+
+•
+
+The Coimbra VPN gateway should verify the validity of the X.509 certificate presented by the road warrior using OCSP
+and, in case the certificate is revoked, the gateway should refuse the connection.
+
+•
+
+In order to authorize the remote user, the Coimbra gateway should also enforce two other authentication steps: the user
+must present a valid username and password, plus a one-time password (OTP, or an authentication token).
+
+Web server
+2
+
+The road warrior user should be able to contact the Apache web server with HTTPS through the VPN tunnel. The
+following configuration requirements should be considered:
+•
+
+Apache should enforce two-factor authentication in order to authorize accesses from clients: the client (browser) should
+present a valid X.509 certificate (issued with the private CA of the scenario) and the user should also present a valid onetime password (or authentication token).
+
+•
+
+As in the VPN, the validity of the X.509 certificate presented by the client should be checked in the CA using OCSP.
+
+Two-factor user authentication
+As previously discussed, VPN establishment and HTTPS accesses to Apache make use of one-time passwords
+(authentication tokens), which may be generated by an appropriate application. One-time passwords may be generated using
+the TOTP (Time-based One-time Password Algorithm). This algorithm employs a secret key shared between the user
+(client) and the remote service, plus a timestamp (obtained from the current system time), to obtain a one-time password.
+In order to generate a one-time password, the user may use an application such as Google Authenticator, illustrated in
+Figure 3. This application periodically generates a new one-time password that can be used to authenticate the user with the
+remote service. This application is available for iOS and Android 1.
+Certification authority
+As already discussed, the goal is to use OpenSSL to configure a private Certification Authority, as well as to issue and revoke
+X.509 digital certificates for the VPN gateways and remote users. The following configuration requirements should be
+considered:
+•
+
+The Certification Authority is used to issue certificates for the VPN gateway, VPN client and Apache web server.
+
+•
+
+The Certification Authority allows the revocation of certificates previously issued.
+
+•
+
+The Certification Authority also supports a OCSP responder.
+
+For Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en and
+for Apple iOS: https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
+1
+
+3
+
+Figure 3 – Google Authenticator app, to generate a one-time password to access services enabled with two-factor authentication
+
+4. Delivery of the Practical Assignment
+With the assignment, please deliver also a report, containing the following information:
+•
+
+Descriptions of the configurations for the implementation of the previous requirements.
+
+•
+
+A description of how the private Certification Authority was created using OpenSSL.
+
+•
+
+A description of how X.509 certificates were issued and revoked using the private Certification Authority.
+
+•
+
+A description of the tests performed to validate the functionalities implemented.
+
+•
+
+Remaining information considered relevant.
+
+For the delivery of the assignment, put your report, as well as the relevant configuration files, in a single archive. This archive
+should be signed using your PGP key and encrypted using the PGP key of your PL teacher.
+Note: Assignments without PGP will be accepted, although with a discount of 5% in the final grade.
+Delivery deadline:
+•
+
+The deadline for the delivery of the assignment (configuration files and report) is May 3rd 2026.
+
+•
+
+Submission via Inforestudante.
+
+4
+
+

assignment2/relatorio/relatorio.aux

@@ -0,0 +1,27 @@
+\relax 
+\providecommand \babel@aux [2]{\global \let \babel@toc \@gobbletwo }
+\@nameuse{bbl@beforestart}
+\catcode `"\active 
+\providecommand\hyper@newdestlabel[2]{}
+\providecommand\HyField@AuxAddToFields[1]{}
+\providecommand\HyField@AuxAddToCoFields[2]{}
+\babel@aux{portuguese}{}
+\@writefile{toc}{\contentsline {section}{\numberline {1}Introdução}{3}{section.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {2}Preparação Inicial}{3}{section.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Criação de Certificados}{3}{subsection.2.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Configuração geral}{4}{subsection.2.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {3}VPN Gateway}{5}{section.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.1.1}Testes}{12}{subsubsection.5.1.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{13}{section.6}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{13}{section.7}\protected@file@percent }
+\gdef \@abspage@last{13}

assignment2/relatorio/relatorio.listing

@@ -0,0 +1 @@
+openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt

assignment2/relatorio/relatorio.out

@@ -0,0 +1,18 @@
+\BOOKMARK [1][-]{section.1}{\376\377\000I\000n\000t\000r\000o\000d\000u\000\347\000\343\000o}{}% 1
+\BOOKMARK [1][-]{section.2}{\376\377\000P\000r\000e\000p\000a\000r\000a\000\347\000\343\000o\000\040\000I\000n\000i\000c\000i\000a\000l}{}% 2
+\BOOKMARK [2][-]{subsection.2.1}{\376\377\000C\000r\000i\000a\000\347\000\343\000o\000\040\000d\000e\000\040\000C\000e\000r\000t\000i\000f\000i\000c\000a\000d\000o\000s}{section.2}% 3
+\BOOKMARK [2][-]{subsection.2.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000g\000e\000r\000a\000l}{section.2}% 4
+\BOOKMARK [1][-]{section.3}{\376\377\000V\000P\000N\000\040\000G\000a\000t\000e\000w\000a\000y}{}% 5
+\BOOKMARK [2][-]{subsection.3.1}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000a\000\040\000M\000\341\000q\000u\000i\000n\000a}{section.3}% 6
+\BOOKMARK [2][-]{subsection.3.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000o\000\040\000S\000e\000r\000v\000i\000\347\000o\000\040\000O\000p\000e\000n\000V\000P\000N}{section.3}% 7
+\BOOKMARK [2][-]{subsection.3.3}{\376\377\000E\000r\000r\000o\000s}{section.3}% 8
+\BOOKMARK [2][-]{subsection.3.4}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000r\000\040\000o\000\040\000u\000t\000i\000l\000i\000z\000a\000d\000o\000r\000\040\000c\000o\000m\000\040\000T\000O\000T\000P}{section.3}% 9
+\BOOKMARK [1][-]{section.4}{\376\377\000V\000P\000N\000\040\000C\000l\000i\000e\000n\000t\000\040\000\050\000R\000o\000a\000d\000\040\000W\000a\000r\000r\000i\000o\000r\000\051}{}% 10
+\BOOKMARK [2][-]{subsection.4.1}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000a\000\040\000M\000\341\000q\000u\000i\000n\000a}{section.4}% 11
+\BOOKMARK [2][-]{subsection.4.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000o\000\040\000C\000l\000i\000e\000n\000t\000e\000\040\000O\000p\000e\000n\000V\000P\000N}{section.4}% 12
+\BOOKMARK [2][-]{subsection.4.3}{\376\377\000T\000e\000s\000t\000e\000s}{section.4}% 13
+\BOOKMARK [1][-]{section.5}{\376\377\000S\000e\000r\000v\000i\000d\000o\000r\000\040\000A\000p\000a\000c\000h\000e\000\040\000e\000\040\000O\000C\000S\000P}{}% 14
+\BOOKMARK [2][-]{subsection.5.1}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000\347\000\343\000o\000\040\000d\000a\000\040\000M\000\341\000q\000u\000i\000n\000a}{section.5}% 15
+\BOOKMARK [3][-]{subsubsection.5.1.1}{\376\377\000T\000e\000s\000t\000e\000s}{subsection.5.1}% 16
+\BOOKMARK [1][-]{section.6}{\376\377\000T\000e\000s\000t\000e\000\040\000I\000n\000t\000e\000g\000r\000a\000d\000o}{}% 17
+\BOOKMARK [1][-]{section.7}{\376\377\000C\000o\000n\000c\000l\000u\000s\000\343\000o}{}% 18

