Web and Cloud Security

Instructor: Wu-chang Feng
Class: Zoom
Attendance:Form link
Office hours: time and place
Contact and discussion: TA: Wenjing Wu
Resources
Course Description
This course covers web and cloud systems and how they can be subverted. The class will focus on the highest risk vulnerabilities, give students practical experience in how they work, and study how they can be prevented. The class will consist mostly of laboratory exercises focused on developing student skills in performing penetration testing.

Schedule

Week Topic Assignments Due (Mon)
1 Course overview, Web Basics
Web Programming
1.1
1.2

2 Authentication, Session Management
Broken Authentication
1.3, 1.4 (HW #1)
3 Broken Access Control Unvalidated Redirects/Forwards, File upload, File includes
SSRF, XML External Entities (XXE)
1.5
1.6, 1.7

4 HTTPS, Sensitive Data Exposure
Command, Code injection, SQL injection
Blind SQL injection
2.1
2.2 (HW #2)
Lab notebook #1, HW #1
5 Cross-site Scripting (XSS)
Content Security Policy (CSP), Cross-Origin Resource Sharing (CORS)
3.1
3.2
6 Cross-site Request Forgery (CSRF), Clickjacking, Web Cache Poisoning
Web sockets, Insecure Deserialization
3.3, 3.4
3.5, 3.6, 3.7
Final project
Lab notebook #2, HW #2
7 Cloud overview, Cloud vulnerabilities, Cloud security (GCP) 4.1, 4.2, 4.3
8 Cloud security (AWS) - iam_privesc_by_rollback, cloud_breach_s3
Cloud security (AWS) - ec2_ssrf, rce_web_app
4.4, 4.5, 4.6, 4.7
Lab notebook #3
9 Cloud security (AWS) - Security via specification, Terraform, Serverless Goat
Tools (wfuzz, nmap, metasploit, sqlmap, w3af)

5.1, 5.2, 5.3, 5.4, 5.5, 5.6

10 Cyber Kill Chain, Mitre Attack Framework, Threat modeling
Advanced Topics
  • Security Misconfiguration
  • Insufficient Logging and Monitoring
  • Request Smuggling
Lab notebook #4
Finals Final project work Lab notebook #5 (Monday @11:59pm)
Screencast (Thursday @11:59pm)

Assignments

Labs and notebook
Lab assignments will be given each class covering the course material. You will maintain and turn in lab notebooks documenting your completion of each exercise. The notebook should include answers to any questions posed and screenshots requested that include your OdinID within them including a final screenshot of each solved level that contains the URL of the level instance. Notebooks should be exported as a PDF file and include a table of contents generated by Google Docs. Submission will be done via adding, committing and pushing the file to your private git repository. Use the following naming convention to submit your notebooks.
  • notebooks/<notebook_number>.pdf e.g. notebooks/1.pdf
The notebook will be graded based upon the following rubric:
  • Completeness
  • Inclusion of answers to questions asked
  • Inclusion of OdinID or project identifier in screenshots
Lab assignments will be given each class covering the course material. You will perform each one, while maintaining a lab notebook in a Google Doc that documents your progress via screenshots with your OdinID in them. The notebook should also include answers to any questions in the labs. 
Homework programs
Homework programming assignments are to be submitted via GitLab. Specific criteria and a grading rubric for each program is included in the assignment writeup.

Final project
You will attempt to solve a sequence of levels from PortSwigger's Web Security Academy site that have not already been assigned to you as part of a lab. Detailed instructions will be given when the project is assigned.

Course objectives

  • Learn the basics of web clients, servers, protocols, and programming
  • Understand common, high-risk web and cloud vulnerabilities

  • Practice ethical hacking to demonstrate how web and cloud vulnerabilities may be leveraged
  • Develop penetration testing skills

Policies

Grading Late assignments will docked 20%, but may be turned in at any time before finals week. Late work will not be graded until the end of finals week.
Attendance 5%
Programs 20%
Lab Notebooks 55%
Final Project and Walkthrough 20%
Attendance
Attendance is mandatory and absences will count against a student's overall grade.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Includes copying blocks of code from external sources without proper attribution
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.