This page contains the material of undergraduate course Sicurezza held by Prof. Riccardo Focardi . Course is taught in Italian but this page and all the material is in English.

IMPORTANT NOTE: In this course you will learn attack techniques. Remember that trying attacks on real systems is against law and you might be prosecuted. Always do experiments with test hosts and users.

Exam and optional assignments (challenges)

The exam consists of a written test that aims at verifying the knowledge of the different topics of the course. Assignments are optional and consist of a problem (challenge) to solve, giving an extra score with respect to the the mark of the written test.


Course is strongly based on on-line material since there exists no textbook covering practical security in a satisfactory way. All slides, links and extra material will be made available in this page. For program exploitation it is possible to refer to the (not so recent) book: J. Erickson, Hacking, the art of exploitation, No starch press, 2008.

Useful links

  • Linux testbed (Linux host for lab exercises)
  • Virtual meeting point is Slack! Find more information in the moodle page (work in progress) of the course.

Program and on-line material

Background e TOOLS

Program analysis

Program exploitation

  • [12/10/2023] Buffer overflow (slides, exercise solution)
  • [18/10/2023] Stack overflow (slides)
  • [19/10/2023] Lab on stack protector (lab)
  • [25/10/2023] Format strings (slides)
  • [26/10/2023] Secure coding (slides)
  • [02/11/2023] Challenge 2: Program Exploitation (challenge)

    System and network security

  • [08/11/2023] Identification (slides)
  • [09/11/2023] Unix access control (slides)
  • [15/11/2023] Challenge 3: Identification (challenge)
  • [16/11/2023] Firewalls – netfilter (slides)

    web security (server)

  • [22/11/2023] Web attacks – server sideĀ  (slides)
  • [23/11/2023] Web attacks and defences – server side (slides)
  • [29/11/2023] Lab on server side web attacks (on-line lab) Bring your laptops!
  • [30/11/2023] Side channels (Blind SQLi) (slides)
  • [06/12/2023] Challenge 4: SQL injections (challenge)

    WEB SECURITY (client)

  • [07/12/2023] Client side web security (slides)
  • [13/12/2023] Client side attacks (XSS and CSRF) (slides, examples)