assignment2/relatorio/relatorio.tex

@@ -0,0 +1,575 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage[portuguese]{babel}
+\usepackage[lining]{ebgaramond}
+\usepackage{style}
+
+\setlength{\parindent}{0em}
+\setlength{\parskip}{2ex}
+
+\title{Practical Assignment \#2}
+\author{
+    João Neto -- 2023234004\\[1em]
+    Vasco Alves -- 2022228207
+}
+
+\begin{document}
+\maketitle
+
+\newpage
+\tableofcontents
+
+\newpage
+
+\section{Introdução}
+
+Este projeto tem como âmbito implementar, uma rede virtual privada (VPN) num cenário
+de road-warrior, configurar \textit{two-factor authentication} (2FA) com os serviços
+OpenVPN e Apache, e gerir certificados X.509 utilizando OCSP.
+
+% NOTE(vasco): Eu acho que basta explicar o cenario e explicar como decidimos 
+% implementar <- yeah agree, also esta introdução acho que é boa fala sobre o objetivo
+% e o cenario, e porque é que o nosso cenario é como é. Não sei se a parte das razões de
+%segurança devia estar nesta parte ou na conclusão como perpetiva futura e reflexão, mas aqui
+%também não está mal.
+
+% Para tal, foi implementado um servidor e um cliente OpenVPN, certificados por uma
+% autoridade central (CA) que em si é \textit{self-signed}. Para além disto, foi implementado
+% um sistema de autenticação de dois factores através do plugin
+% \textit{google-authenticator} para o OpenVPN e para o servidor de Apache.
+
+Decidimos utilizar apenas três máquinas virtuais: o cliente (ou \textit{road warrior}),
+a \textit{gateway} que utiliza OpenVPN e um servidor interno com OpenSSL e Apache. 
+Isto simplifica a elaboração do projecto, mas por razões de segurança poderia querer
+separar a máquina de OpenSSL de outras máquinas destinadas a serviços da rede interna,
+pois esta contém o \textit{certificate authority} (CA). 
+
+% Ambos o OpenVPN eo  servidor Apache utilizam 2FA,
+% recebendo o utilizador, e uma password que é uma concatenação da palavra-passe do utilizador
+% e de uma password temporária (TOTP) de 6 dígitos. O servidor de Apache implementa a mesma autenticação.
+
+\begin{tabular}{l l l}
+   {\bf Nome} & {\bf Script} & {\bf Rede} \\\toprule
+   Road Warrior & VM\_ROAD\_WARRIOR.sh & Rede Externa 193.168.0.0/24 \\
+   VPN Gateway & VM\_OPENVPN\_GATEWAY.sh & Router \\
+   OpenSSL / Apache & VM\_OPENSSL\_APACHE.sh & Rede Interna 10.60.0.0/24 \\
+\end{tabular}
+
+\section{Preparação Inicial}
+
+\subsection{Criação de Certificados}
+
+Os certificados utilizados foram auto-certificados por uma autoridade central que ``pertence''
+à máquina de OpenSSL. Esta mesma faz a gestão da lista de revogação.
+
+Todas as chaves foram criadas no mesmo computador, com as variáveis que estão
+neste código. Aspetos importantes para mais tarde serão os parâmetros de Comon Name (CN)
+pois servem para a validação do certificado ambos pelo OpenSSL e pelo browser.
+
+Nós optamos por assumir que num cenário real, teríamos acesso físico às máquinas, por isso em vez 
+de utilizar, por exemplo SCP ou FTP, escolhemos partilhar os ficheiros a partir da máquina host. No entanto, outra abordagem também estaria correta.
+
+\begin{codeblock}[bash]{create\_all\_keys.sh}
+cert_ca="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=CoimbraVPN"
+cert_vpn="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=gateway"
+cert_user="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=warrior"
+cert_apache="/C=PT/ST=Coimbra/L=Coimbra/O=UC/CN=apache.coimbra"
+
+openssl genrsa -out "ca.key" 2048
+openssl req -x509 -nodes -days 365 -key "ca.key" -out "ca.crt" -subj "$cert_ca"
+openssl genrsa -out "vpn.key" 2048
+openssl req -new -key "vpn.key" -out "vpn.csr" -subj "$cert_vpn"
+openssl ca -batch -in "vpn.csr" -cert "ca.crt" -keyfile "ca.key" -out "vpn.crt" -config cheese.cfg
+openssl dhparam -out "dh2048.pem" 2048
+openvpn --genkey secret "ta.key"
+openssl genrsa -out user.key
+openssl req -new -key user.key -out user.csr -subj "$cert_user"
+openssl ca -batch -in "user.csr" -cert "ca.crt" -keyfile "ca.key" -out "user.crt" -config cheese.cfg
+openssl genrsa -out apache.key
+openssl req -new -key apache.key -out apache.csr -subj "$cert_apache" -addext "subjectAltName = IP:10.60.0.1,DNS:apache"
+openssl ca -batch -in "apache.csr" -cert "ca.crt" -keyfile "ca.key" -out "apache.crt" -config cheese.cfg
+openssl --genkey secret ta.key
+\end{codeblock}
+
+Como o CA foi criado ``\textit{in place}'', e não na sua pasta prédefinida, foi necessário utilizar 
+um configuração própria para definir os ficheiros \textit{index.txt} e \textit{serial}.
+
+\begin{codeblock}[bash]{cheese.cfg}
+[ ca ]
+default_ca = CA_default
+[ CA_default ]
+default_days = 365
+database = index.txt
+serial = serial
+copy_extensions = copy
+new_certs_dir = .
+default_md = sha256
+policy = policy_any
+[ policy_any ]
+commonName = supplied
+\end{codeblock}
+
+\subsection{Configuração geral}
+Para evitar repetição e redundancia; e para garantir consistencia na elaboração do projeto criamos varios shell scripts, um destinado a cada maquina virtual.
+
+Para configurar as VMs era preciso introduzir os mesmos comandos várias vezes, o que levava muitas vezes a erros de escrita,
+ou a correr o mesmo comando várias vezes, por isso criamos vários ficheiros .sh para conseguir facilitar o processo.
+A utilização de ficheiros .sh também vem com outros positivos pois facilita a testagem, e a recriação do cenário rapidamente.
+
+No entanto para os serviços que configuramos, instalar, desativar e dar flush às iptables não foi suficiente, tivemos que criar
+pastas e sincronizar os relógios de todas as VMs visto que elas estarem ligeiramente atrasadas nunca conseguíamos acertar na 
+password do google-authenticator visto que utiliza o tempo local para calcular a sua chave.
+
+\begin{codeblock}[bash]{VM\_CONFIG.sh}
+yum install -y epel-release
+yum install -y openvpn iptables-services dhcp-client
+systemctl stop firewalld
+systemctl disable firewalld
+systemctl mask firewalld
+systemctl enable iptables
+iptables -F
+
+CA_DIR="/etc/pki/CA"
+mkdir -p "${CA_DIR}/newcerts"
+mkdir -p "${CA_DIR}/private"
+touch "${CA_DIR}/index.txt"
+cp ca/serial "${CA_DIR}/serial"
+
+mkdir -p /etc/openvpn/server
+mkdir -p /etc/openvpn/client
+
+# NOTE(vasco): tive problemas com a sincronizacao de tempo
+# se nao tiver sincronizado, o TOTP nao funciona
+systemctl stop chronyd
+ntpdate pool.ntp.org
+systemctl start chronyd
+\end{codeblock}
+
+
+\section{VPN Gateway}
+
+\subsection{Configuração da Máquina}
+
+Como já foi dito anteriormente, cada máquina vem com um \textit{script}
+que instala toda a configuração necessária.
+
+Para que a gateway funcione como router entre a rede externa e a rede interna,
+foi necessário ativar o \textit{IP forwarding} no kernel e configurar as regras
+de \textit{iptables} para permitir o tráfego da VPN e realizar o mascaramento
+de IP (NAT).
+
+% NOTA(vasco): Não temos regras de DROP a packets
+% talvez deviamos mudar isso nao sei <- não diz nada no enunciado ¯\_(ツ)_/¯
+% também o trabalho não é sobre ip tables por isso it does make sense não fazer drop
+%e utilizar as regras apenas para encaminhar corretamente.
+% Colocar isso na conclusão tho
+
+\begin{codeblock}[bash]{VM\_VPN\_GATEWAY.sh}
+#!/bin/bash
+
+# --- configuracao --- #
+source VM_CONFIG.sh
+yum install -y google-authenticator qrencode ntpsec
+
+# --- forwarding --- #
+if_fora="enp0s8"
+ip_fora="193.136.212.1"
+if_dentro="enp0s9"
+ip_dentro="10.60.0.3"
+mega_tunel="tun0"
+ip_mega_tunel="10.8.0.0/24"
+
+ifconfig $if_fora $ip_fora netmask 255.255.255.0
+ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
+
+echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
+sysctl -p /etc/sysctl.conf
+
+iptables -I INPUT 1  -p udp --dport 1194 -j ACCEPT
+iptables -I FORWARD 1 -i $mega_tunel -o $if_dentro -j ACCEPT
+iptables -I FORWARD 1 -i $if_dentro -o $mega_tunel -j ACCEPT
+iptables -I FORWARD 1 -i $mega_tunel -o $if_fora -j ACCEPT
+iptables -I FORWARD 1 -i $if_fora -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -t nat -A POSTROUTING -s $ip_mega_tunel -o $if_fora -j MASQUERADE
+iptables-save > /etc/sysconfig/iptables
+
+# --- vpn server --- #
+vpn_dir="/etc/openvpn/server"
+cp ca/ta.key $vpn_dir 
+cp ca/ca.crt $vpn_dir 
+cp ca/vpn.key $vpn_dir 
+cp ca/vpn.crt $vpn_dir 
+cp ca/dh2048.pem $vpn_dir 
+cp conf/vpn.conf $vpn_dir 
+cp conf/ocsp-verify.sh $vpn_dir
+cp conf/totp /etc/pam.d/
+
+# --- utilizador --- #
+id -u john &>/dev/null || useradd john
+echo "password" | passwd --stdin john
+
+openvpn --config /etc/openvpn/server/vpn.conf
+\end{codeblock}
+
+\subsection{Configuração do Serviço OpenVPN}
+
+
+O servidor OpenVPN utiliza um certificado X.509 assinado pelo nosso \textit{Certificate Authority} (CA).
+E faz uso de um script \texttt{oscp-verify.sh} para validar ou revogar os certificados através do servidor OCSP.
+
+\begin{codeblock}{vpn.conf}
+local 193.136.212.1
+port 1194
+proto udp
+dev tun
+
+verb 4
+
+ca /etc/openvpn/server/ca.crt
+cert /etc/openvpn/server/vpn.crt
+key /etc/openvpn/server/vpn.key
+dh /etc/openvpn/server/dh2048.pem
+
+topology subnet
+server 10.8.0.0 255.255.255.0
+push "route 10.60.0.0 255.255.255.0"
+
+# ocsp and revocation
+script-security 2
+tls-verify /etc/openvpn/server/ocsp-verify.sh
+# auth
+cipher AES-256-GCM
+auth SHA256
+
+plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so totp
+tls-auth /etc/openvpn/server/ta.key 0
+\end{codeblock}
+
+Foi criado o ficheiro \texttt{totp} com a configuração de autenticação a 
+ser utilizada pelo plugin de PAM para o openvpn.
+
+\begin{codeblock}{totp}
+auth    required    pam_google_authenticator.so forward_pass
+auth    required    pam_unix.so use_first_pass
+account required    pam_unix.so
+\end{codeblock}
+
+Este script simplesmente comunica com o servidor OpenSSl
+e verifica o resultado.
+
+\begin{codeblock}{ocsp\_verify.sh}
+#!/bin/bash
+depth=$1
+if [ "$depth" -eq 0 ]; then
+    if [ -n "$tls_serial_0" ]; then
+        # e preciso converter o serial para hexadecimal porque o openssl espera em hex
+        hex_serial=$(printf '%x' "$tls_serial_0")
+        status=$(openssl ocsp -issuer /etc/openvpn/server/ca.crt -serial "0x$hex_serial" -url http://10.60.0.1:8888 -CAfile /etc/openvpn/server/ca.crt 2>/dev/null)
+        if echo "$status" | grep -q "good"; then
+            exit 0 # sucesso
+        fi
+        exit 1 # revogado ou nao encontrado
+    fi
+    exit 1
+fi
+\end{codeblock}
+
+\subsection{Erros}
+
+Um dos erros que encontramos pelo caminho foi que o OpenSSL OCSP espera que o 
+\textit{serial} esteja num formato diferente do que o esperado. Foi necessário
+converter para hexadecimal primeiro.
+
+Adicionalmente, devido às restrições de segurança do \textit{systemd},
+tentamos desativar o \texttt{ProtectHome} no serviço do OpenVPN
+para que o plugin PAM consiga ler os ficheiros de segredo do Google Authenticator
+localizados nas diretorias \textit{home} dos utilizadores. Mas isto não 
