This unit provides the knowledge and skills to expand the testing capability for web vulnerabilities. The unit includes skills in using advanced features of current toolsets in order to identify weaknesses in the security of an organisation's website. It also includes the development of a penetration (PEN) test report that identifies the root cause of the issues found and includes mitigation strategies for the identified website weaknesses.
This unit uses the Open Web Application Security Project (OWASP) testing methodology and open source tools to provide a sound foundation for developing these skills.

Unit details

Study level:
Vocational and further education (TAFE)
Unit code:
VU22254

Assessment

Assessment tasks will be designed to reinforce and extend knowledge and skill competence within set and controlled parameters, in accordance with each unit's learning outcomes and performance criteria requirements. This includes the setting of work-based practical application tasks designed to provide evidence of competence outcomes, within periodic and scheduled timelines.

Students will be expected to demonstrate the following required skills:
- Performing calculations in binary and hexadecimal number systems
- Reading and accurately interpreting documents and reports
- Operating a personal computer
- Interpreting network diagrams
- Assembling, participating in and coordinating a work team
- Problem solving within a team environment
- Evaluating the performance of a work team
- Contributing to the process of enhancing team performance
- Developing a project implementation plan, including realistic timelines and allocation of tasks to team members
- Establishing a project risk assessment
- Gathering, testing and allocating project resources
- Using penetration testing concepts and procedures to test a cyber security infrastructure
- Installing and using software packages
- Using basic Linux commands
- Interpreting and writing scripts
- Preparing technical documentation
- Making presentations to clients

Students will also be expected to demonstrate the following knowledge:
- Web application development practices (e.g. waterfall, agile)
- Web application development environments
- Web architectures
- Web frameworks
- Secure development lifecycle
- Web application enumeration tools (Nikto, dirb, wfuzz, cadaver, wpscan, skipfish, etc.)
- Custom wordlists for spidering
- User agent string values
- Web application technology stacks
- Web application proxy tools (e.g. Burp Suite)
- Spidering and scanning tools (e.g. Burp Spider)
- Penetration testing frameworks (e.g. the OWASP Testing Guide)
- Common website vulnerabilities, such as:
  o Injection weaknesses
  o Broken authentication and session management weaknesses
  o Cross-site scripting (XSS) weaknesses
  o Insecure direct object reference weaknesses
  o Security misconfiguration weaknesses
  o Sensitive data exposure weaknesses
  o Missing function-level access control weaknesses
  o Cross-site request forgery (CSRF) weaknesses
  o Use of components with known vulnerabilities
  o Unvalidated redirects and forwards weaknesses

VU takes care to ensure the accuracy of this unit information, but reserves the right to change or withdraw courses offered at any time. Please check that unit information is current with the Student Contact Centre.