331 - Network and Web Security - 2024

Table of Contents

A.k.a 60015 or 70082, but just "331" for short.

hacking.jpg

Announcements

Schedule

Week 6 - 19/02/24

  • Overview. This week we focus on the security of the client side of web applications. The same origin policy is the main security policy that the browser implements by default to isolate web pages from each other. We look at XSS and other JavaScript threats, and explore the security implications of cookies and browser-based storage. In the lab session we attempt to find and exploit XSS vulnerabilities.
  • Topics
  • Activities
    • Lab on Monday
      • Tutorial 7: Client-side vulnerabilities - Part 1
    • In class session on Thursday
      • Tutorial 8: Code review for PHP and XSS
      • Q&A, demos, etc
    • Familiarise with the OWASP cheatsheets for

Week 5 - 12/02/24

Week 4 - 05/02/24

  • Overview. This week we start with web security. First we look at HTTP which is the main protoocols supporting web applications, then we see how HTTPS protects HTTP by encapsulating it inside TLS. Follows a short introduction to PHP and some of its tricky features. PHP will be our reference language for the server side of web applications. Finally we look at the main threats and vulnerabilities affecting servers. In the tutorial, we will practice identifying some of those vulnerabilities against a demo web application.
  • Topics
    • 12 HTTP
      • Read Chapters 2 and 3 of The Tangled Web
      • Optional reading
        • For reference: IETF RFCs for HTTP and HTTPS
    • 13 PHP
    • 14 Server-side security
      • Read Chapters 1-4, 20, 21 of The Web Application Hacker's Handbook
  • Activities
    • Lab on Monday
      • Guide: Chrome and Burp in Kali
      • Tutorial 4: Server-side web vulnerabilities
    • In class session on Thursday
      • Invited lecture 2: DMARC: Counter-Attacking Email Fraud (Charlie Hothersall-Thomas, Netcraft)
      • Q&A, demos, etc
    • Recommended exercise
      • Write a simple web app in PHP that can store HTTP POST data in a SQL database
      • Optional: serve your web app over HTTPS (you can get a certificate for free at https://letsencrypt.org or try using a self-signed certificate)

Week 3 - 29/01/23

  • Overview. This week we cover core material on network security. This is important in its own merit and also because attacks against web applications sometime span both the application and network layer. We cover a little bit more background on the TCP/IP stack, then look at key weaknesses, threats and attacks techniques for the main protocols that enable web applications: IP, TCP, UDP, DNS and TLS. In the tutorial you will apply some of these concepts in practice, so it should be attempted after reviewing all the modules. Note that module 9 is only a quick overview of firewalls and IDSs, as an in depth study goes beyond the scope of this course.
  • Topics
  • Activities
    • Lab on Monday
      • Tutorial 3: Network security tools
    • In class session on Thursday
      • Invited lecture 1: Introduction to Ransomware Operations (Antoine Vianey-Liaud, Crowdstrike)
      • Q&A, demos, etc

Week 2 - 22/01/24

  • Overview. This week we cover more background material and general topics relevant to the rest of the course, and end with a quick look at the security of local area networks. Authentication and passwords are pervasive in cybersecurity. We introduce key concepts and best practices here, and will come back to the topic later in the course. Pentesting is a useful conceptual framework to assess the security of a network, and we will practice it in the labs from now on. The networks background module is mostly to the benefit of those students who do not have a computing background, but can serve as a quick refresher to the others. Finally we briefly discuss local area networks and some of their security weaknesses. You will practice some of what you learn on authentication, networks and LANs already in this week's tutorial, which is practical and based on virtual machines. You will need to have installed Kali on VirtualBox, either on your laptop or on a machine in the labs. Most students have no problems with this process but some find it difficult and time consuming, so please share on EdStem if you have problems, so that other people can benefit too.
  • Topics
    • 4 Authentication
    • 5 Pentesting
      • Read Chapters 3 and 4 of Professional Penetration Testing
      • Optional reading
        • Read Chapters 6 and 7 of Professional Penetration Testing
    • 6 Networks background
      • Optional reading (highly recommended if you are new to computer networks)
        • Sections 4.1, 4.2, 4.3, 6.4 (up to and including 6.4.3) of Computer Networking - A Top-Down Approach - 7th Edition
    • 7 LAN security
  • Activities
    • Lab on Monday
      • Tutorial 2: Virtual security lab and passwords
    • In class session on Thursday

