P1 — Booking Page Security Assessment
Client: Jean-Marc Rasoanaivo, Baobab Bay Lodge, Nosy Be, Madagascar What you are building: A security assessment of a small eco-lodge's booking website. You will direct Claude through reconnaissance, exploitation, detection review, remediation, hardening, and reporting — the full purple team loop. Tech stack: DVWA (PHP/MySQL), Docker Compose, Nmap, sqlmap, Grafana/Loki/Alloy monitoring stack, Claude Code
File structure
materials/
CLAUDE.md ← This file. Project hub.
docker-compose.yml ← Lab environment (DVWA + monitoring stack)
alloy-config.river ← Log collection pipeline config
grafana-provisioning/ ← Auto-configures Grafana data sources
datasources/loki.yml
scope-document.md ← Assessment boundaries — what you can and cannot test
ttp-selection.md ← Selected attack techniques and rationale
client-email.md ← Jean-Marc's initial email requesting the assessment
attack-methodology.md ← Step-by-step SQL injection testing methodology
sigma-rule-template.yml ← Detection rule for SQL injection in access logs
remediation-guidance.md ← How to fix the SQL injection (approaches and trade-offs)
hardening-checklist.md ← Baseline hardening actions for the lab environment
report-template.md ← Assessment report template for the client deliverable
scripts/
verify-environment.sh ← Health check script for the lab stack
images/ ← Visual assets (populated during media generation)
Tickets
- T1: Lab setup and brief review. Start the Docker environment, verify DVWA and Grafana are accessible, read the client email, scope document, and TTP selection. Done when: DVWA loads at localhost:8080, Grafana shows DVWA log entries at localhost:3000.
- T2: Passive and active reconnaissance. Perform passive recon and run an Nmap scan against the DVWA target. Document findings. Done when: Nmap shows at least port 80 and port 3306 as open; all targets within scope.
- T3: SQL injection exploitation. Run sqlmap against the DVWA SQL injection endpoint, confirm the finding, extract data, map to ATT&CK T1190 and OWASP A03:2021. Done when: sqlmap confirms injectable parameter and extracts data; finding mapped to taxonomies.
- T4: Log analysis and detection review. Find the SQL injection payload in Grafana logs. Read and test the Sigma rule. Evaluate detection quality. Done when: SQL injection payload visible in Grafana logs; Sigma rule fires on replayed attack.
- T5: Remediation and hardening. Fix the SQL injection, verify the fix by re-running sqlmap, apply hardening checklist, verify with Nmap. Done when: sqlmap fails after fix; port 3306 closed after hardening; DVWA still functions.
- T6: Assessment report delivery. Complete the report template for Jean-Marc. Translate findings into non-technical language. Push to GitHub. Done when: Report contains executive summary, finding with evidence, remediation results, hardening results, and recommendations; project pushed to GitHub.
Verification targets
| Target | Unit | How to verify |
|---|---|---|
| SQL injection confirmed | T3 | sqlmap reports parameter as injectable and extracts database records |
| Sigma rule fires | T4 | Replay the attack; the Sigma rule logic matches the injection pattern in log data |
| Fix verified | T5 | sqlmap reports parameter is not injectable after the prepared statement fix |
| Port 3306 closed | T5 | Nmap shows port 3306 as closed/filtered after hardening |
| Report delivered | T6 | Completed report with non-technical executive summary, evidence, and recommendations |
Commit convention
p1-tN: brief description
Examples: p1-t1: set up lab environment and review brief, p1-t3: confirm sql injection and document finding
Key references
The scope document defines what you are authorized to test. The TTP selection defines what attacks are planned. All scanning and exploitation must stay within scope boundaries. If Claude suggests testing something outside the scope document, that is a professional boundary violation — decline and explain why.