Web and Cloud Security

Instructor: Wu-chang Feng
Contact and discussion: office hours
Course Description
This course covers web and cloud systems and how they can be subverted. The class will focus on the highest risk vulnerabilities, give students practical experience in how they work, and study how they can be prevented. The class will consist mostly of laboratory exercises focused on developing student skills in performing penetration testing.

Schedule

Each week lists the topics covered, the assignments given, and what is due on Monday of that week.

Week 1: Course overview, Web Basics; Web Programming
  Assignments: Homework #1

Week 2: Broken Access Control; SSRF, XML External Entities (XXE), Sensitive Data Exposure
  Assignments: Lab 1.1, Lab 1.2

Week 3: Command injection, Code injection, SQL injection; Blind SQL injection
  Assignments: Lab 2.1, Lab 2.2; Blind SQL Program #1
  Due (Mon): Lab notebook #1 (Labs 1.1-1.2)

Week 4: Authentication; Broken Authentication, Unvalidated Redirects/Forwards
  Assignments: Lab 2.3; Timing Side-Channel Program #2

Week 5: Cross-site Scripting (XSS), Content Security Policy (CSP), Cross-Origin Resource Sharing (CORS); Cross-site Request Forgery (CSRF), Clickjacking
  Assignments: Labs 3.1, 3.2; Lab 3.3
  Due (Mon): Blind SQL Program #1; Lab notebook #2 (Labs 2.1-2.3)

Week 6: Insecure Deserialization; Security Misconfiguration, Using Known Vulnerable Components, Insufficient Logging and Monitoring
  Assignments: Labs 3.4, 3.5
  Due (Mon): Timing Side-Channel Program #2

Week 7: Cloud overview, Cloud vulnerabilities; Cloud security (GCP)
  Assignments: Lab 4.1
  Due (Mon): Lab notebook #3

Week 8: Cloud security (AWS)
  Assignments: Labs 4.2, 4.3, 4.4, 4.5

Week 9: Cloud security (AWS); Tools (wfuzz, nmap, metasploit, sqlmap, w3af)
  Assignments: Labs 5.1, 5.2, 5.3, 5.4, 5.5

Week 10: Cyber Kill Chain, MITRE ATT&CK Framework, Threat modeling
  Assignments: Final project work
  Due (Mon): Lab notebook #4

Finals: Final project work
  Due: Lab notebook #5 (Mon, 3/16); Screencast (Thu, 3/19); cs495.oregonctf.org levels (Sun, 3/22)

Assignments

Labs and notebook
Lab assignments will be given each class covering the course material. You may work with a partner to solve labs, but each student must maintain and turn in an individual lab notebook containing writeups of each lab exercise. Notebooks should be submitted within D2L as PDF files. Writeups must include the vulnerability being demonstrated, how it was solved, and possible remediations to mitigate the threat. Include screenshots as requested. Writeups should be written in a way that would allow others to repeat your methodology to solve the level. The notebook will be graded based upon the following rubric:
  • Completeness
  • Description of vulnerability
  • Description of technique, URL, or script used to exploit vulnerability
  • Description of prevention or other remediation to mitigate threat
Homework and Programs
Homework levels (cs495.oregonctf.org) and programming assignments are to be done individually. Homework from the CS 495 CTF can be submitted directly via flag submissions on the site. Programming assignments are to be submitted via GitLab. Late assignments will be docked 10% for each day late, up to 3 calendar days, after which they will not be accepted. Specific criteria and a grading rubric for each program are included in the assignment writeup.
Final project
You will solve multiple levels from PortSwigger's Web Security Academy site that have not already been assigned to you as part of a lab. You will then create a narrated screencast, no longer than 20 minutes in length, that walks through the levels that you solved. You will then submit your screencast via PSU's Media Space. Screencasts can be recorded via the software on Media Space (e.g. Kaltura Capture) or with tools such as QuickTime, Zoom, or Open Broadcaster. After uploading the screencast, you will publish it as "Unlisted" so that anyone with the link can access it. Then, you will create a directory in your repository named final which will include a file called url.txt containing the URL of your screencast on Media Space. In addition, any source files you used as part of your project should also be included and will contribute to your grade. The following rubric will be used for grading:
  • Difficulty of levels
  • Quantity of levels
  • Demonstration of vulnerability
  • Demonstration and walkthrough of its exploitation including how the input you provide leverages the vulnerability
  • Description of prevention/remediation.
  • Repository contents including scripts and the working URL in final/url.txt pointing to your screencast of < 20 min.

Course objectives

  • Learn the basics of web clients, servers, protocols, and programming
  • Understand common, high-risk web and cloud vulnerabilities
  • Practice ethical hacking to demonstrate how web and cloud vulnerabilities may be leveraged
  • Develop penetration testing skills

Policies

Grading
  • Attendance: 10%
  • Homework Site: 30%
  • Programs: 15%
  • Lab Notebooks: 30%
  • Final Project and Walkthrough: 15%
Attendance
The class is based on students putting in time and effort to become proficient. As a result, attendance is mandatory and absences will count against a student's overall grade.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Includes copying blocks of code from external sources without proper attribution
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.