Application Security Assessment

Question 1: Please explain three (3) tiers of a modern web application and use a diagram to demonstrate the interaction between between them. (2 mark)

Question 2: Please provide an example of a threat scenario (an attack) for broken access control and explain how you would mitigate it. (2 mark)

Question 3: Please provide an example to use RSA encryption algorithm to encrypt “MCBS”. You may need to show the steps to calculate the public and private keys as well as how each letter of the plaintext can be encrypted and decrypted successfully. (5 mark)

Question 4 (practical): Your friend, the network manager of an Internet service provider, approached you because he knows you are studying information/cybersecurity at MCBS and wanted your viewpoint on a recent incident that occurred in their company. He explained what happened by saying that his browser showed a strange message when he logged into his admin account and tried to read comments that customers had left. Following this, his account was compromised, and someone else was able to gain access to his administrator account and add a specific account to the database.

Based on the explanation and your preliminary investigation, you suspect that this is a "cross-site scripting (XSS)" attack. Please demonstrate (using explanation and images) how you identified this vulnerability, how the attacker exploited it, and how you mitigated it against future attacks. (3 mark)

Question 5: Consider a simple web application with a login page to implement threat modeling, the goal of which is to protect the same website from OS command attack. Then, using Microsoft threat modeling, answer the following questions. (3 mark)

1. Identify the assets/scope
2. Create a data flow diagrams/architecture
3. Identify the vulnerability
4. Identify the threat, by considering STRIDE
5. Document the threat
6. Rate the threat