Course Title: Expose website security vulnerabilities
Part B: Course Detail
Teaching Period: Term1 2024
Course Code: INTE5062
Course Title: Expose website security vulnerabilities
School: 520T Future Technologies
Campus: City Campus
Program: C4424 - Certificate IV in Cyber Security
Course Contact: Ajay Shiv Sharma
Course Contact Phone: +61 3 9925 1409
Course Contact Email: ajay.shiv.sharma@rmit.edu.au
Name and Contact Details of All Other Relevant Staff
Nominal Hours: 40
Regardless of the mode of delivery, represent a guide to the relative teaching time and student effort required to successfully achieve a particular competency/module. This may include not only scheduled classes or workplace visits but also the amount of effort required to undertake, evaluate and complete all assessment requirements, including any non-classroom activities.
Pre-requisites and Co-requisites
None
Course Description
In the is course you will gain the knowledge of the performance outcomes knowledge and skills required to maintain the security of an organisation’s website by utilising the outcomes of the Open Web Application Security Project (OWASP
National Codes, Titles, Elements and Performance Criteria
National Element Code & Title: |
VU23222 Expose website security vulnerabilities |
Element: |
1 Explain the Hypertext Transfer Protocol (HTTP) and web server architectures |
Performance Criteria: |
1.1 Web application server architecture is explained |
Element: |
2 Identify web site content |
Performance Criteria: |
2.1 Technology stack of a web application and web server are identified |
Element: |
3 Install web application proxy testing tools |
Performance Criteria: |
3.1 Example of web application proxy testing tools are described and demonstrated |
Element: |
4 Use current frameworks that identify common software vulnerabilities |
Performance Criteria: |
4.1 Existing frameworks that identify common software vulnerabilities are investigated |
Element: |
5 Report web application vulnerabilities |
Performance Criteria: |
5.1 Technical issues and assigning risk are identified |
Learning Outcomes
On successful completion of this course you will have developed and applied the skills and knowledge required to demonstrate competency in the above elements
Details of Learning Activities
This unit describes the performance outcomes knowledge and skills required to maintain the security of an organisation’s website by utilising the outcomes of the Open Web Application Security Project (OWASP).
It requires the ability to apply penetration testing tools to determine the vulnerabilities of a web site, assess the vulnerabilities and report to appropriate personnel.
Teaching Schedule
Week 1 | Web application server architecture is explained |
|
Week 2 |
Structure and operation of the HTTP protocol is described Function and role of HTTP Headers is identified Typical HTTP Headers are examined |
|
Week 3 | OWASP Secure Headers Project |
|
Week 4 | Web server scanner software Demonstration |
|
Week 5 | Spiderling for web applications |
|
Week 6 | Web application proxy testing tools |
|
Week 7 | Methods to determine injection weaknesses |
|
29 March - 7 April |
Mid-semester break |
|
Week 8 | SQL injection using (SQLMAP) |
|
Week 9 | Broken Authentication and Session Management weaknesses |
|
Week 10 | Methods for basic Cross Site Scripting (XSS) |
|
Week 11 | Methods for Insecure Direct Object Reference (IDOR) weaknesses |
|
Week 12 | Methods for Session Cookies weaknesses |
|
Week 13 | Report web application vulnerabilities |
|
Week 14 | Final Submission | Overview of Submission and Final Submission - Question and Answer with Teacher |
Week 15 | Final Submission | Final Submission |
Week 16, 17 and 18 | Re-submissions, if required | Re-submissions, if required |
Learning Resources
Prescribed Texts
References
Other Resources
OWASP Top 10
Overview of Assessment
Assessment for this course is ongoing throughout the semester. Your knowledge and understanding of course content is assessed through participation in class exercises, oral/written presentations and through the application of learned skills and insights. Full assessment briefs will be provided and can be found on CANVAS
Assessment Tasks
PRACTICAL ASSESSMENT TASK
Assessment Matrix
Element |
Performance criteria |
|
|
|
Assessment Task 1: AT 1 |
1. Explain the Hypertext Transfer Protocol (HTTP) and web server architectures |
1.1 Web application server architecture is explained
|
X |
1.2 Structure and operation of the HTTP protocol is described
|
X |
|
1.3 Function and role of HTTP Headers is identified
|
X |
|
1.4 Typical HTTP Headers are examined
|
X |
|
1.5 Securing HTTP using headers is identified
|
X |
|
1.6 OWASP Secure Headers Project tools are examined
|
X |
|
2. Identify web site content |
2.1 Technology stack of a web application and web server are identified
|
X |
2.2 Web server scanner software and web content scanner software are demonstrated
|
X |
|
2.3 Spiderling for web applications and websites are described and demonstrated
|
X |
|
3. Install web application proxy testing tools |
3.1 Example of web application proxy testing tools are described and demonstrated
|
X |
3.2 Proxy testing tools for a proxy server are configured and installed
|
X |
|
3.3 Web application traffic is intercepted and logged with a web application testing tool suite
|
X |
|
4. Use current frameworks that identify common software vulnerabilities
|
4.1 Existing frameworks that identify common software vulnerabilities are investigated
|
X |
4.2 Most common web security vulnerabilities are identified
|
X |
|
4.3 Methods to determine injection weaknesses (SQLite) for web applications are described and demonstrated
|
X |
|
4.4 Methods for basic Broken Authentication and Session Management weaknesses for web applications are described and demonstrated
|
X |
|
4.5 Methods for basic Cross Site Scripting (XSS) weaknesses for web applications are described and demonstrated
|
X |
|
4.6 Methods for Insecure Direct Object Reference (IDOR) weaknesses for web applications are described and demonstrated
|
X |
|
5. Report web application vulnerabilities
|
5.1 Technical issues and assigning risk are identified
|
X |
5.2 Detailed reproduction steps are outlined
|
X |
|
5.3 Remediation steps are identified
|
X |
|
5.4 Penetration test report is written and presented to relevant technical persons
|
X |
|
5.5 Executive summary is prepared and provided to appropriate persons. |
X |
Other Information
Assessments
To be deemed competent students must demonstrate an understanding of all aspects required
of this course and must achieve a satisfactory standard in each assessment. Assessment
methods have been designed to measure student's competency in each course over multiple
tasks.
Resubmissions
For each assessment submitted by the due date in this course students will be given feedback
within 2 weeks of the assessment submission. If you do not submit your assessment by the
due date or if your first attempt is not satisfactory you will be allowed a single resubmission
attempt for each assessment in this course. You will be provided with a new due date by your
teacher for your resubmission attempt if a resubmission is required.
Due dates
All assessment tasks will have a due date provided and published in Canvas. Assessments
submitted after the due date will not be accepted unless an extension has been provided or
special consideration has been granted.
Extensions
If you will not be able to meet the due date for an assessment you may apply to your teacher
for an extension of up to seven days by completing the Application of Time to Submit
Assessment Work Form at
https://www.rmit.edu.au/content/dam/rmit/documents/Students/Student_forms/Application-
for-extension-of-time-to-submit-work.pdf Applications for an extension of time must be
received before the due date for an assessment.
Special Consideration
If unforeseen circumstances beyond your control prevent you from submitting your work on
time you may be eligible to apply for special consideration. For further information regarding
special consideration, please refer to the RMIT Special Consideration page at
https://www.rmit.edu.au/students/student-essentials/assessment-and-results/special-
consideration
Course Overview: Access Course Overview