Master the human side of careers to marry your new tech skills
Alright I also like to take a look back at all that you learned or were exposed to during this semester:
HTML
Basic CSS
Vanilla Javascript
DOM manipulation
NodeJS
Express
Firebase
CDN hosting
Github pages
Heroku
PHP
REST APIs
.htaccess
SQL
Apache File serving
React and Angular
MVC in JS with and without frameworks
Bootstrap
Material-UI
socketio
hybrid apps (react native, electron, and such)
OAuth
Role-Based Access Control
AWS: lambda, API gateway, chat bots, S3, EC2, etc
Hashing, Salting, Stretching, bcrypt/scrypt
AES
XOR
One-Time pad
Cryptographically Secure Pseudo-Random Number Generators
Diffie-Hellman Key Exchange
Public-Key Infrastructure
TLS/SSL certs
Let's Encrypt
Web Assembly
JWTs
Single Page Apps
Sessions, Cookies, LocalStorage
Steganography
Pohlig-Hellman Attack
Session Hijacking
SQL Injection
Server-Side Template Injection
XSS
Blind XSS
NSF Cyber Framework
MITRE Attack Framework
Cyber Killchain
Threat Modeling
OWASP top 10
Exfiltration Techniques
Docker
Digital Ocean
DVWA/Gruyere/Juice Shop
CSRF
Local File Inclusion
PCAP forensics
File Upload Exploits
Exposed .git directory
Insecure default settings of X
Privelege Escalation
Deserialization/Pickling exploits
eXternal XML Entities
Prototype Pollution
Escaping Blacklist Filters
The process of mastery
Comfort with Discomfort?
The CTF landscape and culture
Well that's a lot. Obviously you haven't mastered all of that, and honestly the list
is probably incomplete in terms of the many skills you had to figure out in your various projects along the way.
But for 30ish hours of lecture time that's a pretty decent ROI IMHO.
A last concept set
Request Smuggling
I've been wanting to teach you cache poisoning and HTTP desync (request smuggling).
I wasn't quite good enough to write my own problem for those so I (and JD) have given you a send off:
DEFCON is the holy grail of CTF competency so I think it would be a real win if you're able to crack it.
Now here is what the two concepts have in common:
The idea is to take advantage of a particular weakness in a particular library to essentially put a break between two requests that gets honored by one program but not the other.
huh? You send a request to a proxy (a load-balancer) and it reads one of your headers to know where the end of your data lives. The rest of the data is sent along to another gateway (gunicorn then flask)
which processes the data in a different way. This actually let's you set headers for the request that comes after you...
Here just look at this:
CRLF injection
There's actually another variation on this theme called: CRLF injection (Carriage Return Line Feed) where if you can control (with a parameter)
some contents in a server rendered page then you can induce a fake end to the HTTP data and put in your own fake start to a new HTTP request but this time it will seem like it's from the localhost.
Cache Deception
The third variation on that idea is cache poisoning which is best
Here the idea is that whenever a server caches a website it does a pretty weak job of catching
all possible changes to that site. So it uses the /path/you/request and maybe the params to cache your files.
So if you can find any header/param that will be included in the resulting page you can poison the cache for other people with
something you've injected. Here's a diagram and some screenshots to quickly get the idea across:
