About this course

• Title: Introduction to Web Cybersecurity
• Lecturers: Marco Rocchetto (marco@v-research.it) & Mattia Pacchin (mattia@v-research.it)
• Students: ITS 1st year (@311Verona)
• When: January-February 2021
• Office hours: you can always drop us an email to schedule a 1 on 1 meeting.

Learning Outcomes

This course provides an overview on the problems and challenges related to software security in the context of Web applications, focusing on the main current solutions (namely, testing techniques). The student will familiarize with general cybersecurity principles (such as cryptography and security properties as confidentiality, integrity, and availability) and with the main cybersecurity issues in the Web (such as the OWASP top 10 web app security risks, and the main knowledge bases such as the CWE, CVE, NVD, CAPEC). The student will be asked to critically analyze the security of Web applications and ultimately to provide evidences of cyber-insecurities in Web applications (using learning platforms such as the OWASP Juice Shop). Alongside the “hacking her way to cybersecurity” approach, the student will be made aware of the current unfalsifiability of necessary security claims, and subsequent lack of clear understanding of what a cybersecure web application should look like.

No specific skill is required but the basic understanding of programming is presupposed. Within the course, an introduction to the basic concepts of HTML, JavaScript, SQL will be provided.

Course Resources

Learning Platforms and Softwares

• OWASP WebGoat as the reference learning platform
• OWASP Juice Shop as a “playground” where the students will test their cybersecurity skills and understanding
• XSS Game as a “playground” for testing XSS skills
• ZAP

Lessons

L0. 19-January-2021 (Tuesday) [14.00-18.00]

1. An introduction to Cybersecurity [theory 1h]
   • #whoami & course overview
   • Beliefs on Cybersecurity
   • Infosec and the CIA-triad evolution (1970-today)
   • Attacker vs Hacker, Blue and Red Teams, …
   • Hacker Ethics and Laws against Attackers
   • Cybersecurity Resources: CVE, CWE, CAPEC, WASC, NVD
   • Cybersecurity Resources: OWASP, DEFCON, PHRAK, IEEE S&P
2. Coffee break [10m]
3. Lab Configuration [lab 1h]
4. Hacking the HTTP [theory 30m + lab 1h30m]
   • The WebGoat platform [15m]
   • The HTTP protocol and the Client-Server architecture [15m]
   • Webgoat lesson (General->HTTPBasic) [1h30m]
     • ZAP HUD Tutorial [OPTIONAL]

Lesson 0 - Resources

• Slide (pdf, odp)
• WebGoat & ZAP installation

L1. 26-January-2021 (Tuesday) [14.00-18.00]

1. Cybersecurity Topic #1 - SQL-injection [theory 30m + lab 2h]
   • Intro to Databases and DBMS [15m]
   • WebGoat lesson (A1 - Injection, path traversal excluded) [2h]
2. Coffee break [10m]
3. Open Discussion [30m]

Lesson 1 - Resources

• Slide (pdf, odp)

L2. 1-February-2021 (Monday) [14.00-18.00]

1. Intro to JavaScript & HTML [30m]
2. Cybersecurity Topic #3 - XSS
   • XSS short intro [15m]
   • WebGoat exercises (A7 - Cross-site Scripting) [1h]
3. Cofee break [10m]
4. XSS Game [1h30m]

Lesson 2 - Resources

• Slide (pdf, odp)

L3. 9-February-2021 (Tuesday) [14.00-18.00]

1. Crypto Overview & Integrity Deep Dive [1h30m]
   • Steganography, Encryption & Decryption
   • Symmetric and Asymmetric Encryption
   • Overview of Cryptographic Algorithms (One-Time Pad and RSA)
   • Attacks on Protocol Logic (man-in-the-middle, reflection, …)
   • Trust and Authentication (PKI)
2. Coffee break [10m]
3. Cybersecurity Topic #4 - CSRF
   • WebGoat lesson (A8:2013 Request Forgery) [1h]

Lesson 3 - Resources

• Slide (pdf, odp)

L4. 16-February-2021 (Tuesday) [14.00-18.00]

1. OWASP Juice Shop [2h50m]
2. Coffee break [10m]
3. Results Review & Discussion [1h]