+foi suficiente, por isso acabamos por correr os serviços pela linha
+de comandoos.
+
+\subsection{Configurar o utilizador com TOTP}
+
+Primeiro, na gateway, entramos como o utilizador desejado e obtemos a chave
+do gerador de palavras passes temporárias. Ao inserir a chave no 
+\texttt{google authenticator} podemos obter um código QR,  a nossa primeira
+chave de 6 dígitos.
+
+\begin{figure}[h]
+    \centering
+    \includegraphics[width=8em]{google-authenticator}
+\end{figure}
+
+\begin{codeblock}[bash]{}
+su john
+google-authenticator
+\end{codeblock}
+
+\section{VPN Client (Road Warrior)}
+
+\subsection{Configuração da Máquina}
+Para a configuração da Máquina, configuramos o edereço, o default gateway e adicionamos apache aos Hosts:
+
+\begin{codeblock}{VM\_ROAD\_WARRIOR.sh}
+#!/bin/bash
+
+# --- configuracao --- #
+source VM_CONFIG.sh
+ifconfig enp0s8 193.136.212.10 netmask 255.255.255.0
+route add default gw 193.136.212.1 
+
+if ! grep -q "apache" /etc/hosts; then
+    echo "10.60.0.1 apache" >> /etc/hosts
+fi
+
+# --- vpn client --- #
+vpn_dir="/etc/openvpn/client/"
+cp ca/ta.key $vpn_dir 
+cp ca/ca.crt $vpn_dir 
+cp ca/user.key $vpn_dir 
+cp ca/user.crt $vpn_dir 
+cp conf/client.conf $vpn_dir 
+
+openvpn --config "${vpn_dir}/client.conf"
+\end{codeblock}
+
+
+% Esta configuração foi necessaria, porque sem edereço a VM não conseguia-se identificar na rede. Sem o default gateway
+% os edereços desconhecidos seriam enviados para a porta da internet, e adicionamos apache aos Hosts para que fosse igual
+% ao domain para não haver erros.
+%(I dunno about this Apache part??) Also sinto que ainda precisa de mais um bocado.
+Também foram movidos os certificados e chaves necessarias para as pastas do serviço openvpn, para que o Road Warrior
+consiga comunicar e ser validado pela gateway.
+
+
+\subsection{Configuração do Cliente OpenVPN}
+
+O cliente encontra-se na rede externa (\texttt{193.136.212.10}) e liga-se à VPN
+gateway na porta 1194. Para garantir a segurança, utilizamos autenticação mútua (os certificados X.509)
+e um \textit{two factor authentication} (2FA) como palavras-passe temporárias, geradas através do
+\textit{Google Authenticator}.
+
+\begin{codeblock}{client.conf}
+client
+dev tun
+proto udp
+remote 193.136.212.1 1194
+ca ca.crt
+cert user.crt
+key user.key
+auth-user-pass
+cipher AES-256-GCM
+auth SHA256
+\end{codeblock}
+
+\subsection{Testes}
+Para verificar que a autenticação foi corretamente implementada, inserimos a password de um utilizador sem os digitos do TOTP, e identificamos que utilizar somente a password não é suficiente para autenticar. Igualmente ao utilizar ambos a autenticação é bem sucedida. 
+
+Para verificar que o tunel foi estabelecido, primeiro corremos na linha de comandos \texttt{ip a}. Observamos a existencia de uma nova interface tun0, ou seja o tunel foi corretamente establecido. Depois demos ping ao route e depois ao servidor interno, que resultou em pacotes devolvidos para ambos. 
+
+
+
+% TODO: screenshots? dizer que erros exatos nos obtemos a cada etapa
+% TODO: erros ortograficos lol 
+
+Para verificar que o OCSP funciona correctamente, o cliente conectou ao servidor OpenVPN:
+primeiro, sem o servidor OCSP a correr, uma segunda vez com ele a correr e com o certificado correcto
+e uma terceira vez com um certificado revogado. Fizemos estes testes sabendo que o 
+cliente e o servidor já estavam correctamente configurados.
+
+Verificamos que, como é suposto: sem OCSP não é possivel autenticar; com OCSP e com certificado válido,
+podemos autenticar; e com OCSP mas com certificado revogado, a autenticação falha.
+
+\section{Servidor Apache e OCSP}
+Para a configuração da ultima maquina, temos o OpenSSL e Apache no mesmo servidor, por isso temos de configurar
+as pastas necessarias, os utilizadores do serviço, configurar os edereços e uma route:
+\begin{codeblock}{VM\_OPENSSL\_APACHE.sh}
+#!/bin/bash
+# configuracao
+source VM_CONFIG.sh
+
+sudo yum install -y epel-release
+sudo yum install -y openssl httpd mod_ssl mod_authnz_pam google-authenticator 
+sudo yum install -y mod_session
+
+# utilizador
+id -u john &>/dev/null || useradd john
+echo "password" | passwd --stdin john
+
+if_dentro="enp0s8"
+ip_dentro="10.60.0.1"
+ifconfig $if_dentro $ip_dentro netmask 255.255.255.0
+
+# route de volta para comunicar com o warrior
+route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.60.0.3
+
+cp conf/openssl.cnf /etc/pki/tls/
+
+# copiar ca para esta VM
+cp ca/index.txt $CA_DIR
+cp ca/ca.crt $CA_DIR
+cp ca/ca.key $CA_DIR
+cp ca/serial $CA_DIR
+cp ca/dh2048.pem $CA_DIR
+
+# correr oscp
+killall openssl 2>/dev/null
+openssl ocsp -index $CA_DIR/index.txt -port 8888 -rsigner $CA_DIR/ca.crt -rkey $CA_DIR/ca.key -CA $CA_DIR/ca.crt -text &
+
+# apache
+mkdir -p /etc/httpd/ssl
+cp ca/ca.crt /etc/httpd/ssl/
+cp ca/apache.crt /etc/httpd/ssl/
+cp ca/apache.key /etc/httpd/ssl/
+cp conf/ssl.conf /etc/httpd/conf.d/ssl.conf
+cp conf/httpd.conf /etc/httpd/conf/httpd.conf
+cp conf/httpd-totp /etc/pam.d/httpd-totp
+
+echo "LoadModule session_module modules/mod_session.so" > /etc/httpd/conf.modules.d/01-session.conf
+echo "LoadModule session_cookie_module modules/mod_session_cookie.so" >> /etc/httpd/conf.modules.d/01-session.conf
+echo "LoadModule auth_form_module modules/mod_auth_form.so" > /etc/httpd/conf.modules.d/01-auth_form.conf
+
+cp -r www/* /var/www/html/
+chown -R apache:apache /var/www/html/
+
+httpd -X
+\end{codeblock}
+
+\subsection{Configuração da Máquina}
+
+Como já referimos a Máquina tem ambos o serviço OpenSSL e Apache, por isso vai precisar de dois .conf files para
+configurar-los. O httpd.conf tem as portas e modulos enquanto o ssl.conf tem a configuração da autenticação mútua, e o OCSP:
+\begin{codeblock}{httpd.conf}
+ServerRoot "/etc/httpd"
+
+Include conf.modules.d/*.conf
+LoadModule authnz_pam_module modules/mod_authnz_pam.so
+LoadModule mpm_event_module modules/mod_mpm_event.so
+
+User apache
+Group apache
+
+Listen 80
+Listen 443
+
+Include conf.d/*.conf
+
+DocumentRoot "/var/www/html"
+<Directory "/var/www/html">
+    Options Indexes FollowSymLinks
+    AllowOverride None
+    Require all granted
+</Directory>
+\end{codeblock}
+
+\begin{codeblock}{ssl.conf}
+<VirtualHost *:443>
+    ServerName 10.60.0.1
+    DocumentRoot /var/www/html
+
+    SSLEngine on
+    SSLCertificateFile /etc/httpd/ssl/apache.crt
+    SSLCertificateKeyFile /etc/httpd/ssl/apache.key
+    SSLCACertificateFile /etc/httpd/ssl/ca.crt
+
+    # mutual authentication
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+
+    # ocsp validation
+    SSLOCSPEnable on
+    SSLOCSPDefaultResponder "http://10.60.0.1:8888"
+    SSLOCSPOverrideResponder on
+    SSLOCSPUseRequestNonce off
+
+    # session management 
+    Session On
+    SessionCookieName session path=/;HttpOnly;Secure
+
+    # proteger
+    <Location "/">
+        AuthType Form
+        AuthName "Coimbra VPN"
+        AuthFormProvider PAM
+        AuthPAMService httpd-totp
+        AuthFormLoginRequiredLocation "/login.html"
+        Require valid-user
+    </Location>
+
+    # public login page
+    <Location "/login.html">
+        AuthType None
+        Require all granted
+    </Location>
+
+    # login handler
+    <Location "/dologin">
+        SetHandler form-login-handler
+        AuthType Form
+        AuthName "Coimbra VPN"
+        AuthFormProvider PAM
+        AuthPAMService httpd-totp
+        Require all granted
+        AuthFormLoginSuccessLocation "/index.html"
+        AuthFormLoginRequiredLocation "/login.html?error=1"
+    </Location>
+
+    # logout handler
+    <Location "/logout">
+        SetHandler form-logout-handler
+        AuthFormLogoutLocation "/login.html?loggedout=1"
+    </Location>
+
+</VirtualHost>
+
+# redirect para https
+<VirtualHost *:80>
+    ServerName 10.60.0.1
+    Redirect permanent / https://10.60.0.1/
+</VirtualHost>
+\end{codeblock}
+
+\subsubsection{Testes}
+\begin{itemize}
+    \item \textbf{Domínio:} Verificou-se que o acesso só é permitido utilizando o endereço correto, pois se for inserido outro dominio, não é direcionado para o site do Apache.
+    \item \textbf{Redirecionamento HTTPS:} Ao testar quando colocamos http, e o dominio certo, era redirecionado para https.
+    \item \textbf{Autenticação com o Certificado:} O acesso foi negado ao apresentar certificados inválidos ou ausentes no browser, devolvendo um erro com sobre não conseguir establecer connexão porque falta de certificado.
+\end{itemize}
+
+Para testar o OCSP, fizemos os seguintes paços:
+
+\begin{enumerate}
+    \item Estabelecer a ligação VPN e verificar a conectividade à rede interna.
+    \item No diretório da autoridade de certificação (máquina \textit{host}), revogar o certificado do utilizador:
+\begin{codeblock}[bash]{revoke.sh}
+openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt
+\end{codeblock}
+    \item Atualizar o ficheiro \texttt{index.txt} no servidor OCSP e reiniciar o serviço para carregar o novo estado de revogação.
+    \item Tentar estabelecer uma nova ligação VPN e verificar que a autenticação falha devido à resposta \texttt{revoked} do responder OCSP.
+\end{enumerate}
+
+
+\section{Teste Integrado}
+
+Para validar, efetuámos um teste integrado englobando todos os requisitos:
+\begin{enumerate}
+    \item Começamos por iniciar todas as máquinas com os devidos \textit{scripts}.
+    \item Na máquina \textit{Road Warrior}, iniciámos a ligação OpenVPN com o utilizador, a sua password e o \textit{token} TOTP.
+    \item O \textit{Gateway} OpenVPN verifica as credenciais e verifica o certificado cliente contra o servidor OCSP.
+    \item Antes de acedermos ao firefox, temos que verificar que já adicionámos a nossa a nossa CA e o certificado \texttt{p12}.
+    \item Através do túnel VPN, acedemos agora ao endereço \texttt{https://apache.coimbra} no browser.
+    \item O servidor Apache solicitou o certificado X.509 do utilizador e validou a sua autenticidade e estado de revogação no OCSP.
+    \item Finalmente, o Apache apresentou a página de login, onde inserimos as credenciais e o código TOTP.
+\end{enumerate}
+
+
+\section{Conclusão}
+
+Atingimos o objetivo deste trabalho: conseguimos configurar o túnel VPN,
+o \textit{two-factor authentication} em múltiplos serviços, e conseguimos gerir o ciclo de vida dos
+certificados emitidos através de uma CA própria e OCSP. Utilizar mais máquinas para simular um cenário
+maior seria redundante e apenas exigiria a emissão de mais certificados, não acrescentando muito ao nível de aprendizagem. 
+
+Aplicando conhecimentos de trabalhos anteriores,
+poderíamos aplicar políticas mais restritas nas \textit{iptables} (ex: regras de DROP aos pacotes indesejados),
+e implementar ferramentas como o Suricata para identificar possíveis anomalias e ataques aos serviços.
+
+\end{document}

