Following a web application penetration testing engagement you have identified the following issues.
You must complete the issue justification/explanation/CVEs/vulnerability type as required and write appropriate recommendations for addressing each of the issues identified. You will need to conduct research on the nature and implications of these issues in order to complete the justification/explanation and recommendations. You must use the issue templates provided. Assume that under the "Results" section an actual screen capture or other evidence obtained during the assessment exists.
During a build review one of your colleagues acquired the following evidence but did not have time to write up the actual issues (there are two issues). Your task is to write up these issues using the template from Task 1. Hint: These are low rated issues.
As part of this engagement your lecturer will provide you with access to a group of systems (VM based, actual systems, or both). Depending on the scenario details, you will have to assess the security of these systems within a given timeframe. There might be certain rules that you need to follow during testing, and these will be provided with the scenario details. Examples of such rules are "Perform a non-intrusive test" or "Keep bandwidth within or below a certain threshold". Failing to adhere to any of these scenario rules will result in an automatic mark penalty, details of which will be provided with the scenario.
During the assessment period you will have to run various tools (as required), verify your results and gather all required evidence (e.g. take screen captures, save the output of any tools used, etc.) so that later you can complete your report (a technical report with your findings, using the template that your lecturer will provide). Automated tools such as Nessus, Qualys, etc. should not be used for the reporting of the vulnerabilities.
Deliverables
Tasks 1, 2 & 3: A completed professional technical report based on the template that will be provided by your lecturer.
Task 1 [15 Marks]
Task 2 [20 Marks]
Task 3 [65 Marks]
Marks may be deducted for:
Lack of technical depth, poor presentation, lack of tables, screen captures that do not provide adequate information or whose relevant sections are not highlighted as needed, screenshots that are not cropped appropriately, poor tool options, poor explanation of tool output, poor recommendations, lack of professionalism in the answers provided, poor spelling/grammar, lack of integration/poor flow, poor references/appendices.
Marks will be awarded for:
Completeness, good technical content and depth, and good report writing (including good use of English). Please make sure that you proofread your work. An appropriate professional report structure and presentation is expected.
Grading Criteria
+70%: An excellent report (complete), answering all questions, demonstrating an understanding of the concepts and with an excellent conclusion.
+60%: A good report (complete), answering all questions, showing some understanding of the concepts and with a good conclusion.
+50%: A reasonable report (complete), answering all questions and with a conclusion.
+40%: Report mostly complete, most questions answered and showing only a basic understanding of the concepts.
+30%: Report incomplete, or demonstrating little or no understanding of the concepts, with poor conclusions.