CW 1: Security Audit
Assessment brief
View as Coursework BriefSubmission Informtion
| Handout Date | 20/9/2021 |
| Due Date | 3/12/2021 |
| Estimated Effort | 20 Hours |
| Percentage of Module Mark | 100% |
ILO's Assessed
- 1. Interact with the protocols that define the World Wide Web
- 2. Demonstrate practical knowledge of digital certification and TLS
- 3. Perform a security audit of a web application
- 4. Recommend security measures to protect web applications
Task and Mark Distribution
In this assessment you are required to write a report on the security of a web application of up to 2000 words.
This report should consists of two elements:
- Short report demonstrating successful exploitation of common web vulnerabilities (CTF Style)
- Discussion of ONE topic from the OWSAP top 10
Security Assessment
For the first element of the report you will need to complete a series of hacking tasks on a virtual machine.
The machine will allow you to demonstrate your ability to exploit common web application flaws including topics like:
- Directory Scanning
- Cross Site Scripting
- SQL Injection
For the report you are expected to write a brief summary of how you exploited the flaw. For example, a description of the attack, and any payloads used.
This element of the report can be screenshots or code samples, some discussion of the thought process used for exploitation, along with any flags gained during the process.
OWASP Topic Discussion
For the second element of the report you are required to write a short report on ONE element of the OWASP top 10. You are free to chose any element, either one of the topics we study in the lab sessions such as XSS or SQLi, or another element that interests you.
- Introduction to the topic: What it is, and why it is of interest in Cyber security
- Discussion of this topic including:
- Technical discussion of the topic (How does this flaw happen)
- Discussion of the topic in the wider security context (What does it mean in terms of security, how common is it, how "dangerous" is the vulnerability)
- Example of the topic in the "Real world"
- Considerations for mitigating this problem.
- Social, Legal and Ethical considerations with this particular topic
Marking Scheme
| Element | Marks Available |
|---|---|
| Introduction / Conclusions / Structure | 10 |
| Audit | 50 |
| Discussion | 40 |
| (Consisting of) | |
| - Technical Implementation | (15) |
| - Context / Example | (10) |
| - Mitigation | (10) |
| - Legal and Ethical Considerations | (5) |
Suggested Report Structure
The recommended structure for the report is
- Introduction
- Results of the Security Audit
- Discussion of OWASP topic
- Summary
- References
Marking Matrix
| Grade | Mark | Description |
|---|---|---|
| No submission | 0 | No work submitted |
| Fail | 0-25 | Clear failure demonstrating little understanding of relevant theories, concepts and issues. Minimal evidence of research and use of established methodologies and incomplete knowledge of the area. Serious and fundamental errors and aspects missing. No evidence of research. |
| Near Fail | 25-39 | Very limited understanding of relevant theories, concepts and. Little evidence of research and use of established methodologies. Some relevant material will be present. Deficiencies evident in analysis. Fundamental errors and some misunderstanding likely to be present. |
| Pass | 40-49 | Meets the learning outcomes with a basic understanding of relevant theories, concepts and issues.. Demonstrates an understanding of knowledge and subject-specific theories sufficient to deal with concepts. Assessment may be incomplete and with some errors. Research scope sufficient to evidence use of some established methodologies. Some irrelevant material likely to be present |
| 2:2 | 50-59 | Good understanding of relevant theories, concepts and issues with some critical analysis. Research undertaken accurately using established methodologies, enquiry beyond that recommended may be present. Some errors may be present and some inclusion of irrelevant material. Good understanding, with evidence of breadth and depth, of knowledge and subject-specific theories with indications of originality and autonomy |
| 2:1 | 60-69 | Very good work demonstrating strong understanding of theories, concepts and issues with clear critical analysis. Thorough research, using established methodologies accurately, beyond the recommended minimum with little, if any, irrelevant material present. Very good understanding, evidencing breadth and depth, of knowledge and subject-specific theories with some originality and autonomy. |
| First | 70-79 | Excellent work with clear evidence of understanding, creativity and critical/analytical skills. Thorough research well beyond the minimum recommended using methodologies beyond the usual range. Excellent understanding of knowledge and subject-specific theories with evidence of considerable originality and autonomy. |
| Outstanding | 80-90 | Outstanding work with high degree of understanding, creativity and critical/analytical skills. Outstanding understanding of knowledge and subject-specific theories. Evidence of outstanding research well beyond minimum recommended using a range of methodologies. Demonstrates creative flair, originality and autonomy. |
| Exceptional | 90-100 | Exceptional work with very high degree of understanding, creativity and critical/analytic skills. Evidence of exceptional research well beyond minimum recommended using a range of methodologies. . Exceptional understanding of knowledge and subject-specific theories. Demonstrates creative flair, a high degree of originality and autonomy. |