
COMP90074 Web Security

Posted: 2023-05-23 09:00:27


School of Computing and Information Systems

COMP90074: Web Security Assignment 3 - Project Plutus

Due date: No later than 11:59pm on Sunday 4th June 2023

Weight: 25% Marked out of 100

Note: All challenges have a flag in the format: FLAG{something_here}

Note: None of the challenges are related to each other. They are entirely independent.

Submission format

All students must submit a zip file containing all their code. PDF versions of the penetration testing report and the threat modelling report must be submitted separately. The PDFs must be named <username>-assignment3-threat-modelling.pdf and <username>-assignment3-penetration-test-report.pdf. The zip must be named <username>-assignment3.zip (e.g. testuser1-assignment3.zip).

All code for each challenge must be clearly labelled and stored in a separate file, so it is not confused with the code for other challenges.

Finally, all code must be referenced within the report. This means the code for each task will appear both in the report and in its own separate code file.

If you have any questions or queries, please feel free to reach out via the discussion board, or by contacting Sajeeb, Maleehah, or John.

Mandatory deliverables:

1. Threat modelling PDF report

2. Penetration test PDF report

3. Zip containing all code used

Scenario (Common for All Sections)

Bank of UniMelb has just come to market and provides an easy, self-service banking solution to its clients. Users can open new accounts (with proper identity verification measures), perform banking transactions (such as money transfers and bill payments) with existing accounts, or close their accounts all from the comfort of their own laptop or computer. Branch managers have higher privileges than users, and can communicate and interact with their clients (users assigned to them), see their accounts, and freeze them.

COVID-19 restrictions and the need to work from home have meant Bank of UniMelb wants a rapid migration to this new digital system. Executives have selected you to ensure the system is penetration tested and secure before it is deployed. They love the innovation you have brought to the penetration testing game with your business “We Test Pens Incorporated” and have high expectations of you.

(Note: the web application you are testing will not have these features implemented, but you can assume they exist and are functioning correctly.)

Threat Modelling (20%)

Using STRIDE, threat model the application and identify the possible vulnerabilities (at least two per letter of the acronym). Also make sure you state who the relevant threat actor is (e.g. state actor, external attacker, bank client, internal employee, etc.). We expect some description of each vulnerability, going into some detail, alongside its remediation. If you need to know the development stack for your remediations, assume it is LAMP (Linux, Apache, MySQL, PHP).

Required sections of the report:

1. Vulnerabilities / threats

2. Correlating threats to threat actors

3. Remediations

Please use the sample report template provided. There will be marks deducted for anyone who does not use this template.

There is no set word limit for this exercise, but an example has been provided in the template for you to use as a guide. (Please remove this example prior to submission.)

Testing Scenario (40%)

Bank of UniMelb has selected you for this task due to the high reputation of your cyber security degree, and a belief that you will perform with a very high degree of skill. Due to the aforementioned COVID restrictions, the organisation has a limited budget and limited time, and was not able to set up a full testing environment. You will be performing all your testing in a production environment and therefore must use great care and skill: perform only manual penetration testing, and be acutely aware of your behaviour in the organisation's environment so as to avoid causing a denial of service (this means no automated scanning).

As you are now a professional, your goal is to present your findings in a high quality report for delivery at the end of this engagement. The quality of your work and the effort that you put in cannot be judged without a quality report detailing all your findings, potential consequences, and recommended remediations. Please see the “Submission format” section for a further explanation of what you must submit for this assignment to be marked.

Lastly, as a tip, you will be testing the full web application specified in the “Scope” section, and are expected to find the following vulnerabilities:

| Vulnerability                                                          | Flag Format | Marks Weighting |
|------------------------------------------------------------------------|-------------|-----------------|
| Bypassing client-side authentication                                   | FLAG{}      | 5               |
| IDOR via a hidden parameter                                            | FLAG{}      | 7.5             |
| Authentication weakness leading to account takeover                    | FLAG{}      | 7.5             |
| Privilege escalation                                                   | FLAG{}      | 10              |
| Sensitive files / directories left behind during testing / development | FLAG{}      | 10              |

For this assignment some tasks will require automation. We recommend using Burp’s Intruder, but the same thing can be accomplished with Python.

The final vulnerability, Sensitive files / directories left behind during testing / development, will require the use of an automated tool to brute force directories. We will allow DirBuster, which can be cloned from https://gitlab.com/kalilinux/packages/dirbuster. You are free to use external wordlists, but you must limit the number of threads to 5.

Please ensure you write up these findings in a suitable format in your report as you find them. Also make sure to add in your own mitigation recommendations! The practicality of the remediation is very important (tailor the recommendations to the application).

Note: There are branch managers created for each student with usernames in the format <username>-branch-manager. You should attempt to compromise these accounts and no others.

BONUS MARKS: If you are able to identify vulnerabilities that have not been listed, please report them for a chance at bonus marks. Bonus marks will be provided at the discretion of the lecturer based on complexity of the finding and quality of the writeup.

Out of Scope

The following vulnerabilities are known to the developer and must not be submitted within the penetration testing report (no marks will be awarded for these findings):

1. Insufficient password policies

2. Sensitive information over HTTP

3. Directory listing enabled

4. Lack of rate limiting on the login page

5. Server-status exposed

Scope

Testing must only be performed on http://assignment-plutus.unimelb.life/

Testing must be manual only. Manual tools may be used (Burp, ZAP, etc.); however, you may not use the automated scanning capabilities of these tools.

No automated scanning or automated tools can be used.

No load testing, denial of service (DoS) or distributed denial of service (DDoS) attacks. You may use Burp’s Intruder, but use fewer than 30 payloads per minute.

You may also use DirBuster, but you must limit the number of threads to 5.

User Credentials

Use your Melbourne University username as both the username and the password for logging into the application.

Report Writing (40%)

For this assignment, we expect a professionally written report, provided to the client (teaching staff), explaining and specifying each vulnerability you identified: a discussion of the vulnerability, the process of exploitation (steps to reproduce the exploit), the potential impact to the organisation, the overall risk, and the remediation (tailored to the application). The vulnerabilities must be listed in order of remediation priority, based on the risk posed. We expect an overall assessment of the risk posture of the application, using the findings from your penetration test. Also, please ensure that the flag is displayed in a screenshot at the end of each challenge’s writeup. We will not accept any flag that is not displayed in a screenshot.

Please use the sample report template provided. There will be marks deducted for anyone who does not use this template.

From: https://www.cnblogs.com/messagejava/p/17422288.html
