Bug Hunting Report (2000 words)
The IT Director of Juice Shop has contracted you to execute a bug -hunt exercise on their new web portal application, before they launch their site. Juice Shop is to be the front end to their sales portal for all their products. The new website is critical to the growth of the business, with anticipated revenue generation for about £1m annually.
The Juice Shop pre-deployment application will be provided to you as a zip file for Virtual box/VMware, available from your lab room.
The high-level communication paths between the client, server and data layer elements in juiceshop are as follows:
Your job is to test for and document the following vulnerabilities:
#1 – Access Handling Test
- Log in with the administrator account, without guessing it
- Log in with Jim’s account, without changing it first
- Log in with Bender’s account
#2 – Input Handling Test
- Test for DOM XSS attack
- Test for persisted XSS attack, on the backend server
#3 – Information Leakage Test
- Obtain Jim’s email address, without being administrator
#4 – Application Logic Test
- Post some feedback as 5 star rating from Jim
- Place something into Bender’s basket and pay £0 for it
- Change Jim’s password to “ARURules0K” without using SQL Injection or Forgot Password
#5 – Bonus Test
- Find and decode the REALEaster Egg
Completion of Tasks 1-5
For each task you are expected to provide a repeatable step-by-step walk-through of the steps to identify and exploit each task. You should provide screen-shot evidence for all tasks exploited. Additionally you should justify why you have chosen the tools you used.
To achieve the full 10% for the bonus task #5, you are expected to provide a detailed description of the attack steps together with evidence of your exploitation method. No evidence, No marks.
Explain the Vulnerabilities
Explain from the point of view of the business why these vulnerabilities matter, including the potential risk to the business. You should link these vulnerabilities into OWASP’s TOP 10 2017. You are expected to provide real world examples for each vulnerability discussed.
Explain the Mitigation
You should explain how you have tested for each vulnerability, and how you exploited each vulnerability. You should also explain why the vulnerability exists, and what is needed to do to mitigate it. Provide fully annotated example code to support your mitigation argument.
Report Presentation and Referencing
The report should outline your test environment, such as an annotate network diagram, and justify the tools selected for testing.
The report should include the following sections
- Cover page
- Contents page
- Executive summary
- Exploit walk-through
- Why the vulnerabilities matter
- Mitigation of vulnerabilities
- Appendix (if needed)
All you work should be supported with full Harvard referencing.
You are to write a 2000 word professional report that details:
- 20% Completion of Tasks 1 – 4
- 10% Completion of Task 5
- 25% Explain why each of the five task vulnerabilities matter
- 25% Explain how to mitigate all vulnerabilities found in the five tasks
- 10% Report presentation
- 10% Harvard references
Note: Appendices, tables, figures, code annotation and references don’t count towards word count.
Note: Walk-through of tasks 1-5 does not count towards word count.