_____ ____________ __ __ _________
/ _/ | / / ____/ __ \ / // /< / ____/
/ // |/ / /_ / / / / / // /_/ /___ \
_/ // /| / __/ / /_/ / /__ __/ /___/ /
/___/_/ |_/_/ \____/ /_/ /_/_____/
This course will cover the ins and outs of web application security from the perspectives of the developer, administrator, and attacker. We will cover attacks from the all-too-common Cross-Site Scripting attack through Cross-Site Request Forgery and SQL Injection, all the way to more advanced topics such as hash length extension attacks, cookie tossing, and specialized vulnerabilities against common web frameworks.
The goals of this course center around familiarizing students with how to recognize a possible vulnerability, write a proof-of-concept in order to demonstrate the issue, and provide helpful remediation so that a developer can properly mitigate the threat. The emphasis will be on hands-on learning, and students will be expected to think creatively as they face common defenses and work with unfamiliar frameworks and languages.
Grade breakdown:
- midterm: 20%
- final: 30%
- hw: 45%
- participation: 5%
Late penalty:
- 10% daily
- stops at 30% deduction
- Resources: BNFDVJRFR7T2WLTKCKGOUYDALP4KP733O
- who I am and what I do
- teaching methodology
- class overview
- github
- where web application security fits into information security
- online resources for security in general
- bug bounties
- responsible disclosure
- general tips and tricks
- books
- Web Application Hacker's Handbook
- The Browser Hacker's Handbook
- Tangled Web
- Hacking: The Art of Exploitation
- Bug Hunter's Diary
- anatomy of a web application
- frontend
- middle layer
- database
- cookies
- authentication
- lay of the web application land
- web 2.0 hotness
- MVC
- HTML5
- the internet
- DNS
- routing
- SSL/TLS
- HTTP
- CAs
- browsers
- session sidejacking demo
- vulnerable 3rd-party code
- xss password exfil
- business logic attacks
- scenarios
- create myspace accounts
- threat modeling
- typical pentest
- puzzle
- primary
- read WAHH XSS chapter (12)
- read WAHH chapter 3
- secondary
- read WAHH chapter 2 & 1
- puzzle
- cross-site scripting (XSS)
- description
- how it works
- why it's so common
- why it's bad
- how to find it
- how to mitigate
- reflective XSS
- stored XSS
- DOM XSS
- XSS demos
- OpenSSL Heartbleed attack walkthrough
- filter bypass techniques
- no spaces (encoding and slashes)
- no script tag
- XSS via images
- encoding galore
- other weirdness
- weaponized XSS
- exfil
- fake login page
- BeEF
- XSS-Harvest
- do stuff
- XSS exfiltration
- filter bypassing
- primary
- XSS challenges
- 10-15 challenges of increasing difficulty
- must complete 10 for 100% (extra are extra points)
- special payloads
- XSS exfiltration payload
- spoofed login page
- pentest report
- one overall description (3-5 sentences)
- repro steps for 3 highest
- mitigation recommendations
- ASP.NET
- PHP
- Ruby on Rails
- due next thursday
- XSS challenges
- secondary
- reading on CSRF and Clickjacking
- WAHH Chapter 13 section on "Inducing User Action" (501-515)
- reading on CSRF and Clickjacking
- CSRF
- how it works
- why it's bad
- how to find it
- how to mitigate
- special tactics
- CSRF with flash
- CSRF examples
- demo simple CSRF
- demo CSRF in the wild
- create your own!
- how Tor works
- go over homework
- CSRF examples
- Clickjacking
- how it works
- why it's bad
- how to mitigate
- special tactics
- CSRF proof of concept
- clickjacking proof of concept
- pentest report
- bonus: csrf and clickjacking in the wild
- read SQLi WAHH chapter
- due next thursday
- SQL injection
- how it works
- why it's bad
- how to find it
- how to mitigate
- how to pull data
- special tactics
- SQLi demos
- regular expressions!
- go over homework
- advanced exfiltration
- xp_cmdshell
- SQL injection w/ DBMS
- hibernate
- demo
- practice
- SQL injection challenges
- pentest report
- due next thursday
- cryptography
- public/private key
- forward secrecy
- hashes
- stream vs block cipher
- algorithm modes: ECB, CBC, others
- authentication
- walk through typical auth scheme
- password hashing
- set cookie
- where attacks come in
- session fixation, session invalidation, CSRF
- sql injection, password cracking
- do stuff
- ssl scan
- hash cracking
- do stuff
- bitflipping ECB auth cookie
- ecb mode challenge?
- ssl scan continued
- hash cracking continued
- go over homework
- Clickjacking
- http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
- how it works
- why it's bad
- how to mitigate
- special tactics
- info leakage
- HTTP methods
- cookie entropy
- cookie settings
- combine XSS, HttpOnly cookies, and HTTP Trace
- do stuff
- vulnerable site demoing insecure settings + XSS
- burp repeater for entropy check
- midterm
- due next tuesday
- go over midterm
- authentication issues
- timing attacks
- 2 factor auth
- single sign-on
- cookie tossing
- do stuff
- timing attack
- practice
- hash length extension attacks
- detailed explanation
- live demo walkthrough
- do stuff
- hash length extension attacks
- hash length extension attack
- basic timing attack
- info leakage in the wild
- << reading >>
- due next thursday
- MVC frameworks
- demo a small MVC app
- mass assignment attack
- weaponized XSS
- go over homework
- deserialization attacks
- two mass assignment attacks
- two deserialization attacks
- build your own web worm
- << reading >>
- due next thursday
- race conditions
- tricking password managers
- remote file inclusion (RFI)
- local file inclusion (LFI)
- do stuff
- trick a password manager
- LFI/RFI walkthrough
- exploit LFI/RFI
- go over homework
- application server attacks
- clusterd
- webdav
- tomcat
- demo
- do stuff
- try attacks
- none, enjoy Memorial Day!
- see some of you at Sasquatch
- review
- review
- review
- take your final!
- Bitcoin
- Near Field Communication
- Buffer Overflows
- Metasploit/Armitage
- Hacking Wireless Devices
- ARP Spoofing & DNS Poisoning
- Operating Systems and Rootkits