Case Study Assignment
5.1 Web Application Vulnerability Detection
As an experienced IT Security Professional, you have been given the project of developing a demonstration model to prove that you are competent in using a wide range of security and forensic tools and techniques to discover vulnerabilities in typical web applications that your clients and customers might use. You are to:
a) Write a concise technical report (2000 words) documenting how to successfully install, configure and test a “sample” vulnerable computer system which incorporates at least 3 of the “Top 10 OWASP Web Application Vulnerabilities”, and show how both commercial vulnerability scanning tools and open source tools can be used to detect these vulnerabilities. An important part of the exercise is that you are also expected to show how the vulnerabilities can be successfully mitigated. The report should be written in the 3rd person.
b) Produce a short animated computer screen video, using either commercial, open source or freeware tools, showing how you used a variety of commercial and/or open source tools from particular forensic toolkits or security frameworks to detect vulnerabilities in the selected vulnerable systems.
A vulnerable system must be selected and justified along with a suitable penetration testing environment to be implemented.
You are required to produce a virtual environment with a minimum of three virtual machines as documented above and report on at least 3 of the top 10 vulnerabilities that you can discover with conventional penetration tools such as Nmap, BackTrack (Kali), VMware etc. and/or commercial vulnerability test tools such as SAINT. You must also present possible mitigating actions or fixes for the top 3 issues you discover. You are required to document your findings in terms of a test plan, with evidence of how the vulnerabilities were discovered and how they should be mitigated.
The OWASP Top 10 vulnerabilities can be found at
and are summarised over the page.
Assessed work within this range attracts such marks because it demonstrates:
• Analysis at a penetrating level, fluently at ease with the topic.
• Arguments which are based on persuasive evidence and are lucid, coherent and convincing.
• Communication which is fluent and well-organised; if written it will be highly coherent and free of solecisms.
• Research which shows strong evidence of a full exploration of key issues and a critically incisive engagement with relevant secondary issues.
• Presentation which is almost entirely error-free and conforms to acceptable conventions of good scholarly practice (referencing, bibliography, footnotes etc.)
Report Marking Criteria
1. Evidence and Documentation of Virtual Testing Environment (10%)
2. Depth of analysis and understanding of security testing issues (including test plan) (15%)
3. Relevance of security issues found (15%)
4. Prioritisation of vulnerabilities found (15%)
5. Research into possible exploit mitigation (15%)
6. Report Presentation/Quality (3rd Person) (10%)
Bonus Marks Examples (10%)
1. Extra Mile References used throughout reports (Harvard Referencing)
2. Supporting evidence of testing, results and operation (hint: graphs, scans and device output)
3. Professional looking documentation (formal report format)
4. Clear and concise configurations with annotation.