331 - Network and Web Security - 2022


A.k.a COMP96015/96016 or COMP 60015, but just "331" for short.


Announcements

  • The course is now over. Watch this space for the 2023 edition.
  • Also this year Netcraft has offered its Netcraft 331 Prizes awarding an Amazon voucher to the top 10 performers of the exam. This year's 1337 h4x0rs were: Luqman Liaquat, Albert Schleidt, Thomas Alner, Andy Wang, Vincent Bardenheier, Madi Baiguzhayev, Daniel Ababei, Rodi Degirmenci, Anonymous, Arman Fidanoglu, Thomas Loureiro Van Issum.

Schedule

Week 7 - 28/02/22

  • Overview. This is the final week of the course. We conclude the client-side security part by looking at the security of sessions, which allow users to access and modify persistent state on the server, such as a bank account or a social network profile. In the lab, we practice CSRF attacks against sessions. Our last topic is web user privacy. We survey key issues, techniques and countermeasures for fingerprinting and tracking on the web. You are encouraged to try the recommended activities, which will deepen your appreciation of the privacy topics.

Week 6 - 21/02/22

  • Overview. This week we focus on the security of the client side of web applications. The same origin policy is the main security policy that the browser implements by default to isolate web pages from each other. We look at XSS and other JavaScript threats, and explore the security implications of cookies and browser-based storage. In the lab session we attempt to find and exploit XSS vulnerabilities.

Week 5 - 14/02/22

  • Overview. This week we begin with SQL injection, probably the most exploited server-side vulnerability, which we will also practice in the lab session. Then we look at key features and security aspects of JavaScript, and in particular obfuscation techniques. Finally we give an overview of how browsers work, and discuss the main relevant security threats and attacks.

Week 4 - 07/02/22

  • Overview. This week we start with web security. First we look at HTTP, the main protocol supporting web applications, then we see how HTTPS protects HTTP by encapsulating it inside TLS. This is followed by a short introduction to PHP and some of its tricky features. PHP will be our reference language for the server side of web applications. Finally we look at the main threats and vulnerabilities affecting servers. In the tutorial, we will practice identifying some of those vulnerabilities against a demo web application.

Week 3 - 31/01/22

  • Overview. This week we cover core material on network security. This is important in its own right and also because attacks against web applications sometimes span both the application and network layers. We cover a little more background on the TCP/IP stack, then look at key weaknesses, threats and attack techniques for the key protocols that enable web applications: IP, TCP, UDP, DNS and TLS. In the tutorial you will apply some of these concepts in practice, so it should be attempted after reviewing all the modules. Note that module 9 is only a quick overview of firewalls and IDSs, as an in-depth study goes beyond the scope of this course.

Week 2 - 24/01/21

  • Overview. This week we cover more background material and general topics relevant to the rest of the course, and end with a quick look at the security of local area networks. Authentication and passwords are pervasive in cybersecurity. We introduce key concepts and best practices here, and will come back to the topic later in the course. Pentesting is a useful conceptual framework for assessing the security of a network, and we will practice it in the labs from now on. The networks background module is mostly for the benefit of those students who do not have a computing background, but can serve as a quick refresher for the others. Finally we briefly discuss local area networks and some of their security weaknesses. You will practice some of what you learn on authentication, networks and LANs already in this week's tutorial, which is practical and based on virtual machines. You will need to have installed Kali on VirtualBox, either on your laptop or on a machine in the labs. Most students have no problems with this process but some find it difficult and time consuming, so please share on EdStem if you have problems, so that other people can benefit too.

Week 1 - 17/01/22

  • Overview. This week we cover some general security topics which are relevant to the rest of the course. In order to secure a system, we want to be able to discover, fix and, even better, prevent security vulnerabilities. Attackers attempt to install malware on their victims, and use the malware itself to implement further attacks. Although malware is not the focus of this course, we need some familiarity with it in order to understand the objectives and techniques used to attack networks and web applications. Threat modelling is a conceptual tool that we will use in the rest of the course to assess the security of applications and systems. Note that this week is a gentle introduction to the course; the pace and difficulty will increase as we get into technical topics.

Resources

People

Lecturer

Sergio Maffeis. Sergio is a senior lecturer in Computer Security at Imperial. He received his Ph.D. from Imperial and his MSc from the University of Pisa, Italy. Maffeis' research interests include security, formal methods, and programming languages. His recent work focuses on the application of formal methods to web security. You can find out more from his home page.


