CNIT 129S: Securing Web Applications
Spring 2022 -- Sam Bowne
Course Justification

Industry advisors have repeatedly asked us to teach this class, because every modern business needs a web presence and there are far too few workers qualified to protect them from hackers. There are many jobs available for students who learn how to protect our healthcare, financial, and other confidential data from criminals, spies, and pranksters.

Catalog Description

Techniques used by attackers to breach Web applications, and how to protect them. How to secure authentication, access, databases, and back-end components. How to protect users from each other. How to find common vulnerabilities in compiled code and source code.

Learning Outcomes

Upon successful completion of this course, the student will be able to:

Textbook

"The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition", by Dafydd Stuttard and Marcus Pinto; ISBN-10: 1118026470. Buy from Amazon

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

Discussion Board

Each CCSF student must contribute to the Discussion Board in Canvas. The schedule lists the dates on which Discussion assignments are due. For class-related questions, please send messages inside Canvas or email cnit.129s@gmail.com.
Schedule (subject to revision)

Date | Assignment Due | Topic
---|---|---
Wed 1-19 | | Ch 1: Web Application (In)security; Ch 2: Core Defense Mechanisms
Wed 1-26 | Quiz: Ch 1-2 *; Proj H 110a * | Ch 3: Web Application Technologies; Proj ED 102 Demonstration
Wed 2-2 | Quiz: Ch 3 *; Proj ED 102 *; Discussion 1 * | Ch 3: Web Application Technologies (continued); Project W 600 & ED 103 Demonstration
Wed 2-9 | Quiz: Ch 4 *; Proj ED 103 *; Discussion 2 * | Ch 4: Mapping the Application; Demos: File Path Traversal in the Web Security Academy
Wed 2-16 | Quiz: Ch 5; Proj W 600; Discussion 3 | Ch 5: Bypassing Client-Side Controls; Demos: OS command injection in the Web Security Academy
Wed 2-23 | Quiz: Ch 6; +20 pts of WSA Proj; Discussion 4 | Ch 6: Attacking Authentication; Demos: W 520, Authentication in the Web Security Academy; Recommended WSA Topic: Directory Traversal
Wed 3-2 | No Quiz; +20 pts of WSA Proj; Discussion 5 | Ch 7: Attacking Session Management; Demo: SQL Injection; Recommended WSA Topic: OS command injection
Wed 3-9 | Quiz: Ch 7 & 8; +20 pts of WSA Proj; Discussion 6 | Ch 8: Attacking Access Controls; Ch 9: Attacking Data Stores (Part 1); Demo: SQL Injection; Recommended WSA Topic: Authentication
Wed 3-16 | Quiz: Ch 9; +20 pts of WSA Proj; Discussion 7 | Ch 9: Attacking Data Stores; Demo: Cross-site scripting; Recommended WSA Topic: SQL injection
Wed 3-23 | Quiz: Ch 10; +20 pts of WSA Proj; Discussion 8 | Ch 10: Attacking Back-End Components; Demo: Exploiting XSS to steal cookies; Recommended WSA Topic: SQL injection
Wed 3-30 | Holiday - No Class |
Wed 4-6 | Quiz: Ch 11; +20 pts of WSA Proj; Discussion 9 | Ch 11: Attacking Application Logic; Recommended WSA Topic: Cross-site scripting
Wed 4-13 | Quiz: Ch 12; +20 pts of WSA Proj; Discussion 10 | Ch 12: Attacking Users: Cross-Site Scripting; Recommended WSA Topic: Cross-site scripting
Wed 4-20 | Quiz: Ch 13; +20 pts of WSA Proj | Ch 13: Attacking Users: Other Techniques (Part 1); Recommended WSA Topic: Access control vulnerabilities; Demo: Information disclosure
Wed 4-27 | No Quiz; +20 pts of WSA Proj | Ch 13: Attacking Users: Other Techniques (Part 2); Recommended WSA Topic: Information disclosure; Demo: CSRF
Wed 5-4 | No Quiz; +20 pts of WSA Proj | Hacking APIs; Demos: AP 100-103
Wed 5-11 | No Quiz; All Extra Credit Proj Due | Last Class: More API Hacking
Wed 5-18 - Wed 5-25 | Final Exam available online throughout the week. You can only take it once. |

All quizzes are due 30 min. before class. * No late penalty until 2-16.
Lectures

Grading Policy · First Day Handout

Ch 1: Web Application (In)security

To get PPT files, use Cloud Convert.