assignment2/relatorio/relatorio.toc

@@ -0,0 +1,19 @@
+\babel@toc {portuguese}{}\relax 
+\contentsline {section}{\numberline {1}Introdução}{3}{section.1}%
+\contentsline {section}{\numberline {2}Preparação Inicial}{3}{section.2}%
+\contentsline {subsection}{\numberline {2.1}Criação de Certificados}{3}{subsection.2.1}%
+\contentsline {subsection}{\numberline {2.2}Configuração geral}{4}{subsection.2.2}%
+\contentsline {section}{\numberline {3}VPN Gateway}{5}{section.3}%
+\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}%
+\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}%
+\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}%
+\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}%
+\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}%
+\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}%
+\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}%
+\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}%
+\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}%
+\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}%
+\contentsline {subsubsection}{\numberline {5.1.1}Testes}{12}{subsubsection.5.1.1}%
+\contentsline {section}{\numberline {6}Teste Integrado}{13}{section.6}%
+\contentsline {section}{\numberline {7}Conclusão}{13}{section.7}%

assignment2/relatorio/style.sty

@@ -0,0 +1,64 @@
+\usepackage[margin=1in]{geometry}
+\usepackage{raleway}
+\renewcommand{\familydefault}{\sfdefault}
+\usepackage{ulem}
+\usepackage{wrapfig}
+\usepackage{graphicx,tabularx,booktabs}
+\usepackage{paracol}
+\usepackage[dvipsnames]{xcolor}
+\usepackage{enumitem,amssymb}
+\usepackage[colorlinks=true,urlcolor=blue,linkcolor=MidnightBlue]{hyperref}
+\graphicspath{{./img/}}
+
+\usepackage{enumitem,amssymb}
+\newlist{todolist}{itemize}{2}
+\setlist[todolist]{noitemsep, topsep=0pt,label=$\square$}
+
+\usepackage{pifont}
+\usepackage{amssymb}
+
+\usepackage[most]{tcolorbox}
+\tcbuselibrary{listings, skins, breakable}
+
+\lstdefinestyle{mystyle}{
+    basicstyle=\ttfamily\footnotesize,
+    breakatwhitespace=false,         
+    breaklines=true,                 
+    captionpos=b,                    
+    keepspaces=true,                 
+    numbers=left,                    
+    numbersep=5pt,                  
+    showspaces=false,                
+    showstringspaces=false,
+    showtabs=false,                  
+    tabsize=2,
+    commentstyle=\color{gray},
+    keywordstyle=\color{MidnightBlue}\bfseries,
+    stringstyle=\color{ForestGreen}
+}
+
+\newtcblisting{codeblock}[2][]{
+    enhanced,
+    breakable,
+    colback=gray!2!white,
+    colframe=gray!20!black,
+    attach boxed title to top left={yshift*=-\tcboxedtitleheight/2, xshift=4mm},
+    boxed title style={
+        colback=gray!20!black,
+        outer arc=0pt,
+        arc=0pt,
+        top=1pt,
+        bottom=1pt,
+    },
+    fonttitle=\bfseries\ttfamily\footnotesize,
+    title={#2},
+    listing only,
+    listing options={
+        style=mystyle,
+        language=#1,
+    }
+}
+
+\setlength{\parskip}{1em}%
+\setlength{\parindent}{0em}%
+

conf/httpd.conf

@@ -1,20 +1,90 @@
 ServerRoot "/etc/httpd"
+ServerName "10.60.0.1"
 
-Include conf.modules.d/*.conf
-LoadModule authnz_pam_module modules/mod_authnz_pam.so
-LoadModule mpm_event_module modules/mod_mpm_event.so
-
+Listen 80
 User apache
 Group apache
 
-Listen 80
-Listen 443
+Include conf.modules.d/*.conf
+Include conf/modsecurity.conf
 
-Include conf.d/*.conf
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
 
 DocumentRoot "/var/www/html"
+
+<Directory "/var/www">
+    AllowOverride None
+    Require all granted
+</Directory>
+
+# Further relax access to the default document root:
 <Directory "/var/www/html">
     Options Indexes FollowSymLinks
     AllowOverride None
     Require all granted
 </Directory>
+
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+<IfModule dir_module>
+    DirectoryIndex index.html
+</IfModule>
+
+# The following lines prevent .htaccess and .htpasswd files from being 
+# viewed by Web clients. 
+<Files ".ht*">
+    Require all denied
+</Files>
+
+ErrorLog "logs/error_log"
+LogLevel warn
+
+<IfModule log_config_module>
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    CustomLog "logs/access_log" combined
+</IfModule>
+
+<IfModule mime_module>
+    TypesConfig /etc/mime.types
+
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+
+    AddType text/html .shtml
+    AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+    MIMEMagicFile conf/magic
+</IfModule>
+
+# reverse proxy for juice shop
+ProxyRequests Off
+ProxyPreserveHost On
+
+<VirtualHost 10.60.0.1:80>
+    <IfModule mod_headers.c>
+        RequestHeader unset Accept-Encoding
+    </IfModule>
+
+    ProxyPass / http://127.0.0.1:3000/
+    ProxyPassReverse / http://127.0.0.1:3000/
+</VirtualHost>
+
+# EnableMMAP off
+# EnableSendfile on
+IncludeOptional conf.d/*.conf
+ServerAdmin jeevacation@gmail.com
+# ServerName www.coimbravpn.com:80

conf/modsecurity.conf

@@ -0,0 +1,38 @@
+SecRuleEngine On
+SecRequestBodyAccess On
+SecResponseBodyAccess On
+SecDebugLog /var/log/modsecurity/debug.log
+SecDebugLogLevel 0
+SecAuditLogParts ABIJ
+SecAuditLogType Serial
+SecAuditLog /var/log/modsecurity/audit.log
+SecRequestBodyJsonParser On
+
+# sql injection
+SecRule REQUEST_BODY "['\"].*--" \
+    "id:950001,phase:2,deny,status:403,msg:'SQL Injection: quote and comment',log"
+
+# xss / html injection
+SecRule REQUEST_URI|ARGS "(<.*>)|(%3C.*%3E)" \
+    "id:950003,phase:1,deny,status:403,msg:'XSS/HTML INJECTION DETECTED!!!',log"
+
+# command injection
+SecRule ARGS "(\"role\".*:.*\"admin\")|exec|cat|more|ls|dir|/etc/passwd" \
+    "id:950006,phase:2,deny,status:403,msg:'COMMAND INJECTION DETECTED!!!',log"
+
+# path traversal
+SecRule REQUEST_URI|ARGS "\%00|\%2500|\.\./|ftp|metrics|api-docs" \
+    "id:950007,phase:2,deny,status:403,msg:'PATH TRAVERSAL ATTEMPT!!!',log"
+
+# exposed stuff (redundante ?)
+SecRule REQUEST_URI|ARGS "\%00|\%2500|ftp|metrics|api-docs" \
+    "id:950008,phase:2,deny,status:500,msg:'ATTEMPT TO ACCESS FTP, METRICS, API-DOCS!!!',log"
+
+# rate limiting on login endpoint
+# (max 5 requests per 30s per IP)
+SecAction \
+    "id:950009,phase:1,initcol:ip=%{REMOTE_ADDR},pass,nolog"
+SecRule REQUEST_URI "@streq /rest/user/login" \
+    "id:950010,phase:2,pass,nolog,setvar:ip.login_count=+1,expirevar:ip.login_count=30"
+SecRule IP:LOGIN_COUNT "@gt 5" \
+    "id:950011,phase:2,deny,status:429,msg:'Rate Limit Exceeded on Login',log"

enunciado.txt

@@ -1,142 +1,152 @@
 FSI 2025/2026
-Practical Assignment #2
+Practical Assignment #3
 
 1. Goals
 •
 
-Configure a VPN tunnel in the “road warrior” scenario.
+Explore the WSTG (Web Security Testing Guide)1 web security testing guidelines.
 
 •
 
-Enable two-factor user authentication with OpenVPN and Apache services.
-
-•
-
-Manage PKI: certification authorities, X.509 certificates, revocation and OCSP.
+Configure and explore the usage of ModSecurity reverse proxy as a WAF (Web Application Firewall)
 
 2. General description
-Figure 1 illustrates the scenario considered for our practical assignment. As illustrated, secure communications are
-supported by a VPN tunnel established between a remote client (road warrior) and the VPN gateway, with the purpose of
-enabling accesses to services in the Internal Network, particularly a web server running Apache. To enable the VPN tunnel,
-we will use OpenVPN (https://openvpn.net).
+The main goals of this assignment are to explore web application security and to implement a web application firewall to
+secure a web application against application-layer attacks. The web application to be used in this assignment is the OWASP
+JuiceShop2 3. This assignment is split in two phases: the first phase is dedicated to exploring the security of the JuiceShop
+web application, and the second phase aims at monitor, filter, and block HTTP traffic to the JuiceShop, through the
+implementation of a WAF using ModSecurity, with the aim to address the security issues identified in the first phase. Figure
+1 illustrates the two phases of the assignment, depicting the JuiceShop web server, the penetration testing client and the
+WAF.
 
-Figure 1 – Scenario for the Practical Assignment #1
+Figure 1 – Security testing and WAF phases of the Assignment
 
-Regarding authentication, the two communication entities participating in the VPN tunnel (road warrior and the VPN
-gateway) should possess valid X.509 certificates, which are created with a private Certification Authority (CA). Users
-establishing remote connections to the VPN gateway (road warriors), as well as users connecting to the Apache server, will
-also use two-factor authentication, as described below. Apache must also implement client authentication via X.509
-certificates. Figure 2 provides an illustration of the interactions between all the entities involved in this setup.
+1
 
-Figure 2 – X.509 mutual authentication and OCSP
+WSTG with v42 is available at: https://owasp.org/www-project-web-security-testing-guide/
 
-As we can observe in Figure 2, the VPN gateway and the Apache web server must verify the status of validity of certificates
-using OCSP (Online Certificate Status Protocol) and revocation information from the CA. OCSP verification in not
-required for the road warrior. Next, we describe the configuration requirements for the various components of the
-assignment.
-
-3. Configuration requirements
-VPN tunnel for remote access (road warriors)
-As illustrated in Figure 1, remote clients (road warriors) are able to connect to the Coimbra VPN gateway, and using the
-tunnel remotely access hosts in the Internal network. The following configuration requirements should be considered:
-•
-
-In order to establish a VPN tunnel with the Coimbra gateway, the road warrior must be in the possession of a valid
-X.509 certificate, issued by the private CA of the scenario.
-
-•
-
-The road warrior and the Coimbra VPN gateway must perform mutual authentication using X.509 digital certificates.
-
-•
-
-The Coimbra VPN gateway should verify the validity of the X.509 certificate presented by the road warrior using OCSP
-and, in case the certificate is revoked, the gateway should refuse the connection.
-
-•
-
-In order to authorize the remote user, the Coimbra gateway should also enforce two other authentication steps: the user
-must present a valid username and password, plus a one-time password (OTP, or an authentication token).
-
-Web server
 2
 
