Homework #6
Hello, dear friend, you can consult us at any time if you have any questions, add WeChat: daixieit
Homework #6
Purpose
The purpose of this assignment is to help you demonstrate your understanding of Security Testing. This assignment will help prepare you for test planning and implementation for finding vulnerabilities in Web applications.
Deliverables
● A PDF file with your test plans in Part 1
● The source code for what you implemented in Part 2
○ make sure to not include caching/venv folders with all the compiled
code/dependencies (that would make the zip file too large for Gradescope to accept).
Task
Machine Requirements:
● This homework requires that you havePythonandDjangoinstalled on your machine. (The code has been developed using Django v3. 1. 13. It should workjust fine on v4.0 too).
● Running the code:
1. Clone the courserepository
2. “cd” into the folder that has the source code for the Django web application
cd HW5/website
3. Run the web application using:
python manage.py runserver
(in your machine, it might be python3.x)
4. Accesshttp://localhost:8000/tasktracker/in your web browser. It will redirect you to a login page. There are three accounts created:
Username: user1 / Password: p*2sfHQP==
Username: user2 / Password: V?vZT+MD4e
If there are no issues with your environment, you’d be able to access the task tracker app.
Part 1: Test Case Planning
Create a test plan for two controls fromASVSrelated to the Web application above (i.e., the Task Management app). One team member creates one test plan whereas the second team member creates another.
Use theOWASP Testing Guideto help you understand how to plan the test case. Each test case must have each of the following:
- A unique test case id that maps to the ASVS.
- Provide the name/description of the ASVS control.
- Indicate the CWE (number and name) for the vulnerability you are testing for.
- Detailed and repeatable instructions for how to execute the test case. Remember: good test plans are detailed enough that the same steps could be done by anyone who reads the instructions. This will be crucial for Part 2.
- Expected results when running the test case (that is, if the test case passes, then it would indicate a secure system).
- Who wrote the test case (i.e., which team member devised the test case plan) → only if the HW was done in pairs, not applicable if you are doing this HW individually
Part 2: Implementing the Test Plans
In this homework part, you will implement the test cases planned in Part 1.
Hints/FAQs:
If your test cases successfully exploit a vulnerability that damages the database, you can recover it by issuing the following commands:
python manage.py migrate --fake tasktracker zero
python3.9 manage.py loaddata fixtures/tasktracker.json
Tutorials on Unit Testing in Django
- Writing and running tests | Django documentation
- Testing tools | Django documentation
Mac Users:
- If the shell complains about the port being used, just kill the process:
sudo lsof -t -i tcp:8000 | xargs kill -9
Grading Rubric
The HW will be evaluated based on the following criteria:
|
Part 1 4 pts |
- Does the test plan contain all the required listed information? - Are the test plans sufficiently detailed such that its steps can be reproduced by anyone? |
|
Part 2 6 pts |
- Is the implemented test cases matching what was in the test plans? |
2023-05-02