COMP90074 – Web Security Final Examination
Duration: 120 minutes (2 hours)
This exam contains two major components, namely, practical and theoretical. The practical component is worth 30% of the total mark, whereas the theoretical component is worth 70%. Both components are compulsory. You must attempt the practical component prior to attempting the theoretical component as the theoretical component is based on your practical findings. When submitting the exam, please submit it as a PDF, using the format Exam-username.pdf
Set up instructions
Burp Suite
Python3
Practical component (30 marks)
The practical component contains two challenges. Each stage of the challenge will contain a flag in the format FLAG{…}. The documentation expectation for this component is simple dot points displaying the method followed in completing the task and any code (if written), alongside screenshots to accompany the text. Only brief comments and appropriate file names are expected for any code provided. Please ensure that you specify the challenge related to any attachments. Note that code is not an expectation, but can be provided if used.
Testing must be manual only. Manual tools may be used (Burp, Zap, etc), however you may not use the automated scanning capabilities of these tools.
No automated scanning or automated tools may be used (except Burp's Intruder and Python, within reason).
No load testing, denial of service (DOS) or distributed denial of service (DDOS) attacks.
Q.1. (23 marks)
You work as a customer support officer for Outsourced Call Centers Pty. Ltd. Your call centre accepts inbound support calls on behalf of several organisations, including Big Bank Corp and Startup Telecoms.
Using an internal Customer Relationship Management system (CRM), you have access to the customer records of Big Bank Corp. This CRM is accessed every time you receive a phone call so that you can look up the bank's customers' details and assist them with their query.
The CRM has multiple account access levels:
- Client Login (in this case, the client is Big Bank Corp)
  - This allows: configuration of client-side documentation for the support staff to see, as well as administrative access over all client information under that account (i.e. payment information for the account, report metrics/dashboard, and exporting the client's information).
- Support Officer Login (in this case, you)
  - This allows: read access to end-user information, with limited write access for support purposes (e.g. updating an address).
We have a suspicion that there is an IDOR related weakness in the CRM which allows access to data that you would normally not be authorised to see. We also believe that there is a weakness within the MFA implementation.
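As an added illustration of the two weakness classes this question names, and not part of the exam or the exam CRM, the following constructed Python model places an IDOR beside its fix and an MFA check with and without an attempt limit. The records, session tokens, client names and OTP codes are made up for the example; they say nothing about the real target.

```python
"""Constructed in-memory model of an IDOR (object fetched by id with no
ownership check) and a brute-forceable second factor (no attempt limit, code
stays valid until guessed). Nothing here is the exam CRM; all data is made up."""
import hmac

# Constructed sample data: record id -> (owning client, payload)
RECORDS = {
    101: ("big_bank_corp", "customer A: account 12-3456"),
    102: ("big_bank_corp", "customer B: account 98-7654"),
    201: ("startup_telecoms", "customer C: MSISDN 0400000000"),
}

# Constructed sessions: token -> (role, client the session is scoped to)
SESSIONS = {
    "tok-support": ("support", "big_bank_corp"),
    "tok-admin": ("admin", "big_bank_corp"),
}


def get_record_vulnerable(token, record_id):
    """IDOR: authenticates the caller but never checks whether the record
    belongs to the client the session is scoped to, so any valid id is served."""
    if token not in SESSIONS:
        raise PermissionError("not logged in")
    return RECORDS[record_id][1]


def get_record_fixed(token, record_id):
    """Same lookup with the authorisation check the vulnerable version lacks.
    Out-of-scope and non-existent ids produce the same error, so the response
    does not confirm which ids exist."""
    role, client = SESSIONS.get(token, (None, None))
    if role is None:
        raise PermissionError("not logged in")
    owner, payload = RECORDS.get(record_id, (None, None))
    if owner != client:
        raise PermissionError("record not in scope")
    return payload


class OtpVerifier:
    """Six-digit second factor. limit=None models the weak implementation:
    unlimited guesses against a code that stays valid until it is guessed."""

    def __init__(self, code, limit=None):
        self.code = code
        self.limit = limit
        self.attempts = 0
        self.locked = False

    def verify(self, guess):
        if self.locked:
            return False
        self.attempts += 1
        if self.limit is not None and self.attempts > self.limit:
            self.locked = True  # further guesses are refused outright
            return False
        return hmac.compare_digest(self.code, guess)  # constant-time compare


def brute_force_otp(verifier):
    """Enumerate all 10**6 codes in order; returns the accepted code, or None
    if the verifier locks before the right one is reached."""
    for n in range(10**6):
        guess = f"{n:06d}"
        if verifier.verify(guess):
            return guess
        if verifier.locked:
            return None
    return None
```

The support session in the model can read a Startup Telecoms record through `get_record_vulnerable` but not through `get_record_fixed`, and `brute_force_otp` recovers the code from the unlimited verifier while the one with `limit=5` locks after six guesses; the fix for the second factor is the attempt limit (plus invalidating the code after a small number of failures), not the constant-time compare on its own.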
Please investigate the endpoint below and document any vulnerabilities you identify:
http://exam-exploit-31337-rand.unimelb.life
Credentials:
User: support_officer
Password: passCode4986-1337-all-the-best!
User role: support
Target user role: admin
There are two flags for this challenge: one is provided after successfully exploiting the IDOR, and one after successfully exploiting the weak MFA functionality. Please make sure to include screenshots of each flag. Flag format is FLAG{}
Answer here with bullet points for how you found the vulnerability, with a screenshot of the flag (and any accompanying screenshots to help explain your finding)
Q. 2. (7 marks)
The CRM software described in Question 1 above is actually under development! Not too sure why it has been publicly released, but we have reason to believe that some sensitive information has been leaked. Can you help us find this information?
A flag will be provided within the information leakage of the application. Flag format is FLAG{}
Answer here with bullet points for how you found the vulnerability, with a screenshot of the flag (and any accompanying screenshots to help explain your finding)
Theoretical component (70 marks)
Scenario A – CISO of Big Bank Corp, using Sentinel Accounting.
You have recently been promoted to the Chief Information Security Officer (CISO) position at Big Bank Corp, and one of your first tasks is to assess the security posture of your main accounting software, Sentinel Accounting. Being a business partner, Sentinel Accounting have shared with you the recent penetration test report that they have commissioned on their main, cloud-based accounting system.
When specified, the following questions must be answered from the point of view of the CISO of Big Bank Corp, whilst keeping in mind that Big Bank Corp customer data is being stored in the Outsourced Call Centers Pty. Ltd. CRM – meaning security of the data is important!
Scenario B – CISO of Startup Telecoms, using Sentinel Accounting.
In this scenario, everything stays the same as Scenario A, except that you are now the CISO of Startup Telecoms, who also uses Sentinel Accounting as your business partner to handle your customer service capability.
When specified, the following questions must be answered from the point of view of the CISO of Startup Telecoms.
Q. 3. (10 marks)
Using the threat modelling techniques taught in class (using STRIDE and the 4 questions of threat modelling), assess the above-mentioned application for possible vulnerabilities and their remediations. Please answer this question from the point of view of Scenario A – CISO of Big Bank Corp.
A. 3. Answer here
Q. 4. (4 marks)
Write risk statements for the four most critical vulnerabilities you identified in the penetration test (completed in the practical component).
A. 4. Answer here
Q. 5. (2 marks)
Write two risk appetite statements, one as Scenario A and one as Scenario B (theoretical component).
A. 5. Answer here
Q. 6. (4 x 2 x 2 = 16 marks)
Evaluate the risks of the four risk statements identified in Question 4.
Please answer this question from the point of view of Scenario A and Scenario B. You must write the four risk evaluations twice. The first time, as the CISO of Big Bank Corp, and the second time as the CISO of Startup Telecoms. (We expect a total of 8 evaluations)
A. 6. Answer here
Q. 7. (4 x 2 x 2 = 16 marks)
As a CISO, you must often talk to the board in order to obtain budget, for improving the security posture of the organisation. For the four most significant vulnerabilities from the penetration test, provide justification to the board, reasoning why they should pay to resolve these issues.
Please answer this question from the point of view of Scenario A and Scenario B. You must write the four justifications twice. The first time, as the CISO of Big Bank Corp, and the second time as the CISO of Startup Telecoms. (We expect a total of 8 paragraphs, one per finding, per Scenario)
A. 7. Answer here
Q. 8. (15 marks)
Describe your method of testing an application end to end. (max 750 words)
A. 8. Answer here
Q. 9. (4 marks)
Describe the process – end to end, from identifying a risk to entering it into the enterprise risk register and how that risk is re-assessed over time.
A. 9. Answer here
Q. 10. (3 marks)
Define and explain reflected XSS and HTTP Request Smuggling, and explain how they can be used in unison. (max 250 words)
A. 10. Answer here