-The road warrior user should be able to contact the Apache web server with HTTPS through the VPN tunnel. The
-following configuration requirements should be considered:
-•
-
-Apache should enforce two-factor authentication in order to authorize accesses from clients: the client (browser) should
-present a valid X.509 certificate (issued with the private CA of the scenario) and the user should also present a valid onetime password (or authentication token).
-
-•
-
-As in the VPN, the validity of the X.509 certificate presented by the client should be checked in the CA using OCSP.
-
-Two-factor user authentication
-As previously discussed, VPN establishment and HTTPS accesses to Apache make use of one-time passwords
-(authentication tokens), which may be generated by an appropriate application. One-time passwords may be generated using
-the TOTP (Time-based One-time Password Algorithm). This algorithm employs a secret key shared between the user
-(client) and the remote service, plus a timestamp (obtained from the current system time), to obtain a one-time password.
-In order to generate a one-time password, the user may use an application such as Google Authenticator, illustrated in
-Figure 3. This application periodically generates a new one-time password that can be used to authenticate the user with the
-remote service. This application is available for iOS and Android 1.
-Certification authority
-As already discussed, the goal is to use OpenSSL to configure a private Certification Authority, as well as to issue and revoke
-X.509 digital certificates for the VPN gateways and remote users. The following configuration requirements should be
-considered:
-•
-
-The Certification Authority is used to issue certificates for the VPN gateway, VPN client and Apache web server.
-
-•
-
-The Certification Authority allows the revocation of certificates previously issued.
-
-•
-
-The Certification Authority also supports a OCSP responder.
-
-For Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en and
-for Apple iOS: https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8
-1
+OWASP JuiceShop: https://owasp.org/www-project-juice-shop/
+For this assignment, it is recommended to use the most recent version of the JuiceShop. At the time of writing this document it is v17.2.0
 
 3
 
-Figure 3 – Google Authenticator app, to generate a one-time password to access services enabled with two-factor authentication
+3. Phase 1 - Web application security testing
+In this phase the goal is to explore web application security using the JuiceShop website following the relevant and applicable
+WSTG web security testing guidelines, and for this purpose any security tools can be used. In this context, OWASP ZAP
+and security tools already available in Kali Linux are particularly relevant. This web security testing phase is described in
+Figure 1, where the client has direct communications to the web server. As part of your tests, the OWASP ZAP penetration
+tests must, at least:
+a. Perform an automated scan to the website.
+b. Perform an active scan to the website (explore the most effective policies).
+c. Manage add-on required to improve the test and maximize threats identification.
+d. Perform a Fuzz attack to the login form.
+e. Perform a manual penetration test to explore logged in threats.
+f.
 
-4. Delivery of the Practical Assignment
-With the assignment, please deliver also a report, containing the following information:
+Configure OWASP ZAP active scan to explore authenticated area.
+
+The JuiceShop application can be installed via source code or using docker, as follows:
 •
 
-Descriptions of the configurations for the implementation of the previous requirements.
+Installation through source code in one of the virtual machines
 
 •
 
-A description of how the private Certification Authority was created using OpenSSL.
+Using a docker approach (requires Docker Desktop)
+
+As a result of your tests, you should prepare a web application security report, structured along the WSTG guidelines. The
+report must document the identified vulnerabilities and on how these can be exploited (e.g., weak passwords, insecure
+configurations).
+
+4. Phase 2 – Setup and testing of a WAF (web application firewall)
+Based on the web application security report produced in the first phase of the assignment, deploy an WAF between the
+client and the web server, as depicted in Figure 1. The goals of this WAF are to monitor, filter, and block HTTP traffic to
+the Juice Shop. This WAF server should be composed of an Apache 2 service with ModSecurity, and the WAF
+configuration should be optimized to prevent all possible attacks.
+As a result of this phase of the Assignment, you should repeat all penetration tests performed in the previous task and assess
+the performance of the WAF in detecting and blocking the attacks. You should update the web application security report
+accordingly, by including the configurations, description of the tests and performance results in a separate section.
+5. Delivery of the Practical Assignment
+2
+
+•
+
+The deadline for the delivery of the assignment (configuration files and report, via Inforestudante) is 31/5/2026.
 
 •
 
-A description of how X.509 certificates were issued and revoked using the private Certification Authority.
+Notes:
+o
 
-•
+Assignments without PGP will be accepted, although with a discount of 5% in the final grade.
 
-A description of the tests performed to validate the functionalities implemented.
+o
 
-•
+Submissions via Inforestudante.
 
-Remaining information considered relevant.
+The delivery of the practical assignment can document aspects regarding the methodology of testing, the analysis of results
+and can be structured as follows:
 
-For the delivery of the assignment, put your report, as well as the relevant configuration files, in a single archive. This archive
-should be signed using your PGP key and encrypted using the PGP key of your PL teacher.
-Note: Assignments without PGP will be accepted, although with a discount of 5% in the final grade.
-Delivery deadline:
-•
+1) Introduction
+2) Arquitecture considered for the PA#3 (for both scenarios 1 and 2)
+- Network structure
+- Servers
+- Services
+3) Web application security testing
+1 Information Gathering
+2 Configuration and Deployment Management Testing
+3 Identity Management Testing
+4 Authentication Testing
+5 Authorization Testing
+6 Session Management Testing
+7 Input Validation Testing
+8 Testing for Error Handling
+9 Testing for Weak Cryptography
+10 Business Logic Testing
+11 Client Side Testing
+4) Web application security firewall
+1 Information Gathering
+2 Configuration and Deployment Management Testing
+3 Identity Management Testing
+4 Authentication Testing
+5 Authorization Testing
+6 Session Management Testing
+7 Input Validation Testing
+8 Testing for Error Handling
+9 Testing for Weak Cryptography
+10 Business Logic Testing
+11 Client Side Testing
+5) Conclusions
 
-The deadline for the delivery of the assignment (configuration files and report) is May 3rd 2026.
+3
 
-•
-
-Submission via Inforestudante.
+6. Important/relevant aspects
+The Web Application Security Testing document includes several sections, providing guidelines for testing. The guideline
+applicable to this assignment is mainly in Section 4, which must be analysed carefully, since testing tools may be suggested in
+each section.
+The practical assignment targets black-box testing, which is according to OWASP in WSTG “the art of testing a system or
+application remotely to find security vulnerabilities, without knowing the inner workings of the target itself”. Thus, in this
+type of testing strategy we focus on tools such as web application security scanners, vulnerability scanners and penetration
+testing software.
+The following aspects are relevant in what respects the WSTG guidelines and structure:
+1. Section 4.7 should be considered as a whole, which can be tested with OWASP ZAP or a similar tool. There are
+some subsections, that do not apply in this assignment. For instance, the Juice Shop does not include any support
+for LDAP, so subsection 4.7.6 – “Testing for LDAP injection” does not require any action/testing.
+2. Section 4.11 should be considered as a whole, which can be tested with OWASP ZAP or a similar tool.
+3. Section 4.9 should not be considered since communications with Juice Shop are not over HTTPS.
+4. Section 4.10 should not be considered as well, as it is out of scope of this assignment.
+5. Other subsections are out of scope of this assignment, and students should identify these in the report (and explain
+why). For instance. subsection 4.2.9, 4.2.10 and 4.2.11 are not applicable in this assignment.
+Regarding the second phase of the work, with the Web Application Firewall, the following aspects should be considered:
+1. The main goal of the project in the second phase is to enable detection and prevention of the issues identified in the
+first phase. Nonetheless, all the detection and prevention actions must be possible using Apache and ModSecurity
+(with OWASP CRS), no other tools should be considered for this purpose.
+2. The issues identified Section 4.3 of WSTG cannot be detected and solved with ModSecurity (with OWASP CRS),
+so no action is required. ModSecurity is a WAF that operates at the HTTP level — it analyzes HTTP requests and
+responses and blocks traffic based on patterns (malicious payloads, suspicious headers, etc.). Identity Management
+issues are application logic flaws, not attacks with detectable patterns in HTTP traffic.
 
 4
 

relatorio/relatorio.aux

@@ -6,25 +6,47 @@
 \providecommand\HyField@AuxAddToFields[1]{}
 \providecommand\HyField@AuxAddToCoFields[2]{}
 \babel@aux{portuguese}{}
-\@writefile{toc}{\contentsline {section}{\numberline {1}Introdução}{3}{section.1}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {2}Preparação Inicial}{3}{section.2}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Criação de Certificados}{3}{subsection.2.1}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Configuração geral}{4}{subsection.2.2}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {3}VPN Gateway}{5}{section.3}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{10}{subsection.5.2}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.2.1}Testes}{10}{subsubsection.5.2.1}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{11}{subsection.5.3}\protected@file@percent }
-\@writefile{toc}{\contentsline {subsubsection}{\numberline {5.3.1}Testes}{11}{subsubsection.5.3.1}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {6}Teste Integrado}{11}{section.6}\protected@file@percent }
-\@writefile{toc}{\contentsline {section}{\numberline {7}Conclusão}{11}{section.7}\protected@file@percent }
-\gdef \@abspage@last{11}
+\@writefile{toc}{\contentsline {section}{\numberline {1}Introduction}{3}{section.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {2}Architecture Considered for Both Stages}{3}{section.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.1}Network structure}{3}{subsection.2.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.2}Servers}{3}{subsection.2.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {2.3}Services}{3}{subsection.2.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {3}Web application security testing}{4}{section.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.1}Information Gathering}{4}{subsection.3.1}\protected@file@percent }
+\@writefile{lof}{\contentsline {figure}{\numberline {1}{\ignorespaces ftp}}{4}{figure.1}\protected@file@percent }
+\newlabel{fig:ftp}{{1}{4}{ftp}{figure.1}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.2}Configuration and Deployment Management Testing}{4}{subsection.3.2}\protected@file@percent }
+\@writefile{lof}{\contentsline {figure}{\numberline {2}{\ignorespaces metrics}}{5}{figure.2}\protected@file@percent }
+\newlabel{fig:metrics}{{2}{5}{metrics}{figure.2}{}}
+\@writefile{lof}{\contentsline {figure}{\numberline {3}{\ignorespaces swagger}}{5}{figure.3}\protected@file@percent }
+\newlabel{fig:swagger}{{3}{5}{swagger}{figure.3}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.3}Identity Management Testing}{6}{subsection.3.3}\protected@file@percent }
+\@writefile{lof}{\contentsline {figure}{\numberline {4}{\ignorespaces email-unique}}{7}{figure.4}\protected@file@percent }
+\newlabel{fig:email-unique}{{4}{7}{email-unique}{figure.4}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.4}Authentication Testing}{7}{subsection.3.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.5}Authorization Testing}{7}{subsection.3.5}\protected@file@percent }
+\@writefile{lof}{\contentsline {figure}{\numberline {5}{\ignorespaces email-invalido}}{8}{figure.5}\protected@file@percent }
+\newlabel{fig:email-invalido}{{5}{8}{email-invalido}{figure.5}{}}
+\@writefile{lof}{\contentsline {figure}{\numberline {6}{\ignorespaces suspiciouserrors}}{8}{figure.6}\protected@file@percent }
+\newlabel{fig:suspiciouserrors}{{6}{8}{suspiciouserrors}{figure.6}{}}
+\@writefile{lof}{\contentsline {figure}{\numberline {7}{\ignorespaces suspiciouserrors2}}{9}{figure.7}\protected@file@percent }
+\newlabel{fig:suspiciouserrors2}{{7}{9}{suspiciouserrors2}{figure.7}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.6}Session Management Testing}{9}{subsection.3.6}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.7}Input Validation Testing}{9}{subsection.3.7}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsubsection}{\numberline {3.7.1}Testing for SQL Injection}{10}{subsubsection.3.7.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.8}Testing for Error Handling}{10}{subsection.3.8}\protected@file@percent }
+\@writefile{lof}{\contentsline {figure}{\numberline {8}{\ignorespaces stack-trace}}{11}{figure.8}\protected@file@percent }
+\newlabel{fig:stack-trace}{{8}{11}{stack-trace}{figure.8}{}}
+\@writefile{toc}{\contentsline {subsection}{\numberline {3.9}Client Side Testing}{11}{subsection.3.9}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {4}Web Application Security Firewall}{11}{section.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.1}Information Gathering}{12}{subsection.4.1}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{12}{subsection.4.2}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{13}{subsection.4.3}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.4}Authentication Testing}{13}{subsection.4.4}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.5}Authorization Testing}{13}{subsection.4.5}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.6}Session Management Testing}{13}{subsection.4.6}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.7}Input Validation Testing}{13}{subsection.4.7}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{14}{subsection.4.8}\protected@file@percent }
+\@writefile{toc}{\contentsline {subsection}{\numberline {4.9}Client Side Testing}{14}{subsection.4.9}\protected@file@percent }
+\@writefile{toc}{\contentsline {section}{\numberline {5}Conclusions}{14}{section.5}\protected@file@percent }
+\gdef \@abspage@last{14}

