scope-document.md

Security Assessment Scope Document

Engagement Overview

Security assessment of the Gintaro Kelias online jewelry store, commissioned by the owner Ruta Kazlauskiene after a customer received a suspicious phishing email that appeared to originate from the shop. The assessment will determine whether the online store has vulnerabilities that could have allowed unauthorized access to customer data.

Target System

The online store is a WooCommerce-style application running in a Docker lab environment:

  • Main application: http://localhost:8080 -- the primary e-commerce shop
  • Staging application: http://localhost:8081 -- the test/staging version of the shop
  • Database: MySQL service accessible to the application containers

In Scope

  • The web application on ports 8080 and 8081 (HTTP), including all pages and functionality
  • All input fields: search forms, product review submissions, login forms, contact forms, any administrative interfaces
  • The WordPress-style admin panel and authentication mechanisms
  • Customer account creation and login functionality
  • Database services the application exposes to the network
  • The staging site and its relationship to the main application

Out of Scope

  • The host operating system
  • Other containers in the Docker network (Grafana, Loki, Alloy) -- these are monitoring tools, not assessment targets
  • Any external networks or services
  • Denial-of-service testing
  • Social engineering
  • The Stripe payment integration (payments are handled by a third party)
  • Physical security

Authorized Activities

  • Port scanning with version detection (Nmap, including -sV and -sC flags)
  • Cross-site scripting (XSS) testing -- reflected and stored
  • Command injection testing
  • SQL injection testing (sqlmap)
  • Credential testing (Hydra against authentication endpoints)
  • Passive web application scanning (OWASP ZAP in passive mode)
  • Log analysis via the Grafana/Loki monitoring stack
  • Security header analysis (curl, browser developer tools)
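The security header analysis in the list above can be scripted so that the same check runs identically against the main shop (port 8080) and the staging copy (port 8081) and its result is recorded as evidence. The script below is an added example written for this page, not a deliverable of the engagement: the baseline header list is the editor's assumption rather than a requirement stated in the scope, and the sample response is constructed to approximate a WordPress/WooCommerce container, not captured from the lab. Besides the missing hardening headers it also lists headers that leak software versions, which feeds the version-detection side of the assessment.

```shell
#!/usr/bin/env bash
# Added example (not part of the original scope document): security header
# check for the in-scope targets http://localhost:8080 and http://localhost:8081.
# Reads raw HTTP response headers on stdin and reports which hardening headers
# are missing. Live use: ./check_headers.sh http://localhost:8080/
set -u

# Baseline headers a practitioner expects on a production storefront.
# Assumption: this list is the editor's baseline, not a requirement of the scope.
EXPECTED_HEADERS="Strict-Transport-Security Content-Security-Policy X-Content-Type-Options X-Frame-Options Referrer-Policy"

# check_security_headers: read raw response headers from stdin, print one line
# per expected header ("present"/"MISSING") and return the number of missing
# headers as the exit status (0 = all present). Header names are matched
# case-insensitively, as HTTP requires, and CRLF line endings are tolerated.
check_security_headers() {
    local headers missing=0 name
    headers=$(cat)
    for name in $EXPECTED_HEADERS; do
        if printf '%s\n' "$headers" | grep -qi "^${name}:"; then
            printf 'present  %s\n' "$name"
        else
            printf 'MISSING  %s\n' "$name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# leaky_headers: print headers that disclose server or runtime versions
# (useful evidence for the version-detection part of the assessment).
leaky_headers() {
    grep -iE '^(Server|X-Powered-By):' | tr -d '\r'
}

# Constructed sample headers approximating a WordPress/WooCommerce container.
# NOT captured from the lab; used only so the script runs offline.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.57 (Debian)
X-Powered-By: PHP/8.2.12
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Link: <http://localhost:8080/wp-json/>; rel="https://api.w.org/"
'

# Live mode: fetch a GET response's headers from the given URL. -D - dumps the
# headers, -o /dev/null discards the body; a GET (rather than -I/HEAD) is used
# because some applications answer HEAD with a different header set.
if [ "${1:-}" != "" ]; then
    curl -s -D - -o /dev/null --max-time 10 "$1" | check_security_headers
    exit $?
fi

# Offline demonstration on the constructed sample (4 of 5 headers missing).
printf '%s' "$SAMPLE_HEADERS" | check_security_headers || true
echo "--- version-leaking headers ---"
printf '%s' "$SAMPLE_HEADERS" | leaky_headers || true
```

Run it once per in-scope base URL and keep the output with the finding; because the function's exit status is the count of missing headers, it can also gate a larger evidence-collection script. The check is read-only (a single GET per target) and so stays well inside the availability constraint.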

Constraints

  • Testing must not disrupt the shop's availability. Ruta has holiday orders coming in.
  • All findings must be documented with evidence and impact assessment.
  • Credential testing should use short, targeted wordlists and a low thread count (Hydra's -t option), not exhaustive brute force: lockouts or rate limiting triggered by the test would affect real customers and the availability constraint above.
  • Any discovered vulnerability must be reported, even if exploitation was not fully demonstrated.