CTEC3410 Web Application Penetration Testing
Penetration Test Coursework Specification
Web Application Penetration Testing
Please read all sections of this specification carefully before starting to work.
You may work on the pentest coursework in pairs. You must make it clear in your report who your partner is. I will assume that each partner has contributed equally unless you tell me otherwise. Include a brief appendix that describes how the work was divided. After reading this coursework specification, I strongly suggest you make yourself a check-list of the submission requirements.
Learning outcomes
On successful completion of this module the student will be able to:
1 Understand penetration testing strategies and methodologies
2 Implement penetration testing methodologies to perform a penetration test
3 Explain the role and importance of a scoping document
4 Craft a suitable technical report outlining discovered problems and suggest mitigation
Objectives
• Write a scoping document outlining what can and cannot be tested in the pentest. Include all information that is relevant.
• Analyse the given web application (via URL/port 80/port 443) for vulnerabilities.
• Produce a report describing and analysing the processes you used, the vulnerabilities you found and the exploits you used.
• Produce an executive summary summarising your findings.
Background
You have been approached by a nascent e-commerce business (BozBits PLC) who have had a web application created to support and facilitate their business. However, the business’ management has become suspicious of the quality of the application produced by a web development bureau, and have approached you, as a pentesting consultant, to conduct a web application penetration test. The business has no expertise in webtech and the CEO is technically illiterate.
Requirements
You will prepare, for signing, a scoping contract document, covering the above requirements (any other requirements you identify are for you to create).
You will then plan, execute and document a penetration test of the given web application, following a formal methodology. Which methodology you choose is up to you, but you must give a brief rationale as to why you have selected it. The report will also include details of both successful and unsuccessful tests. There should be sufficient detail for another tester to reproduce your findings.
CTEC3410 Web Application Penetration Testing Penetration Test Coursework Specification
Finally, you have to prepare an Executive Summary of your findings and the implications to the business, remembering that the target reader, the CEO, is not technically capable. Please note that the coursework is to assess your abilities in finding and documenting vulnerabilities using only port 80 and or port 443, ie via web-page forms or the address box. Platform You will need to download a compressed file (ctec3410_victim.vmware.zip) from the Lecturer drive – ie the same directory from which you downloaded the lab virtual machine. The compressed file contains a Virtual Machine which implements a complete operating system hosting a web-application accessible via a browser on port 80. You will need VM Player (or VM Workstation) to run the Virtual Machine containing the web-application. VM
Player is available to download from:
http://downloads.vmware.com/d/info/desktop_end_user_computing/vmware_player/4_0
https://vmware.dmu.ac.uk/
Sections
The workflow is divided into three main sections:
Process 1 – Planning
To aid in planning for the pentest, you will need to start by creating a scoping contract document that defines the shape and process of the pentest. This needs to briefly summarise the extent and limitations of the pentest. Remember that this is a legal document that gives you permission to perform the test. You will also need to select a pentest methodology. Process 2 – Implementation Your investigation may or may not discover any problems with the web-site. However, you must ensure that you have thoroughly documented all processes used in your investigations.
Process 3 – Reporting You have to submit (via Turnitin) a single PDF file containing three documents:
Scoping Contract
• Legal document outlining the expectations and limitations of the pentest. This should contain clauses that include all of the details discussed, and should be a maximum of 600 words.
Technical Report
• Brief rationale of the chosen methodology.
• The report of the implementation stage comprising:
discussion of the processes undertaken to complete the investigation
brief descriptions of the tools used and the commands implemented
©cfi/dmu 2
ctec3410_wapt_2021-2022_coursework-specification
CTEC3410 Web Application Penetration Testing
Penetration Test Coursework Specification
discussion of the vulnerabilities discovered
explanation as to how the vulnerabilities were exploited
• The technical report should be a maximum of 3000 words
not including appendices.
NB extra details can be included as appendices.
Executive Summary
• a brief summary of the vulnerabilities you uncovered and recommendations for mitigation, together with likely cost areas and times, couched in non-technical terms, suitable for a busy MD or CEO who is technically illiterate. This summary should be a maximum of 400 words. Submission
You have to submit the three documents as a single PDF file via the Turnitin link. Each document should be standalone, ie there can be no cross referencing between the documents. You must display the word count for each on the cover page.
• Document 1: Scoping Contract – maximum 600 words
• Document 2: Technical Report – maximum 3000 words
• Document 3: Executive Summary – maximum 400 words
The Technical Report document will include (as a minimum) an introduction, summary and reference/bibliography. Ensure all imported/referenced material is correctly cross-referenced with a recognised methodology. Diagrams/screenshots should also be labelled and
referenced. See the Coursework Specification Coversheet document for date and time of submission.
Notes
• Read this specification in conjunction with the marking scheme, available as a
separate document.
• Always attempt to implement exploits against any vulnerability you discover.
• Make copious notes of everything that you do. It will make writing the report easier.
You should include these notes as an appendix to your report document.
• Take screenshots as you progress. Use these to illustrate your report.
• Credit will only be given for exploits accessed via ports 80 and/or 443.
• If you work as a pair, only one of you needs to submit a the report.
◦ However, you must make it very clear with whom you completed the work.
NB There is an assumption that each partner has contributed equally. If this is not the case,
please include an appendix to your report detailing who has done what.
After reading this coursework specification, I strongly suggest you make yourself a checklist of the submission requirements.
©cfi/dmu 3
ctec3410_wapt_2021-2022_coursework-specification
Get expert help for CTEC3410 Web Application Penetration Testing Assignment and many more. 100% safe, Plag free, Order Online Now!
No Fields Found.