Black Box Web Application Audit


This is not a domain available on the internet; the target was a lab environment set up for CSEC 731: Web Server Application Security Audits. Not all of the information in the final report is included in this version, to protect the integrity of the assignment in case the environment is reused in future classes.

The most important aspect of an audit is its scope. If the tester exercises features that are out of scope, they could face lawsuits and cause damage to the organization's reputation.

For this specific exercise the target was a development environment, so HTTPS and weak passwords were out of scope.

The structure of the document is as follows:

  • An executive summary of approximately one page, geared towards C-level executives (e.g. CEO, CTO, or COO).
  • A detailed summary that describes the attack narrative and summarizes the results. This section should be about two or three pages and should be geared towards a project manager.
  • A technical results section that summarizes each specific vulnerability found. This section should use a well-developed, standardized template for each vulnerability rather than writing out a full narrative.

