Learn by Directing AI
All materials

CLAUDE.md

P2 -- Multi-Vulnerability Assessment

Client: Ruta Kazlauskiene, Gintaro Kelias (Klaipeda, Lithuania) Project: Security assessment of an amber jewelry online store after a customer received a phishing email

What you're building

A multi-vulnerability security assessment of a WooCommerce-style e-commerce application. The assessment covers reconnaissance with version detection, exploitation of multiple vulnerability types (XSS, command injection, credential testing), Sigma rule authoring for each finding, priority-based remediation, web application hardening with security headers, and a multi-finding report for the client.

Tech stack

  • WooCommerce-style vulnerable application (PHP 8.1, MySQL, Apache)
  • Docker Compose (lab environment + monitoring)
  • Nmap (with -sV, -sC for version detection)
  • sqlmap (SQL injection testing)
  • Hydra (credential testing)
  • ZAP (passive scanning for missing headers)
  • pySigma (Sigma rule to LogQL conversion)
  • Grafana/Loki/Alloy (monitoring and detection)
  • curl (header verification)
  • Claude Code (AI agent)

File structure

materials/
  CLAUDE.md              -- this file
  docker-compose.yml     -- lab environment definition
  scope-document.md      -- assessment boundaries
  ttp-selection.md       -- vulnerability types and testing methods
  client-email.md        -- Ruta's initial email
  sigma-rule-starter.yml -- Sigma rule template (structure only)
  report-template.md     -- multi-finding report template
  vulnerable-app/        -- Docker application and configs
  scripts/               -- generation and verification scripts
  images/                -- placeholder for generated images

Tickets

  • T1: Environment setup and brief review -- lab running, client understood, scope read
  • T2: Reconnaissance with version detection -- Nmap -sV/-sC, banner interpretation, defender's view
  • T3: Multi-vulnerability exploitation -- XSS (reflected + stored), command injection, Hydra credentials
  • T4: Sigma rule authoring and alert deployment -- write rules per finding, convert to LogQL, deploy, test
  • T5: Priority-based remediation and hardening -- fix by risk order, security headers, information disclosure
  • T6: Multi-finding assessment report -- executive summary, priority-ranked findings, recommendations

Verification targets

  • Nmap -sV returns version data for at least two services (T2)
  • At least two vulnerability types confirmed with evidence (T3)
  • At least two Sigma rules fire on corresponding attack replay (T4)
  • All previously successful exploits fail after remediation (T5)
  • Security headers present in curl response (T5)
  • Report contains executive summary, 3+ priority-ranked findings, verification evidence (T6)

Commit convention

p2-tN: brief description (e.g., p2-t1: set up lab and review brief)

Key references

  • Scope document defines what you can test. Nothing outside scope, ever.
  • TTP selection lists the vulnerability types and tools for each.
  • All exploitation must stay within scope boundaries.
  • The staging site at port 8081 is in scope.