Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
You have been engaged by BadCorp AS who are the new owners of badstore.net. They acquired
the web property as part of a larger acquisition. Subsequent to this, they recognized that this
system seems to have been sorely neglected and is likely a serious security risk to their
organization. As the CSO mentioned during the preliminary discussions, “we don’t want to be the
next Sony”. As such it has been completely isolated from the rest of their systems and from the
Internet at large. They would, however, like to return this site to a ‘live’ status as soon as possible.
You have been commissioned to spend 40 hours conducting the test and reporting.
You have been engaged to conduct a penetration test of the site. The following have been
defined as part of the engagement as ‘in scope’:
You are required to Undertake a Penetration Test on this target, paying attention to all the items in
scope. You should specifically focus on the web application with a secondary focus on network
exposed services. You should document your approach as a series of ‘notes’ to show your logical
progression through the system. It is especially important to explain WHY you are doing things, and
HOW you progressed through the test. This ‘notebook’ forms the submission for task A. You are
assessed on your logic, and explanation rather than purely on technical proficiency.
As has been discussed during the course, the technical aspect of Penetration Testing is often only
‘half the work’. For the findings, and vulnerabilities to be of any value to the client, the technical
aspects need to be compiled into a report.
Your task is to develop a report (See attached file: Task B - Penetration testing report -) which
presents your findings to the client, BadCorp AS. While BadCorp AS has an internal IT team, they
are stretched thin working on system integration post the acquisition. They have a competent
systems administration team and work closely with an external development company for
maintaining custom codebases. In the preparation of the report, keep the following in mind:
• You should explicitly address each of the areas that have been defined as in scope.
• Your report should be presented in a clearly formatted and consistent manner, which allows for
easy determination of the key issues identified.
• You are required to have an executive summary
• You are strongly encouraged to make use of external resources such as those discussed during
the course, to enhance the detail and quality of your report. Suitable references to
platform/software/application vulnerabilities (outside of the custom web application) are
required.
• Your findings should include appropriate detail to enable validation by the client. You should
also include an appropriate level of detail to guide towards remediation of the findings. This will
be used by the BadCorp AS IT team to either fix or pass on to their partner service providers.
The expected length will depend very much on the format chosen. As a guide, you should have as
minimum at least six (10) findings reported on.