A2: Session Management Analysis
Value: 30%
Due Date: 09-Jan-2023
Return Date: 31-Jan-2023
Length: 1500
Group Assessment: No
Submission method options: Turnitin with Blackboard (Interact 2)
Task
A web session is a sequence of HTTP request and response transactions
associated with the same user. As HTTP is a stateless protocol, web
applications must implement session management that retains user state
between transactions. The mechanism for establishing and maintaining the
session state is effectively a user's credential, and as such is often the target
of attackers seeking to impersonate a user.
This practical task requires you to perform a detailed analysis of a session
management mechanism as part of an ethical hacking engagement. You will
analyse the session material and information supplied by the client available
in i2, and then advise them on the weaknesses discovered. You will also
provide recommendations for ways to improve their session management for
their web application.
Your tasks are as follows:
Research session management using appropriate online resources
(such as OWASP)
Describe the threats to the business, the vulnerabilities that may be
exploited and the potential impacts
Analyse the customer environment and session material (supplied as a
download in i2)
Report on any weaknesses found in your analysis that increase the
likelihood or impact of an attack
Make recommendations for improving session management supported
by industry literature
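As an added illustration of the analysis the tasks above ask for (example code written for this page, not material from the subject or the client), the script below checks constructed session material for the weaknesses an ethical-hacking report would typically flag: missing cookie protections, a small identifier space, and sequential identifiers. The sample header, the sample identifiers, the 64-bit threshold and all function names are assumptions.

```python
"""Added example: an offline analyser for client-supplied session material.
It parses a Set-Cookie header and a sample of session identifiers and
reports the weaknesses a reviewer would write up. All data is constructed."""
import math


def parse_set_cookie(header):
    """Split a Set-Cookie header into its name/value pair and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flag -> True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_findings(cookie):
    """Report missing transport and script protections on the session cookie."""
    attrs = cookie["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by injected script")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cross-site requests carry it")
    return findings


def identifier_findings(ids, min_bits=64):
    """Estimate the identifier space and detect sequential (guessable) IDs."""
    findings = []
    alphabet = set("".join(ids))          # characters actually observed
    length = min(len(i) for i in ids)
    est_bits = length * math.log2(len(alphabet))
    if est_bits < min_bits:
        findings.append(f"identifier space about {est_bits:.0f} bits (< {min_bits})")
    if all(i.isdigit() for i in ids):
        nums = sorted(int(i) for i in ids)
        if len({b - a for a, b in zip(nums, nums[1:])}) == 1:
            findings.append("identifiers are sequential: next ID is predictable")
    return findings


# Constructed sample: one login response header and four captured identifiers.
SAMPLE_HEADER = "SESSIONID=100042; Path=/"
SAMPLE_IDS = ["100040", "100041", "100042", "100043"]

if __name__ == "__main__":
    for line in cookie_findings(parse_set_cookie(SAMPLE_HEADER)) + identifier_findings(SAMPLE_IDS):
        print("WEAKNESS:", line)
```

Each finding maps to a recommendation (Secure/HttpOnly/SameSite attributes; long, random identifiers from a cryptographic generator), which is the structure the report is expected to follow.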
Rationale
This assessment task will assess the following learning outcome/s:
be able to analyse information system weaknesses, and demonstrate
how these make an environment vulnerable to attack.
be able to apply reconnaissance tools and techniques to obtain
information during this phase of the hacking process.
be able to compare and contrast different techniques used by intruders
to penetrate a system and escalate privileges.
be able to implement countermeasures to prevent attackers causing
harm to their target, and from covering their tracks.
be able to analyse and compare common web application attack
techniques, and justify defences that mitigate these attacks.
Marking criteria and standards
Each criterion is listed with the standard expected for each grade band (HD, DI, CR, PS, FL) and the marks available.

Criterion 1 (30 marks): Describe the principles of web application session management including common attacks and defences.
HD: Web application session management has been accurately, comprehensively, and succinctly explained, and an appropriate range of attacks and defences have been accurately and succinctly described.
DI: Web application session management has been accurately explained, and an appropriate range of attacks and defences have been accurately described.
CR: Web application session management has been explained, and an appropriate range of attacks and defences have been accurately described. Some factual inaccuracies may exist.
PS: Web application session management has been mostly explained, and some attacks and defences have been somewhat described. Significant factual inaccuracies may exist.
FL: Web application session management has not been accurately explained and/or appropriate attacks and defences have not been accurately described. Significant inaccuracies exist.

Criterion 2 (30 marks): Critique the existing session management solution, identifying any vulnerabilities and explaining threats faced by the business.
HD: The existing solution has been accurately, comprehensively, and succinctly explained, and a range of appropriate threats and vulnerabilities have been identified, accurately explained, and related to the business scenario.
DI: The existing solution has been accurately explained, and a range of appropriate threats and vulnerabilities have been identified, explained, and related to the business scenario.
CR: The existing solution has been explained, and some appropriate threats and vulnerabilities have been identified, explained, and related to the business scenario. Some factual inaccuracies may exist.
PS: The existing solution has been mostly explained, and some threats and vulnerabilities have been identified, explained, and somewhat related to the business scenario. Significant factual inaccuracies may exist.
FL: The existing solution is poorly explained, and/or the security flaws are poorly or inaccurately described. Significant inaccuracies exist.

Criterion 3 (30 marks): Make suitable recommendations for improving web application session management.
HD: Creative, insightful, and appropriate recommendations are proposed, and succinctly and clearly explained, that will improve the overall security posture of the web application.
DI: Appropriate recommendations are proposed, and clearly explained, that will improve the overall security posture of the web application.
CR: Clear recommendations are proposed and explained that will improve the overall security posture of the web application. Some factual inaccuracies may exist.
PS: Recommendations are proposed and explained that will somewhat improve the overall security posture of the web application. Significant factual inaccuracies may exist.
FL: Recommendations are not clear or appropriate or will not improve the security posture. Significant inaccuracies exist.

Criterion 4 (10 marks): Present the information in a neat and professional format using appropriate literature to support your recommendations.
HD: Presentation and formatting are professional and communicate with the reader very clearly. Appropriate literature has been sourced and effectively used to support the proposals.
DI: Presentation and formatting are professional and communicate well with the reader. Appropriate literature has been sourced and effectively used to support the proposals.
CR: Presentation and formatting are clear and communicate well with the reader. Appropriate literature has been sourced and used to support the proposals.
PS: Presentation and formatting are mostly clear and communicate reasonably well with the reader. Somewhat appropriate literature has been sourced and used to support the proposals.
FL: Presentation and formatting are not clear or effective, and/or the literature sourced is inappropriate or not effectively used to support the proposals.
Presentation
Use a report format, with correct grammatical protocols and accurate spelling,
punctuation and word count.
Feel free to use headings and bullet-lists where you think this is appropriate.
APA referencing should be used unless students have made prior
arrangements with the subject mentor.
Requirements
Word count for this assignment is taken seriously. The word count
reflects the level of detail you are required to put into your assignment.
Students who exceed the word count by more than 10% will be penalised, and
students who exceed the word count by an excessive amount may not have their
assignment marked beyond a certain point, to ensure fairness to other
students who have completed the assignment within the guidelines given.
Administrative sections of your assignment such as the cover page, table of
contents, and reference list are not included in the word count. In-text citations