PROJECT INSTRUCTIONS
Overview
In this project, you will perform a security assessment of a hypothetical website and report upon the results of that assessment. You will provide both an executive summary of your findings as well as detailed results of the assessment. You will complete the report in a subsequent paper by providing remediation recommendations and actions you recommend to mitigate against your findings.
Your assessment is to review the website of a hypothetical company, Liberty Beverages, Inc. It is a global corporation specializing as an e-Commerce business in the delivery of beverage products such as specialty coffee and tea products. The business problem that they wish to address is the recent successful attack by a suspected nation state on their website. The attack was able to deface the website as well as access some personal purchasing data by customers. Given its impact on their brand and customer loyalty, this has high visibility with senior management.
Assume that the current web infrastructure consists of a redundant group of web servers running on a Linux platform with Apache web server and ApacheTomcat application server software on which the web application runs. In addition, perimeter security is provided by redundant edge routers for load balancing and redundant firewalls (e.g., Cisco ASA 5000-series) in a demilitarized zone (DMZ) configuration as well as an intrusion detection software (IDS) solution and SIEM for security monitoring. Lastly, the web servers interface with a relational database (e.g., MySQL, SQL Server, Oracle, DB2) and a Storage Area Network (e.g., SAN) for persistent storage. The e-Commerce website is accessible by a variety of devices such as conventional web browsers, tablets, and smart phones. They communicate with the web server using the HTTPS protocol for enhanced security.
For purposes of this assignment, usethe support files for labs 6 and 7 provided as a zip collection, as well as optionally the results from Labs 1, 2, and 6 for inputs - as they have the results from Skipfish, Nessus, and RATS scans. You may also need to drill down into the directory structure in Labs 6 or 7 to assess some items. Of course, these inputs are not as comprehensive as those in a real-world thorough assessment. Your project report can signify those areas that you do not have enough evidence to properly evaluate.
The scope of your assessment is the e-commerce website itself, including the website code and configuration, Linux platform, and Apache web server and application server software. It is not within scope of this assignment to assess other infrastructure components such as the routers, firewalls, IDS, and databases - nor security on remote devices and authentication or authorization mechanisms. The only exception to that would be if there were a vulnerabilitydiscovered in the software directly related to the database. These may be recommended for subsequent follow-up activities.
Instructions
Collect the results of the web vulnerabilities and exploitations from the Support Files in Blackboard for labs 6-7. You may optionally use your work fromLabs 1, 2, and 6. Complete the assessment template (or use your own organization if you include all of the appropriate content listed below) provided for this assignment entitled "Web Application Security Report Template" - including the following sections:
Section 1: Assessment Introduction - Use the overview information from this document to set the context for the report.
Section 1.1: References - Add at least three (3)references.
Section 2: Web Application Description - Leave this section blank for a later remediation project.
Section 3: Assessment Assumptions - Use information from the assignment overview to describe components included in the assessment and components excluded from the assessment (in scope and out of scope). Also note the template instructions in this area.
Section 4: Assessment Approach. Include paragraph in section 4.5 on out of scope items based upon the information provided in the assignment overview (as it mentions what is in and out of scope)- as well as the tools utilized in sections 4.2 and 4.3
Section 5 and corresponding Appendix details. Also note the template instructions in this area- as there is extensive guidance on assessing pass/fail/not assessable status.
Section 5.1 - Include a count of how many high, medium, and low priority items found as well as a one (1)line per item list of high priority items.
Section 5.2 and 5.3 - Provide a pass/fail assessment in the Appendix on each item (including the NIST section) based upon the inputs listed above. You are using your best judgment based upon the assessment and the principles you have learned. For those items that are not directly or indirectly assessed, indicate that as well.There should be enough evidence, however, to assess some of items as pass or fail.
Section 5.5 - List comments about the review of the source code from Labs 1 and 2 and/or the RATS scan results found in the support files zip collection. Note that for purposes of the assignment, this is not a full source code review of all of the web pages but a review of at least one (1)piece of code corresponding to a web vulnerability discovered in the labs.Navigate to the file in the directory structure to research this. Be specific as possible about what you are reviewing. For instance, this could be a review of a web form that has been found to be vulnerable. You mustcomment about what makes the code an issue (e.g., it provides inadequate input validation).
Outputs
This is a five-page research-based paper in current APA format that focuses on the results from a web security assessment. These five or more pages include all of the content in the paper (cover page, table of content, references, all sections of the paper, etc). Since you are adding content to a template that already exceeds the page count, your final paper should exceed the default as well.Use the assessment template "Web Application Security Report Template" as a starting point. You can optionally choose to use your own format, but it must contain all of the elements mentioned above in the instructions. The paper must include at least three (3) referencesin addition to the course textbooks and the Bible.Include relevant screenshots as appropriate and answers to the instruction steps. Be sure to repaginate the table of contents and remove any instructions highlighted in red from the template.
Lab 1: Exploiting Known Web Vulnerabilities
Lab Assessment Questions
1. What are the current OWASP Top 10?
2. What is a brute-force attack and how can the risks of these attacks be mitigated?
3. Explain a scenario where a hacker may use cross-site request forgery (CRFS) to perform authorized transactions.
4. What could be the impact of a successful SQL injection?
5. How would you ensure security between a Web application and a SQL server?
6. What is the underlying cause of a cross-site scripting (XSS) attack?
7. What is the difference between a reflected XSS and a stored, or persistent, XSS?
Challenge Questions
1. What has changed between this year's OWASP Top 10 list and the Top 10 list in 2010? What is the rationale for these changes? List at least five changes.
2. Research any brute-force attack tool (for example, THC Hydra, Brutus, or Burp Intruder). List at least three features of that tool. What method does the tool use in its brute-force attack?
3. What is the purpose of a rainbow table?
Lab 2: Implementing a Security Development Lifecycle (SDL) Plan
Challenge Questions
1. Use the Internet to research the importance of understanding trust boundaries in threat modeling. Summarize your findings. A good resource for this research is the Microsoft SDL Web site.
2. In Part 3 of this lab, you tested five regular expressions to see if they were vulnerable to ReDoS. Two of the five were, in fact, vulnerable. It is possible to conduct these tests without understanding the regular expressions in question. For this challenge, alter the two regular expressions that failed so that they pass. If possible, explain why they failed and why they now pass.
Lab Assessment Questions
1. List and briefly describe the Training phase of the Security Development Lifecycle (SDL).
2. What does the acronym STRIDE stand for?
3. Which of the regular expressions in Part 3 are safe from ReDoS?
4. Why is it necessary for an SDL to include a Response phase? Use the Internet to research at least three components of a typical incident response plan.
5. What are the seven phases in the Microsoft SDL?
6. What is a buffer-overflow or overrun condition?
7. In which phases of the secure software development life cycle might cross-site scripting be discovered?
8. What is ReDoS?
9. What failure did Bin Scope identify in the ActionCenter.dll file? Use the Internet to research the failure and describe its significance.