Reference no: EM132822117
CTEC5804 Penetration Testing and Incident Response - De Montfort University
Penetration Testing & Incident Response
Assignment: Web Application Penetration Testing and Incident Response
Learning outcome 1 Understand penetration testing strategies and methodologies
Learning outcome 2 Application of penetration testing tactics and techniques to assess vulnerabilities
Learning outcome 3 Implement appropriate incident response plan to computer security events
Learning outcome 4 Create a written report for a penetration test to a high standard
Objectives
• Analyse the given Website to identify vulnerabilities.
• Apply penetration testing tactics and techniques to exploit vulnerabilities.
• Summarise the findings, processes, recommendations and incident response plan.
• Demonstrate the ability to conduct a Final Pen Test Report to a high standard.
• Critically evaluate a range of computer security solutions.
• Propose an appropriate incident response to a computer security incident.
Background
Web developers working for a commercial client have implemented a new web application. The company has requested that a penetration test is carried out against the web-site, and that a Final Penetration Test Report is prepared of the findings, to be returned to the client.
Objective
You will need to take notes and produce a report based upon the techniques you used, as well as the results of your exploitations. Provide evidence (i.e. screenshots, test outputs) of all the steps you carry out, and document the commands you use during the test. Critically evaluate a range of security solutions, and propose an appropriate incident response to security events.
The scope of your pen test is limited to the website as seen to the outside world, this means that you should not look at the files directly in a terminal.
The Virtual Machine (VM) is a samurai machine with the password of samurai. The website that you need to pen test is located at 127.0.0.1/cwk.
You will need VMWare Player to run the VM containing the web-application. VMWare Player is available to download from:
You should have VM Player/Workstation installed on your caddy for working on your own machine. NB this VM may work with VirtualBox, but that is at your own risk.
Structure
Your report will include (as a minimum) a title page, table of content, introduction, executive summary and reference/bibliography. Ensure all imported/referenced material is properly cross-referenced, pages and sub/sections heading are numbered, and figures include caption.
• The report will contain:
o An executive summary.
o A brief rationale of the chosen Pen Test methodology.
o Details of the vulnerabilities you have discovered.
o Descriptions of the exploits you used to test the discovered vulnerabilities.
o Details of unsuccessful tests.
o The process and techniques used, including the tools and commands.
o Possible mitigations for each of the vulnerabilities.
o Incident Response plan
• Your contemporaneous notes must be included as an appendix.
• Other appendices will include scan results, screenshots, etc.
Suggested sections:
Section 1 - Executive Summary
The executive summary (a maximum of 600 words) should address the OWASP Top 10 vulnerabilities for 2017.
The risk level of each uncovered vulnerability should be presented. The writing style of the summary should be suitable for a busy MD or CEO who is non-technical.
Section 2 - Penetration Testing Planning
To plan for the penetration testing, you will need to research techniques and tools to carry out the test. You should consider the use of a web application pen testing methodology and discuss this in your plan. When discussing the tools and techniques, you should also consider the likely outcomes and methods of analysis from each.
Section 3 - Penetration Testing Implementation
You must ensure that you have thoroughly documented all tools and processes used in your investigations. You are also expected to critically analyse your penetration test in relation to your test plan, highlighting areas of strength and areas where work deviated from the original design. Your investigation may or may not discover any problems with the web-site.
Section 4 - Preventative Recommendations
Finally, you need to provide preventative recommendations to react appropriately. You need to discuss different security solutions to address the identified vulnerabilities and critically evaluate these security solutions.
Section 5 - Incident Response Plan
In this stage, you also need to propose the essential preparations before the incidents occur. For example, what processes and procedures you will put in place, how you plan to detect and analyse incidents, how you plan to collect data and evidence, how to build an incident response team, how to perform an initial response, incident handling and analysis, incident reporting, etc.
Harvard referencing style
Attachment:- Web Application Penetration Testing.rar