relatorio/relatorio.listing

@@ -1 +1,38 @@
-openssl ca -revoke user.crt -config cheese.cfg -keyfile ca.key -cert ca.crt
+SecRuleEngine On
+SecRequestBodyAccess On
+SecResponseBodyAccess On
+SecDebugLog /var/log/modsecurity/debug.log
+SecDebugLogLevel 0
+SecAuditLogParts ABIJ
+SecAuditLogType Serial
+SecAuditLog /var/log/modsecurity/audit.log
+
+# sql injection
+SecRule REQUEST_URI|ARGS "['\";]|--" \
+SecRule REQUEST_URI|ARGS "(?i:(?:select|insert|update|delete|drop|union|create|alter|truncate)\s+.+\s+from|'[^']*'|--|;|\b(or|and)\b\s+\d+\s*=\s*\d+)" \
+    "id:950001,phase:1,deny,status:403,msg:'SQL INJECTION ATTACK DETECTED!!!',log,t:urlDecode,t:sqlHexDecode,t:lowercase"
+
+# xss / html injection
+SecRule REQUEST_URI|ARGS "(<.*>)|(%3C.*%3E)" \
+    "id:950003,phase:1,deny,status:403,msg:'XSS/HTML INJECTION DETECTED!!!',log"
+
+# command injection
+SecRule ARGS "(\"role\".*:.*\"admin\")|exec|cat|more|ls|dir|/etc/passwd" \
+    "id:950006,phase:2,deny,status:403,msg:'COMMAND INJECTION DETECTED!!!',log"
+
+# path traversal
+SecRule REQUEST_URI|ARGS "\%00|\%2500|\.\./|ftp|metrics|api-docs" \
+    "id:950007,phase:2,deny,status:403,msg:'PATH TRAVERSAL ATTEMPT!!!',log"
+
+# exposed stuff (redundante ?)
+SecRule REQUEST_URI|ARGS "\%00|\%2500|ftp|metrics|api-docs" \
+    "id:950008,phase:2,deny,status:500,msg:'ATTEMPT TO ACCESS FTP, METRICS, API-DOCS!!!',log"
+
+# rate limiting on login endpoint
+# (max 5 requests per 30s per IP)
+SecAction \
+    "id:950009,phase:1,initcol:ip=%{REMOTE_ADDR},pass,nolog"
+SecRule REQUEST_URI "@streq /rest/user/login" \
+    "id:950010,phase:2,pass,nolog,setvar:ip.login_count=+1,expirevar:ip.login_count=30"
+SecRule IP:LOGIN_COUNT "@gt 5" \
+    "id:950011,phase:2,deny,status:429,msg:'Rate Limit Exceeded on Login',log"

relatorio/relatorio.log

@@ -1,9 +1,9 @@
-This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.4.13)  28 APR 2026 11:20
+This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.5.3)  2 JUN 2026 23:18
 entering extended mode
- \write18 enabled.
+ restricted \write18 enabled.
  %&-line parsing enabled.
-**/home/raw/uni/fsi/trabalho/relatorio/relatorio
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.tex
+**relatorio.tex
+(./relatorio.tex
 LaTeX2e <2025-11-01>
 L3 programming layer <2026-01-19>
 (/usr/share/texmf-dist/tex/latex/base/article.cls
@@ -100,8 +100,7 @@ Already applied: [0000-00-00] Fall back to v1 on input line 76.
 LaTeX Info: Redefining \oldstylenums on input line 163.
 LaTeX Info: Redefining \textsw on input line 173.
 )
-(/home/raw/uni/fsi/trabalho/relatorio/style.sty
-(/usr/share/texmf-dist/tex/latex/geometry/geometry.sty
+(./style.sty (/usr/share/texmf-dist/tex/latex/geometry/geometry.sty
 Package: geometry 2020/01/02 v5.9 Page Geometry
 
 (/usr/share/texmf-dist/tex/generic/iftex/ifvtex.sty
@@ -1020,7 +1019,7 @@ LaTeX Font Info:    Font shape `T1/Raleway-OsF/m/n' will be
 File: l3backend-pdftex.def 2025-10-09 L3 backend support: PDF output (pdfTeX)
 \l__color_backend_stack_int=\count371
 )
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.aux
+(./relatorio.aux
 Package babel Info: 'portuguese' activates 'portuges' shorthands.
 (babel)             Reported on input line 8.
 )
@@ -1043,8 +1042,7 @@ LaTeX Font Info:    ... okay on input line 15.
 LaTeX Font Info:    Checking defaults for LY1/ptm/m/n on input line 15.
 LaTeX Font Info:    Trying to load font information for LY1+ptm on input line 1
 5.
-
-(/usr/share/texmf-dist/tex/latex/ly1/ly1ptm.fd
+ (/usr/share/texmf-dist/tex/latex/ly1/ly1ptm.fd
 File: ly1ptm.fd 2001/02/01 font definitions for LY1/ptm using Berry names.
 )
 LaTeX Font Info:    ... okay on input line 15.
@@ -1112,6 +1110,8 @@ File: epstopdf-sys.cfg 2010/07/13 v1.3 Configuration of (r)epstopdf for TeX Liv
 e
 ))
 Package hyperref Info: Link coloring ON on input line 15.
+
+(./relatorio.out) (./relatorio.out)
 \@outlinefile=\write4
 \openout4 = `relatorio.out'.
 
@@ -1147,7 +1147,7 @@ LaTeX Font Info:    Font shape `T1/Raleway-OsF/bold/n' aliased to
 (Font)              `T1/Raleway-OsF/b/n' on input line 19.
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/b/n' will be
 (Font)              scaled to size 14.4pt on input line 19.
- (/home/raw/uni/fsi/trabalho/relatorio/relatorio.toc
+ (./relatorio.toc
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/bold/n' aliased to
 (Font)              `T1/Raleway-OsF/b/n' on input line 2.
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/b/n' will be
@@ -1158,124 +1158,170 @@ LaTeX Font Info:    Font shape `T1/Raleway-OsF/b/n' will be
 
  [2]
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/m/it' will be
-(Font)              scaled to size 10.95pt on input line 26.
+(Font)              scaled to size 10.95pt on input line 28.
+LaTeX Font Info:    Trying to load font information for TS1+Raleway-OsF on inpu
+t line 54.
+
+(/usr/share/texmf-dist/tex/latex/raleway/TS1Raleway-OsF.fd
+File: TS1Raleway-OsF.fd 2025/04/09 (autoinst) Font definitions for TS1/Raleway-
+OsF.
+)
+LaTeX Font Info:    Font shape `TS1/Raleway-OsF/m/n' will be
+(Font)              scaled to size 10.95pt on input line 54.
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/bold/n' aliased to
-(Font)              `T1/Raleway-OsF/b/n' on input line 59.
+(Font)              `T1/Raleway-OsF/b/n' on input line 62.
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/b/n' will be
-(Font)              scaled to size 12.0pt on input line 59.
+(Font)              scaled to size 12.0pt on input line 62.
+ [3{/usr/share/texmf-dist/fonts/enc/dvips/raleway/a_2drkug.enc}{/usr/share/texm
+f-dist/fonts/enc/dvips/cm-super/cm-super-t1.enc}]
 \g__tcobox_out_iow=\write6
 \openout6 = `relatorio.listing'.
 
 LaTeX Font Info:    Font shape `T1/cmtt/bx/n' in size <10.95> not available
-(Font)              Font shape `T1/cmtt/m/n' tried instead on input line 91.
+(Font)              Font shape `T1/cmtt/m/n' tried instead on input line 101.
 LaTeX Font Info:    Font shape `T1/cmtt/bx/n' in size <9> not available
-(Font)              Font shape `T1/cmtt/m/n' tried instead on input line 91.
-
-(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
-File: lstlang1.sty 2025/11/14 1.11b listings language file
-)
-(/usr/share/texmf-dist/tex/latex/listings/lstlang1.sty
-File: lstlang1.sty 2025/11/14 1.11b listings language file
-)
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing
+(Font)              Font shape `T1/cmtt/m/n' tried instead on input line 101.
+ (./relatorio.listing
 LaTeX Font Info:    Font shape `T1/Raleway-OsF/m/n' will be
 (Font)              scaled to size 9.0pt on input line 1.
-) [3{/usr/share/texmf-dist/fonts/enc/dvips/cm-super/cm-super-t1.enc}]
+)
+<./imgs/ftp.png, id=201, 1587.9325pt x 401.5pt>
+File: ./imgs/ftp.png Graphic file (type png)
+<use ./imgs/ftp.png>
+Package pdftex.def Info: ./imgs/ftp.png  used on input line 119.
+(pdftex.def)             Requested size: 452.9679pt x 114.5267pt.
+<./imgs/metrics.png, id=202, 1927.2pt x 1010.77625pt>
+File: ./imgs/metrics.png Graphic file (type png)
+<use ./imgs/metrics.png>
+Package pdftex.def Info: ./imgs/metrics.png  used on input line 125.
+(pdftex.def)             Requested size: 452.9679pt x 237.5633pt.
+
+
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+<./imgs/swagger.png, id=203, 1923.185pt x 995.72pt>
+File: ./imgs/swagger.png Graphic file (type png)
+<use ./imgs/swagger.png>
+Package pdftex.def Info: ./imgs/swagger.png  used on input line 131.
+(pdftex.def)             Requested size: 452.9679pt x 234.5108pt.
+
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+[4 <./imgs/ftp.png (PNG copy)>] [5 <./imgs/metrics.png (PNG copy)> <./imgs/swag
+ger.png (PNG copy)>]
 \openout6 = `relatorio.listing'.
 
