Testing Framework and Basic Security Controls
1
Homework 2
Testing Framework and Basic Security Controls
Overview:
This homework will demonstrate your knowledge of creating a testing framework and using that
framework to conduct some basic server and web application security controls.
Assignment:
Develop a testing framework with these phases as guidelines for your organization or an organization you would like to work for in the future.
• Before development begins
• During definition and design
• During development
• During deployment
• Maintenance and operations
You will need to fill in the details for each phase by 1) describing what each phase encompasses and 2) 3
or more activities you will engage in for each phase. In addition, you will apply part of this framework in
the phase “During development” by engaging in three tests/security controls outlined below:
1. Fingerprint Web Server (OTG-INFO-002)
The following command was run from a sample website:
nc localhost 80
HEAD / HTTP/1.0
This output was received:
HTTP/1.1 200 OK
Date: Mon, 15 Jul 2019 01:40:42 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Sun, 10 Aug 2014 22:02:57 GMT
ETag: "2cf6-5004d99d98b8a"
Accept-Ranges: bytes
Content-Length: 11510
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Connection: close
Content-Type: text/html
Perform online research about the discovered software vendor and release. Report upon documented
vulnerabilities with the release.
Report upon how you would mitigate any documented vulnerabilities
2
2. Review webpage comments and metadata for information leakage (OTG-INFO-005). Manually
review the sample HTML/PHP application provided in the zip file attached in this project.
Based upon online research, what are three or more categories of information that would be considered
unacceptable information leakage?
After unzipping the file, you will need to review each file possible leakage of sensitive information.
Summarize upon what you have discovered, your method of discovery and what recommendations you
have for mitigating the issues.
3. Test HTTP Methods (OTG-CONFIG-006) – See which HTTP methods are available on the sample
website.
The following command was run from a sample website:
nc localhost 80
OPTIONS / HTTP/1.1
This output was received:
HTTP/1.1 200 OK
Date: Mon, 15 Jul 2019 01:46:37 GMT
Server: Apache/2.4.7 (Ubuntu)
Allow: GET,HEAD,POST,OPTIONS,TRACE
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 0
Connection: close
Content-Type: text/html
What HTTP methods are enabled and disabled on this site? Which methods potentially pose a security
risk for a web application. Describe how these pose a risk.
Deliverables:
You should submit your source testing framework document along with the results testing the three
security controls listed above.
Your document should be well-organized, well-written using paragraph style, includes page numbers,
includes all references used and contains minimal spelling and grammar errors.