Week 1 - 15/01/24

  • Overview. This week we cover some general security topics which are relevant to the rest of the course. In order to secure a system, we want to be able to discover, fix and, even better, prevent security vulnerabilities. Attackers attempt to install malware on their victims, and use malware itself to implement further attacks. Although malware is not the focus of this course, we need to have some familiarity with it, in order to understand the objectives and techniques used to attack networks and web applications. Threat modelling is a conceptual tool that we will use in the rest of the course to assess the security of applications and systems. Note that this week is a gentle introduction to the course, the pace and difficulty will increase as we get into technical topics.
  • Topics
  • Activities
    • Lab on Monday
      • Guide: Install VirtualBox and Kali
    • In class session on Thursday
      • Overview, Q&A, demos
      • Tutorial 1: Threat Modelling

Organization

  • Timetable:
    • Fri 9:00am: recorded lectures and slides for the following week released on Scientia. Links: UG ~ MSc
    • Mon 4pm:-6pm: lab session in Hux 219.
    • Thu 2pm-4pm: in-class activities in Huxley 311, including a variety of
      • Q&A, demos, extras on weekly material
      • Tutorials (not computer-based)
      • Invited lectures
      • "Office" hours
  • edStem will be used for course announcements and course related questions.
    • Questions via email will be ignored.
  • The weekly course schedule, along with suggested reading will be posted on the course website as the course unfolds.
  • External students: registration instructions.

Assessment

  • Assessed coursework
    • The assessed (individual) coursework started February the 15th at 4pm here: 60015 and 70082.
    • The deadline for the coursework is February the 29th at 2pm.
    • There is nothing to submit on Scientia, just use the link above.
  • Exam
    • The exam will take place at 10am on the 20rd of March, in the labs.
    • Answer 2 questions out of 2 in 2 hours.
    • The format is "open book" (you are allowed to bring limited study material with you).
    • Selected cheatsheets and reference guides will also be provided to help with the practical part.
    • Roughly half of the exam will consists of practical security tasks.

Resources

People

Lecturer

sergio.jpg Sergio Maffeis. Sergio is a senior lecturer in Computer Security at Imperial. He received his Ph.D. from Imperial and his MSc from University of Pisa, Italy. Maffeis' research interests include security, formal methods, and programming languages. His recent work focuses on the application of formal methods to web security. You can find out more from his home page.


Guest Lecturers

antoine.png Antoine Vianey-Liaud. Antoine manages a team of threat hunters at Crowdstrike, uncovering sophisticated adversaries within the networks of a large customer base. He received his MSc from Imperial College London in 2016, delivering an ISO and thesis under the supervision of Dr Maffeis. His interests include intrusion detection (using security domain knowledge, statistical and data science methods), capture the flag competitions, and security in all its forms.


charlie.jpg Charlie Hothersall-Thomas. Charlie is a Director of Engineering at Netcraft, where he leads the DevOps division. Prior to this he worked as a developer on a variety of Netcraft's anti-cybercrime products. His technical expertise includes web security, TLS and PKI, networking, Linux system administration and Tor. He graduated in 2014 with a BEng in Computing from Imperial College London, where he started BrowserAudit as his final year project.


joseph.jpg Joseph Katsioloudes. Joseph works for the GitHub Security Lab, and was previously a Security Consultant at IBM. He obtained an MSc in Cyber Security Engineering from the University of Warwick and an MEng in Computing from Imperial College London. His experience in security stems from summer internships and own initiatives to problem-solve. Highlights include the disclosure of a zero-day vulnerability for a top ten cryptocurrency during his final year at Imperial College, the GCHQ security accreditation, software contributions to open-source tools and advanced attack simulations.