-
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing)
-\openout6 = `relatorio.listing'.
+ (./relatorio.listing)
+<./imgs/email-unique.png, id=220, 475.7775pt x 361.35pt>
+File: ./imgs/email-unique.png Graphic file (type png)
+<use ./imgs/email-unique.png>
+Package pdftex.def Info: ./imgs/email-unique.png  used on input line 214.
+(pdftex.def)             Requested size: 317.07614pt x 240.82956pt.
 
 
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [4]
-\openout6 = `relatorio.listing'.
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+[6]
+<./imgs/email-invalido.png, id=243, 504.88625pt x 541.02126pt>
+File: ./imgs/email-invalido.png Graphic file (type png)
+<use ./imgs/email-invalido.png>
+Package pdftex.def Info: ./imgs/email-invalido.png  used on input line 235.
+(pdftex.def)             Requested size: 317.07614pt x 339.772pt.
 
 
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [5]
-\openout6 = `relatorio.listing'.
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+[7 <./imgs/email-unique.png (PNG copy)>]
+<./imgs/suspiciouserrors.png, id=251, 1150.2975pt x 568.1225pt>
+File: ./imgs/suspiciouserrors.png Graphic file (type png)
+<use ./imgs/suspiciouserrors.png>
+Package pdftex.def Info: ./imgs/suspiciouserrors.png  used on input line 266.
+(pdftex.def)             Requested size: 317.07614pt x 156.60258pt.
+<./imgs/suspiciouserrors2.png, id=252, 900.36375pt x 471.7625pt>
+File: ./imgs/suspiciouserrors2.png Graphic file (type png)
+<use ./imgs/suspiciouserrors2.png>
+Package pdftex.def Info: ./imgs/suspiciouserrors2.png  used on input line 272.
+(pdftex.def)             Requested size: 317.07614pt x 166.13432pt.
 
 
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing)
-\openout6 = `relatorio.listing'.
+LaTeX Warning: `!h' float specifier changed to `!ht'.
 
-
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [6]
-\openout6 = `relatorio.listing'.
-
-
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing)
-Overfull \hbox (30.82649pt too wide) in paragraph at lines 281--287
-[]\T1/Raleway-OsF/m/n/10.95 Adicionalmente, de-vido às res-tri-ções de se-gu-ra
-nça do \T1/Raleway-OsF/m/it/10.95 sys-temd\T1/Raleway-OsF/m/n/10.95 , ten-ta-mo
-s de-sa-ti-var o \T1/cmtt/m/n/10.95 ProtectHome
- []
-
-<google-authenticator.jpg, id=244, 225.84375pt x 447.6725pt>
-File: google-authenticator.jpg Graphic file (type jpg)
-<use google-authenticator.jpg>
-Package pdftex.def Info: google-authenticator.jpg  used on input line 297.
-(pdftex.def)             Requested size: 87.59998pt x 173.64207pt.
-
-LaTeX Warning: `h' float specifier changed to `ht'.
-
-\openout6 = `relatorio.listing'.
-
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing)
-\openout6 = `relatorio.listing'.
-
-
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [7]
-\openout6 = `relatorio.listing'.
-
-
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [8 </home/raw/uni/fsi/
-trabalho/relatorio/google-authenticator.jpg>]
-Overfull \hbox (2.06862pt too wide) in paragraph at lines 373--377
-[]\T1/Raleway-OsF/m/n/10.95 Para ve-ri-fi-car que o OCSP fun-ci-ona cor-rec-ta-
-mente, o cli-ente co-nec-tou ao ser-vi-dor OpenVPN:
+[8 <./imgs/email-invalido.png (PNG copy)> <./imgs/suspiciouserrors.png (PNG cop
+y)>]
+Overfull \hbox (6.24345pt too wide) in paragraph at lines 297--298
+[]\T1/Raleway-OsF/b/n/10.95 Tentativa com Script Di-reto: \T1/Raleway-OsF/m/n/1
+0.95 In-se-ri-mos o pay-load tra-di-ci-o-nal \T1/cmtt/m/n/10.95 <script>alert("
+someones
  []
 
 \openout6 = `relatorio.listing'.
 
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [9] [10]
+(./relatorio.listing) [9 <./imgs/suspiciouserrors2.png (PNG copy)>]
 \openout6 = `relatorio.listing'.
 
 
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.listing) [11]
-(/home/raw/uni/fsi/trabalho/relatorio/relatorio.aux)
+(./relatorio.listing)
+<./imgs/stack-trace.png, id=270, 643.90562pt x 378.91562pt>
+File: ./imgs/stack-trace.png Graphic file (type png)
+<use ./imgs/stack-trace.png>
+Package pdftex.def Info: ./imgs/stack-trace.png  used on input line 361.
+(pdftex.def)             Requested size: 317.07614pt x 186.59535pt.
+
+
+LaTeX Warning: `!h' float specifier changed to `!ht'.
+
+[10]
+\openout6 = `relatorio.listing'.
+
+ (./relatorio.listing)
+\openout6 = `relatorio.listing'.
+
+ (./relatorio.listing) [11 <./imgs/stack-trace.png>]
+Overfull \hbox (2.16914pt too wide) in paragraph at lines 446--449
+\T1/Raleway-OsF/m/n/10.95 com tags HTML nos cam-pos de \T1/Raleway-OsF/m/it/10.
+95 in-put\T1/Raleway-OsF/m/n/10.95 , como \T1/cmtt/m/n/10.95 <h1>STRONG\T1/Rale
+way-OsF/m/n/10.95 , de-vol-vendo um erro \T1/cmtt/m/n/10.95 403 Forbidden
+ []
+
+[12]
+Overfull \hbox (51.12938pt too wide) in paragraph at lines 450--456
+\T1/Raleway-OsF/m/n/10.95 corpo JSON do re-gisto) \T1/Raleway-OsF/b/n/10.95 é m
+i-ti-gada pela re-gra id:950006\T1/Raleway-OsF/m/n/10.95 , que de-teta a se-quê
+n-cia \T1/cmtt/m/n/10.95 "role".*:.*"admin"
+ []
+
+[13]
+Overfull \hbox (111.73438pt too wide) in paragraph at lines 509--513
+\T1/Raleway-OsF/m/n/10.95 O pay-load de ex-fil-tra-ção do to-ken JWT via XSS (\
+T1/cmtt/m/n/10.95 <img src="x"onerror="alert(localStorage.getItem('token'))^^T\
+T1/Raleway-OsF/m/n/10.95 )
+ []
+
+[14] (./relatorio.aux)
  ***********
 LaTeX2e <2025-11-01>
 L3 programming layer <2026-01-19>
  ***********
-
-
-Package rerunfilecheck Warning: File `relatorio.out' has changed.
-(rerunfilecheck)                Rerun to get outlines right
-(rerunfilecheck)                or use package `bookmark'.
-
-Package rerunfilecheck Info: Checksums for `relatorio.out':
-(rerunfilecheck)             Before: <no file>
-(rerunfilecheck)             After:  FCCD2EDF8B7B6A2528F85719166C3546;3316.
+Package rerunfilecheck Info: File `relatorio.out' has not changed.
+(rerunfilecheck)             Checksum: 71F23F30E8D22A202B518A954FE83332;4897.
  ) 
 Here is how much of TeX's memory you used:
- 32120 strings out of 469495
- 630845 string characters out of 5470098
- 1463188 words of memory out of 5000000
- 59935 multiletter control sequences out of 15000+600000
- 790677 words of font info for 87 fonts, out of 8000000 for 9000
+ 31813 strings out of 469495
+ 627922 string characters out of 5470099
+ 1260894 words of memory out of 5000000
+ 59761 multiletter control sequences out of 15000+600000
+ 791342 words of font info for 89 fonts, out of 8000000 for 9000
  16 hyphenation exceptions out of 8191
- 113i,8n,122p,500b,1792s stack positions out of 10000i,1000n,20000p,200000b,200000s
+ 113i,8n,122p,697b,1727s stack positions out of 10000i,1000n,20000p,200000b,200000s
 </usr/share/texmf-dist/fonts/type1/impallari/raleway/Raleway-Bold.pfb></usr/s
 hare/texmf-dist/fonts/type1/impallari/raleway/Raleway-Italic.pfb></usr/share/te
 xmf-dist/fonts/type1/impallari/raleway/Raleway-Regular.pfb></usr/share/texmf-di
 st/fonts/type1/public/cm-super/sftt0900.pfb></usr/share/texmf-dist/fonts/type1/
 public/cm-super/sftt1095.pfb>
-Output written on /home/raw/uni/fsi/trabalho/relatorio/relatorio.pdf (11 pages,
- 176542 bytes).
+Output written on relatorio.pdf (14 pages, 883965 bytes).
 PDF statistics:
- 465 PDF objects out of 1000 (max. 8388607)
- 412 compressed objects within 5 object streams
- 274 named destinations out of 1000 (max. 500000)
- 162 words of extra memory for PDF output out of 10000 (max. 10000000)
+ 427 PDF objects out of 1000 (max. 8388607)
+ 363 compressed objects within 4 object streams
+ 149 named destinations out of 1000 (max. 500000)
+ 413 words of extra memory for PDF output out of 10000 (max. 10000000)
 

