Course Title: Expose website security vulnerabilities

Part B: Course Detail

Teaching Period: Term2 2024

Course Code: INTE5062

Course Title: Expose website security vulnerabilities

School: 520T Future Technologies

Campus: City Campus

Program: C4424 - Certificate IV in Cyber Security

Course Contact: Ajay Shiv Sharma

Course Contact Phone: +61 3 9925 1409

Course Contact Email: ajay.shiv.sharma@rmit.edu.au


Name and Contact Details of All Other Relevant Staff

Nominal Hours: 40

Regardless of the mode of delivery, represent a guide to the relative teaching time and student effort required to successfully achieve a particular competency/module. This may include not only scheduled classes or workplace visits but also the amount of effort required to undertake, evaluate and complete all assessment requirements, including any non-classroom activities.

Pre-requisites and Co-requisites

None

Course Description

In the is course you will gain the knowledge of the performance outcomes knowledge and skills required to maintain the security of an organisation’s website by utilising the outcomes of the Open Web Application Security Project (OWASP


National Codes, Titles, Elements and Performance Criteria

National Element Code & Title:

VU23222 Expose website security vulnerabilities

Element:

1 Explain the Hypertext Transfer Protocol (HTTP) and web server architectures

Performance Criteria:

1.1    Web application server architecture is explained
1.2    Structure and operation of the HTTP protocol is described
1.3    Function and role of HTTP Headers is identified
1.4    Typical HTTP Headers are examined
1.5    Securing HTTP using headers is identified
1.6    OWASP Secure Headers Project tools are examined

Element:

2 Identify web site content

Performance Criteria:

2.1    Technology stack of a web application and web server are identified
2.2    Web server scanner software and web content scanner software are demonstrated
2.3    Spiderling for web applications and websites are described and demonstrated

Element:

3 Install web application proxy testing tools

Performance Criteria:

3.1    Example of web application proxy testing tools are described and demonstrated
3.2    Proxy testing tools for a proxy server are configured and installed
3.3    Web application traffic is intercepted and logged with a web application testing tool suite

Element:

4 Use current frameworks that identify common software vulnerabilities

Performance Criteria:

4.1    Existing frameworks that identify common software vulnerabilities are investigated
4.2    Most common web security vulnerabilities are identified
4.3    Methods to determine injection weaknesses (SQLite) for web applications are described and demonstrated
4.4    Methods for basic Broken Authentication and Session Management weaknesses for web applications are described and demonstrated
4.5    Methods for basic Cross Site Scripting (XSS) weaknesses for web applications are described and demonstrated
4.6    Methods for Insecure Direct Object Reference (IDOR) weaknesses for web applications are described and demonstrated

Element:

5 Report web application vulnerabilities

Performance Criteria:

5.1    Technical issues and assigning risk are identified
5.2    Detailed reproduction steps are outlined
5.3    Remediation steps are identified
5.4    Penetration test report is written and presented to relevant technical persons
5.5    Executive summary is prepared and provided to appropriate persons.

Learning Outcomes


On successful completion of this course you will have developed and applied the skills and knowledge required to demonstrate competency in the above elements


Details of Learning Activities

This unit describes the performance outcomes knowledge and skills required to maintain the security of an organisation’s website by utilising the outcomes of the Open Web Application Security Project (OWASP).

It requires the ability to apply penetration testing tools to determine the vulnerabilities of a web site, assess the vulnerabilities and report to appropriate personnel.


Teaching Schedule

  WeekDateTopicAssessment / Learning activities
Week 1 15-21 July Web application server architecture is explained
  • Submit the Survey
  • Take part in class activities
  • Complete the Labs /activities
Week 2 22-28 July

Structure and operation of the HTTP protocol is described

Function and role of HTTP Headers is identified

Typical HTTP Headers are examined
  • Submit the Survey
  • Take part in class activities
  • Complete the Labs /activities
Week 3 29 July - 4 August OWASP Secure Headers Project
  • Complete Week 1 to 2 Activities, if not done previously
  • Complete Week 3 Labs/Activities
Week 4 5-11 August Web server scanner software Demonstration
  • Complete Week 1 to 3 Activities, if not done previously
  • Complete Week 4 Labs/Activities (Include commentary for each screenshot)
Week 5 12-18 August Spiderling for web applications
  • Complete Week 1 to 4 Activities, if not done previously
  • Complete Week 5 Labs/Activities (Include commentary for each screenshot)
Week 6 19-25 August Web application proxy testing tools
  • Complete Week 1 to 5 Activities, if not done previously
  • Complete Week 6 Labs/Activities (Include commentary for each screenshot)
Week 7 26 August - 1 September Methods to determine injection weaknesses 
  • Complete Week 1 to 6 Activities, if not done previously
  • Complete Week 7 Labs/Activities (Include commentary for each screenshot)
   

