Web attacks and defences (server side)

This page contains the material of the (new) undergraduate course Sicurezza held by Prof. Riccardo Focardi. The course is taught in Italian, but this page and all the material are in English.
IMPORTANT NOTE: In this course you will learn attack techniques. Remember that trying attacks on real systems is against the law and you might be prosecuted. Always do experiments with test hosts and users.
Exam and optional assignments (challenges)
The exam consists of a written test that aims at verifying the knowledge of the different topics of the course. Assignments are optional and consist of a problem (challenge) to solve, giving an extra score on top of the mark of the written test.
The course is strongly based on on-line material, since there exists no textbook covering practical security in a satisfactory way. All slides, links and extra material will be made available on this page. For program exploitation it is possible to refer to the (not so recent) book: J. Erickson, Hacking: The Art of Exploitation, No Starch Press, 2008.
- Linux testbed (Linux host for lab exercises)
- Virtual meeting point is Slack! Find more information on the Moodle page of the course.
Program and on-line material
Background and tools
- [21/09/2022] Introduction and Unix shell (slides, Bandit wargame)
- [29/09/2022] Stream editor and regular expressions (slides, sed manual, solutions)
- [05/10/2022] Introduction to Python (slides, official tutorial, solutions)
- [06/10/2022] Lab: interacting with programs (lab)
- [12/10/2022] Assembly x86-64 (slides)
- [13/10/2022] Program analysis (slides, gdb docker profile)
- [19/10/2022] Challenge 1: Program Analysis (challenge)
- [20/10/2022] Buffer overflow (slides, exercise solution)
- [26/10/2022] Stack overflow (slides)
- [27/10/2022] Lab on stack protector (lab)
- [02/11/2022] Format strings (slides)
- [03/11/2022] Secure coding (slides)
- [09/11/2022] Challenge 2: Program Exploitation (challenge) Bring your laptops!
System and network security
- [10/11/2022] Identification (slides)
- [16/11/2022] Unix access control (slides)
- [17/11/2022] Challenge 3: Identification (challenge)
- [23/11/2022] Firewalls – netfilter (slides)
Web security (server)
- [24/11/2022] Web attacks – server side (slides)
- [30/11/2022] Web attacks and defences – server side (slides)
- [01/12/2022] Lab on server side web attacks (on-line lab)
- [07/12/2022] Side channels (Blind SQLi) (slides)
- [07/12/2022 (on-line)] Challenge 4: SQL injections (challenge)
Web security (client)
- [14/12/2022] Client side web security (slides)
- [15/12/2022] Client side attacks (XSS and CSRF) (slides, examples)