Notes Index for Web App Sec
- Course Pedagogy
- FAST FRIDAYS: Learn by doing (no details just plan)
- JavaScript the Language
- HTML/CSS the DOM and how to manipulate the DOM
- Basic Hosting: Fileservers, Glitch.com, GitHub Pages
- FAST FRIDAYS: Learn Dynamic Data by Doing (no details just plan)
- REST APIs, AJAX requests, NodeJS and Express
- KATAS for self-paced practice
- Firebase as a REST API and real-time database
- FAST FRIDAYS: in-class survey (authentication, hosting, database design)
- SECRET NOTES: unplanned lecture on client-side routing (single-page apps)
- Firebase Authentication
- FAST FRIDAY: Student's choice (Beauty, File Storage, Functions/Lambdas, YouTube APIs)
- Role-Based Access Control and Firebase Security Rules
- Sessions, Cookies, LAMP, Session Hijacking
- Intro to SQL (and SQL injection)
- SECRET NOTES: unplanned lecture on websec in context
- Unplanned lectures for Project 1 prep: EXAMPLE AUTH SITE
- Unplanned lectures for Project 1 prep: EXAMPLE Single-Page App
- Project 1 prep: EXAMPLE Logged In Database App
- Passwords, Salting, Stretching, Entropy, Complexity Theory
- Project 1 turn-in process
- Four quick classics: LFI, exposed .git, type juggling, insecure deserialization
- XSS, Cross-Site Scripting, clients running code on other clients
- JWTs JSON Web Tokens
- BEGIN CRYPTO INTERLUDE...
- Fetch CERT, Validate CERT
- Use Public Creds in CERT to start a Key-Exchange
- Use shared key to generate random bytes in two places at once
- Use XOR and random to encrypt and decrypt
- XOR and the One-Time Pad
- Internet Crypto (Key Exchanges, PKI)
- SIDE QUEST: intuitive cyclic groups
- RSA and Digital Signatures
- Man-in-the-middle, certs, and Let's Encrypt
- Burp Suite, PortSwigger Labs, and SSRF
- Prototype Pollution and Exploitable Gadgets
- Server-Side Template Injection (notes emptyish)
- Digital Ocean, Docker, DVWA, OWASP Juice Shop, Reverse Shells
- AWS day: Lambda, S3, playing around
- Walkthroughs of the ProfNinja CTF problems
- XXE and XXE to gain SSRF
- Hybrid apps: web access to device stuff (accelerometer, location, camera), write-once-deploy anywhere, react native
- Web CTF flow chart
- Last Class