Links
Links for Chapter Lectures

Ch 1a: Highly Secure Dogfood
Ch 1b: Online Voting - Follow My Vote - 100% Secure
Ch 1c: Android Apps Vulnerable to Code Modification
Ch 1d: Security Problems at Colleges
Ch 1e: CMS Vulnerabilities are Decreasing
Ch 1f: Attention SinVR users | Continuous Cyber Security | UK | Digital Interruption (Jan 17, 2018)
Ch 3a: RESTful Resource Naming
Ch 4a: Using Burp Spider
Ch 5a: HTTP ETag - Wikipedia
Ch 6a: Microsoft Passport and Windows Hello
Ch 7a: ASP.NET View State Overview
Ch 8a: IBM Knowledge Center - HTTP session manager troubleshooting tips
Ch 9a: escaping - How to escape apostrophe (') in MySql?
Ch 10a: Microsoft retires Filemon and Regmon from Sysinternals
Ch 12w: Memory Forensics: Mandiant Redline
Ch 13a: About IFRAME and clickjacking
Miscellaneous Links

Xtreme Vulnerable Web Application (XVWA) -- GOOD FOR PROJECTS
SQL Injection Videos - YouTube
DVWA - Damn Vulnerable Web Application
XVWA Reddit explaining why it exists
rapid7/hackazon · GitHub
OWASP Broken Web Applications Project
hackazon Installation Guide.pdf
OWASP Vulnerable Web Applications Directory Project
Hackazon -- Public hosted server!
Hackazon: Stop hacking like its 1999 - Dan Kuykendall - OWASP AppSec California 2015 - YouTube
Hackazon Test Site Review - CyberSecology
Wikto
XVWA - Xtreme Vulnerable Web Application -- SERVER TO HACK
Hackazon -- SERVER TO HACK
HTML "text-indent: -9999px" and holding the line
Incident Response for an SEO Spammed Website
Website Security: How Do Websites Get Hacked?
7 Security Measures to Protect Your Servers | DigitalOcean
Stop Forum Spam -- Useful for WordPress Sites
WS-Attacker · SOAP and XML attacks for web app pentesting -- USEFUL FOR PROJECTS
securityheaders.io -- USEFUL INFO
Security Archive - Case Study: phpbb.com Compromised (from 2009)
phpBB.com Hacked in Dec. 2014
dsnextgen.com iframe hack
Sfisaca.org ISACA San Francisco -- Domain is 46 years old?
Google Flagged My Site as Malware
Best Open Source Web Application Vulnerability Scanners - InfoSec Resources
WPScan -- Vuln Scanner for Wordpress Sites
How To: Use Thug Honeyclient to Investigate a Malicious Website
Thug - Python low-interaction honeyclient
Welcome to Thug's documentation!
Removing a PHP Redirector
Security Engineering - VERY USEFUL VULNERABILITY FIXES
LifeSize Room Exploits; "skiplogin" parameter FTW
OWASP VBScan is a Black Box vBulletin Vulnerability Scanner
GitHub's CSP journey
Victor Santoyo: How To Know If You've Been Hacked | WordPress.tv
wordpress-exploit-framework
Vulnerable Web Application - bWAPP
Weaponized WordPress
How Google helps 600,000 webmasters re-secure their hacked sites every year
Online CSRF PoC Generator: A web alternative to the Burp Suite Pro and ZAP CSRF PoC generators
urlquery.net - Free URL scanner
CMSmap automates the process of detecting security flaws of the most popular CMSs
In Q1/2016 the most hacked platforms were #WordPress, #Joomla and #Magento. Get our full report here
SQLmap POST request injection
Joomla : Products and vulnerabilities -- 178 RCE vulns!
Wordpress : Products and vulnerabilities -- 53 RCE Vulns
Top 10 content management systems
CMS Vulnerabilities -- Security is Improving in Recent Years
Joomla 1.5 < 3.4.5 - Object Injection RCE X-Forwarded-For Header (CVE-2015-8562) -- USE FOR PROJECT
UNIX / Linux Tutorial for Beginners
RingZer0 CTF -- GOOD FOR PRACTICE
Javascript without letters or numbers
JavaScript written only with brackets?
Tripwire Open Source vs. OSSEC : Which Is Right For You?
Downloads -- OSSEC
