Task
A web session is a sequence of HTTP request and response transactions associated with the same user. As HTTP is a stateless protocol, web applications must implement session management that retains user state between transactions. The mechanism that establishes and maintains the session state is effectively a user's credential, and as such it is often the target of attackers seeking to impersonate a user.
This practical task requires you to perform a detailed analysis of a session management mechanism as part of an ethical hacking engagement. You will analyse the session material and information supplied by the client (available in i2), and then advise them on the weaknesses discovered. You will also provide recommendations for ways to improve the session management of their web application.
Your tasks are as follows:
Research session management using appropriate online resources (such as OWASP)
Describe the threats to the business, the vulnerabilities that may be exploited and the potential impacts
Analyse the customer environment and session material
Report on any weaknesses found in your analysis that increase the likelihood or impact of an attack
Make recommendations for improving session management supported by industry literature
Rationale
This assessment task will assess the following learning outcome/s:
be able to analyse information system weaknesses, and demonstrate how these make an environment vulnerable to attack.
be able to apply reconnaissance tools and techniques to obtain information during this phase of the hacking process.
be able to compare and contrast different techniques used by intruders to penetrate a system and escalate privileges.
be able to implement countermeasures to prevent attackers causing harm to their target, and from covering their tracks.
be able to analyse and compare common web application attack techniques, and justify defences that mitigate these attacks.
Marking criteria and standards