Testing Framework and Basic Security Controls

profilefijunkie
Homework2.pdf

1

Homework 2

Testing Framework and Basic Security Controls

Overview:

This homework will demonstrate your knowledge of creating a testing framework and using that

framework to conduct some basic server and web application security controls.

Assignment:

Develop a testing framework with these phases as guidelines for your organization or an organization you would like to work for in the future.

• Before development begins

• During definition and design

• During development

• During deployment

• Maintenance and operations

You will need to fill in the details for each phase by 1) describing what each phase encompasses and 2) 3

or more activities you will engage in for each phase. In addition, you will apply part of this framework in

the phase “During development” by engaging in three tests/security controls outlined below:

1. Fingerprint Web Server (OTG-INFO-002)

The following command was run from a sample website:

nc localhost 80

HEAD / HTTP/1.0

This output was received:

HTTP/1.1 200 OK

Date: Mon, 15 Jul 2019 01:40:42 GMT

Server: Apache/2.4.7 (Ubuntu)

Last-Modified: Sun, 10 Aug 2014 22:02:57 GMT

ETag: "2cf6-5004d99d98b8a"

Accept-Ranges: bytes

Content-Length: 11510

Vary: Accept-Encoding

X-Content-Type-Options: nosniff

X-Frame-Options: sameorigin

Connection: close

Content-Type: text/html

Perform online research about the discovered software vendor and release. Report upon documented

vulnerabilities with the release.

Report upon how you would mitigate any documented vulnerabilities

2

2. Review webpage comments and metadata for information leakage (OTG-INFO-005). Manually

review the sample HTML/PHP application provided in the zip file attached in this project.

Based upon online research, what are three or more categories of information that would be considered

unacceptable information leakage?

After unzipping the file, you will need to review each file possible leakage of sensitive information.

Summarize upon what you have discovered, your method of discovery and what recommendations you

have for mitigating the issues.

3. Test HTTP Methods (OTG-CONFIG-006) – See which HTTP methods are available on the sample

website.

The following command was run from a sample website:

nc localhost 80

OPTIONS / HTTP/1.1

This output was received:

HTTP/1.1 200 OK

Date: Mon, 15 Jul 2019 01:46:37 GMT

Server: Apache/2.4.7 (Ubuntu)

Allow: GET,HEAD,POST,OPTIONS,TRACE

X-Content-Type-Options: nosniff

X-Frame-Options: sameorigin

Content-Length: 0

Connection: close

Content-Type: text/html

What HTTP methods are enabled and disabled on this site? Which methods potentially pose a security

risk for a web application. Describe how these pose a risk.

Deliverables:

You should submit your source testing framework document along with the results testing the three

security controls listed above.

Your document should be well-organized, well-written using paragraph style, includes page numbers,

includes all references used and contains minimal spelling and grammar errors.