School of Computing and Information
Systems
COMP90074: Web Security
Assignment 3 - Project Zeus
Due date: No later than 11:59pm on Sunday 6th June 2021
Weight: 25% Marked out of 100
Note: All challenges have a flag in the format: FLAG{something_here}
Note: None of the challenges are related to each other. They are entirely independent.
Submission format
All students must submit a zip file with all their code. A PDF version of their penetration
testing report and threat modelling report should be submitted separately. The PDF must be
named -assignment3-threat-modelling.pdf and
-assignment3-penetration-test-report.pdf. The zip must be named
-assignment3.zip (e.g. testuser1-assignment3.zip).
All code for each challenge must be clearly labelled and stored in a separate file, so it is not
confused with the code for other challenges.
Finally, all code must be referenced within the report. This implies that there will be code in
both the report and the separate code file for each task.
If you have any questions or queries, please feel free to reach out via the discussion board,
or by contacting Sajeeb or Ashley.
Mandatory deliverable:
1. Threat modelling PDF report
2. Penetration test PDF report
3. Zip containing all code used
Scenario (Common for All Sections)
Bank of UniMelb has just come to market and provides an easy, self-service banking
solution to its clients. Users can open new accounts (with proper identity verification
measures), perform banking transactions (such as money transfers and bill payments) with
existing accounts, or close their accounts all from the comfort of their own laptop or
computer. Branch managers have higher privileges than users, and can communicate and
interact with their clients (users assigned to them), see their accounts, and freeze them.
COVID-19 restrictions and the need to work from home have meant Bank of UniMelb wants
a rapid migration to this new digital system. Executives have selected you to ensure the
system is penetration tested and secure before it is deployed. They love the innovation you
have brought to the penetration testing game with your business “We Test Pens
Incorporated” and have high expectations of you.
(Note: the web application you are testing will not have these features implemented, but you
can assume they exist and are functioning correctly.)
Threat Modelling (20%)
Using STRIDE, threat model the application and identify the possible vulnerabilities (at least
two per letter of the acronym). Also, make sure you state who the relevant threat actor is
(e.g. state actor, external attacker, bank client, internal employee, etc.). We expect some
descriptions around the vulnerabilities, diving into some details, alongside the remediation
for them. Should you require knowing the development stack for your remediations, please
assume it is LAMP.
Required sections of the report:
1. Vulnerabilities / threats
2. Correlating threats to threat actors
3. Remediations
Please use the sample report template provided. There will be marks deducted for
anyone who does not use this template.
There is no set word limit for this exercise, but an example has been provided in the
template for you to use as a guide. (Please remove this example prior to submission.)
Testing Scenario (40%)
Bank of UniMelb has selected you for this task due to the high reputation of your cyber
security degree, and a belief that you will perform with a very high degree of skill. Due to the
aforementioned COVID restrictions, the organisation has a limited budget, limited time, and
was not able to set up a full testing environment. You will be performing all your testing in a
production environment and therefore must use great care and skill, performing only manual
penetration testing, while being acutely aware of your behaviour in the organisation's
environment to prevent potential denial of service attacks (this means no automated
scanning).
As you are now a professional, your goal is to present your findings in a high quality report
for delivery at the end of this engagement. The quality of your work and the effort that you
put in cannot be judged without a quality report detailing all your findings, potential
consequences, and recommended remediations. Please see the “Submission format”
section for a further explanation on what you must submit for this assignment to be marked.
Lastly, as a tip, you will be testing the full web application specified in the “Scope” section,
and are expected to find the following vulnerabilities:
Vulnerability Flag Format Marks Weighting
Bypassing client-side
authentication
FLAG{} 5
IDOR via a hidden
parameter
FLAG{} 7.5
Authentication weakness
leading to account takeover
FLAG{} 7.5
Privilege escalation FLAG{} 10
Sensitive files / directories
left behind during testing /
development
FLAG{} 10
For this assignment some tasks will require automation. We recommend using Burp’s
Intruder, but the same thing can be accomplished with Python.
The final vulnerability, Sensitive files / directories left behind during testing / development,
will require the use of an automated tool to brute force directories. We will allow DirBuster,
which can be cloned from https://gitlab.com/kalilinux/packages/dirbuster. You are free to use
external wordlists but you must limit the number of threads to 5.
Please ensure you write up these findings in a suitable format in your report as you find
them. Also make sure to add in your own mitigation recommendations! The
practicality of the remediation is very important (tailor the recommendations to the
application).
Note: There are branch managers created for each student with usernames in the
format -branch-manager. You should attempt to compromise these
accounts and no others.
BONUS MARKS: If you are able to identify vulnerabilities that have not been listed,
please report them for a chance at bonus marks. Bonus marks will be provided at the
discretion of the lecturer based on complexity of the finding and quality of the
writeup.
Out of Scope
The following vulnerabilities are known to the developer and must not be submitted within
the penetration testing report (no marks will be awarded for these findings):
1. Insufficient password policies
2. Sensitive information over HTTP
3. Directory listing enabled
4. Lack of rate limiting on the login page
5. Server-status exposed
Scope
Testing must only be performed on http://assignment-zeus.unimelb.life/
Testing must be manual only. Manual tools may be used (Burp, Zap, etc), however you may
not use the automated scanning capabilities of these tools.
No automated scanning or automated tools can be used.
No load testing, denial of service (DOS) or distributed denial of service (DDOS) attacks.
You may use Burp’s Intruder, but use less than 30 payloads per minute.
You may also use DirBuster, but you must limit the number of threads to 5.
User Credentials
Use your Melbourne University username as the username and password, for logging
into the application.
Report Writing (40%)
For this assignment, we expect a professionally written report, provided to the client
(teaching staff), explaining and specifying each vulnerability you identified by discussing
the vulnerability, the process of exploitation (steps to reproduce the exploits), the
potential impact to the organisation, overall risk, and the remediation (making sure to
tailor it to the application). The vulnerabilities must be listed in order of remediation
priority, based on the risk posed. We expect an overall assessment of the risk posture
for the application, using the findings from your penetration test. Also, please ensure
that the flag is displayed in a screenshot at the end of each challenge’s writeup. We
will not be accepting any flags that are not displayed in a screenshot.
Please use the sample report template provided. There will be marks deducted for
anyone who does not use this template.

欢迎咨询51作业君