Report on Web Application Penetration Testing and Incident Response

Module name: Penetration Testing & Incident Response
Module code: CECT5804
Title of the Assignment: Report on Web Application Penetration
Testing and Incident Response
This coursework item is: Summative
This summative coursework will be marked anonymously: No
The learning outcomes that are assessed by this coursework are:
1. Demonstrate the ability to produce Penetration Testing plans.
2. Apply Penetration Testing techniques to identify vulnerabilities.
3. Propose an appropriate incident/intrusion response to a computer security
incident.
4. Critically evaluate a range of computer security solutions.
This coursework is: Individual
This coursework constitutes 100% of the overall module mark.
Date Set: 11/05/2019
Date & Time Due: 11/08/2019
Your marked coursework and feedback will be available to you: 4 weeks after submission
When completed you are required to submit your coursework to:
1. Blackboard shell via TurnitIn;
2. Email to [email protected]
Late submission of coursework policy: Late submissions will be processed in accordance
with current University regulations which state:
“the time period during which a student may submit a piece of work late without authorisation and have
the work capped at 40% [50% at PG level] if passed is 14 calendar days. Work submitted unauthorised
more than 14 calendar days after the original submission date will receive a mark of 0%. These
regulations apply to a student’s first attempt at coursework. Work submitted late without authorisation
which constitutes reassessment of a previously failed piece of coursework will always receive a mark of
0%.”
Academic Offences and Bad Academic Practices:
These include plagiarism, cheating, collusion, copying work and reuse of your own work, poor
referencing or the passing off of somebody else's ideas as your own. If you are in any doubt about what
constitutes an academic offence or bad academic practice you must check with your tutor. Further
information and details of how DSU can support you, if needed, are available at:
http://www.dmu.ac.uk/dmu-students/the-student-gateway/academic-support-office/academic-offences.aspx and
http://www.dmu.ac.uk/dmu-students/the-student-gateway/academic-support-office/bad-academic-practice.aspx
Tasks to be undertaken:
Analyse the given web application (via URL/port 80/port 443) for vulnerabilities, and
produce a report summarising your findings.

Objective
Web developers working for a commercial client have implemented a new web
application. The company has requested that a penetration test is carried out
against the web-site, and that a report of the findings is prepared to be returned to the
client.
You will need to download a compressed file (ctec5804_cwk.zip) from
http://146.227.150.225/ctec5804/cwk/
The VM is a Samurai machine with the password samurai. The website that you
need to pen test is located at 127.0.0.1/cwk. The scope of your pen test is limited to
the website as seen from the outside world; this means that you should not look at the
files directly in a terminal.
You will need VM Player (or VM Workstation) to run the Virtual Machine containing the
web-application. VM Player is available to download from:
https://vmware.tech.dmu.ac.uk/ (works best in IE)
You are to plan and execute a penetration test of this web-application. You will
describe the tools and techniques that you used to carry out the test. Your findings will
be prepared as a report (Executive Summary) for the web-site owner, followed by a
fuller discussion of the tools and techniques that you used.
Please note that the coursework is to assess your abilities in finding vulnerabilities
using only port 80 and/or port 443, i.e. via web-page forms or the address box.
Perform the pentest yourself – do not discuss your findings with anyone else. All
sections of the report MUST be an individual piece of work.
Section 1 – Penetration Testing Planning Stage
To plan for the penetration test, you will need to research techniques and tools to
carry out the test. You should consider the use of a web application pen testing
methodology and discuss this in your plan. When discussing the tools and techniques,
you should also consider the likely outcomes and methods of analysis for each.
Section 2 – Penetration Testing Implementation Stage
Your investigation may or may not discover any problems with the web-site. You must
ensure that you have thoroughly documented all tools and processes used in your
investigation. You are also expected to critically analyse your penetration test in
relation to your test plan, highlighting areas of strength and areas where work
deviated from the original design.
The executive summary (a maximum of 600 words) should address the OWASP Top
10 vulnerabilities for 2013 (http://www.owasp.org/index.php/Top_10). The severity of
each uncovered vulnerability should be assessed. The writing style of the summary
should be suitable for a busy MD or CEO who is non-technical.

Section 3 – Preventative Recommendation Stage
Finally, you need to provide preventative recommendations so that the client can react appropriately. You
need to discuss different security solutions to address the identified vulnerabilities and
critically evaluate these security solutions.
Section 4 – Incident/Intrusion Response Plan
In this stage, you also need to propose the essential preparations to make before incidents
occur. For example: what processes and procedures you will put in place, how you
plan to detect and analyse incidents, how you plan to collect data and evidence, how to
build an incident response team, how to perform an initial response, incident handling
and analysis, incident reporting, etc.
Deliverables to be submitted for assessment:
You will have to submit a single report containing all sections listed below.
1: Executive Summary
   - The vulnerabilities you uncovered, recommendations for mitigation, incident
     response plan, together with likely cost areas.
2: Penetration Testing Plan
   - Include your plan.
3: Penetration Testing Implementation Report
   - The report of the implementation stage comprising:
     - an overview of your penetration test, highlighting any findings.
     - a critical analysis of your investigation including, but not limited to, how the
       real process matched the test plan along with any advantages or limitations
       of the tools used.
4: Preventative Recommendation Report
   - The report of the preventative recommendations stage comprising:
     - the preventative recommendations to address the identified vulnerabilities
     - a discussion of different security solutions
5: Incident/Intrusion Response Plan
   - The report of the Incident/Intrusion Response Plan stage comprising:
     - your incident response team structure.
     - your plan to detect and analyse incidents
     - your plan to collect data and evidence
     - the processes and procedures you will put in place
Your document will include an introduction, summary and reference/bibliography.
Ensure all imported/referenced material is properly cross-referenced.
Your report should not exceed 5000 words.
Policy on Word Limits:
Word limits are set as appropriate to individual modules. The policy is usually
to allow answers to exceed the word limit by up to 10% without penalty, and then
to apply a penalty of up to 20% of the marks for answers that exceed the word limit by
up to 30%. Any content that exceeds the word limit by over 30% will not be
marked and hence will not contribute to the final mark.
How the work will be marked:
In order to achieve a 70%+ (Distinction) grade, the work must be excellent in almost
all respects, with only very minor limitations.
In order to achieve a 60-69% (Merit) grade, the work should show strength in most
respects. Whilst there may be some limitations in one or two areas, it is still a very
good piece of work.
In order to achieve a 50-59% (Pass) grade, the work should be of a satisfactory
standard, showing strength in some areas, but typically let down by some other
aspects.
A 0-49% (Fail) grade will be given where the work contains serious errors/limitations.
(0% is used either when nothing is correct or no attempt is made.)
Please refer to the criteria marking grid for the details of the assessment of the work.
Module leader/tutor name: Ying He
Contact details: [email protected]