School of Computing and Information Systems
COMP90074: Web Security
Assignment 1 - Project Artemis

Due date: No later than 11:59pm on Sunday 11th April 2021
Weight: 12.5%
Marked out of 100

Note: All challenges have a flag in the format: FLAG{something_here}

Submission format

All students must submit a single zip file with all their code and a PDF version of their report. The zip must be named -assignment1.zip (e.g. testuser1-assignment1.zip). All code for each challenge must be clearly labelled and stored in a separate file, so it is not confused with the code for other challenges. Finally, all code must be referenced within the report. This implies that there will be code in both the report and the separate code file for each task.

If you have any questions or queries, please feel free to reach out via the discussion board, or by contacting Sajeeb or Ashley.

Report Writing (25%)

For this assignment, we expect a professionally written report, provided to the client (teaching staff), explaining and specifying each vulnerability you identified by discussing the vulnerability, the process of exploitation (steps to reproduce the exploits), the potential impact to the organisation, and the remediation (making sure to tailor it to the application). Also, please ensure that the flag is displayed in a screenshot at the end of each challenge’s writeup. We will not be accepting any flags that are not displayed in a screenshot.

Please use the sample report template provided. Marks will be deducted for anyone who does not use this template.

Testing Scenario (75%)

You have recently graduated from your cyber security degree and have formed “We Test Pens Incorporated”. InHR is a startup that is about to launch an HR portal and has hired you to perform an exhaustive penetration test of its web application prior to go-live. The organisation has strict timelines and would like to publicly launch the product on the Monday following your delivery of the penetration testing report. InHR has selected you for this task due to the high reputation of your cyber security degree, and a belief that you will perform with a very high degree of skill.

Due to being a startup, the organisation has a limited budget and was not able to set up a full testing environment. You will be performing all your testing in a production environment and therefore must use great care and skill, performing only manual penetration testing, while being acutely aware of your behaviour in the organisation's environment to prevent potential denial of service attacks (this means no automated scanning).

As you are now a professional, your goal is to present your findings in a high quality report for delivery at the end of this engagement. The quality of your work and the effort that you put in cannot be judged without a quality report detailing all your findings, potential consequences, and recommended remediations. Please see the “Submission format” section for a further explanation of what you must submit for this assignment to be marked.

Lastly, as a tip, you will be testing the full web application specified in the “Scope” section, and are expected to find the following vulnerabilities:
● LFI -> FLAG{} is available
● SQL Injection -> FLAG{} is available
● XSS -> FLAG{} is available
● Information Disclosure -> FLAG{} is available

Please ensure you write up these findings in a suitable format in your report as you find them. Also make sure to add in your own mitigation recommendations! The practicality of the remediation is very important (tailor the recommendations to the application).

BONUS MARKS: If you are able to identify vulnerabilities that have not been listed, please report them for a chance at bonus marks. Bonus marks will be provided at the discretion of the lecturer based on the complexity of the finding and the quality of the writeup.

Scope

Testing must only be performed on http://assignment-artemis.unimelb.life/
Testing must be manual only. Manual tools may be used (Burp, Zap, etc), however you may not use the automated scanning capabilities of these tools.
No automated scanning or automated tools can be used.
No load testing, denial of service (DoS) or distributed denial of service (DDoS) attacks.
You may use Burp’s Intruder, but use less than 30 payloads per minute.

User Credentials

Each of these users is identical, however feel free to use whichever you please.

Username  Password
user1     Randompassword123
user2     SecurePass654
user3     TotallyLegit357