Security Assessment Scope Document
Engagement Overview
- Client: Todorovi Wines (Dimitar Todorov, Owner and Winemaker)
- Location: Plovdiv, Bulgaria
- Assessment type: Web application and API security assessment
- Engagement duration: As needed within the lab environment
- Assessor authorization: Full authorization to test all in-scope systems within the lab environment
In-Scope Systems
Consumer Web Platform
- Application: Juice Shop instance (port 3000)
- Description: Online ordering platform for direct consumer purchases. Customer accounts with order history, product catalog, shopping cart, checkout.
- Testing authorized: Web application vulnerability scanning, manual exploitation, authentication testing, session management testing, input validation testing.
Restaurant Wholesale API
- Application: REST API endpoints under the /api/ path (port 3000, shared with the consumer web platform)
- Description: Wholesale ordering API used by 12 restaurant partners. API key authentication. Partner-specific pricing. Order management and invoicing.
- Testing authorized: API endpoint enumeration, authorization testing (BOLA, mass assignment), authentication testing, input validation, JWT handling if present.
DVWA Instance
- Application: DVWA (port 8080) at Medium/High difficulty
- Description: Deliberately vulnerable web application for exploitation testing at elevated difficulty levels.
- Testing authorized: All vulnerability categories at Medium and High difficulty settings.
Monitoring Stack
- Application: Grafana (port 3001), Loki (log storage), Alloy (log collection)
- Description: Log collection, storage, and visualization infrastructure.
- Testing authorized: Read access for log analysis and detection rule development. Dashboard creation and modification.
Docker Infrastructure
- Description: Container environment hosting all applications and services.
- Testing authorized: Container configuration assessment, CIS Docker Benchmark evaluation, image analysis.
Out-of-Scope Systems
| System | Reason |
|---|---|
| Mobile application | Dimitar's nephew built a wine club mobile app that connects to the same backend. This is a separate engagement. If discovered during assessment, flag the connection as a finding but do not test the mobile app. |
| Stripe payment processing | Referenced in the platform but not testable in the lab environment. Payment card handling is a PCI DSS concern to be noted in recommendations, not tested. |
| Production systems | All testing occurs in the lab environment. Do not attempt to access any production infrastructure. |
| External DNS/hosting | Domain registration, DNS configuration, and hosting infrastructure are outside this engagement. |
Rules of Engagement
- No denial-of-service testing. Do not intentionally disrupt service availability. Automated scanning tools must be configured to avoid overwhelming targets.
- No data exfiltration beyond proof-of-concept. Demonstrate data access with minimal records. Do not extract, store, or transmit large volumes of data.
- All findings documented immediately. Each confirmed vulnerability must be recorded with evidence at the time of discovery.
- Scope amendments require written client approval. If testing reveals systems or services not listed in this document, document the discovery and request scope amendment from Dimitar before testing.
- Scanner scope must be configured before execution. ZAP, Nuclei, and any automated tools must have explicit scope boundaries matching this document. Verify scope configuration before each scan.
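The scope-verification step in the last rule is easy to skip under time pressure, so the following added example (not part of the engagement document or of any tool's own code) encodes the in-scope table above as an allowlist and gates every scanner target against it before a scan is launched. It assumes a lab hostname of lab.local, since the document lists ports but no hosts; Loki and Alloy are left out because no port is given for them, and Grafana is classified as read-only because its authorization covers log analysis and dashboards, not active scanning. The ZAP regex shape and the sample target list are likewise constructed assumptions.

```python
"""Scope gate for automated scanners: refuse any target the scope document
does not cover. Added example; hostname 'lab.local' is an assumption."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

LAB_HOST = "lab.local"  # assumption: the scope document names ports, not hosts


@dataclass(frozen=True)
class ScopeEntry:
    name: str
    host: str
    port: int
    path_prefix: str = "/"
    active_scan: bool = True  # False = read/analysis only, never an active target


IN_SCOPE = (
    ScopeEntry("Consumer Web Platform (Juice Shop)", LAB_HOST, 3000),
    ScopeEntry("Restaurant Wholesale API", LAB_HOST, 3000, "/api/"),
    ScopeEntry("DVWA", LAB_HOST, 8080),
    # Grafana is authorized for read access and dashboard work only, so it is
    # excluded from active scanning even though it is an in-scope system.
    ScopeEntry("Monitoring Stack (Grafana)", LAB_HOST, 3001, active_scan=False),
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def classify(url: str) -> Optional[ScopeEntry]:
    """Return the most specific in-scope entry covering url, or None."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    path = parts.path or "/"
    candidates = [
        e for e in IN_SCOPE
        if e.host == parts.hostname.lower()
        and e.port == port
        and path.startswith(e.path_prefix)
    ]
    # Longest prefix wins, so /api/... maps to the wholesale API rather than
    # the consumer platform that shares port 3000 with it.
    return max(candidates, key=lambda e: len(e.path_prefix), default=None)


def gate(targets) -> dict:
    """Split candidate targets into scan, read_only and rejected buckets."""
    result = {"scan": [], "read_only": [], "rejected": []}
    for target in targets:
        entry = classify(target)
        if entry is None:
            result["rejected"].append(target)
        elif not entry.active_scan:
            result["read_only"].append(target)
        else:
            result["scan"].append(target)
    return result


def zap_include_regexes() -> list:
    """Anchored URL regexes for a ZAP context include list, one per active
    host:port. Assumption: anchored regexes are the form ZAP contexts accept."""
    return sorted({
        rf"^https?://{re.escape(e.host)}:{e.port}/.*"
        for e in IN_SCOPE if e.active_scan
    })


if __name__ == "__main__":
    # Constructed sample target list mixing in-scope and out-of-scope URLs.
    sample = [
        "http://lab.local:3000/rest/products/search?q=",
        "http://lab.local:3000/api/Orders/1",
        "http://lab.local:8080/vulnerabilities/sqli/",
        "http://lab.local:3001/api/dashboards",
        "https://api.stripe.com/v1/charges",
        "https://shop.example/",  # hypothetical production host
    ]
    for bucket, urls in gate(sample).items():
        print(bucket, urls)
    print("\n".join(zap_include_regexes()))
```

Run it over the exact target list a scanner is about to consume; anything in the rejected bucket is either out of scope or a newly discovered service that needs a written scope amendment under the rule above before it is touched. The regex list can be pasted into the ZAP context include list so the tool's own scope matches this document rather than whatever the spider happens to find.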
Authorized Testing Windows
Lab environment available 24/7. No restrictions on testing times.
Reporting Requirements
- Executive summary in non-technical language for Dimitar
- Technical findings section with CIS/ASVS item references for the platform maintainer
- Findings prioritized by combined CVSS/EPSS/environmental risk
- Remediation status for each finding (fixed, compensating control, recommended)
- Detection rules deployed in the monitoring stack for each exploitation pattern demonstrated during the assessment