Policy

Rules of Engagement for Penetration Testing Exercise


1. Scope of the Exercise

  • Target Systems:
    • The server hosting WordPress.
    • Web server and its configurations.
    • WordPress application, including plugins and themes.
    • Services running on the server.
  • Out-of-Scope Systems:
    • Any systems or networks not explicitly listed as part of the target environment.
    • Third-party services or external systems not hosted on the target server.

2. Authorized Activities

  • Allowed Actions:
    • Exploiting vulnerabilities in the WordPress application.
    • Testing for common web application vulnerabilities.
    • Attempting to bypass security mechanisms.
    • Testing server access.
    • Attempting to escalate privileges on the server.
  • Prohibited Actions:
    • Testing outside the defined scope or targeting systems not explicitly authorized.

3. Legal and Ethical Guidelines

  • Authorization:
    • All testing activities are authorized.
  • Compliance:
    • Testing must comply with all applicable laws, regulations, and organizational policies.
    • Students must adhere to ethical hacking principles and avoid any malicious intent.

4. Reporting and Documentation

  • Findings:
    • All vulnerabilities discovered must be documented, including:
      • Description of the vulnerability.
      • Steps to reproduce the issue.
      • Potential impact of the vulnerability.
      • Recommended mitigation strategies.
  • Reporting Format:
    • A formal report must be submitted at the end of the exercise, including:
      • Executive summary.
      • Detailed technical findings.
      • Risk assessment and prioritization of vulnerabilities.
      • Remediation recommendations.

5. Communication Protocols

  • Point of Contact (POC):
    • Designated POC for reporting issues or emergencies during the exercise:
  • Incident Reporting:
    • Any unintended consequences, such as server downtime or data corruption, must be reported immediately to the POC.

6. Safety Measures

  • Backups:
    • A full backup of the server and WordPress application must be taken before the exercise begins.
  • Containment:
    • All testing must be confined to the designated lab environment.
    • No testing activities should impact production systems or external networks.

7. Post-Testing Actions

  • Restoration:
    • After the exercise, the server must be restored to its original state using the pre-test backup.
  • Debriefing:
    • A debriefing session will be held to discuss findings, lessons learned, and improvements for future exercises.

Acknowledgment
All participants must read and understand this Rules of Engagement document before beginning the penetration testing exercise.

POC: room3@tuta.com