Overview:

This homework will demonstrate your knowledge of testing security controls aligned with input validation and business logic. You will also use the recommended OWASP Testing Guide reporting format to report your test findings.

Assignment:

Using the readings from weeks 7 and 8 as a baseline, analyze, test and document the results for the tutoring web application found on the SDEV virtual machine. Specific tests to be conducted include:

1. Testing for Reflected Cross site scripting (OTG-INPVAL-001)

  • Can you place a simple JavaScript alert?

2. Testing for Stored Cross site scripting (OTG-INPVAL-002)

  • Can you introduce Stored Cross site scripting?

3. Testing for SQL Injection (OTG-INPVAL-005)

  • Test and fix any issues found
  • Hint: prepared statements?

4. Testing for Code Injection (OTG-INPVAL-012)

  • Can you input some simple html code?

5. Test business logic data validation (OTG-BUSLOGIC-001)

  • Any noticeable Logic errors?

6. Test integrity checks (OTG-BUSLOGIC-003)

  • Do drop-down menus exist, and are they sufficient for the application?

7. Test defenses against application misuse (OTG-BUSLOGIC-007)

  • Can you add additional characters to cause unexpected results?

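As an added illustration of the prepared-statement hint in item 3, and of the output encoding that addresses the reflected, stored and HTML injection checks in items 1, 2 and 4, here is a vulnerable login query beside its parameterized form. This is example code, not the tutoring application's own source; the table, column names and credentials are constructed stand-ins for whatever the VM's database actually holds.

```python
import html
import sqlite3


def build_db():
    # Constructed in-memory stand-in for the tutoring app's user table
    # (not the real schema on the SDEV VM).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('tutor1', 'CorrectHorse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Untrusted input is concatenated into the SQL text, so the input can
    # change the structure of the query, not just the values compared.
    sql = (f"SELECT username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    # Prepared statement: the driver binds the values as data. Quotes or
    # keywords inside them are compared literally and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def render_comment(comment):
    # Output encoding before reflecting user-supplied text into HTML, which
    # is the fix for the reflected/stored XSS and HTML injection findings.
    return f"<p>{html.escape(comment)}</p>"


def demo():
    # Constructed test input: the classic tautology the SQL injection test
    # would try in the password field of the login form.
    conn = build_db()
    tautology = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "tutor1", "CorrectHorse"),
        "legit_fixed": login_fixed(conn, "tutor1", "CorrectHorse"),
        "inject_vulnerable": login_vulnerable(conn, "tutor1", tautology),
        "inject_fixed": login_fixed(conn, "tutor1", tautology),
    }
```

The vulnerable version accepts the tautology because the quote terminates the string literal and the trailing OR makes the WHERE clause true for every row; the parameterized version rejects it because the whole string is compared as a password value.
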
You should document the results for the tests, along with your comments and recommendations for improved security for each security control tested, in a Word or PDF document. The format of your document should be the format recommended in chapter 5 of the OWASP Testing Guide. Provide screen captures and descriptions of the tests conducted. Discuss any issues found and possible mitigations.

Note: Use the SDEV Virtual Machine you downloaded and used for SDEV 300. The URL is here if you need to download it again:

https://citeapps.umuc.edu/SDEV/

The VM runs on the latest version of Oracle Virtual Box.

The directions to reinstall the Tutoring Web Application are also included in the course resources.
