Tutoring case: COMP90074 Assignment 3

School of Computing and Information Systems
COMP90074: Web Security
Assignment 3

Due date: No later than 11:59pm on Sunday 21st June 2020
Weight: 25%
Marked out of 100

Note: Any challenge with a flag will be explicitly declared. Furthermore, the flag will be in the format: flag{something_here}

Submission format

All students must submit a single zip file with all their code and a PDF version of their report. The zip must be named -assignment3.zip (e.g. testuser1-assignment3.zip). All code for each challenge must be clearly labelled and stored in a separate file, so it is not confused with the code for other challenges. Finally, all code must be referenced within the report. This implies that there will be code in both the report and the separate code file for each task.

If you have any questions or queries, please feel free to reach out via the discussion board, or by contacting Sajeeb (the lecturer).

User account credentials

Your user account credentials will be messaged to you via Canvas, so please pay attention to that.

Challenge: Super Secure Login Page

You have recently graduated from your Cyber Security degree and have formed “We Test Pens Incorporated”. Six Degrees of Separation is a startup who is about to launch their admin panel web application and have hired you to perform an exhaustive penetration test of their web application prior to go-live. They have strict timelines and would like to publicly launch their product on the Monday following your delivery of the penetration testing report. Six Degrees of Separation has selected you for this task due to the high reputation of your Cyber Security degree, and a belief that you will perform with a very high degree of skill.

Due to being a startup, the organisation has a limited budget and was not able to set up a full testing environment. You will be performing all your testing in a production environment and therefore must use great care and skill, performing only manual penetration testing, while being acutely aware of your behaviour in their environment to prevent potential denial of service attacks (this means no automated scanning).

As you are now a professional, your goal is to write up all your findings, with appropriate risk statements, risk ratings, and business-level explanations in a high quality report for delivery at the end of this engagement. The quality of your work and the effort that you put in cannot be judged without a quality report detailing all your findings, potential consequences, impact, and risk severity. Please see the Submission format section for a further explanation of what you must submit for this assignment to be marked.

Lastly, as a tip, you will be testing the full web application specified in the “Scope” section, and are expected to find the following vulnerabilities:

● .git repo leakage -> FLAG{} is available
● SSRF -> FLAG{} is available
● CSRF
● Insecure password policy
● IDOR -> FLAG{} is available
● Username enumeration

Please ensure you write up these findings in a suitable format in your report as you find them. Also make sure to add in your own mitigation recommendations! The practicality of the remediation is very important (tailor the recommendations to the application).

Scope

Testing must only be performed on http://final-countdown.unimelb.life
Testing must be manual only. Manual tools may be used (Burp, Zap, etc.), however you may not use the automated scanning capabilities of these tools.
No automated scanning or automated tools can be used.
No load testing, denial of service (DoS) or distributed denial of service (DDoS) attacks.

Marking Scheme

Vulnerability Name          Marks Weightage   Flag Available?
Username enumeration        10%               No
Insecure password policy    10%               No
CSRF                        15%               No
SSRF                        20%               Yes
IDOR                        20%               Yes
.git repo leakage           25%               Yes

Technical Finding vs. Reporting Weightage

● All technical details will be worth 60% of the vulnerability’s total mark
● All reporting will be worth 40% of the vulnerability’s total mark