School of Computing and Information
Systems
COMP90074: Web Security
Assignment 3
Due date: No later than 11:59pm on Sunday 21st June 2020
Weight: 25% Marked out of 100
Note: Any challenge with a flag will be explicitly declared. Furthermore, the flag will be
in the format: flag{something_here}

Submission format
All students must submit a single zip file with all their code and a ​PDF version of their
report​. The zip must be named -assignment3.zip (e.g.
testuser1-assignment3.zip).

All code for each challenge must be clearly labelled and stored in a separate file, so it is not
confused with the code for other challenges.

Finally, all code must be referenced within the report. This implies that there will be code in
both the report and the separate code file for each task.

If you have any questions or queries, please feel free to reach out via the discussion board,
or by contacting Sajeeb (the lecturer).

User account credentials
Your user account credentials will be messaged to you via Canvas, so please pay
attention to that.

Challenge: Super Secure Login Page
You have recently graduated from your Cyber Security degree and have formed “We Test
Pens Incorporated”.

Six Degrees of Separation is a startup who is about to launch their admin panel web
application and have hired you to perform an exhaustive penetration test of their web
application prior to go-live. They have strict timelines and would like to publically launch their
product on the Monday following your delivery of the penetration testing report.

Six Degrees of Separation has selected you for this task due to the high reputation of your
Cyber Security degree, and a belief that you will perform with a very high degree of skill. Due
to being a startup, the organisation has a limited budget and was not able to set up a full
testing environment. You will be performing all your testing in a production environment and
therefore must use great care and skill, performing only manual penetration testing, while
being acutely aware of your behaviour in their environment to prevent potential denial of
service attacks ​(this means no automated scanning)​.

As you are now a professional, your goal is to write-up all your findings, with appropriate risk
statements, risk ratings, and business-level explanations into a high quality report for
delivery at the end of this engagement. The quality of your work and the effort that you put in
cannot be judged without a quality report detailing all your findings, potential consequences,
impact, and risk severity. Please see the Submission format section for a further explanation
on what you must submit for this assignment to be marked.

Lastly, as a tip, you will be testing the full web application specified in the “Scope” section,
and are expected to find the following vulnerabilities:
● .git repo leakage -> FLAG{} is available
● SSRF -> FLAG{} is available
● CSRF
● Insecure password policy
● IDOR -> FLAG{} is available
● Username enumeration
Please ensure you write up these findings in a suitable format in your report as you find
them. ​Also make sure to add in your own mitigation recommendations! The
practicality of the remediation is very important (tailor the recommendations to the
application).
Scope
Testing must only be performed on ​http://final-countdown.unimelb.life
Testing must be manual only. Manual tools may be used (Burp, Zap, etc), ​however you may
not use the automated scanning capabilities of these tools​.
No automated scanning or automated tools can be used.
No load testing, denial of service (DOS) or distributed denial of service (DDOS) attacks.
Marking Scheme

Vulnerability Name Marks Weightage Flag Available?
Username enumeration 10% No
Insecure password policy 10% No
CSRF 15% No
SSRF 20% Yes
IDOR 20% Yes
.git repo leakage 25% Yes

Technical Finding Vs. Reporting Weightage
● All technical details will be worth 60% of the vulnerability’s total mark
● All reporting will be worth 40% of the vulnerability’s total mark