
scope-document.md

Security Assessment Scope Document

Engagement: Web Application Security Assessment — Baobab Bay Lodge Booking System
Client: Jean-Marc Rasoanaivo, Owner and Manager, Baobab Bay Lodge
Assessor: [Your name]
Date: [Assessment start date]


Engagement Overview

Baobab Bay Lodge has commissioned a security assessment of its online booking system. The owner has concerns about the security of guest data following a similar business in Mauritius suffering a data breach through its booking platform. The assessment will determine whether the booking website is vulnerable to common web application attacks and provide findings, remediation actions, and hardening recommendations.

Target System

The target is the Baobab Bay Lodge booking website, accessible at:

  • URL: http://localhost:8080
  • Technology: PHP web application with MySQL database backend
  • Function: Guest booking management — collects names, email addresses, phone numbers, booking dates, and passport numbers for immigration reporting
  • Hosting: Single server (represented in this assessment by the Docker lab environment)

In Scope

The following systems and activities are authorized for this assessment:

  • The web application running on port 80/8080 (HTTP)
  • Any database services the application exposes to the network
  • The application's authentication mechanism
  • The booking form and all user-facing input fields
  • Port scanning of the target host to identify exposed services
  • SQL injection testing against identified input parameters
  • Manual inspection of the web application's behavior and responses
  • Log analysis via the monitoring stack to review attack evidence

Out of Scope

The following are explicitly excluded from this assessment:

  • The host operating system
  • Other services in the infrastructure (Grafana, Loki, Alloy monitoring stack)
  • External networks, third-party services, or upstream providers
  • The lodge's Wi-Fi network or any wireless infrastructure
  • Denial-of-service testing or any activity that disrupts availability
  • Social engineering of staff or guests
  • Physical security assessment
  • Payment gateway systems (handled by a third-party provider)

Authorized Activities

| Activity | Tool | Purpose |
| --- | --- | --- |
| Port and service scanning | Nmap | Identify exposed services and attack surface |
| SQL injection testing | sqlmap | Test input fields for injection vulnerabilities |
| Manual web application testing | Browser, curl | Inspect application behavior and responses |
| Log analysis | Grafana (via Loki) | Review access logs for attack evidence and detection |

Constraints

  • Testing must not disrupt the booking system's availability. Jean-Marc's guests are actively using the site during whale season.
  • All findings must be documented with evidence (tool output, screenshots, log entries).
  • Testing is limited to the techniques and tools listed in the TTP selection document.
  • Any discovered vulnerability must be reported to the client with remediation guidance.

Client Contact

Jean-Marc Rasoanaivo, Owner — available for questions via email during business hours. Response time is typically within a few hours during the day, slower in the evening.