relatorio/relatorio.out

@@ -0,0 +1,27 @@
+\BOOKMARK [1][-]{section.1}{\376\377\000I\000n\000t\000r\000o\000d\000u\000c\000t\000i\000o\000n}{}% 1
+\BOOKMARK [1][-]{section.2}{\376\377\000A\000r\000c\000h\000i\000t\000e\000c\000t\000u\000r\000e\000\040\000C\000o\000n\000s\000i\000d\000e\000r\000e\000d\000\040\000f\000o\000r\000\040\000B\000o\000t\000h\000\040\000S\000t\000a\000g\000e\000s}{}% 2
+\BOOKMARK [2][-]{subsection.2.1}{\376\377\000N\000e\000t\000w\000o\000r\000k\000\040\000s\000t\000r\000u\000c\000t\000u\000r\000e}{section.2}% 3
+\BOOKMARK [2][-]{subsection.2.2}{\376\377\000S\000e\000r\000v\000e\000r\000s}{section.2}% 4
+\BOOKMARK [2][-]{subsection.2.3}{\376\377\000S\000e\000r\000v\000i\000c\000e\000s}{section.2}% 5
+\BOOKMARK [1][-]{section.3}{\376\377\000W\000e\000b\000\040\000a\000p\000p\000l\000i\000c\000a\000t\000i\000o\000n\000\040\000s\000e\000c\000u\000r\000i\000t\000y\000\040\000t\000e\000s\000t\000i\000n\000g}{}% 6
+\BOOKMARK [2][-]{subsection.3.1}{\376\377\000I\000n\000f\000o\000r\000m\000a\000t\000i\000o\000n\000\040\000G\000a\000t\000h\000e\000r\000i\000n\000g}{section.3}% 7
+\BOOKMARK [2][-]{subsection.3.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000t\000i\000o\000n\000\040\000a\000n\000d\000\040\000D\000e\000p\000l\000o\000y\000m\000e\000n\000t\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 8
+\BOOKMARK [2][-]{subsection.3.3}{\376\377\000I\000d\000e\000n\000t\000i\000t\000y\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 9
+\BOOKMARK [2][-]{subsection.3.4}{\376\377\000A\000u\000t\000h\000e\000n\000t\000i\000c\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 10
+\BOOKMARK [2][-]{subsection.3.5}{\376\377\000A\000u\000t\000h\000o\000r\000i\000z\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 11
+\BOOKMARK [2][-]{subsection.3.6}{\376\377\000S\000e\000s\000s\000i\000o\000n\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 12
+\BOOKMARK [2][-]{subsection.3.7}{\376\377\000I\000n\000p\000u\000t\000\040\000V\000a\000l\000i\000d\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 13
+\BOOKMARK [3][-]{subsubsection.3.7.1}{\376\377\000T\000e\000s\000t\000i\000n\000g\000\040\000f\000o\000r\000\040\000S\000Q\000L\000\040\000I\000n\000j\000e\000c\000t\000i\000o\000n}{subsection.3.7}% 14
+\BOOKMARK [2][-]{subsection.3.8}{\376\377\000T\000e\000s\000t\000i\000n\000g\000\040\000f\000o\000r\000\040\000E\000r\000r\000o\000r\000\040\000H\000a\000n\000d\000l\000i\000n\000g}{section.3}% 15
+\BOOKMARK [2][-]{subsection.3.9}{\376\377\000C\000l\000i\000e\000n\000t\000\040\000S\000i\000d\000e\000\040\000T\000e\000s\000t\000i\000n\000g}{section.3}% 16
+\BOOKMARK [1][-]{section.4}{\376\377\000W\000e\000b\000\040\000A\000p\000p\000l\000i\000c\000a\000t\000i\000o\000n\000\040\000S\000e\000c\000u\000r\000i\000t\000y\000\040\000F\000i\000r\000e\000w\000a\000l\000l}{}% 17
+\BOOKMARK [2][-]{subsection.4.1}{\376\377\000I\000n\000f\000o\000r\000m\000a\000t\000i\000o\000n\000\040\000G\000a\000t\000h\000e\000r\000i\000n\000g}{section.4}% 18
+\BOOKMARK [2][-]{subsection.4.2}{\376\377\000C\000o\000n\000f\000i\000g\000u\000r\000a\000t\000i\000o\000n\000\040\000a\000n\000d\000\040\000D\000e\000p\000l\000o\000y\000m\000e\000n\000t\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 19
+\BOOKMARK [2][-]{subsection.4.3}{\376\377\000I\000d\000e\000n\000t\000i\000t\000y\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 20
+\BOOKMARK [2][-]{subsection.4.4}{\376\377\000A\000u\000t\000h\000e\000n\000t\000i\000c\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 21
+\BOOKMARK [2][-]{subsection.4.5}{\376\377\000A\000u\000t\000h\000o\000r\000i\000z\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 22
+\BOOKMARK [2][-]{subsection.4.6}{\376\377\000S\000e\000s\000s\000i\000o\000n\000\040\000M\000a\000n\000a\000g\000e\000m\000e\000n\000t\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 23
+\BOOKMARK [2][-]{subsection.4.7}{\376\377\000I\000n\000p\000u\000t\000\040\000V\000a\000l\000i\000d\000a\000t\000i\000o\000n\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 24
+\BOOKMARK [2][-]{subsection.4.8}{\376\377\000T\000e\000s\000t\000i\000n\000g\000\040\000f\000o\000r\000\040\000E\000r\000r\000o\000r\000\040\000H\000a\000n\000d\000l\000i\000n\000g}{section.4}% 25
+\BOOKMARK [2][-]{subsection.4.9}{\376\377\000C\000l\000i\000e\000n\000t\000\040\000S\000i\000d\000e\000\040\000T\000e\000s\000t\000i\000n\000g}{section.4}% 26
+\BOOKMARK [1][-]{section.5}{\376\377\000C\000o\000n\000c\000l\000u\000s\000i\000o\000n\000s}{}% 27

relatorio/relatorio.toc

@@ -1,22 +1,28 @@
 \babel@toc {portuguese}{}\relax 
-\contentsline {section}{\numberline {1}Introdução}{3}{section.1}%
-\contentsline {section}{\numberline {2}Preparação Inicial}{3}{section.2}%
-\contentsline {subsection}{\numberline {2.1}Criação de Certificados}{3}{subsection.2.1}%
-\contentsline {subsection}{\numberline {2.2}Configuração geral}{4}{subsection.2.2}%
-\contentsline {section}{\numberline {3}VPN Gateway}{5}{section.3}%
-\contentsline {subsection}{\numberline {3.1}Configuração da Máquina}{5}{subsection.3.1}%
-\contentsline {subsection}{\numberline {3.2}Configuração do Serviço OpenVPN}{6}{subsection.3.2}%
-\contentsline {subsection}{\numberline {3.3}Erros}{7}{subsection.3.3}%
-\contentsline {subsection}{\numberline {3.4}Configurar o utilizador com TOTP}{7}{subsection.3.4}%
-\contentsline {section}{\numberline {4}VPN Client (Road Warrior)}{8}{section.4}%
-\contentsline {subsection}{\numberline {4.1}Configuração da Máquina}{8}{subsection.4.1}%
-\contentsline {subsection}{\numberline {4.2}Configuração do Cliente OpenVPN}{8}{subsection.4.2}%
-\contentsline {subsection}{\numberline {4.3}Testes}{9}{subsection.4.3}%
-\contentsline {section}{\numberline {5}Servidor Apache e OCSP}{9}{section.5}%
-\contentsline {subsection}{\numberline {5.1}Configuração da Máquina}{10}{subsection.5.1}%
-\contentsline {subsection}{\numberline {5.2}Configuração do Serviço Apache}{10}{subsection.5.2}%
-\contentsline {subsubsection}{\numberline {5.2.1}Testes}{10}{subsubsection.5.2.1}%
-\contentsline {subsection}{\numberline {5.3}Configuração do Serviço OpenSSL}{11}{subsection.5.3}%
-\contentsline {subsubsection}{\numberline {5.3.1}Testes}{11}{subsubsection.5.3.1}%
-\contentsline {section}{\numberline {6}Teste Integrado}{11}{section.6}%
-\contentsline {section}{\numberline {7}Conclusão}{11}{section.7}%
+\contentsline {section}{\numberline {1}Introduction}{3}{section.1}%
+\contentsline {section}{\numberline {2}Architecture Considered for Both Stages}{3}{section.2}%
+\contentsline {subsection}{\numberline {2.1}Network structure}{3}{subsection.2.1}%
+\contentsline {subsection}{\numberline {2.2}Servers}{3}{subsection.2.2}%
+\contentsline {subsection}{\numberline {2.3}Services}{3}{subsection.2.3}%
+\contentsline {section}{\numberline {3}Web application security testing}{4}{section.3}%
+\contentsline {subsection}{\numberline {3.1}Information Gathering}{4}{subsection.3.1}%
+\contentsline {subsection}{\numberline {3.2}Configuration and Deployment Management Testing}{4}{subsection.3.2}%
+\contentsline {subsection}{\numberline {3.3}Identity Management Testing}{6}{subsection.3.3}%
+\contentsline {subsection}{\numberline {3.4}Authentication Testing}{7}{subsection.3.4}%
+\contentsline {subsection}{\numberline {3.5}Authorization Testing}{7}{subsection.3.5}%
+\contentsline {subsection}{\numberline {3.6}Session Management Testing}{9}{subsection.3.6}%
+\contentsline {subsection}{\numberline {3.7}Input Validation Testing}{9}{subsection.3.7}%
+\contentsline {subsubsection}{\numberline {3.7.1}Testing for SQL Injection}{10}{subsubsection.3.7.1}%
+\contentsline {subsection}{\numberline {3.8}Testing for Error Handling}{10}{subsection.3.8}%
+\contentsline {subsection}{\numberline {3.9}Client Side Testing}{11}{subsection.3.9}%
+\contentsline {section}{\numberline {4}Web Application Security Firewall}{11}{section.4}%
+\contentsline {subsection}{\numberline {4.1}Information Gathering}{12}{subsection.4.1}%
+\contentsline {subsection}{\numberline {4.2}Configuration and Deployment Management Testing}{12}{subsection.4.2}%
+\contentsline {subsection}{\numberline {4.3}Identity Management Testing}{13}{subsection.4.3}%
+\contentsline {subsection}{\numberline {4.4}Authentication Testing}{13}{subsection.4.4}%
+\contentsline {subsection}{\numberline {4.5}Authorization Testing}{13}{subsection.4.5}%
+\contentsline {subsection}{\numberline {4.6}Session Management Testing}{13}{subsection.4.6}%
+\contentsline {subsection}{\numberline {4.7}Input Validation Testing}{13}{subsection.4.7}%
+\contentsline {subsection}{\numberline {4.8}Testing for Error Handling}{14}{subsection.4.8}%
+\contentsline {subsection}{\numberline {4.9}Client Side Testing}{14}{subsection.4.9}%
+\contentsline {section}{\numberline {5}Conclusions}{14}{section.5}%

relatorio/style.sty

@@ -8,7 +8,7 @@
 \usepackage[dvipsnames]{xcolor}
 \usepackage{enumitem,amssymb}
 \usepackage[colorlinks=true,urlcolor=blue,linkcolor=MidnightBlue]{hyperref}
-\graphicspath{{./img/}}
+\graphicspath{{./imgs/}}
 
 \usepackage{enumitem,amssymb}
 \newlist{todolist}{itemize}{2}

relatorio/texput.log

@@ -0,0 +1,21 @@
+This is pdfTeX, Version 3.141592653-2.6-1.40.29 (TeX Live 2026/Arch Linux) (preloaded format=pdflatex 2026.5.3)  29 MAY 2026 20:43
+entering extended mode
+ restricted \write18 enabled.
+ %&-line parsing enabled.
+**
+
+! Emergency stop.
+<*> 
+    
+End of file on the terminal!
+
+ 
+Here is how much of TeX's memory you used:
+ 4 strings out of 469495
+ 118 string characters out of 5470099
+ 433756 words of memory out of 5000000
+ 28764 multiletter control sequences out of 15000+600000
+ 627721 words of font info for 40 fonts, out of 8000000 for 9000
+ 16 hyphenation exceptions out of 8191
+ 0i,0n,0p,1b,6s stack positions out of 10000i,1000n,20000p,200000b,200000s
+!  ==> Fatal error occurred, no output PDF file produced!