Activities Guide and Evaluation Rubric - Unit 3 - Task 4 - Penetration Test


Universidad Nacional Abierta y a Distancia

Vicerrectoría Académica y de Investigación


Course: Information Security
Code: 202016905

Activity Guide and Evaluation Rubric – Task 4 - Penetration Test

1. Activity Description
Type of activity: Collaborative
Evaluation moment: Intermediate Unit 3
Highest score of the activity: 100 points
The activity starts on: Monday, April 17, 2023
The activity ends on: Sunday, May 14, 2023
With this activity, you are expected to achieve the following learning outcomes:

Formulate information security risk mitigation measures in software products in accordance with secure development methodologies, techniques, and good practices.

The activity consists of:

Collaborative work

Make a review of the readings corresponding to Unit 3 that are in the learning
environment. The topics are:

• Standards for application security
• Secure Coding of Applications
• Security vulnerability in web applications (OWASP 2017)
• Online security and testing of web applications
• Security in the S-SDLC phases

Each student chooses one of the following questions, the question and the reasoned
answer are documented and published in the activity forum, based on the readings made
and their personal criteria.

Questions:

1. Identify at least three standards for information security.
2. What is secure coding of applications?
3. What is a Penetration Test?
4. What are the good and bad practices of safe development?
5. What is risk-based security testing?

Each student chooses one of the questions mentioned above, the question and the
reasoned answer are documented and published in the activity forum, based on the
readings made and their personal criteria. Additionally, she must make a comment to at
least one response from a colleague, to express her support, complement or disagreement
in a respectful and reasoned manner.

It is important to cite the sources that support the opinions in APA 7 format, so that
colleagues can consult them for further information.

Based on the participations made in the forum, the group prepares an online electronic
presentation, presenting the relevant information on the topics developed in the
questions. This structure is the next one:

Slide 1: Cover
Slide 2: Standards for Information Security.
Slide 3: Secure Coding of Applications.
Slide 4: Penetration Test.
Slide 5: Good and bad safe development practices.
Slide 6: Risk-Based Security Testing.
Slide 7. Conclusions.
Slide 8. References

Individual work

In this activity, a penetration test must be carried out on the BADSTORE web application.
To carry out the activity you must download the following tools:

• Download Oracle VirtualBox; you must access through the following web address:
https://www.virtualbox.org

• You will also have to download and install ZAP. You must access through the following
web address: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

• Download the virtual machine with the BADSTORE application. You must access
through the following web address:
https://www.dropbox.com/sh/7ewzuosszqslkok/AADL6CSiXkoFPWdmfnwjHDLYa?dl=0

• Import the virtualized badstore.ova appliance into Oracle VirtualBox.

• In Configuration → Storage, associate the BadStore-212.iso image with the IDE controller (CD-ROM) and configure the virtual machine to boot from the CD-ROM first.

Figure 1. BadStore-212.iso storage configuration

• Create a VirtualBox host-only network in VirtualBox → (File → Host-only networks administration) or (File → Preferences → Network → Host-only networks → add a network → enable DHCP), depending on the version, and configure it as follows:

Figure 2. Create a virtualbox HOST ONLY network

Figure 3. DHCP server

• Configure the host-only network adapter with the following addresses:

Figure 4. Configure network adapter

• Check in the BADSTORE virtual machine configuration → Network that Adapter 1 is enabled and attached to Host-only Adapter.

• Boot the virtual machine and run ifconfig -a to check the IP address associated with
the eth0 device.

• Include in the hosts file of the host machine an entry for the IP address of eth0 (address and name separated by whitespace, not by a comma). For example, if the IP address obtained by DHCP for the eth0 device is 192.168.56.110, the entry is:
192.168.56.110 www.badstore.net

• Perform the BADSTORE application penetration test with the ZAP vulnerability scanner, attacking the name associated with the eth0 address obtained in the previous step: www.badstore.net/cgi-bin/badstore.cgi

• Manually audit at least three vulnerabilities to confirm that the corresponding ZAP alerts are true positives, and indicate how to mitigate each one.

• Save the ZAP tool report in html format.
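The two host-side steps above (reading the eth0 address with ifconfig -a and adding the hosts-file entry) are easy to get wrong: a comma in the entry, a typo in the address, or a name that still points at a public host means the scanner is aimed at the wrong machine. The shell script below is an added example written for this guide; it is not part of the activity guide, nor a BadStore or ZAP tool. It parses ifconfig output, checks that the address is inside the host-only range, writes the entry idempotently, and confirms the mapping before anything is scanned. The ifconfig text is a constructed sample so the script runs offline, and the 192.168.56.0/24 host-only range is an assumption taken from the 192.168.56.110 example in the guide.

```shell
#!/bin/sh
# Added example, not part of the activity guide: turn the output of `ifconfig -a` on the
# BadStore VM into the hosts-file entry the guide asks for, and check the mapping before
# any scan is pointed at www.badstore.net. The ifconfig text below is constructed so the
# script runs offline; on the real VM you would paste what `ifconfig -a` prints.

# Constructed sample of the older Linux `ifconfig -a` output format used by the BadStore VM.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 08:00:27:12:34:56
          inet addr:192.168.56.110  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# Assumption: the VirtualBox host-only DHCP range is 192.168.56.0/24, matching the
# 192.168.56.110 example in the guide.
HOST_ONLY_PREFIX="192.168.56."
TARGET_NAME="www.badstore.net"

# Print the IPv4 address of an interface (default eth0) from ifconfig text read on stdin.
# Accepts both the old "inet addr:X" and the newer "inet X" line formats.
iface_ip_from_ifconfig() {
    awk -v iface="${1:-eth0}" '
        /^[A-Za-z0-9]/ { cur = $1; sub(/:$/, "", cur) }    # new interface block; drop trailing ":"
        cur == iface && /inet / {
            for (i = 1; i <= NF; i++) {
                if ($i == "inet") ip = $(i + 1)                # "inet 192.168.56.110"
                if ($i ~ /^addr:/) ip = substr($i, 6)          # "inet addr:192.168.56.110"
            }
            print ip; exit
        }'
}

# Succeed only if the address lies inside the host-only network.
in_host_only_range() {
    case "$1" in
        "$HOST_ONLY_PREFIX"[0-9]|"$HOST_ONLY_PREFIX"[0-9][0-9]|"$HOST_ONLY_PREFIX"[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# The line the guide tells you to add: address, whitespace, host name (no comma).
hosts_line() {
    printf '%s %s\n' "$1" "$2"
}

# Add or replace the entry for NAME in hosts file FILE, leaving exactly one line for it.
# /etc/hosts needs root to edit; main below writes to a local file instead.
ensure_hosts_entry() {
    file="$1"; ip="$2"; name="$3"
    tmp="$file.tmp.$$"
    name_re=$(printf '%s' "$name" | sed 's/\./\\./g')       # escape dots for the regex
    if [ -f "$file" ]; then
        grep -v -E "[[:space:]]$name_re([[:space:]]|\$)" "$file" > "$tmp" || true
    else
        : > "$tmp"
    fi
    hosts_line "$ip" "$name" >> "$tmp"
    mv "$tmp" "$file"
}

# Print the address FILE maps NAME to (empty if absent); used to confirm the mapping
# before a scanner is pointed at the name.
lookup_in_hosts() {
    file="$1"; name="$2"
    awk -v name="$name" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }' "$file"
}

main() {
    hosts_file="${1:-./hosts.example}"
    ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_ip_from_ifconfig eth0)
    if ! in_host_only_range "$ip"; then
        echo "eth0 address '$ip' is not on the host-only network; check Adapter 1" >&2
        return 1
    fi
    ensure_hosts_entry "$hosts_file" "$ip" "$TARGET_NAME"
    mapped=$(lookup_in_hosts "$hosts_file" "$TARGET_NAME")
    if [ "$mapped" != "$ip" ]; then
        echo "$TARGET_NAME maps to '$mapped', expected $ip; do not scan yet" >&2
        return 1
    fi
    echo "$TARGET_NAME -> $mapped (host-only); safe to configure the browser proxy and ZAP"
}

if [ "${RUN_MAIN:-0}" = "1" ]; then main "$@"; fi
```

Run it with RUN_MAIN=1 sh script.sh /path/to/hosts (as root when the path is /etc/hosts). The range check matters because a VM whose Adapter 1 is still NAT gets a 10.0.2.x address and the hosts entry would then point the browser proxy and ZAP at a machine you did not intend to test.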

The student must deliver the document of the individual work with the following structure:

1. Cover
2. Objectives
3. Documentation of how the Test procedure has been carried out:
3.1. Virtual machine configuration (evidence)
3.2. Installation of the OWASP ZAP tool (evidence)
3.3. Network configuration of the BADSTORE machine (evidence)
3.4. Penetration test (evidence)
3.5. Proxy browser settings (evidence)
3.6. ATTACK 1: Spider (evidence)
3.7. ATTACK 2: scan (evidence)
3.8. ATTACK 3: SQL injection (evidence)
4. Results of the vulnerabilities found and the way to mitigate each vulnerability.
5. Bibliographic references

Additionally, you must attach the ZAP tool report in html format.

For the development of the activity consider that:

In the initial Information environment, you must:

• Check the course agenda for the delivery dates of the activity.

In the Learning environment you must:

• Read the suggested readings for Unit 3.
• Enter the forum of the activity to debate with colleagues about the issues referred to.
• Share progress of individual activity.

In the Assessment environment you must:

• Each student sends a digital document (a Word or PDF document) that contains the
link of the online electronic presentation and the individual work document.

Evidences of individual work:

The individual evidence to be submitted is:

• Individual final work
• ZAP tool report in html format.
• Contributions in the forum

Evidences of collaborative work:

The collaborative evidence to be submitted is:

• Participation in the forum of the activity.
• Digital document with the link of the electronic presentation

6. General Guidelines for the Development of Evidences to Submit

For Collaborative evidences, consider the following:

• All members of the group must participate with their contributions in the
development of the activity.

• In each group a single member will be chosen to submit the requested product in
the environment indicated by the teacher.

• Before submitting the requested product, students should check that it meets all
the requirements mentioned in this activity guide.

• Only the members of the group that participated with contributions during the time
assigned for the activity should be included as authors of the submitted product.

Please keep in mind that all individual or collaborative written products must comply
with the spelling rules and presentation conditions defined in this activity guide.
Regarding the use of references, consider that the product of this activity must comply
with APA style.
In any case, make sure you comply with the rules and avoid academic plagiarism. You
can review your written products using the Turnitin tool found in the virtual campus.

Under the Academic Code of Conduct, the actions that infringe the academic order,
among others, are the following: paragraph e) Plagiarism is to present as your own
work all or part of a written report, task or document of invention carried out by
another person. It also implies the use of citations or lack of references, or it includes
citations where there is no match between these and the reference and paragraph f)
To reproduce, or copy for profit, educational resources or results of research products,
which have rights reserved for the University. (Acuerdo 029 - 13 de diciembre de
2013, artículo 99)

The academic penalties students will face are:

a) In case of academic fraud demonstrated in the academic work or evaluation, the
score obtained will be zero (0.0) without any disciplinary measures being derived.
b) In case of proven plagiarism in academic work of any nature, the score obtained
will be zero (0.0), without any disciplinary measures being derived.

7. Evaluation Rubric Template

Type of activity: Collaborative
Evaluation moment: Intermediate Unit 3
The highest score in this activity is 100 points

First evaluation criterion
Contents: Appropriation of concepts from standards for security, secure coding, Penetration Testing, secure development, and risk-based testing.
This criterion represents 30 points of the total of 100 points of the activity.

High level: Appropriates the concepts of standards for information security, secure coding, Penetration Testing, secure development practices, and risk-based testing and reflects it in the online electronic submission.
If your work is at this level, you can get between 21 points and 30 points.

Medium level: Some ideas expressed in the electronic presentation are not coherent or not all of the requested concepts are presented.
If your work is at this level, you can get between 11 and 20 points.

Low level: The ideas embodied in the presentation do not show an understanding of the concepts of standards for information security, secure coding, Penetration Testing, secure development practices and risk-based tests.
If your work is at this level, you can get between 0 and 10 points.

Second evaluation criterion
Form: Presentation of the document.
This criterion represents 5 points of the total of 100 points of the activity.

High level: The presentation is structured appropriately, is carried out using online electronic presentation software and includes references in APA format.
If your work is at this level, you can get between 4 and 5 points.

Medium level: The presentation does not include references, is not structured in a totally orderly manner, or is not done in online electronic presentation software.
If your work is at this level, you can get between 2 and 3 points.

Low level: The presentation is not structured in an organized way.
If your work is at this level, you can get between 0 points and 1 point.

Third evaluation criterion
Participation: Participation in the forum.
This criterion represents 5 points of the total of 100 points of the activity.

High level: Promotes the generation of different points of view related to the topic, enriching the discussion and adding value to it.
If your work is at this level, you can get between 4 and 5 points.

Medium level: The content of some messages is not coherent with the subject matter, not all of them are original or they do not always promote the generation of different points of view, enriching the discussion and adding value to it.
If your work is at this level, you can get between 2 and 3 points.

Low level: The contents of the messages are not coherent with the subject matter, they are not original or they do not promote the generation of different points of view for the discussion and adding value to it.
If your work is at this level, you can get between 0 points and 1 point.

Fourth evaluation criterion
Contents: Perform the Penetration Test in a WEB application.
This criterion represents 50 points of the total of 100 points of the activity.

High level: Each student performs the Penetration Test of a proposed application with the evidence of the application configuration, the attacks and the vulnerabilities found.
If her work is at this level, she can get between 26 points and 50 points.

Medium level: The student partially performs the Penetration Test of a proposed application with some of the evidence of the application configuration, the attacks and the vulnerabilities found.
If your work is at this level, you can get between 10 and 25 points.

Low level: The student does not perform the Penetration Test adequately or does not complete the activity.
If your work is at this level, you can get between 0 and 9 points.

Fifth evaluation criterion
Form: Presentation of the independent work document.
This criterion represents 10 points of the total of 100 points of the activity.

High level: The student presents a document in Word or PDF with all the elements: Cover, Objectives, Documentation of how the Test procedure has been carried out, results of vulnerabilities and safeguards, and includes bibliographic references in APA format, with no spelling errors and good writing.
If your work is at this level, you can get between 6 and 10 points.

Medium level: The student presents a document in Word or PDF with some of the requested elements and includes bibliographic references in APA format and/or with spelling errors and/or good writing.
If your work is at this level, you can get between 3 and 5 points.

Low level: The document is not structured in an organized way, has spelling errors and bad writing, does not include APA standards or the activity was not carried out.
If your work is at this level, you can get between 0 and 2 points.