2-8 September

Mid-semester break 
Week 8 9-15 September SQL injection using (SQLMAP)
  • Complete Week 1 to 7 Activities, if not done previously
  • Complete Week 8 Labs/Activities (Include commentary for each screenshot)
Week 9 16-22 September Broken Authentication and Session Management weaknesses
  • Complete Week 1 to 8 Activities, if not done previously
  • Complete Week 9 Labs/Activities (Include commentary for each screenshot)
Week 10 23-29 September Methods for basic Cross Site Scripting (XSS)
  • Complete Week 1 to 9 Activities, if not done previously
  • Complete Week 10 Labs/Activities (Include commentary for each screenshot)
Week 11 30 September - 6 October Methods for Insecure Direct Object Reference (IDOR) weaknesses
  • Complete Week 1 to 10 Activities, if not done previously
  • Complete Week 11 Labs/Activities (Include commentary for each screenshot)
Week 12 7-13 October Methods for Session Cookies weaknesses
  • Complete Week 1 to 11 Activities, if not done previously
  • Complete Week 12 Labs/Activities (Include commentary for each screenshot)
Week 13 14-20 October Report web application vulnerabilities
  • Complete Week 1 to 12 Activities, if not done previously
  • Complete Week 13 Labs/Activities (Include commentary for each screenshot)
Week 14 21-27 October Revision - Recap Overview of Submission and Final Submission - Question and Answer with Teacher
Week 15 28 October - 3 November Revision - Recap Final Submission - Question and Answer with Teacher
Week 16 4-10 November Revision - Recap Final Submission - Question and Answer with Teacher
Week 17 11-17 November Re-submissions, if required Re-submissions, if required
Week 18 18-24 November Re-submissions, if required Re-submissions, if required


Learning Resources

Prescribed Texts


References


Other Resources

OWASP Top 10


Overview of Assessment

Assessment for this course is ongoing throughout the semester. Your knowledge and understanding of course content is assessed through participation in class exercises, oral/written presentations and through the application of learned skills and insights. Full assessment briefs will be provided and can be found on CANVAS


Assessment Tasks

PRACTICAL ASSESSMENT TASK


Assessment Matrix

Element

  

Performance criteria

  

 

  

 

  

 

  

Assessment

Task 1: AT 1

  

1. Explain the Hypertext

Transfer Protocol

(HTTP) and web server

architectures

  

1.1 Web application server architecture is explained

 

  

X

  

1.2 Structure and operation of the HTTP protocol is

described

 

  

X

  

1.3 Function and role of HTTP Headers is identified

 

  

X

  

1.4 Typical HTTP Headers are examined

 

  

X

  

1.5 Securing HTTP using headers is identified

 

  

X

  

1.6 OWASP Secure Headers Project tools are examined

 

  

X

  

2. Identify web site

content

  

2.1 Technology stack of a web application and web

server are identified

 

  

X

  

2.2 Web server scanner software and web content

scanner software are demonstrated

 

  

X

  

2.3 Spiderling for web applications and websites are

described and demonstrated

 

  

X

  

3. Install web application

proxy testing tools

  

3.1 Example of web application proxy testing tools are

described and demonstrated

 

  

X

  

3.2 Proxy testing tools for a proxy server are configured

and installed

 

  

X

  

3.3 Web application traffic is intercepted and logged with

a web application testing tool suite 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

  

X

  

4. Use current

frameworks that

identify common

software vulnerabilities

 

  

4.1 Existing frameworks that identify common software

vulnerabilities are investigated

 

  

X

  

4.2 Most common web security vulnerabilities are identified

 

  

X

  

4.3 Methods to determine injection weaknesses (SQLite) for web applications are described and demonstrated

 

  

X

  

4.4 Methods for basic Broken Authentication and Session Management weaknesses for web applications are described and demonstrated

 

  

X

  

4.5 Methods for basic Cross Site Scripting (XSS) weaknesses for web applications are described and

demonstrated

 

  

X

  

4.6 Methods for Insecure Direct Object Reference (IDOR) weaknesses for web applications are described and demonstrated

 

  

X

  

5. Report web application

vulnerabilities

 

  

5.1 Technical issues and assigning risk are identified

 

  

X

  

5.2 Detailed reproduction steps are outlined

 

  

X

  

5.3 Remediation steps are identified

 

  

X

  

5.4 Penetration test report is written and presented to relevant technical persons

 

  

X

  

5.5 Executive summary is prepared and provided to appropriate persons.

  

X

  

Other Information

Assessments
To be deemed competent students must demonstrate an understanding of all aspects required
of this course and must achieve a satisfactory standard in each assessment. Assessment
methods have been designed to measure student's competency in each course over multiple
tasks.
Resubmissions
For each assessment submitted by the due date in this course students will be given feedback
within 2 weeks of the assessment submission. If you do not submit your assessment by the
due date or if your first attempt is not satisfactory you will be allowed a single resubmission
attempt for each assessment in this course. You will be provided with a new due date by your
teacher for your resubmission attempt if a resubmission is required.
Due dates
All assessment tasks will have a due date provided and published in Canvas. Assessments
submitted after the due date will not be accepted unless an extension has been provided or
special consideration has been granted.
Extensions
If you will not be able to meet the due date for an assessment you may apply to your teacher
for an extension of up to seven days by completing the Application of Time to Submit
Assessment Work Form at
https://www.rmit.edu.au/content/dam/rmit/documents/Students/Student_forms/Application-
for-extension-of-time-to-submit-work.pdf Applications for an extension of time must be
received before the due date for an assessment.
Special Consideration
If unforeseen circumstances beyond your control prevent you from submitting your work on
time you may be eligible to apply for special consideration. For further information regarding
special consideration, please refer to the RMIT Special Consideration page at
https://www.rmit.edu.au/students/student-essentials/assessment-and-results/special-
consideration

Course Overview: Access Course Overview