CPEG 470/670 Section 10

CISC 472 Section 10

Web Applications Security

Fall 2024


Meeting Time and Place

Section 10

Lecture: MWF 9:10 - 10:05 in Willard Hall 006


Instructors

Andrew Novocin

Email: andynovo@udel.edu

Office Hours: F 10:05am - 11:15am and W 3-4 in Evans 132 (collaboration hub)

Fridays 3-5 we'll do CTF competitions in the iSuites (Evans Cyber Range)

CTF team will compete most weekends

Course DISCORD: https://discord.gg/gt96HGcFE6

Connect via our CTF DISCORD: https://discord.gg/fSdDd8N (you'll be in jail until I give you member status)


Important Links:

The course notes index page!

I try to add a new thematic flag for each set of notes.

Web KATAs for self-paced learning

Mastery Tasks and suggested schedule for Project 1: Make 3 To-Do Apps each in a different stack with basic CRUD functionality (Due: October 23rd)

Mastery Tasks and suggested schedule for Project 1.5: Security Report hacking another student's apps (Due: Nov 6th)

Mastery Tasks and suggested schedule for Project 2 (Due: In place of our final)

OWASP website

Project Submission Format/Instructions

Course recordings from THIS SEMESTER

Course recordings from Fall 2023

Course recordings from Fall 2022


Materials


Meta-Cognition

This is a field that is always moving and widespread. When you work with a client or at a new position, their stack will always be a little different. Don't mistake knowing the specific tools or language for the required skills. Your job is Just-In-Time learning of whatever you need. The job is to be the sort of person who says, "Yeah, I'll solve it," regardless of the stack.

The course is a shotgun approach: you won't master everything, but you should concentrate on learning how to learn in this domain.

Super powers from this course:

Mastery Tasks:

  • DEV STUFF:
    • Sufficient Javascript, HTML, CSS to make an interactive website
      • jQuery
      • MVC
      • Single Page Apps
      • Angular/React/Vue
    • Learn how to host a website:
      • static files via apache/nginx
      • deploying static files to a CDN
      • static files or templates via NodeJS, PHP, Flask
      • Basics of pointing DNS records:
        • A
        • CNAME
        • MX
        • TXT
      • Using HTTPS via TLS/SSL certs
        • Let's Encrypt
        • Cloud provisioning
    • Wiring up a database:
      • Relational - Pick one of: SQLite, MySQL/Maria, Redis, Postgres
      • NoSQL - Pick one of: Mongo, Cassandra, CouchDB
      • Cloud Stores - Pick one of: Firebase, DynamoDB, Cosmos DB
    • Serving the data via REST API via connecting with:
      • Node with Express
      • PHP
      • Flask
      • Django
      • Firebase
    • Connecting front-end to your backend via AJAX, Websockets, or Forms
    • Perform Authentication using old-school and new-school tech:
      • passwords
      • cookies
      • sessions
      • localStorage
      • tokens
      • OAuth
      • JWT
    • Perform Authorization using RBAC to:
      • grant/revoke a role to a user
      • give verb to noun permissions to a role
    • Mess with caching and cache invalidation
    • Serverless functions
      • Firebase
      • Lambdas (and their kin)
    • Hybrid Apps
      • Ionic
      • React Native
      • Cordova
    • Cloud Provisioning
      • Docker
      • Rancher
      • The Big Cloud Companies
  • VULNERABILITIES:
    • XSS
    • Injection (SQLi, server-side templates, NoSQL injection)
    • Sensitive Data Exposure
    • XXE
    • Broken Access Control
    • Misconfiguration (default configs too)
    • Deserialization exploits
    • JWT tinkering
    • File Upload Exploits
    • Cache Poisoning
    • Directory Traversal
    • CSRF
  • SECURITY CONTEXT:
    • NIST framework
    • Attack/Defense models
    • OSINT
    • Security Lifecycle
    • Network Traffic
    • ELK/Splunk monitoring
    • CVEs
    • Threat Hunting

Grading/Assessment

Old Notes:

Just put "/fall2023" or "/fall2022" at the end of the URL.