Seminar
Seminar: a 10 minute talk about some security issue (vulnerability): why it exists, how it works, and how it was fixed (if the fix was somehow innovative). Try to generalize some learning points from it.
Homework assignment 1 "Naive authentication"
Deadline: April 19th 2023.
You are applying for a promotion to senior cybersecurity engineer at an international spy agency. In order to prove your skills you are required to assess their new agent database, procured from "Not your enemy Ltd". However, you suspect that the site does not meet the security requirements expected by the agency.
To prove your competence you must:
- Find out the credentials for the admin panel (user, password)
- List the names of all the agents
- Find out the password of the day
- Write a report on security problems and recommendations on how to fix them (template provided).
Report should contain the following:
- Overview of the security vulnerabilities that you have discovered
- Your assessment of the criticality of discovered vulnerabilities and explanation why this is an issue
- Step-by-step guide how to reproduce discovered issues (preferably with screenshots)
- Your recommendations how these issues could be resolved
Report template: report-template.pdf
Link to access the homework exercise: https://secprog.vitaos.ee/assignment1/
Solve the task and send your report to andres.jogi(at)cyber(dot)ee and aivo.toots(at)cyber(dot)ee.
NB: Active scanning, Denial of service and Brute force attacks against the server are prohibited.
Homework assignment 2 "Gradebook"
Deadline: May 26th 2023
Relevant XKCD: https://xkcd.com/2385/
This time we have decided that all of you will automatically receive 0 points for your homework. However, your grades are stored in the web application running inside the provided VirtualBox OVA image.
In order to receive points for this homework you must:
- Download the provided files (source code, OVA image)
- Run the image inside VirtualBox. To run the VM on Apple computers with an M1/M2 CPU, please use the updated VirtualBox version from https://www.virtualbox.org/wiki/Downloads
- You can access the web service by visiting http://localhost:8080 (from your host computer, not the VirtualBox guest) while the VM is running
- You can read the application's source code that is included in the zip
- You are not provided shell access to the virtual machine
- Create a user inside the application to view your grades
- View your grade
- If you do not like your grade, find a way to abuse vulnerabilities inside the software to change it
- Document the vulnerabilities that you exploited and how these problems could be fixed
Report should contain the following:
- Overview of the security vulnerabilities that you have discovered
- Your assessment of the criticality of discovered vulnerabilities and explanation why this is an issue
- Step-by-step guide how to reproduce discovered issues (preferably with screenshots)
- Your recommendations how these issues could be resolved
Link to access the files necessary to complete the homework exercise: https://owncloud.ut.ee/owncloud/s/wSGLJi4AYoDF6KY
Solve the task and send your report to aivo.toots(at)cyber(dot)ee.
Final homework assignment "Supply chain attack"
Deadline: May 26th 2023
It seems that many of you had issues with getting 0 points for your homework, even going as far as hacking our site (very good!). So yet again we have decided to give everyone 0 points in advance. We have fixed most of the bugs that you reported and added some additional "features" to the site. We have even implemented an administrator bot that visits the site every 5 minutes and shows you a screenshot of your lack of points on the index page.
Your task is similar to the previous assignment.
In order to receive points for this homework you must:
- Download the provided files (source code, OVA image)
- Run the image inside VirtualBox. To run the VM on Apple computers with an M1/M2 CPU, please use the updated VirtualBox version from https://www.virtualbox.org/wiki/Downloads
- You can access the web service by visiting http://localhost:8080 (from your host computer, not the VirtualBox guest) while the VM is running
- You can read the application's source code that is included in the zip
- You are not provided shell access to the virtual machine (you should consider this VM a black box that is not under your control, e.g. no access to its disk)
- Create a user inside the application to view your grades
- View your grade
- If you do not like your grade, find a way to abuse vulnerabilities inside the software to change it
- Document the vulnerabilities that you exploited and how these problems could be fixed
Report should contain the following:
- Overview of the security vulnerabilities that you have discovered
- Your assessment of the criticality of discovered vulnerabilities and explanation why this is an issue
- Step-by-step guide how to reproduce discovered issues (preferably with screenshots)
- Your recommendations how these issues could be resolved
Link to access the files necessary to complete the homework exercise: https://owncloud.ut.ee/owncloud/s/SRE2YHg5awp2cqd
Solve the task and send your report to aivo.toots(at)cyber(dot)ee.