Teaching Assistants

almuthanna.jpg Almuthanna Alageel. Almuthanna is a Honorary Research Associate at Imperial College London, where he obtained his PhD under the supervision of Dr. Maffeis. He has been working for KACST in cybersecurity since 2009 in addition to providing consultancy services for several organisations. He holds several professional certifications including CISSP, CISM, CRISC and PMP. He received his MSc in Computer Science from the University of Colorado at Denver, and his BSc in Computer Engineering from King Saud University. Almuthanna is working on detecting evasive APT campaigns.


abdullah.jpg Adbdullah Adlaihan. Abdullah is a PhD student at Imperial College London under the supervision of Dr. Maffeis. He received his MSc in computer science from Georgia Institute of Technology, and his BSc in computer science from King Saud University. Abdullah's focus is on utilizing Large Language Models (LLMs) for systems security.


eman.jpg Eman Maali. Eman is a PhD student at Imperial College London under the supervision of Prof. McCann. Eman's Ph.D. focus is IoT Security, in which she is developing an anomaly detector for IoT networks. In 2017, Eman completed her MSc in Electromagnetic Sensor Networks at the University of Birmingham. The focus of the Master's was on electromagnetic, antennas, propagation, computer communications networks, and RF and microwave engineering. Moreover, Eman completed her BA in Computer Systems Engineering from Birzeit University in Palestine.


fahad.jpg Fahad Alotaibi. Fahad is a PhD student at Imperial College London under the supervision of Dr. Maffeis. He received his MSc from The University of York (UK) in Cyber Security, and his BCs from Shaqra University (KSA) in Computer Science. Fahad’ research is focused on robusting deep learning-based security applications againsts evasion attacks and concept drift. Fahad is also interested in other areas such as digital forensics and ransomware prevention.


myles.png Myles Foley. Myles is a PhD student at Imperial College London under the supervision of Dr. Maffeis. He received his MEng from University College London in Electronic Engineering with Computer Science, earning the ‘Outstanding MEng Graduating Student’ prize. Myles’ research is focused at novel - and exciting - ways of applying reinforcement learning to problems in cyber security.


Hall of Fame

  • Netcraft 331 Prizes
    • For the past 4 years, Netcraft sponsored awards for the top 10 performers in the exam (an Amazon voucher worth GBP 250)
    • The winners of the 2023 edition were: Ghazal Farzamfar, Panayiotis Gavriil, Michal Glinski, Derek Lai, Maximilian Lau, Suhaib Mohammed, James Nock, Matthew Setiawan, Mike Sorokin, Ye Lun Yang.
    • The winners of the 2022 edition were: Luqman Liaquat, Albert Schleidt, Thomas Alner, Andy Wang, Vincent Bardenheier, Madi Baiguzhayev, Daniel Ababei, Rodi Degirmenci, Anonymous, Arman Fidanoglu, Thomas Loureiro Van Issum.
    • The winners of the 2021 edition were: Michael Kuc, Andreas Casapu, Maksymilian Graczyk, Anonymous, Matteo Bilardi, Anonymous, Ali Abidi, Thomas Roberts, Tilman Roeder, Alexander Reichenbach
    • The winners of the 2020 edition were: Zak Cutner, Daniel Hails, Hadrian Lim Wei Heng, Fraser May, Alexander Nielsen, Giovanni Passerello, Matthew Pull, Ethan Sarif-Kattan, Marco Selvatici, Sebastian Reuter
    • The winners of the 2019 edition were: Jordan Spooner, Teodor Begu, Thomas Pointon, William Seddon, Niklas Vangerow, Lorenzo Silvestri, Pablo Gorostiaga-Belio, Giorgos Gavriil, Olivier Roques, Aurel Bily
  • 331 Bug Bounties
    • 331 Bug Bounty 2023
    • 331 Bug Bounty 2022
      • Albert Schleidt demonstrated the Dirtycow privilege escalation exploit on the listener vm.
      • Fabian Hauf, Anne-Sophie Hannes, Jonathan Powell, Vincent Bardenheier, Albert Schleidt reported a DOM-based XSS vulnerability in NaturalReaders.com.
    • 331 Bug Bounty 2020
    • 331 Ofuscation Bounty 2020
      • Winners: James Williams, Marco Selvatici.
      • Runner ups: Tristan Nemoz, Robert Jin, James Dalboth and Anonymous.