Overview:

This homework will demonstrate your knowledge of testing security controls aligned with Authentication, Authorization and Session Management.

Assignment:

Using the readings from weeks 5 and 6 as a baseline, analyze, test and document the results for the tutoring web application found on the SDEV virtual machine. Specific tests to be conducted include:

1. Test Role Definitions (OTG-IDENT-001)

  • Be sure to create a test matrix for the Roles you see in the application

2. Test User Registration Process (OTG-IDENT-002)

  • Be sure to answer the questions found in the OWASP testing guide for the user registration process and make recommendations for improvements for this aspect of the application

3. Testing for Credentials Transported over an Encrypted Channel (OTG-AUTHN-001)

  • Note since HTTPS is not implemented this will fail. But what recommendations do you have to improve? What do other sites do for Authentication?

4. Testing for default credentials (OTG-AUTHN-002)

  • Are you able to guess a username and default email address?

5. Testing for Weak lock out mechanism (OTG-AUTHN-003)

  • Will the system lock out after X attempts? If not, what issues are associated with this and how could it be remedied?

6. Testing for Weak password policy (OTG-AUTHN-007)

  • Are passwords weak? If so, what do you recommend for improvement?

7. Testing Directory traversal/file include (OTG-AUTHZ-001)

  • Are you able to traverse to another directory? If so, what can be done to fix this?

8. Testing for Bypassing Authorization Schema (OTG-AUTHZ-002)

  • Can you obtain Admin rights through the non-admin path?

9. Testing for cookies attributes (OTG-SESS-002)

  • Are cookies present? Are they expired? Are they easy to guess?

10. Testing for logout functionality (OTG-SESS-006)

  • Can a user log out of their session properly? If not, what recommendations do you have to improve the session security?

You should document the results for the tests, your comments, and recommendations for improved security for each security control tested in a Word or PDF document. Provide screen captures and descriptions of your tests conducted. Discuss any issues found and possible mitigations.
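As an added illustration for test 9 (OTG-SESS-002), not part of the assignment or the tutoring application's code, the Python below audits Set-Cookie headers you record during testing against the three questions asked above: which attributes are present, whether the cookie is already expired, and whether its value looks easy to guess. The sample headers and the 64-bit entropy floor are constructed assumptions, not values observed on the SDEV VM.

```python
import math
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers used only for illustration; they were
# not captured from the tutoring application.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/",
    "role=admin; Expires=Wed, 01 Jan 2020 00:00:00 GMT; Path=/",
    "sid=k3Jx9QpL2vT7mBnZ8cRwY4sHdF6gVa1E; Path=/; Secure; HttpOnly; SameSite=Strict",
]
MIN_ENTROPY_BITS = 64  # assumed floor for a session identifier; tune to your policy

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag-only attributes map to ""
    return name.strip(), value.strip(), attrs

def entropy_bits(value):
    """Shannon entropy of the value's characters scaled by length: a crude
    guessability proxy, so short or repetitive values score low."""
    if not value:
        return 0.0
    n = len(value)
    return -n * sum(c / n * math.log2(c / n) for c in Counter(value).values())

def audit_cookie(header, now=None):
    """Report attribute, expiry and guessability findings for one header."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    findings = [f"missing {flag}" for flag in ("secure", "httponly", "samesite")
                if flag not in attrs]
    if "expires" in attrs:
        try:  # RFC 1123 dates parse to an aware datetime; anything else is a finding
            if parsedate_to_datetime(attrs["expires"]) <= now:
                findings.append("already expired")
        except (TypeError, ValueError):
            findings.append("unparsable expires")
    elif attrs.get("max-age", "").lstrip("-").isdigit() and int(attrs["max-age"]) <= 0:
        findings.append("already expired")
    if entropy_bits(value) < MIN_ENTROPY_BITS:
        findings.append("low-entropy value")
    return {"name": name, "entropy_bits": round(entropy_bits(value), 1), "findings": findings}
```

Paste each Set-Cookie header from your proxy or browser tooling into SAMPLE_HEADERS and include the findings alongside your screen captures.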

Note: Use the SDEV Virtual Machine you downloaded and used for SDEV 300. The URL is here if you need to download it again:

https://citeapps.umuc.edu/SDEV/

The VM runs on the latest version of Oracle Virtual Box.

The directions to reinstall the Tutoring Web Application are also included in the course resources.
