Developing Secure Software CMP7038B

Overview
The aim of this individual R002 assignment is for you to code a secure,
usable and accessible web-based movie blog system that mitigates, at a
minimum, the five most common security vulnerabilities: account
enumeration, session hijacking, SQL injection, cross-site scripting and
cross-site request forgery.
You will work individually to code and secure the web-based blog using
JavaScript and Node.js, with a MySQL database.
At a minimum, the movie blog system will require registration and login
authentication (two-factor authentication: username/password plus an email
One-Time Password (OTP)), search functionality, and the ability to add,
edit and delete posts. You can use pre-built security libraries, but you must
clearly and concisely explain how they work and how they improve security
for your movie blog system.
To evidence your system's security mitigations working, you need to create a
maximum 15-minute MP4 (max 720p) video demonstration, showing both the front-end (user website view) and back-end (code and database) elements of your system, and attack the system yourself to evidence that you have protected it from a threat actor targeting each vulnerability/element. A OneDrive link to the working video should be sent via email to the MO (Debbie.taylor@uea.ac.uk) before the submission deadline.
Description
You are required to individually develop a small, secure, usable and
accessible, web-based movie blog site that mitigates various security
vulnerabilities.
Development coding of web-based movie blog:
At a minimum, your code should defend against the five most common
vulnerabilities of:
Account enumeration
Session hijacking
SQL injection
Cross-site scripting
Cross-site request forgery
You need to concentrate on coding the security, usability and
accessibility aspects of the web-based movie blog and not on web
development, as you only need to produce a basic usable and accessible
front-end. This will be used to evidence your security processes and
mitigations during a 15-minute MP4 video demonstration. Functionality of
the front-end should be prioritised over aesthetics, but you still need to
consider usability and accessibility.
You must code your website using JavaScript and Node.js, with a MySQL
database. Any Node framework, such as Express, is acceptable, but you
cannot use any other type of SQL database, as you are restricted to
using MySQL.
To secure your movie blog you must include hashing and/or salting of stored
passwords, encryption, and two-factor authentication (2FA) using
username/password plus an email One-Time Password (OTP).
The movie blog should not sacrifice security for usability and accessibility,
or the reverse, but some trade-offs will be needed. You must discuss and
justify any trade-offs you have chosen during your video demonstration.
You can use any pre-built security libraries you believe will be useful, but
these must be clearly and concisely explained as to how they work, what
they secure against and exactly how they provide security protection
specifically for this movie blog. If you cannot or do not fully explain your
library use, you will not attain any marks for that mitigation. You should also
consider coding some of your own processes, as extra marks are available
for self-coded mitigations.
Each mitigation must remain valid across the whole blog site, e.g. you
cannot mitigate SQL injection in one place and then break that mitigation
later while mitigating another vulnerability.
