
TASK A – Penetration Test

You have been engaged by BadCorp AS, the new owners of badstore.net. They acquired the web property as part of a larger acquisition. Subsequently, they recognised that this system appears to have been sorely neglected and is likely a serious security risk to their organisation. As the CSO put it during the preliminary discussions, "we don't want to be the next Sony". The system has therefore been completely isolated from the rest of their systems and from the Internet at large. They would, however, like to return the site to 'live' status as soon as possible.
You have been commissioned to spend 40 hours conducting the test and reporting.
You have been engaged to conduct a penetration test of the site. The following have been
defined as part of the engagement as ‘in scope’:

• The web application
• The host operating system (and by extension the system platform as a whole)
• The web application framework (including the web server and backend database)
• You are authorised to elevate privileges should you find suitable vulnerabilities.
• While the system source code is not provided, should you obtain it, you may use it to further enhance your report. The primary focus of the penetration test is the security of Internet-facing services, rather than access via the system console.
• No external systems other than badstore.net may be considered.
• This is a purely technical engagement. There is to be no phishing or social engineering of staff or vendors.
• You may conduct testing at any time.

You are required to undertake a penetration test of this target, paying attention to all the items in scope. You should focus specifically on the web application, with a secondary focus on network-exposed services. Document your approach as a series of 'notes' that show your logical progression through the system. It is especially important to explain WHY you are doing things and HOW you progressed through the test. This 'notebook' forms the submission for Task A. You are assessed on your logic and explanation rather than purely on technical proficiency.

TASK B – Penetration Testing Report

As discussed during the course, the technical aspect of penetration testing is often only 'half the work'. For the findings and vulnerabilities to be of any value to the client, the technical aspects need to be compiled into a report.
Your task is to develop a report (see attached file: Task B - Penetration testing report -) which presents your findings to the client, BadCorp AS. While BadCorp AS has an internal IT team, they are stretched thin working on system integration after the acquisition. They have a competent systems administration team and work closely with an external development company for maintaining custom codebases. In preparing the report, keep the following in mind:
• You should explicitly address each of the areas that have been defined as in scope.
• Your report should be presented in a clearly formatted and consistent manner that allows the key issues identified to be determined easily.
• You are required to include an executive summary.
• You are strongly encouraged to make use of external resources such as those discussed during the course to enhance the detail and quality of your report. Suitable references to platform/software/application vulnerabilities (outside of the custom web application) are required.
• Your findings should include enough detail to enable validation by the client, and enough detail to guide remediation. The BadCorp AS IT team will use this either to fix the findings or to pass them on to their partner service providers.

Bear in mind your audiences for this report:
o BadCorp Executives
o BadCorp Security & IT teams
o BadCorp Risk management team (who commissioned the security test)
o Potentially third parties who may be assisting in remediation

The expected length will depend very much on the format chosen. As a guide, you should report on at least six (10) findings.
