Practical Test - FC - Ver1
DIPLOMA PROGRAMME
PRACTICAL TEST
Academic Period: July 2023
1. Content of report 2 4 3
2. Demonstration 2 4 3
3. Knowledge of the Topic 2 4 3
4. Fluency & Clarity 3 4 3
5. Defence ability (Q&A) 3 4 3
Total 15
Total Marks /20
Total PO 4 /10
Signature
NTC1062 NETWORK VULNERABILITY ASSESSMENT
Instruction:
Pick one topic of Top 10 OWASP as below. Prepare a report, slide, and demonstration.
Contents of slide:
1) Introduction of the web application vulnerability and topic that you choose.
2) How it occurs, with a diagram/architecture showing examples of the attack
3) Countermeasures/recommendations that can be taken into consideration.
4) Extra information on the topics
5) References
6) Any relevant diagrams/ figures
Submission:
1) Slide (in pdf format) – Max 10 pages
2) Report (in pdf format)
Grading:
1) Report
2) Demonstration & Presentation
Project Presentations:
Each team has a 10-minute presentation and demo plus 5 minutes of Q&A (total 15 minutes per team)
Group:
2 students per group
Main Reference
https://owasp.org/Top10/
Page 2 of 15
Copyright of German-Malaysian Institute. All rights reserved.
Rubric for Practical Test
NO. | CRITERIA | APPROACHES EXPECTATIONS [1] | MEETS EXPECTATIONS [2] | EXCELLENT [3] | WEIGHT MARKS
1 | Content of report | The content was minimally relevant to the given task | The content was generally relevant to the given task | The content was very relevant to the given task | M/3*20
2 | Demonstration of tools | Able to slightly demo the demonstration's details | Able to demo most of the demonstration's details | Able to demo all the demonstration's details | M/3*30
4 | Fluency and Clarity | None of the group members are fluent and voices are not clear | Most of the group members are fluent and voices are fairly easy to hear clearly | All group members are very fluent, and voices are easy to hear clearly | M/3*10
5 | Defence ability / presentation | Not able to answer questions, not prepared and no confidence at all | Able to answer questions but with little preparation and confidence | Able to answer all questions very well and confidently; very well prepared | M/3*10
TOTAL | | | | | 100
TABLE OF CONTENTS
Web application vulnerabilities differ from other common vulnerability classes, such as those affecting networks or individual assets: a web application is deliberately exposed to many users across untrusted networks, so any flaw in it is reachable by a large number of potential attackers. In this document we discuss and explore the chosen topic, A02:2021 – Cryptographic Failures, with the aim of improving the security of web applications.
Moving up to the second position in the OWASP Top 10, this category was previously known as Sensitive Data Exposure. OWASP renamed it because exposure is a symptom rather than a root cause; the category now focuses on failures related to cryptography, or the lack of it, which frequently lead to exposure of sensitive data. Notable Common Weakness Enumerations (CWEs) associated with it include CWE-259 (Use of Hard-coded Password), CWE-327 (Broken or Risky Crypto Algorithm) and CWE-331 (Insufficient Entropy).

When managing sensitive data, both data at rest and data in transit must be considered.
Data at rest is data stored on disk or in a database rather than moving over a network. It may not be in active use, but it remains sensitive. Examples include:
- Stored passwords
- User information for accessing applications
- Unpublished offline data
- Old archives of an organization.

Data in transit, on the other hand, is data moving between systems, for example a request and response between a browser and a web server. For instance, banking details sent over an unencrypted or weakly protected channel during a payment can be read or altered by a man-in-the-middle attacker.
- Because the database stores passwords as unsalted hashes, an intruder who obtains the table can use a rainbow table to recover the passwords.

The passwords in this database are stored as unsalted hashes. A hash is a one-way function, not encryption, so the attacker does not decrypt anything; they match hashes against precomputed ones. "Unsalted" means that no per-user random value (the salt) was combined with the password before hashing. Without a salt, identical passwords produce identical hashes, and one precomputed table works against every database that uses the same algorithm.

A rainbow table is a large precomputed structure that maps hashes back to candidate plaintexts. The attacker looks up each leaked hash and reads off the original password. Salting defeats this because the table would have to be rebuilt for every salt value.
3) Example of attacks
Scenario#1:
Imagine an application that relies on automatic (transparent) database encryption to protect credit card numbers. The database decrypts the data automatically whenever it is retrieved, so any query issued through the application's normal path returns plaintext. If the application also contains a SQL injection flaw, an attacker can use it to retrieve the stored credit card numbers in the clear: the encryption at rest only protects against someone reading the raw storage, not against an injected query.
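As an added illustration (not part of this report or of OWASP's text), the following Python sketch models the scenario with sqlite3. A trivial reversible transform and a SQL view stand in for the database's transparent encryption and its automatic decryption on read; these, and the sample card data, are constructed for the demo and are not a real encryption scheme.

```python
import base64
import sqlite3

# Constructed stand-in for transparent database encryption (assumption: the
# real mechanism is opaque to the application, which is exactly the problem).
def _tde_encrypt(value: str) -> str:
    return base64.b64encode(value[::-1].encode()).decode()

def _tde_decrypt(value: str) -> str:
    return base64.b64decode(value.encode()).decode()[::-1]

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_function("tde_decrypt", 1, _tde_decrypt)
    conn.execute("CREATE TABLE cards_raw (user_id TEXT, card_enc TEXT)")
    # Constructed sample data (test card numbers, not real accounts)
    sample = [("alice", "4111111111111111"), ("bob", "5500000000000004")]
    conn.executemany("INSERT INTO cards_raw VALUES (?, ?)",
                     [(u, _tde_encrypt(c)) for u, c in sample])
    # "Automatic decryption on retrieval": the application reads through a
    # view that decrypts every row it touches.
    conn.execute("CREATE VIEW cards AS "
                 "SELECT user_id, tde_decrypt(card_enc) AS card FROM cards_raw")
    return conn

def raw_storage(conn: sqlite3.Connection) -> list:
    # What someone reading the raw storage sees: ciphertext only.
    return [r[0] for r in conn.execute("SELECT card_enc FROM cards_raw")]

def lookup_card_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Vulnerable: user input concatenated into SQL. The injected query runs
    # through the same view, so the database happily decrypts for the attacker.
    sql = f"SELECT card FROM cards WHERE user_id = '{user_id}'"
    return [r[0] for r in conn.execute(sql)]

def lookup_card_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Fixed: parameterised query, input can never change the query structure.
    return [r[0] for r in
            conn.execute("SELECT card FROM cards WHERE user_id = ?", (user_id,))]

if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("raw storage:", raw_storage(db))
    print("injected, vulnerable:", lookup_card_vulnerable(db, payload))
    print("injected, safe:", lookup_card_safe(db, payload))
```

The point of the demo is the contrast between `raw_storage`, where the encryption at rest does its job, and `lookup_card_vulnerable`, where the same data comes back in plaintext because the injected query rides the application's normal, auto-decrypting path. Encryption at rest does not substitute for fixing the injection.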
Scenario#2:
A website that does not enforce TLS on every page, or that uses weak encryption, is an attractive target. An attacker positioned on the network path can eavesdrop on traffic, intercept requests, steal session cookies and force a downgrade from HTTPS to plain HTTP. The stolen cookies can then be replayed to gain unauthorized access to the user's account and sensitive data, and weak or missing encryption also lets the attacker tamper with data in transit. Enforcing HTTPS everywhere, sending an HTTP Strict Transport Security (HSTS) header to block downgrades, and marking session cookies Secure so that they are never sent over HTTP close these gaps.
Scenario#3:
A password database stores passwords as plain, unsalted hashes. A file upload flaw in the application lets an attacker retrieve the password database. Passwords stored as unsalted hashes can then be recovered with precomputed hash (rainbow) tables, and even salted passwords are crackable at high speed on GPUs if the hash is a fast, general-purpose one such as MD5 or SHA-256 rather than a deliberately slow password hashing function.
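The following Python example, added here and not part of the report, demonstrates both points made about password storage above (the rainbow-table match against unsalted hashes, and the fast-hash weakness in Scenario#3) using only the standard library. The wordlist, the leaked hashes and the scrypt parameters are constructed for the demo; a real lookup table holds billions of entries and the scrypt cost should be tuned to your own hardware budget.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist standing in for the dictionaries behind real rainbow tables.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2023"]

def unsalted_hash(password: str) -> str:
    # The weak scheme from the scenario: one fast hash, no salt.
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(words) -> dict:
    # Precompute hash -> plaintext once; reusable against every database that
    # uses the same unsalted algorithm. (A rainbow table compresses this with
    # hash chains, but its effect on an unsalted database is the same.)
    return {unsalted_hash(w): w for w in words}

def crack_unsalted(stored_hash: str, table: dict) -> Optional[str]:
    # No decryption involved: the attacker just looks the hash up.
    return table.get(stored_hash)

def salted_hash(password: str, salt: bytes) -> str:
    # A per-user random salt changes the digest for every user, so the
    # precomputed table no longer matches anything.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def store_password(password: str) -> dict:
    # Recommended form: salted, memory-hard KDF (scrypt, RFC 7914), so each
    # guess costs real CPU and RAM even on a GPU rig. Cost parameters are an
    # assumption for the demo (128*n*r = 16 MiB per guess here).
    salt = os.urandom(16)
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return {"salt": salt.hex(), "n": n, "r": r, "p": p, "hash": digest.hex()}

def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"], dklen=32)
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])

def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    leaked_unsalted = unsalted_hash("letmein")            # constructed leak
    leaked_salted = salted_hash("letmein", os.urandom(16))  # same password, salted
    return {
        "unsalted_cracked": crack_unsalted(leaked_unsalted, table),
        "salted_cracked": crack_unsalted(leaked_salted, table),
    }

if __name__ == "__main__":
    print(demo())
    rec = store_password("Summer2023")
    print("scrypt record:", rec)
    print("verify correct:", verify_password(rec, "Summer2023"))
    print("verify wrong:", verify_password(rec, "summer2023"))
```

Salting alone only defeats precomputation; an attacker with the salt can still test guesses, which is why the stored form also needs a slow, memory-hard function such as scrypt (or Argon2/bcrypt/PBKDF2 where those are available) rather than a bare SHA-256.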
To mitigate the risk of cryptographic failures and the exposure of sensitive data in web applications, consider implementing the following countermeasures:
● Encrypt data in transit with TLS 1.2 or later (SSL and TLS 1.0/1.1 are deprecated). Ensure that all communication between client and server, not only login pages, is encrypted.
● Employ perfect forward secrecy (PFS), i.e. ephemeral Diffie-Hellman key exchange (ECDHE/DHE; every TLS 1.3 suite), so that captured traffic cannot be decrypted later even if the server's long-term private key is compromised.
6. Security Testing:
7. Access Controls:
6) Conclusion
7) References
[1] "Common Web Application Vulnerabilities Explained | Rapid7," Rapid7, 2022. https://www.rapid7.com/fundamentals/web-application-vulnerabilities/ (accessed Oct. 26, 2023).
[2] "Cryptographic Failures - A02 OWASP Top 10 in 2021," Wallarm.com, Mar. 29, 2022. https://www.wallarm.com/what/a02-2021-cryptographic-failures (accessed Oct. 26, 2023).
[3] "A02 Cryptographic Failures - OWASP Top 10:2021," Owasp.org, 2021. https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ (accessed Oct. 26, 2023).