INFO 415
This course covers the ins and outs of web application security from the perspectives of the developer, the administrator, and the attacker. We will cover attacks from the all-too-common cross-site scripting (XSS), through cross-site request forgery (CSRF) and SQL injection, to more advanced topics such as hash length extension attacks, cookie tossing, and vulnerabilities specific to common web frameworks.
The goals of this course center on teaching students to recognize a possible vulnerability, write a proof of concept that demonstrates the issue, and provide remediation advice so that a developer can properly mitigate the threat. The emphasis is on hands-on learning; students will be expected to think creatively as they face common defenses and work with unfamiliar frameworks and languages.
Grade breakdown:
- midterm: 20%
- final: 30%
- hw: 45%
- participation: 5%
Late penalty:
- 10% per day
- capped at a 30% deduction
- who I am and what I do
- teaching methodology
- class overview
- github
- where web application security fits into information security
- online resources for security in general
- bug bounties
- responsible disclosure
- general tips and tricks
- books
- The Web Application Hacker's Handbook
- The Browser Hacker's Handbook
- The Tangled Web
- Hacking: The Art of Exploitation
- A Bug Hunter's Diary
- anatomy of a web application
- frontend
- middle layer
- database
- cookies
- authentication
- lay of the web application land
- web 2.0 hotness
- MVC
- HTML5
- the internet
- DNS
- routing
- SSL/TLS
- HTTP
- CAs
- browsers
- linux
- command line stuff
- git
- how to use it
- threat modeling
- typical pentest
- information security in general
- puzzle
- read WAHH XSS chapter
- cross-site scripting (XSS)
- how it works
- why it's so common
- why it's bad
- how to find it
- how to mitigate
- special tactics
- reflected XSS
- stored XSS
- DOM XSS
- XSS demos and challenges
- filter bypass techniques
- no spaces (encoding and slashes)
- no script tag
- xss via images
- other weirdness
- do stuff
- XSS exfiltration
- filter bypassing
- beef hooks
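Added example for the XSS material above (not part of the course's own demos): the same attacker-controlled parameter rendered with no encoding, then with output encoding chosen per context (HTML body, quoted attribute, JavaScript string). The payload and the template are constructed for illustration.

```python
import html
import json

# Constructed attacker-controlled input (assumed for illustration): breaks out of an
# attribute, injects a script tag, then re-opens an attribute to keep the markup tidy.
PAYLOAD = '"><script>alert(1)</script><a b="'


def render_vulnerable(name):
    """Reflected XSS, the 'before': the parameter is concatenated straight into HTML."""
    return f'<p>Hello, {name}</p><input value="{name}">'


def encode_for_js_string(value):
    """JSON-encode, then escape the characters the HTML parser cares about, so the value
    can never end a <script> block or start a tag even though it sits inside JavaScript."""
    return (json.dumps(value)
            .replace("&", "\\u0026")
            .replace("<", "\\u003c")
            .replace(">", "\\u003e"))


def render_fixed(name):
    """Output encoding chosen per context: HTML body, quoted attribute, JS string literal."""
    body = html.escape(name)                 # & < > " ' become entities
    attr = html.escape(name, quote=True)     # same, inside a double-quoted attribute
    js = encode_for_js_string(name)
    return (f'<p>Hello, {body}</p>'
            f'<input value="{attr}">'
            f'<script>var user = {js};</script>')


def contains_injected_script(rendered):
    """Crude oracle: did the attacker's tag survive as real markup?"""
    return "<script>alert" in rendered
```

The JS-context encoder is the part people get wrong: json.dumps alone leaves `</script>` intact, and the HTML parser closes the script block before the JavaScript parser ever sees the string.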
- XSS challenges
- 10-15 challenges of increasing difficulty
- XSS exfiltration payload
- pentest report
- read CSRF and Clickjacking WAHH chapters
- due next thursday
- CSRF
- how it works
- why it's bad
- how to find it
- how to mitigate
- special tactics
- CSRF with flash
- CSRF examples
- demo simple CSRF
- demo CSRF in the wild
- create your own!
- CSRF Lab
- finish creating your own
- find one in the wild
- CSRF your friends
- go over homework
- Clickjacking
- how it works
- why it's bad
- how to mitigate
- special tactics
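Added example covering the CSRF and clickjacking mitigations above (not code from the course): a state-changing handler protected by the session cookie alone, the same handler with a synchronizer token bound to the session, and the response headers that block framing. The request dicts and the server key are constructed stand-ins for a real framework's request object and config.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret; in a real app this lives in config, not in source.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id):
    """Synchronizer token bound to the session: random nonce plus HMAC(key, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def transfer_vulnerable(request):
    """The 'before': a POST authorised by the session cookie alone, so a form on any
    other site the victim visits can submit it with the browser attaching the cookie."""
    return "ok" if request["cookies"].get("session") else "denied"


def transfer_fixed(request):
    """Requires a token the attacker's page cannot read, and one bound to this session."""
    session = request["cookies"].get("session")
    token = request["form"].get("csrf_token", "")
    if not session or not verify_csrf_token(session, token):
        return "denied"
    return "ok"


def anti_framing_headers():
    """Response headers that stop the page being embedded in an attacker's iframe."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }
```

Binding the token to the session matters: a token the attacker obtained with their own session must not validate for the victim's.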
- CSRF proof of concept
- clickjacking proof of concept
- pentest report
- bonus: csrf and clickjacking in the wild
- read SQLi WAHH chapter
- due next thursday
- SQL injection
- how it works
- why it's bad
- how to find it
- how to mitigate
- special tactics
- blind SQL injection
- xp_cmdshell
- SQLi demos
- regular
- blind
- xp_cmdshell
- SQLi practice
- discovery
- filter bypass
- exfiltration
- blind exfiltration
- own the server
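Added example for the SQL injection discovery and blind exfiltration items above (not the course's own lab code): a lookup that concatenates input into SQL beside its parameterised fix, and a boolean-blind extractor that pulls a password hash out one character at a time through a yes/no oracle. The in-memory SQLite database and its rows are constructed sample data.

```python
import sqlite3


def build_db():
    """Constructed sample database: a users table with made-up password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "5f4dcc3b"), (2, "alice", "a1b2c3d4")])
    return db


def user_exists_vulnerable(db, username):
    """The 'before': input concatenated into the query. It returns only True/False,
    which is all a boolean-blind attack needs."""
    row = db.execute(f"SELECT id FROM users WHERE name = '{username}'").fetchone()
    return row is not None


def user_exists_fixed(db, username):
    """Parameterised query: the value travels separately from the SQL and cannot become SQL."""
    row = db.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row is not None


HEX = "0123456789abcdef"


def blind_extract(oracle, column, target_user, max_len=64):
    """Boolean-blind exfiltration: one true/false question per character position.
    Stops when no alphabet character matches (substr() past the end returns '')."""
    result = ""
    for pos in range(1, max_len + 1):
        for ch in HEX:
            payload = (f"x' OR (SELECT substr({column}, {pos}, 1) FROM users "
                       f"WHERE name = '{target_user}') = '{ch}' -- ")
            if oracle(payload):
                result += ch
                break
        else:
            break
    return result
```

Against the parameterised version the same extractor gets nothing, because the payload is compared as a literal username rather than executed.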
- go over homework
- SQL injection w/ DBMS abstraction layers (ORMs)
- hibernate
- demo
- practice
- 5 SQL injections
- regular 1
- regular 2
- filtered
- blind
- hibernate
- exfiltrate passwords
- pentest report
- read crypto chapters?
- due next thursday
- cryptography
- public/private key
- forward secrecy
- hashes
- stream vs block cipher
- algorithm modes: ECB, CBC, others
- authentication
- walk through typical auth scheme
- password hashing
- set cookie
- where attacks come in
- session fixation, session invalidation, CSRF
- sql injection, password cracking
- do stuff
- ssl scan
- hash cracking
- do stuff
- bit-flipping an encrypted auth cookie (CBC bit-flipping; in ECB flipping a bit only garbles that block, but blocks can be cut and pasted)
- ecb mode challenge?
- ssl scan continued
- hash cracking continued
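Added example tying together the password hashing and hash cracking items above (not the course's lab material): a dictionary attack on an unsalted MD5 hash, and the salted, iterated PBKDF2 storage format that defeats the same attack. The wordlist and the "leaked" hash are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist and a "leaked" unsalted MD5 hash (of the word "sunshine").
WORDLIST = ["password", "123456", "letmein", "sunshine", "qwerty"]
LEAKED_MD5 = hashlib.md5(b"sunshine").hexdigest()


def crack_unsalted_md5(target_hex, wordlist):
    """Dictionary attack: one fast hash per candidate, and the same table cracks every
    user who picked that password because nothing per-user goes into the hash."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target_hex:
            return word
    return None


def hash_password(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; stored as pbkdf2_sha256$iter$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Two users with the same password get different stored values, so a cracked hash tells the attacker about one account only, and each guess costs the full iteration count.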
- go over homework
- info leakage
- HTTP methods
- cookie entropy
- cookie settings
- combine XSS, HttpOnly cookies, and HTTP TRACE (cross-site tracing)
- do stuff
- vulnerable site demoing insecure settings + XSS
- burp repeater for entropy check
- midterm
- due next tuesday
- go over midterm
- authentication issues
- timing attacks
- two-factor auth
- single sign-on
- cookie tossing
- do stuff
- timing attack
- practice
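Added example for the timing attack topic above (not the course's own exercise): a deterministic model of the leak in which an early-exit comparison costs one step per byte it touches, the attacker's byte-at-a-time recovery loop, and a constant-time comparison against which the same loop fails. The token and the step-counting oracle are constructed; a real attack measures wall-clock time and needs many samples per guess to average out noise.

```python
class StepCounter:
    """Models what a timing attacker measures: one step per byte the compare touches."""
    def __init__(self):
        self.steps = 0


def insecure_equal(a, b, counter):
    """Early-exit comparison, the 'before': runtime grows with the matching prefix."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        counter.steps += 1
        if x != y:
            return False
    return True


def constant_time_equal(a, b, counter):
    """Touches every byte regardless of the first mismatch (hmac.compare_digest does this)."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        counter.steps += 1
        diff |= x ^ y
    return diff == 0


SECRET = b"d3adb33f"   # constructed token the server compares submitted values against


def timing_oracle(candidate):
    counter = StepCounter()
    ok = insecure_equal(candidate, SECRET, counter)
    return counter.steps, ok


def constant_time_oracle(candidate):
    counter = StepCounter()
    ok = constant_time_equal(candidate, SECRET, counter)
    return counter.steps, ok


def recover_secret(oracle, length, alphabet=b"0123456789abcdef"):
    """Attacker: fix one position at a time, keeping the byte that makes the compare run
    longest (or succeed outright at the final position)."""
    guess = bytearray(length)
    for pos in range(length):
        best, best_score = None, (-1, False)
        for c in alphabet:
            guess[pos] = c
            score = oracle(bytes(guess))
            if score > best_score:
                best, best_score = c, score
        guess[pos] = best
    return bytes(guess)
```

With the constant-time compare every candidate scores the same at every position, so the loop learns nothing and returns the first alphabet character repeated.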
- hash length extension attacks
- detailed explanation
- live demo walkthrough
- do stuff
- hash length extension attacks
- hash length extension attack
- basic timing attack
- info leakage in the wild
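Added example for the hash length extension lecture and homework above (not the course's own walkthrough): a minimal SHA-1 whose compression function can be resumed from a known digest, the vulnerable MAC = SHA1(secret || message) construction, the forgery that appends data without knowing the secret, and HMAC as the fix. The secret, message and extension are constructed values.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(n, b):
    return ((n << b) | (n >> (32 - b))) & MASK


def sha1_padding(message_len):
    """Merkle-Damgard padding for a message_len-byte message: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - message_len) % 64) + struct.pack(">Q", message_len * 8)


def sha1(message, state=None, prefix_len=0):
    """Minimal SHA-1. `state` resumes from a known digest and `prefix_len` is how many bytes
    that digest already absorbed (a multiple of 64): exactly the hook the attacker needs."""
    h = list(state) if state else [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    data = message + sha1_padding(prefix_len + len(message))
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for i in range(16, 80):
            w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def sha1_matches_stdlib(message):
    return sha1(message) == hashlib.sha1(message).digest()


def server_mac(secret, message):
    """Vulnerable construction: MAC = SHA1(secret || message)."""
    return sha1(secret + message)


def hmac_mac(secret, message):
    """The fix: HMAC finalises with a second keyed hash, so the inner state is never exposed."""
    return hmac.new(secret, message, hashlib.sha1).digest()


def length_extend(known_mac, known_message, secret_len, extension):
    """Forge (message', MAC') with MAC' = SHA1(secret || message || glue || extension),
    knowing only the MAC, the message and the secret's length (guessable by trying lengths)."""
    glue = sha1_padding(secret_len + len(known_message))
    forged_message = known_message + glue + extension
    resumed_state = struct.unpack(">5I", known_mac)
    absorbed = secret_len + len(known_message) + len(glue)   # a multiple of 64
    forged_mac = sha1(extension, state=resumed_state, prefix_len=absorbed)
    return forged_message, forged_mac


def forge_and_verify(secret, message, extension, mac_fn=server_mac):
    """Attacker sees only mac_fn's output and the message; returns whether the server accepts."""
    forged_message, forged_mac = length_extend(mac_fn(secret, message), message,
                                               len(secret), extension)
    return mac_fn(secret, forged_message) == forged_mac
```

The forged message carries the glue padding bytes in the middle, which is why the attack works so well against parsers that take the last occurrence of a key (`&role=admin` overriding an earlier `role=user`).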
- << reading >>
- due next thursday
- MVC frameworks
- demo a small MVC app
- mass assignment attack
- XSS worms
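Added example for the mass assignment item above (not the course's demo app): a profile update that writes every submitted parameter onto the model, beside the allowlisted version. The User model and the form body are constructed.

```python
from dataclasses import dataclass
from urllib.parse import parse_qsl


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    return dict(parse_qsl(body))


def update_vulnerable(user, params):
    """The 'before': every parameter naming a model attribute is written through, so a
    client that adds is_admin=1 to the profile form promotes itself."""
    for key, value in params.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


EDITABLE = {"username", "email"}   # explicit allowlist of what the profile form may change


def update_fixed(user, params):
    """Only allowlisted fields are touched; unknown or privileged keys are ignored."""
    for key, value in params.items():
        if key in EDITABLE:
            setattr(user, key, value)
    return user
```

The fix is an allowlist on the server, not hiding the field from the form: the attacker never uses the form.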
- go over homework
- deserialization attacks
- two mass assignment attacks
- two deserialization attacks
- build your own web worm
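Added example for the deserialization attacks above (not the course's own lab): a pickle payload whose `__reduce__` makes `pickle.loads` call a function of the attacker's choosing, and an Unpickler subclass that refuses any global not on an allowlist. The gadget here only records that it ran; in a real chain it would be `os.system` or similar.

```python
import io
import pickle

EXECUTED = []   # records side effects so the caller can see that the gadget ran


def gadget(marker):
    """Stands in for os.system/subprocess in a real exploit; here it only records that it ran."""
    EXECUTED.append(marker)
    return marker


class Exploit:
    """Any object whose __reduce__ returns (callable, args) makes loads() call it."""
    def __reduce__(self):
        return (gadget, ("pwned",))


def build_payload():
    """Attacker side: serialise the gadget object; these bytes are what gets sent to the app."""
    return pickle.dumps(Exploit())


def load_vulnerable(blob):
    """The 'before': untrusted bytes straight into pickle.loads; the gadget fires here."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist the globals a pickle may reference; anything else (our gadget included) is refused."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset"), ("builtins", "range")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def restricted_blocks(blob):
    """True if the restricted loader refuses the payload without the gadget having run."""
    before = len(EXECUTED)
    try:
        load_restricted(blob)
    except pickle.UnpicklingError:
        return len(EXECUTED) == before
    return False
```

The practical answer is usually not a restricted unpickler but a data-only format (JSON) for anything that crosses a trust boundary; the allowlist is shown because the same find_class hook is how Python's own documentation suggests hardening pickle when it cannot be avoided.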
- << reading >>
- due next thursday
- race conditions
- tricking password managers
- remote file inclusion (RFI)
- local file inclusion (LFI)
- do stuff
- trick a password manager
- LFI/RFI walkthrough
- exploit LFI/RFI
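Added example for the LFI walkthrough above (not the course's own lab): a page loader that joins a user-supplied name onto a templates directory, beside a version that canonicalises the path and refuses anything outside the directory. The directory layout is constructed in a temp dir; RFI is the same bug with a URL instead of a path and is not modelled here.

```python
import os
import tempfile


def read_page_vulnerable(base_dir, page):
    """The 'before': user-supplied name joined onto the templates directory, no checks.
    '../' climbs out, and an absolute path makes os.path.join discard base_dir entirely."""
    with open(os.path.join(base_dir, page)) as f:
        return f.read()


def read_page_fixed(base_dir, page):
    """Canonicalise both paths (resolves '..' and symlinks) and require the target to sit
    under the base directory before opening it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to read outside {base}: {page}")
    with open(target) as f:
        return f.read()


def demo_environment():
    """Constructed layout: <tmp>/app/pages/home.html plus <tmp>/secret.txt outside the pages dir."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "app", "pages")
    os.makedirs(pages)
    with open(os.path.join(pages, "home.html"), "w") as f:
        f.write("<h1>home</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return pages


def traversal_succeeds(reader, pages_dir):
    """True if the reader hands back the file two directories above the pages dir."""
    try:
        return "hunter2" in reader(pages_dir, "../../secret.txt")
    except PermissionError:
        return False
```

Checking the canonical path rather than filtering `..` out of the string is what defeats encoded and doubled traversal sequences and symlinks.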
- go over homework
- application server attacks
- clusterd
- webdav
- tomcat
- demo
- do stuff
- try attacks
- none, enjoy memorial day!
- see some of you at Sasquatch
- flex time
- flex time
- flex time
- << reading >>
- review
- review
- review
- take your final!
- Bitcoin
- Near Field Communication
- Buffer Overflows
- Metasploit/Armitage
- Hacking Wireless Devices
- ARP Spoofing & DNS Poisoning
- Operating Systems and Rootkits