Posted: January 31st, 2023

WebGoat – In Part A, you are required to answer the questions with justifiable implementations

In Part A, you are required to answer the questions with justifiable implementations.
These implementations need to be documented in detail. The document must have step by-step details on what you did to solve the question, including any script codes used to answer the requirements. You are also required to provide images (screen dumps) to show the key steps leading to your solution. These images can be taken using print screen or any other screen capture method. These images must be embedded in the
document with appropriate labelling and descriptions.

You are required to complete the WebGoat Challenge questions. The tasks to be completed is provided in WebGoat. You need to click on the Challenges menu item and solve all challenges within the WebGoat challenge (CTF) as you can see. This part of the assignment requires you to know different application penetration testing techniques to complete successfully. An important note to remember is that you are attacking the WebGoat web server from a client (web browser). This means that the attacker does not have any write access to the server, thus you will not be able to modify the java source files to complete the
Challenge questions. Any modification of the WebGoat source code to complete the Challenge questions will result in loss of marks.

Once you have finalised the challenges, it is time for you to launch a different attack to WebGoat page or other local or networked systems. Two options provided here for you to finalise this section, you can take either one of the options:
Option 1: If you select to attack the WebGoat page, your WebScarab with the tampering process works in your computer, then, this will suffice.
Option 2: Alternatively, in some occasions, if your WebGoat does not work in your computer, you are given the option to attack other web system, however, you need to select and choose ONE (1) of the many tools available in the open-sourced domain, including tools which we have not covered but you may find useful, for example, Nmap (http://sectools.org/tag/port-scanners/ ). Once chosen, a detailed description should be
attached, including the reason for selecting this tool, the applied scenario, and supporting theory in behind. You will also provide a complete run through the activity by providing screenshots of how the attack was launched and also an evaluation of the data collected from the victim machine, such as the traffic packet data from the Wireshark.

In Part A, you are required to include the following two sections:
Section 1: For the WebGoat challenges –
• Description of the scenarios in each stage, including the comparison and analysis against real-world cases.
• Theoretical description of the possible methods on launching attacks. You may
list the possible methods that you may use to test the problems posed by the question of each stage?
• A brief explanation of the method used (a couple of paragraphs) followed by details on how you used that method to test the problem. What are the results of those methods that you actually tested the problems posed by the question of each stage? (Analyse either successful or unsuccessful methods).
• Any script codes and images (screen captures) showing the successful completion of the tasks in this part of the assignment.