Software Vulnerabilities | XVWA Penetration Testing Assignment Report

Published: 13 Jun, 2025
Category: Assignment
Subject: Education
University: _____
Module Title: Software Vulnerabilities
Assignment title: A Lab Report on XVWA Vulnerability Testing
Academic year: 2025

Assignment:

1. Executive Summary

Provide a non-technical overview of the test. Include key findings, risk levels, and high-level recommendations.

2. Methodology

Describe the tools, techniques, and methodologies used (e.g., PTES, OWASP). Include ethical considerations and rules of engagement.

3. Information Gathering

Summarize scanning results (e.g., Nmap, Nikto). Document open ports, services, technologies, and exposed endpoints.

4. Threat Analysis

Apply STRIDE to identify potential threats. Include a STRIDE matrix. Use the DREAD model to rate at least 3 key threats. Include a DREAD scoring table.

5. Vulnerability Analysis

Document each vulnerability found in the application. Include type, location, description, severity rating (e.g., CVSS), and screenshots or logs as evidence.

6. Exploitation

Provide step-by-step execution of at least 3 different exploits. Include payloads used, technical evidence, and potential impact.

7. Recommendations

For each vulnerability, provide remediation guidance based on best practices (e.g., secure coding, access control, patching).

8. Appendix

Include scan logs, payload scripts, tool versions, and references.

Below is the penetration testing assignment adapted for XVWA (Xtreme Vulnerable Web Application). XVWA contains a broader range of modern vulnerabilities than older practice targets and is suitable for practicing advanced testing techniques alongside the OWASP Top 10 risks.

Practical XVWA Penetration Testing Assignment

Objective:

Students will conduct a structured web application penetration test on XVWA in a controlled lab setup. The exercise covers Information Gathering, Threat Analysis (STRIDE & DREAD), Vulnerability Identification, and Exploitation, culminating in a professional-grade pentest report.

Test Environment Setup:

  • Target App: XVWA (Xtreme Vulnerable Web Application)
  • Environment: Hosted locally (XAMPP, Docker, or Kali prebuilt)
  • Security Level: XVWA does not use security levels; students may test all modules
  • Tools Allowed: Nmap, Burp Suite, OWASP ZAP, Nikto, Dirb, WhatWeb, etc.
  • Boundaries: Testing must remain within the assigned test machine. No DoS attacks.


Student Tasks:

1. Information Gathering – Scanning (Reconnaissance)

  • Identify open ports and services using Nmap
  • Detect software and framework versions (e.g., Apache, PHP)
  • Run Nikto or Dirb to enumerate web directories and files
  • Analyze HTTP headers, cookies, and session management
  • Document the attack surface with findings
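The header, cookie and session-management review in the reconnaissance step can be made repeatable with a small checker. The script below is an added example, not part of XVWA or the assignment brief; the two HTTP responses it inspects are constructed (the Apache/PHP version strings are placeholders), and the set of headers it treats as required is an assumption that a report should state.

```python
"""Audit an HTTP response for missing security headers, version disclosure
and weak session-cookie flags (added example; sample responses are constructed)."""

# Headers whose absence is worth a finding, with the consequence to report.
EXPECTED_HEADERS = {
    "content-security-policy": "no CSP; injected script is not restricted",
    "x-frame-options": "no clickjacking protection",
    "strict-transport-security": "no HSTS; session can be downgraded to plain HTTP",
    "x-content-type-options": "MIME sniffing allowed; uploads may be interpreted as script",
}
# Headers that leak the technology stack (useful for the attack-surface write-up).
DISCLOSURE_HEADERS = ("server", "x-powered-by")


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...]).
    Header names are case-insensitive, so they are lower-cased; Set-Cookie
    may repeat, hence a list rather than a dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_cookie(set_cookie: str) -> list:
    """Return findings for one Set-Cookie value: HttpOnly, Secure and SameSite."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.lower()] = val
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by injected script)")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (sent over plain HTTP)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite not Lax/Strict (CSRF exposure)")
    return findings


def audit_response(raw: str) -> list:
    """Combine header and cookie checks into one list of findings."""
    _status, headers = parse_response(raw)
    present = {name for name, _ in headers}
    findings = [f"missing {h}: {why}" for h, why in EXPECTED_HEADERS.items()
                if h not in present]
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            findings.append(f"{name} discloses '{value}'")
        if name == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings


# Constructed response of the kind a default PHP lab target returns.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.x (placeholder)\r\n"
    "X-Powered-By: PHP/7.x (placeholder)\r\n"
    "Set-Cookie: PHPSESSID=c0nstructed123; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed response with the headers and cookie flags the report would recommend.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: PHPSESSID=c0nstructed123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("-", finding)
```

Each finding maps directly to a line in the Recommendations section (add the header, set the cookie flags, suppress version banners), which keeps the reconnaissance evidence and the remediation advice consistent.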

2. Threat Identification & Analysis (STRIDE and DREAD)

  • Apply STRIDE to key components (e.g., login page, file upload, API endpoints):
      • Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege
  • Rate 3–5 threat scenarios using the DREAD model:
      • Damage, Reproducibility, Exploitability, Affected Users, Discoverability
  • Justify scores with contextual reasoning
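The STRIDE matrix and DREAD scoring table the brief asks for can be produced from a structured list of threat scenarios rather than filled in by hand. The code below is an added example, not part of XVWA or the assignment; the three scenarios and their scores are constructed illustrations, and the 1–10 scale and the High/Medium/Low thresholds are assumptions that the report's rationale column should make explicit.

```python
"""STRIDE matrix and DREAD scoring table for the threat-analysis step.
Added example; scenarios, scores and risk-band thresholds are constructed."""
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")
DREAD = ("Damage", "Reproducibility", "Exploitability", "Affected Users",
         "Discoverability")


@dataclass
class Threat:
    component: str   # e.g. "login page", "file upload"
    stride: str      # one STRIDE category
    scenario: str    # short description of the threat
    scores: dict     # DREAD category -> integer 1..10 (assumed scale)
    rationale: str   # contextual justification for the scores

    def __post_init__(self):
        # Reject malformed entries early so the scoring table stays trustworthy.
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.stride}")
        if set(self.scores) != set(DREAD):
            raise ValueError(f"scores must cover exactly {DREAD}")
        for cat, val in self.scores.items():
            if not (isinstance(val, int) and 1 <= val <= 10):
                raise ValueError(f"{cat} score must be an integer 1..10")

    def dread_score(self) -> float:
        """Average of the five DREAD scores, rounded to one decimal."""
        return round(sum(self.scores[c] for c in DREAD) / len(DREAD), 1)

    def risk_band(self) -> str:
        """Assumed bands: >= 7 High, >= 4 Medium, otherwise Low."""
        score = self.dread_score()
        return "High" if score >= 7 else "Medium" if score >= 4 else "Low"


def stride_matrix(threats, components):
    """Count identified scenarios per component x STRIDE category.
    Components with no scenario still appear, so gaps in coverage are visible."""
    matrix = {c: {s: 0 for s in STRIDE} for c in components}
    for t in threats:
        matrix.setdefault(t.component, {s: 0 for s in STRIDE})[t.stride] += 1
    return matrix


def rank_threats(threats):
    """Highest DREAD score first; this is the order for the scoring table."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)


def render_dread_table(threats) -> str:
    """Plain-text DREAD table that can be pasted into the report."""
    cols = [c[:4] for c in DREAD]
    rows = ["Scenario | " + " | ".join(cols) + " | Score | Risk"]
    for t in rank_threats(threats):
        vals = " | ".join(f"{t.scores[c]:>4}" for c in DREAD)
        rows.append(f"{t.scenario} | {vals} | {t.dread_score():>5} | {t.risk_band()}")
    return "\n".join(rows)


def sample_threats():
    """Constructed scenarios for three XVWA components (scores are illustrative)."""
    return [
        Threat("login page", "Elevation of Privilege",
               "SQL injection in login bypasses authentication",
               {"Damage": 9, "Reproducibility": 9, "Exploitability": 8,
                "Affected Users": 8, "Discoverability": 9},
               "Unauthenticated, trivially repeatable, affects every account"),
        Threat("XML endpoint", "Information Disclosure",
               "XXE reads local files from the web server",
               {"Damage": 7, "Reproducibility": 8, "Exploitability": 6,
                "Affected Users": 5, "Discoverability": 6},
               "Needs a crafted XML body; exposes server files rather than user data"),
        Threat("profile form", "Tampering",
               "CSRF changes a victim's profile without consent",
               {"Damage": 4, "Reproducibility": 7, "Exploitability": 5,
                "Affected Users": 6, "Discoverability": 5},
               "Requires a logged-in victim to visit attacker-controlled content"),
    ]


if __name__ == "__main__":
    threats = sample_threats()
    print(render_dread_table(threats))
    for component, counts in stride_matrix(threats, ["login page", "XML endpoint",
                                                     "profile form", "file upload"]).items():
        print(component, counts)
```

Keeping the rationale next to the scores matters more than the arithmetic: DREAD is subjective, so the report's credibility rests on each number being justified by the context of that component.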

3. Vulnerability Identification & Analysis

  • Test for a variety of vulnerabilities offered by XVWA modules:
      • SQL Injection
      • Cross-Site Scripting (Reflected, Stored)
      • XML External Entity (XXE)
      • Cross-Site Request Forgery (CSRF)
      • File Upload Bypass
      • Command Injection
      • Server-Side Request Forgery (SSRF)
      • Insecure Direct Object References (IDOR)

Provide:

  • Description of vulnerability
  • Screenshot or payload proof
  • Risk severity using CVSS or qualitative scoring

4. Exploitation

  • Demonstrate exploitation of at least 3 different vulnerabilities, for example:
      • Stealing session cookies using XSS
      • Reading system files via XXE
      • Gaining reverse shell access through File Upload or Command Injection

Include:

  • Payloads used
  • Step-by-step process
  • Proof of impact (screenshots, data exfiltration, access gained)


Pentest Report Template (To Be Submitted)

“Penetration Testing Report – XVWA”

1. Executive Summary

  • Non-technical overview for stakeholders
  • Key findings, risks, and security recommendations

2. Methodology

  • Outline of tools and techniques used
  • Penetration testing phases followed (e.g., PTES or OWASP)
  • Statement of ethical practice

3. Information Gathering

  • IP, hostname, service detection
  • HTTP/HTTPS analysis
  • Web structure and technology stack

4. Threat Analysis

  • STRIDE matrix for selected components
  • DREAD scoring table with rationale

5. Vulnerability Analysis

  • Full detail of identified vulnerabilities
  • Proof (screenshots, logs, payloads)
  • Severity ratings and impact

6. Exploitation

  • Exploit demonstration with description
  • Technical steps and screenshots
  • Description of actual vs. potential damage

7. Recommendations

  • Remediation advice: code fixes, configurations, or policies
  • Suggested OWASP or NIST guidelines

8. Appendix

  • Tools used and versions
  • Nmap/Nikto/Burp/ZAP outputs
  • References and links

Grading Criteria