Intricately -- fingerprints sites
A Beginner's Guide to HTTP/2 and its Importance
Practical Website Hacking CTF
Practical Web Hacking CTF by InfoSecInstitute Write-up -- Ibrahim M. El-Sayed (the_storm)
Hack I-Bank Pro -- Burp defeating authentication
Google CTF -- Web Write-Ups (11/15) | Brett Buerhaus
Web Application Pen-testing Tutorials With Mutillidae (Hacking Illustrated Series InfoSec Tutorial Videos)
PHP Security: SUHOSIN
Over 78% of All PHP Installs Are Insecure (from 2014)
How to write insecure code - OWASP
PHP Tips, Resources and Best Practices for 2015
10 Most Common Mistakes That PHP Developers Make
7 More Mistakes Commonly Made by PHP Developers
18 Critical Oversights in Web Development
BApp Store: Burp Plugins
PHP-CGI Exploitation by Example
Remote code execution via PHP [Unserialize]
PHP Object Injection - OWASP
GitHub Pull Request Tutorial
Wiley: Evaluation Copies and Desk Copies
Secret, forbidden, black-hat technique of obtaining the textbook (DO NOT CLICK THIS LINK)
My Python Mirai Honeypot Script
WAHH Methodology desktop background for Web Application hackers
How to Prevent Windows 10 From Automatically Downloading Updates
Rails SQL Injection Examples
Common Rails Security Pitfalls and Their Solutions
UXSS on Microsoft Edge -- Adventures in a Domainless World
Netgear starts patching routers affected by a critical flaw
US-CERT: Stop using your remotely exploitable Netgear routers
Attacking WordPress
SQL Injection in Rails: Live Demonstrations
How To Scan And Check A WordPress Website Security Using WPScan, Nmap, And Nikto | Unixmen
Penetration Testing Your WordPress Site - WordPress Security
Complete Set Of CGI-BIN Exploits and what they do Article | Hellbound Hackers
INFOSEC INSTITUTE CTF - capture the flag hacking exercises
Hacker101 -- Free Web App Security Class -- GOOD FOR PROJECTS
Using the Requests Library in Python
Amazon Cookie Re-Use
Convert cURL command syntax to Python requests
Reverse Engineering APIs: Coffee Meets Bagel -- Nik Patel -- Medium
Attacking SSO: Common SAML Vulnerabilities and Ways to Find Them
Bypassing SAML 2.0 SSO with XML Signature Attacks
JavaSerialKiller: Burp extension to perform Java Deserialization Attacks
Java Deserialization Attacks with Burp
Marshalling Pickles by frohoff
Marshalling Pickles - Chris Frohoff & Gabriel Lawrence - OWASP AppSec California 2015 - YouTube
On Breaking SAML: Be Whoever You Want to Be
Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)
Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792)

New Unsorted Links

The New zANTI: Mobile Penetration & Security Analysis Toolkit -- USE FOR PROJECTS
Burp Hacks for Bounty Hunters - YouTube
Web Application Firewalls Reviews
Ch 3m: Client-side validation
Better API Penetration Testing with Postman
Using OWASP ZAP GUI to scan your Applications for security
OWASP API Security Top 10
Ch 4p: Google Dorks List 2019 - A Complete Cheat Sheet (New)
Google Maps Platform -- Protecting API keys
Find Secret API-Keys
Keyfinder is a tool that let you find keys while surfing the web!
2020-03-09: REST Assured: Penetration Testing REST APIs Using Burp Suite: Part 1
Blind Cross Site Scripting (XSS) Overview - Bug Bounty Hunting
GET YOUR BUG REPORT TRIAGED FASTER! - YouTube
Learning path | Web Security Academy - PortSwigger
GitHub - Audi-1/sqli-labs: SQLI labs to test error based, Blind boolean based, Time based.
Burp Scanner - Web Vulnerability Scanner from PortSwigger
2023-05-16: Lab: Exploiting Java deserialization with Apache Commons | Web Security Academy