Opening Framing: The Complete Assessment
Over the past eleven weeks, you've built a comprehensive web application security testing toolkit. You've mastered authentication attacks, injection techniques, access control testing, API security, and modern framework vulnerabilities.
Now it's time to bring everything together. This capstone simulates a real web application security assessment—from initial reconnaissance through final reporting. You'll demonstrate not just individual techniques, but the ability to conduct a complete, professional engagement.
The deliverable is a professional security assessment report that you could present to a client. This is what web application security testers produce.
Key insight: Individual vulnerabilities matter less than the overall security posture. A complete assessment tells the full story.
Capstone Scenario: SecureBank Online
You've been engaged to perform a web application security assessment for SecureBank's online banking platform.
ENGAGEMENT OVERVIEW
Client: SecureBank Financial Services
Application: Online Banking Platform
Type: Web Application Security Assessment
Duration: 1 week (simulated)
SCOPE:
- Web application at target URL
- All authenticated and unauthenticated functionality
- API endpoints
- Client-side JavaScript
- Mobile API (if accessible via same backend)
OUT OF SCOPE:
- Denial of Service testing
- Social engineering
- Physical security
- Third-party integrations (payment processors)
- Infrastructure/network testing
OBJECTIVES:
1. Identify security vulnerabilities
2. Assess risk and business impact
3. Demonstrate exploitability
4. Provide remediation guidance
5. Deliver professional report
TEST ACCOUNTS PROVIDED:
- Standard user: testuser / TestPass123!
- Second user: testuser2 / TestPass456!
- (Admin access not provided - test for escalation)
RULES OF ENGAGEMENT:
- Testing hours: Any (lab environment)
- Do not modify or delete production data
- Document all testing activities
- Report critical findings immediately
Phase 1: Reconnaissance and Mapping
Comprehensive application discovery:
Tasks:
- Technology Fingerprinting: Identify stack, frameworks, libraries
- Application Mapping: Document all functionality
- API Discovery: Find all API endpoints
- JavaScript Analysis: Extract endpoints, secrets, logic
- Entry Point Inventory: Document all input vectors
Deliverables:
□ Technology stack summary
□ Application sitemap/flowchart
□ Complete API endpoint list
□ JavaScript analysis findings
□ Entry point inventory with parameters
□ Authentication mechanism analysis
Methodology:
# Technology identification
whatweb https://target.com
# Wappalyzer browser extension
# Manual crawling through Burp
# Document all pages, forms, features
# API discovery
# Check /api-docs, /swagger.json
# Extract from JavaScript files
python linkfinder.py -i https://target.com/main.js -o cli
# Entry point documentation
# Every parameter in every request
Phase 2: Authentication and Session Testing
Test identity and session management:
Tasks:
- Username Enumeration: Test login, registration, password reset
- Password Policy: Assess strength requirements
- Brute Force Protection: Test rate limiting, lockout
- Session Analysis: Token entropy, cookie flags
- Session Lifecycle: Fixation, logout, timeout
Deliverables:
□ Username enumeration findings
□ Password policy assessment
□ Brute force protection analysis
□ Session token analysis (Burp Sequencer)
□ Cookie security audit
□ CSRF protection assessment
Testing Focus:
# Authentication
- Different error messages?
- Account lockout after X attempts?
- Rate limiting present?
# Session
- HttpOnly, Secure, SameSite flags?
- Session regeneration on login?
- Proper logout (server-side invalidation)?
# CSRF
- Tokens present on state-changing requests?
- Tokens properly validated?
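The session and CSRF checks in the list above are easy to get wrong in the write-up unless the expected behaviour is spelled out. The following is an added example, not part of the course material: a cookie-flag audit over a Set-Cookie header, a tiny in-memory session store that behaves the way the checklist expects (regeneration on login, server-side invalidation on logout), and a constant-time CSRF token comparison. The header strings, the `SessionStore` class and the function names are this example's own constructions.

```python
"""Phase 2 helpers: cookie flag audit, session lifecycle check, CSRF compare.

Constructed example: the header strings and the in-memory SessionStore stand
in for a target's responses; the function names are this example's own.
"""
import hmac
import secrets


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header: str) -> dict:
    """Report which hardening flags a session cookie is missing."""
    name, _, attrs = parse_set_cookie(header)
    missing = []
    if attrs.get("httponly") is not True:
        missing.append("HttpOnly")      # readable from script: XSS can exfiltrate it
    if attrs.get("secure") is not True:
        missing.append("Secure")        # would also be sent over plain HTTP
    samesite = attrs.get("samesite")
    # Absent, bare, or SameSite=None all leave the cookie attached to
    # cross-site requests, which is what a CSRF finding builds on.
    if samesite is None or samesite is True or str(samesite).lower() == "none":
        missing.append("SameSite")
    return {"cookie": name, "missing": missing}


class SessionStore:
    """Minimal server-side session table with the lifecycle the checklist expects."""

    def __init__(self):
        self._live = {}  # session id -> username (None while anonymous)

    def create(self, user=None) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits: passes a Sequencer-style check
        self._live[sid] = user
        return sid

    def login(self, old_sid: str, user: str) -> str:
        # Regenerate the id on privilege change so a fixated pre-login id is useless.
        self._live.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid: str) -> None:
        self._live.pop(sid, None)  # server-side invalidation, not just cookie expiry

    def is_live(self, sid: str) -> bool:
        return sid in self._live


def assess_session_lifecycle(store=None) -> dict:
    """Walk login and logout and record the three session checks from the list."""
    store = store or SessionStore()
    anon = store.create()
    authed = store.login(anon, "testuser")
    regenerated = authed != anon
    old_dead = not store.is_live(anon)
    store.logout(authed)
    return {
        "regenerated_on_login": regenerated,
        "old_session_dead_after_login": old_dead,
        "invalidated_on_logout": not store.is_live(authed),
    }


def csrf_token_valid(session_token: str, submitted: str) -> bool:
    """Constant-time comparison of the per-session CSRF token with the form value."""
    return bool(submitted) and hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    print(audit_cookie("session=abc123; Path=/"))                       # three flags missing
    print(audit_cookie("session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"))
    print(assess_session_lifecycle())
    print(csrf_token_valid("t0ken", "t0ken"), csrf_token_valid("t0ken", ""))
```

Run `audit_cookie` over every Set-Cookie header Burp captured on login; a cookie that fails all three flags is the evidence line for the cookie security audit deliverable, and a session id that survives logout (the `invalidated_on_logout` check) is the evidence for the logout finding.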
Phase 3: Authorization and Access Control
Test who can access what:
Tasks:
- IDOR/BOLA: Test all object references
- Privilege Escalation: Access admin functions
- Mass Assignment: Add unauthorized properties
- Function-Level Access: Test API authorization
- Business Logic: Workflow and process flaws
Deliverables:
□ IDOR findings with evidence
□ Privilege escalation attempts
□ Mass assignment test results
□ Horizontal access control findings
□ Vertical access control findings
□ Business logic flaw documentation
Testing Approach:
# With two accounts:
# Access User B's data with User A's session
# All object references:
/api/accounts/123 → Try /api/accounts/124
/api/transactions/ABC → Try /api/transactions/DEF
# Admin functionality:
# Find admin endpoints in JS
# Try accessing directly
# Mass assignment:
POST /api/profile
{"name": "Test", "role": "admin", "balance": 999999}
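To make the IDOR and mass-assignment findings concrete (and to have a remediation to cite), here is an added example that is not part of the course material: a profile-update handler written the vulnerable way next to the hardened version. The in-memory `PROFILES` table, the ids and balances are constructed; the two usernames are the engagement's test accounts. The request body is the one shown above.

```python
"""Phase 3 demo: IDOR plus mass assignment in one handler, and the fixed version.

Constructed example with an in-memory profile table; ids and balances are made up.
"""
import copy

PROFILES = {
    101: {"owner": "testuser", "name": "Test User", "role": "user", "balance": 1500},
    102: {"owner": "testuser2", "name": "Test User 2", "role": "user", "balance": 2400},
}

# Fields a user may legitimately change about themselves.
WRITABLE = {"name", "email", "phone"}


def fresh_db():
    """Independent copy so each demo run starts from the same state."""
    return copy.deepcopy(PROFILES)


def update_profile_vulnerable(session_user, profile_id, body, db):
    """Vulnerable handler: no ownership check, and every JSON key is written through."""
    profile = db[profile_id]   # any authenticated user can name any id (IDOR)
    profile.update(body)       # "role" and "balance" land in the record (mass assignment)
    return profile


def update_profile_secure(session_user, profile_id, body, db):
    """Hardened handler: ownership enforced server-side, writable fields allow-listed."""
    profile = db.get(profile_id)
    if profile is None or profile["owner"] != session_user:
        raise PermissionError("not your profile")  # same response whether or not the id exists
    rejected = sorted(set(body) - WRITABLE)
    for key in WRITABLE & set(body):
        profile[key] = body[key]
    return profile, rejected


def demo():
    """Produce the two pieces of evidence a Phase 3 write-up needs."""
    body = {"name": "Test", "role": "admin", "balance": 999999}
    db = fresh_db()
    before = update_profile_vulnerable("testuser", 101, body, db)
    crossed = update_profile_vulnerable("testuser", 102, {"name": "changed"}, db)
    db = fresh_db()
    after, rejected = update_profile_secure("testuser", 101, body, db)
    try:
        update_profile_secure("testuser", 102, {"name": "changed"}, db)
        cross_blocked = False
    except PermissionError:
        cross_blocked = True
    return {
        "vulnerable_role": before["role"],          # "admin"
        "vulnerable_cross_user_name": crossed["name"],
        "secure_role": after["role"],               # still "user"
        "secure_rejected": rejected,                # ["balance", "role"]
        "secure_cross_user_blocked": cross_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The fix has two independent parts, and the report should say so: the ownership check closes the horizontal access control finding, and the allow-list closes the mass assignment finding. Fixing only one leaves the other exploitable.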
Phase 4: Injection Testing
Test all input for injection vulnerabilities:
Tasks:
- SQL Injection: All parameters, all techniques
- XSS: Reflected, stored, DOM-based
- Command Injection: Any system interaction
- Other Injection: XXE, SSTI, LDAP if applicable
- Header Injection: CRLF, Host header
Deliverables:
□ SQL injection findings with payloads
□ XSS findings with PoC
□ Other injection testing results
□ Filter bypass techniques used
□ Impact assessment for each finding
Testing Methodology:
# Every parameter tested:
# - URL parameters
# - POST body
# - Headers (User-Agent, Referer, etc.)
# - Cookies
# SQL injection
' OR '1'='1
' UNION SELECT NULL--
'; WAITFOR DELAY '0:0:5'--
# XSS (context-aware)
">
javascript:alert(1)
# Command injection (if applicable)
; whoami
| id
$(whoami)
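The payloads above are only meaningful next to the code they hit. As an added example (not from the course), the following runs the page's `' OR '1'='1` payload against a login query built by string concatenation and then against the parameterised form, and shows the attribute-context case for reflected XSS alongside proper output encoding. The SQLite table is constructed in memory; the usernames are the engagement's test accounts, and passwords are stored in clear only to keep the demo short (a real application stores a password hash).

```python
"""Phase 4 demo: SQL injection and attribute-context XSS, vulnerable and fixed.

Constructed example: in-memory SQLite table, clear-text passwords for brevity.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("testuser", "TestPass123!"), ("testuser2", "TestPass456!")],
    )
    return conn


SQLI_PAYLOAD = "' OR '1'='1"   # the page's first payload


def login_vulnerable(conn, username: str, password: str):
    """String-built query: the quote closes the literal, the OR matches every row."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username: str, password: str):
    """Bound parameters: the payload is compared as plain text and matches nothing."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


XSS_PROBE = '"><b>x</b>'   # harmless tag used only to show the attribute break-out


def render_search_vulnerable(term: str) -> str:
    """Reflects the term into an attribute unencoded: '">' ends the value early."""
    return '<input name="q" value="' + term + '">'


def render_search_safe(term: str) -> str:
    """Attribute-context encoding: quotes and angle brackets become entities."""
    return '<input name="q" value="' + html.escape(term, quote=True) + '">'


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "nobody", SQLI_PAYLOAD))   # every user is returned
    print(login_safe(db, "nobody", SQLI_PAYLOAD))         # []
    print(render_search_vulnerable(XSS_PROBE))
    print(render_search_safe(XSS_PROBE))
```

The vulnerable query returns both accounts for a username that does not exist because `AND` binds tighter than `OR`, so the condition becomes `(username = 'nobody' AND password = '') OR '1'='1'`. That one-line explanation, with the request and response, is what the finding's evidence section needs.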
Phase 5: Server-Side and API Testing
Test backend and API-specific issues:
Tasks:
- SSRF: Any URL fetching functionality
- File Upload: If file upload exists
- Path Traversal: File access parameters
- API Security: OWASP API Top 10
- Information Disclosure: Errors, debug info
Deliverables:
□ SSRF testing results
□ File upload assessment
□ Path traversal findings
□ API-specific vulnerability findings
□ Information disclosure inventory
□ Security header assessment
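Two of the Phase 5 deliverables lend themselves to a repeatable check. The following is an added example, not course material: a security-header assessment over a response header dictionary, and the path-containment guard that is the remediation for a path traversal finding. The sample header sets are constructed to look like a typical weak response and a hardened one; the base directory is a made-up path.

```python
"""Phase 5 helpers: response-header assessment and a path traversal guard.

Constructed example: header dicts and the base directory are made up.
"""
import os

SAMPLE_HEADERS = {   # constructed: what a weak authenticated response often looks like
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
    "Cache-Control": "private",
    "X-Frame-Options": "SAMEORIGIN",
}

HARDENED_HEADERS = {   # constructed: the set a remediation section would recommend
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def assess_headers(headers: dict) -> list:
    """Return one finding line per missing or weak header."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    if "max-age" not in h.get("strict-transport-security", ""):
        findings.append("Missing HSTS (Strict-Transport-Security)")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Missing Content-Security-Policy")
    elif "unsafe-inline" in csp and "nonce-" not in csp:
        findings.append("CSP allows unsafe-inline scripts without nonces")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("Missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("No clickjacking protection (X-Frame-Options / frame-ancestors)")
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Authenticated response cacheable (Cache-Control lacks no-store)")
    for leak in ("server", "x-powered-by", "x-aspnet-version"):
        if leak in h and any(ch.isdigit() for ch in h[leak]):
            findings.append(f"Version disclosure in {leak}: {h[leak]}")
    return findings


STATEMENT_DIR = "/srv/securebank/statements"   # constructed base directory


def resolve_under(base_dir: str, requested: str):
    """Return the real path of `requested` if it stays inside base_dir, else None.

    realpath() collapses '..' and symlinks before the containment check, so
    '../../../etc/passwd' and an absolute path both fall outside and are refused.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for line in assess_headers(SAMPLE_HEADERS):
        print("-", line)
    print(assess_headers(HARDENED_HEADERS))                        # []
    print(resolve_under(STATEMENT_DIR, "2024/jan.pdf"))
    print(resolve_under(STATEMENT_DIR, "../../../etc/passwd"))     # None
```

Feed `assess_headers` the headers from an authenticated page rather than the landing page: the cache and HSTS checks only matter where session data is returned.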
Phase 6: Client-Side and Modern Framework
Test client-side security:
Tasks:
- JavaScript Analysis: Secrets, endpoints, logic
- DOM XSS: Client-side sinks
- Prototype Pollution: If applicable
- Dependencies: Vulnerable libraries
- Storage: Sensitive data in localStorage
Deliverables:
□ JavaScript security analysis
□ DOM XSS findings
□ Client-side storage audit
□ Dependency vulnerability list
□ PostMessage security assessment
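JavaScript analysis appears twice in the methodology: endpoint extraction in Phase 1 and secrets, DOM sinks and storage in Phase 6. The following added example (not part of the course, and not the linkfinder tool named in Phase 1) covers both passes with plain regular expressions over a bundle. `SAMPLE_JS` is a constructed fragment, the key values in it are placeholders, and the patterns are a starting point to be read alongside the code, not a replacement for reading it.

```python
"""JavaScript triage for Phase 1 (endpoints) and Phase 6 (secrets, sinks, storage).

Constructed example: SAMPLE_JS and the key values in it are made up placeholders.
"""
import re

SAMPLE_JS = r"""
const API_KEY = "sk_test_abcdef1234567890";   // constructed placeholder value
const AWS_ID = "AKIAEXAMPLEKEY000000";        // constructed placeholder value
fetch("/api/accounts/" + id).then(r => r.json());
axios.post('/api/transfers', payload);
const adminUrl = "/rest/admin/users";
function showBanner() {
  banner.innerHTML = decodeURIComponent(location.hash.slice(1));
}
document.getElementById("out").textContent = name;
localStorage.setItem("jwt", token);
localStorage.setItem("theme", "dark");
"""

ENDPOINT_RE = re.compile(r"""["'`](/(?:api|rest|v\d+)/[^"'`\s]*)["'`]""")
SECRET_RES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hardcoded_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*[\"'][A-Za-z0-9_\-]{8,}[\"']"
    ),
}
SINK_RE = re.compile(
    r"\.innerHTML\s*=|\.outerHTML\s*=|document\.write\s*\(|\beval\s*\(|new\s+Function\s*\("
)
SOURCE_RE = re.compile(r"location\.(?:hash|search|href)|document\.(?:URL|referrer)|window\.name")
STORAGE_RE = re.compile(r"(?:localStorage|sessionStorage)\.setItem\(\s*[\"']([^\"']+)[\"']")
SENSITIVE_KEYS = ("token", "jwt", "session", "password", "secret", "auth")


def extract_endpoints(js: str) -> list:
    """Phase 1: every quoted path that looks like an API route, de-duplicated."""
    return sorted(set(ENDPOINT_RE.findall(js)))


def find_secrets(js: str) -> list:
    """Phase 6: hardcoded credentials, reported by kind and line number only."""
    hits = []
    for n, line in enumerate(js.splitlines(), 1):
        for kind, pattern in SECRET_RES.items():
            if pattern.search(line):
                hits.append({"kind": kind, "line": n})
    return hits


def find_dom_sinks(js: str) -> list:
    """Phase 6: dangerous sinks; 'tainted' marks a same-line attacker-controlled source."""
    hits = []
    for n, line in enumerate(js.splitlines(), 1):
        sink = SINK_RE.search(line)
        if sink:
            hits.append({"line": n, "sink": sink.group(0).strip(),
                         "tainted": bool(SOURCE_RE.search(line))})
    return hits


def audit_storage(js: str) -> list:
    """Phase 6: web-storage keys whose names suggest credentials or session material."""
    hits = []
    for n, line in enumerate(js.splitlines(), 1):
        for key in STORAGE_RE.findall(line):
            if any(word in key.lower() for word in SENSITIVE_KEYS):
                hits.append({"line": n, "key": key})
    return hits


def analyze_js(js: str) -> dict:
    return {
        "endpoints": extract_endpoints(js),
        "secrets": find_secrets(js),
        "dom_sinks": find_dom_sinks(js),
        "sensitive_storage": audit_storage(js),
    }


if __name__ == "__main__":
    for section, items in analyze_js(SAMPLE_JS).items():
        print(section, items)
```

A sink flagged `tainted` (the `innerHTML` assignment fed from `location.hash` above) is a DOM XSS candidate to confirm in the browser; a sink without a same-line source still needs the data flow traced by hand. The endpoint list feeds straight into the Phase 1 inventory and the Phase 3 authorization tests.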
Phase 7: Reporting
Create professional deliverable:
Report Structure:
WEB APPLICATION SECURITY ASSESSMENT REPORT
==========================================
1. EXECUTIVE SUMMARY (1-2 pages)
- Engagement overview
- Scope and methodology
- Key findings summary
- Overall risk rating
- Top recommendations
2. METHODOLOGY (1 page)
- Testing approach
- Tools used
- Standards referenced (OWASP, etc.)
- Limitations
3. FINDINGS SUMMARY
- Vulnerability statistics
- Risk distribution chart
- Finding categories
4. DETAILED FINDINGS
For each vulnerability:
┌──────────────────────────────────────┐
│ FINDING: [Title]                     │
│ Severity: Critical/High/Medium/Low   │
│ CVSS: [Score]                        │
│ Location: [URL/Endpoint]             │
│                                      │
│ DESCRIPTION:                         │
│ [Technical explanation]              │
│                                      │
│ EVIDENCE:                            │
│ [Request/response, screenshots]      │
│                                      │
│ IMPACT:                              │
│ [Business impact]                    │
│                                      │
│ REMEDIATION:                         │
│ [Specific fix guidance]              │
│                                      │
│ REFERENCES:                          │
│ [OWASP, CWE, etc.]                   │
└──────────────────────────────────────┘
5. REMEDIATION ROADMAP
- Prioritized action items
- Quick wins
- Long-term improvements
6. APPENDICES
- Detailed scan results
- Full request/response logs
- Tools and versions used
Severity Rating:
CRITICAL (CVSS 9.0-10.0):
- Remote code execution
- SQL injection with data access
- Authentication bypass
- Admin account takeover
HIGH (CVSS 7.0-8.9):
- Stored XSS
- IDOR with sensitive data
- Privilege escalation
- SSRF to internal services
MEDIUM (CVSS 4.0-6.9):
- Reflected XSS
- CSRF on sensitive functions
- Information disclosure
- Missing security headers
LOW (CVSS 0.1-3.9):
- Minor information disclosure
- Verbose error messages
- Missing best practices
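Turning a findings list into the Phase 7 sections (finding cards, the findings summary statistics, the prioritised remediation roadmap) is mechanical once severity follows the CVSS bands above. The following is an added example, not a course-provided template: a `Finding` record, the severity banding taken from the table above, a renderer for the boxed card layout, and the summary and ordering helpers. The three sample findings are constructed and describe no real assessment; the "Informational" label for a 0.0 score is this example's own addition, since the table above starts at 0.1.

```python
"""Phase 7 helpers: CVSS banding, finding card, summary stats, remediation order.

Constructed example: the sample findings are made up.
"""
from dataclasses import dataclass, field

BANDS = (  # (minimum score, label), from the Severity Rating table
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
)


def severity_from_cvss(score: float) -> str:
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "Informational"  # 0.0 is outside the page's table; label assumed here


@dataclass
class Finding:
    title: str
    cvss: float
    location: str
    description: str
    evidence: str
    impact: str
    remediation: str
    references: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return severity_from_cvss(self.cvss)


def finding_card(finding: Finding, width: int = 60) -> str:
    """Render one finding in the boxed layout of the report template."""
    rows = [
        f"FINDING: {finding.title}",
        f"Severity: {finding.severity}",
        f"CVSS: {finding.cvss:.1f}",
        f"Location: {finding.location}",
        "", "DESCRIPTION:", finding.description,
        "", "EVIDENCE:", finding.evidence,
        "", "IMPACT:", finding.impact,
        "", "REMEDIATION:", finding.remediation,
        "", "REFERENCES:", ", ".join(finding.references),
    ]
    inner = width - 2        # characters between the box borders
    text = inner - 2         # minus the one-space margin on each side
    body = [f"│ {row[:text]:<{text}} │" for row in rows]
    return "\n".join(["┌" + "─" * inner + "┐", *body, "└" + "─" * inner + "┘"])


def summary_stats(findings) -> dict:
    """Counts per severity band for the Findings Summary section."""
    counts = {label: 0 for _, label in BANDS}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def remediation_order(findings) -> list:
    """Highest CVSS first; ties broken by title so the roadmap is deterministic."""
    return [f.title for f in sorted(findings, key=lambda f: (-f.cvss, f.title))]


SAMPLE_FINDINGS = [   # constructed, not from any real assessment
    Finding("SQL injection in login", 9.8, "POST /api/login",
            "Username parameter concatenated into the query.",
            "Request/response pair #1 in appendix.", "Full database read.",
            "Use parameterised queries for every statement.", ["CWE-89", "OWASP A03"]),
    Finding("IDOR on account statements", 7.5, "GET /api/accounts/{id}/statements",
            "No ownership check on the account id.",
            "User A retrieved user B's statement.", "Disclosure of other customers' data.",
            "Enforce ownership server-side on every object lookup.", ["CWE-639", "OWASP A01"]),
    Finding("Missing HSTS header", 3.1, "All responses",
            "No Strict-Transport-Security header.", "Header capture in appendix.",
            "Downgrade exposure on first visit.", "Send HSTS with a long max-age.", ["CWE-319"]),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(finding_card(f), end="\n\n")
    print(summary_stats(SAMPLE_FINDINGS))
    print(remediation_order(SAMPLE_FINDINGS))
```

Keep the CVSS score as the stored value and derive the severity label from it, as above, so a score corrected during review cannot leave the card and the summary table disagreeing.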
Capstone Deliverables
Your complete submission must include:
1. Reconnaissance Package (15 points)
- Technology stack analysis
- Application map/sitemap
- API endpoint inventory
- JavaScript analysis results
2. Testing Evidence (25 points)
- Authentication testing results
- Authorization/IDOR findings
- Injection testing results
- All vulnerabilities with PoC
3. Professional Report (40 points)
- Executive summary
- Detailed findings (properly formatted)
- Evidence and screenshots
- Remediation recommendations
4. Testing Methodology Documentation (10 points)
- Tools used
- Testing timeline
- Coverage documentation
5. Reflection (10 points)
- What you learned
- Challenges faced
- Areas for improvement
Evaluation Criteria
Your capstone will be evaluated on:
| Criteria | Points |
|---|---|
| Coverage: Comprehensive testing across all areas | 20 |
| Technical Depth: Thorough exploitation and analysis | 25 |
| Report Quality: Professional, clear, actionable | 30 |
| Evidence: Clear PoCs and documentation | 15 |
| Recommendations: Practical, prioritized remediation | 10 |
Total: 100 points. Projects scoring 80+ demonstrate professional competency.
Lab Environment Options
Choose a target for your capstone:
Option 1: OWASP Juice Shop
- Modern JavaScript application
- 100+ vulnerabilities
- Covers all OWASP Top 10
- docker run -p 3000:3000 bkimminich/juice-shop
Option 2: DVWA + bWAPP Combination
- Traditional vulnerabilities
- Good for injection practice
- Multiple difficulty levels
Option 3: PortSwigger Practice Exam
- Realistic web application
- Timed assessment simulation
- Professional difficulty
Option 4: HackTheBox Web Challenges
- Multiple web applications
- Varying difficulty
- Real-world scenarios
Recommended: OWASP Juice Shop
- Most comprehensive
- Modern architecture
- Excellent for portfolio
Tips for Success
Planning:
- Create testing checklist before starting
- Allocate time for each phase
- Save reporting time (30%+ of effort)
- Document continuously, not at end
Technical:
- Test systematically, not randomly
- Screenshot everything important
- Note exact reproduction steps
- Try multiple techniques per category
Reporting:
- Write for technical AND executive audience
- Evidence must be clear to reviewers
- Recommendations must be actionable
- Prioritize by business impact
Common Mistakes:
- Skipping reconnaissance
- Testing only obvious parameters
- Poor evidence collection
- Vague remediation guidance
- Underestimating report time
Week 12 Quiz
Test your understanding of the Web Application Security Assessment methodology.
Format: 10 multiple-choice questions. Passing score: 70%. Time: Untimed.
Week 12 Outcome Check
By completing this capstone, you will have demonstrated:
- Complete web application testing methodology
- Technical exploitation across vulnerability classes
- Professional documentation and reporting
- Risk assessment and prioritization
- Actionable remediation guidance
- Integration of all course concepts
Congratulations! Completing this capstone demonstrates the skills expected of a professional web application security tester.
🎯 Capstone: Full Web Application Assessment
Put everything you've learned into practice with comprehensive penetration testing challenges. This is your final exam—demonstrate complete web security mastery!
🧃 OWASP Juice Shop: Complete All Challenges
What you'll do: Systematically test Juice Shop and exploit ALL vulnerabilities
across all OWASP Top 10 categories. Demonstrate complete web security testing methodology from
reconnaissance to exploitation to reporting.
Why it matters: This is your capstone project. Completing all Juice
Shop challenges proves you can find and exploit real vulnerabilities without guidance—the exact
skill needed for professional pentesting.
Time estimate: 8-12 hours (comprehensive assessment)
📦 HackTheBox: Easy Web Challenges
What you'll do: Complete 5+ "Easy" rated web challenges on HackTheBox. Apply
your web security knowledge to realistic vulnerable applications and capture flags.
Why it matters: HTB challenges simulate real-world scenarios. Success
here demonstrates you can apply knowledge to unfamiliar applications—exactly what employers and
clients need.
Time estimate: 5-8 hours
📝 Write Professional Penetration Test Report
What you'll do: Document your Juice Shop assessment in a professional pentest
report. Include executive summary, methodology, findings (with severity ratings),
proof-of-concept exploits, and remediation recommendations.
Why it matters: Finding vulnerabilities is only half the
job—communicating findings effectively is equally critical. Professional reports are what
clients pay for and what gets vulns fixed.
Time estimate: 3-4 hours
💡 Capstone Strategy: Complete Juice Shop systematically using methodology from Week 2 (recon → testing → exploitation). Then tackle HTB challenges to prove skills transfer. Finally, write a professional report to demonstrate communication skills. This capstone proves you're job-ready: 1,200 total XP, 16-24 hours of comprehensive assessment!
🛡️ Defensive Architecture & Secure Design Patterns
The capstone ends with remediation. Defensive architecture turns findings into risk reduction through verified fixes, retesting, and a prioritized remediation roadmap.
Security Architecture Review
Review checklist:
- Trust boundaries and data flows
- Authentication and session controls
- Authorization enforcement points
- Input validation across entry points
- Secure defaults and logging/monitoring
Remediation Planning
Remediation workflow:
1. Rank findings by impact + exploitability (CVSS)
2. Define fix owners and deadlines (SLAs)
3. Implement controls and regression tests
4. Retest to verify closure
5. Track residual risk and compensating controls
Real-World Incident: Log4Shell 2021
Log4Shell exposed how slow patching and weak inventory create systemic risk. Lessons learned: maintain asset inventories, automate dependency scanning, set patch SLAs, and deploy compensating controls when immediate fixes are not possible.
Defensive Labs
Lab: Conduct a Security Architecture Review
Map trust boundaries, identify high-risk flows, and document top five architecture-level risks.
Lab: Build a Remediation Roadmap
Create a prioritized plan with owners, deadlines, and verification steps for each critical finding.
Lab: Validate Fixes with Retesting
Reproduce two critical findings after fixes and document evidence that the vulnerabilities are closed.
📚 Building on CSY101 Week-13: Use threat modeling to validate that fixes reduce attacker paths. CSY101 Week-14: Map remediation to CIS Controls and NIST 800-53. CSY104 Week-11: Use CVSS to prioritize fixes.
Reading Resources (Free + Authoritative)
Reference these resources for your capstone.
- OWASP Web Security Testing Guide · Reference · 50 XP · Resource ID: csy203_w12_r1 (Required)
- OWASP Juice Shop · Lab Environment · 25 XP · Resource ID: csy203_w12_r2 (Optional)
- Sample Security Assessment Reports · Reference · 25 XP · Resource ID: csy203_w12_r3 (Optional)
Final Reflection
Reflection Prompt (400-500 words):
This capstone represents the culmination of your web application security journey in CSY203. You've progressed from understanding HTTP to conducting complete security assessments.
Reflect on these questions:
- Compare your skills now versus Week 1. What vulnerabilities can you find that you couldn't before? What's still challenging?
- What was the most difficult part of conducting a complete assessment? How did you handle it?
- How did writing a professional report change your perspective on security testing?
- Which vulnerability class do you find most interesting? Why?
- Where do you want to go from here? Bug bounty? Consulting? Product security? Research?
A strong final reflection will honestly assess growth, identify continued learning areas, and articulate your security career direction.
What's Next?
Completing CSY203 opens doors to specialization:
- Bug Bounty Programs: HackerOne, Bugcrowd, Intigriti—apply skills on real targets
- Certifications: OSWE (Offensive Security Web Expert), BSCP (Burp Suite Certified Practitioner)
- Specialization: API security, mobile app security, cloud security
- Career Paths: Penetration tester, application security engineer, security consultant
Continued Learning:
- PortSwigger Web Security Academy (complete all labs)
- HackTheBox Web Challenges
- Real-world bug bounty hunting
- Security conferences and research
Congratulations on completing CSY203: Web Application Security! You now have the foundation to test real applications, find real vulnerabilities, and make the web more secure. The journey continues—there's always more to learn, new techniques to master, and new challenges to tackle. Welcome to the web security community!