Teaching Assistants

Fahad Alotaibi. Fahad is a PhD student at Imperial College London under the supervision of Dr. Maffeis. He received his MSc in Cyber Security from The University of York (UK), and his BSc in Computer Science from Shaqra University (KSA). Fahad's research focuses on making deep learning-based security applications robust against evasion attacks and concept drift. Fahad is also interested in other areas such as digital forensics and ransomware prevention.


Myles Foley. Myles is a PhD student at Imperial College London under the supervision of Dr. Maffeis. He received his MEng from University College London in Electronic Engineering with Computer Science, earning the 'Outstanding MEng Graduating Student' prize. Myles' research focuses on novel and exciting ways of applying reinforcement learning to problems in cyber security.


Zhongyuan "Aaron" Hau. Aaron is a PhD student at Imperial under the supervision of Dr. Lupu, working on anomaly detection. He received his MSc in Computing Science from Imperial College London.


Mohamad Hazim. Hazim is a PhD student at Imperial under the supervision of Dr. Maffeis. He received his MCompSc from the University of Malaya, Malaysia. His research interests include computer security and artificial intelligence. Hazim is currently working on software vulnerability detection using machine learning.


Kate Highnam. Kate is a PhD student at Imperial College London under the supervision of Dr. Maffeis and Dr. Nicholas R. Jennings. She received her bachelor's degree in Computer Science from the University of Virginia, with an undergraduate thesis on automated software patches within drones. After her role as a Cyber Threat Huntress, her research is now focused on domain adaptation for machine learning models in intrusion detection.


Ferda Özdemir Sönmez. Ferda is a research associate at the Institute for Security Sciences and Technologies at Imperial. She received her BSc degree from the Electrical and Electronics Engineering Department, Middle East Technical University (METU), Ankara, Turkey. After graduation, she worked in the private sector as a software engineer, software development consultant, project manager, and IT manager. She has held the PMP certification since 2009. The projects she worked on were mainly e-government and Telco projects. She started her graduate study at the Informatics Institute, METU, in 2012 in the Information Systems field and received her MSc in 2012 and her Ph.D. in 2019 from the same department.


Hall of Fame

  • Netcraft 331 Prizes
    • For the past 4 years, Netcraft sponsored awards for the top 10 performers in the exam (an Amazon voucher worth GBP 250)
    • The winners of the 2022 edition were: Luqman Liaquat, Albert Schleidt, Thomas Alner, Andy Wang, Vincent Bardenheier, Madi Baiguzhayev, Daniel Ababei, Rodi Degirmenci, Anonymous, Arman Fidanoglu, Thomas Loureiro Van Issum.
    • The winners of the 2021 edition were: Michael Kuc, Andreas Casapu, Maksymilian Graczyk, Anonymous, Matteo Bilardi, Anonymous, Ali Abidi, Thomas Roberts, Tilman Roeder, Alexander Reichenbach
    • The winners of the 2020 edition were: Zak Cutner, Daniel Hails, Hadrian Lim Wei Heng, Fraser May, Alexander Nielsen, Giovanni Passerello, Matthew Pull, Ethan Sarif-Kattan, Marco Selvatici, Sebastian Reuter
    • The winners of the 2019 edition were: Jordan Spooner, Teodor Begu, Thomas Pointon, William Seddon, Niklas Vangerow, Lorenzo Silvestri, Pablo Gorostiaga-Belio, Giorgos Gavriil, Olivier Roques, Aurel Bily
  • 331 Bug Bounties
    • 331 Bug Bounty 2022
      • Albert Schleidt demonstrated the Dirtycow privilege escalation exploit on the listener vm.
      • Fabian Hauf, Anne-Sophie Hannes, Jonathan Powell, Vincent Bardenheier, Albert Schleidt reported a DOM-based XSS vulnerability in NaturalReaders.com.
    • 331 Bug Bounty 2020
      • Kelvin Zhang reported an authentication vulnerability in https://play.mtn.co.za/ to HackerOne, and was credited for it
    • 331 Obfuscation Bounty 2020
      • Winners: James Williams, Marco Selvatici
      • Runners up: Tristan Nemoz, Robert Jin, James Dalboth and Anonymous