COMP6443 Final exam review

Computer Network 计算机网络代写, Cyber Security 网络安全代写, Operating System 操作系统代写, Web Development 网站开发代写 / CS代考, Javascript 代写

COMP6443 – COURSE REVIEW
Web Application Security
Add WeChat powcoder

Assignment Project Exam Help
• The exam will go for 24 3 hours, and should be done from home.
• The exam will comprise of:
• 7 practical chahlletntgpes://powcoder.com
• 1 written response challenge
• There are no hidden or bonus marks.
Add WeChat powcoder
• This is a high-level recap. You should review the weekly slides.

TOPIC 1: RECON
• Recon identifies infrastructure, applications and content
• Offensive: look for unpatched software, test / admin content, test admin Assignment Project Exam Help
• Defensive: know your network / verify your asset list https://powcoder.com
• Check for bug bounty community cheat sheets
• Commercial tools available
Add WeChat powcoder
• Verify false positives / negatives
• You will not need to do host discovery in the final exam.

TOPIC 1: RECON • Automated tooling:
• dirb, dirbuster, gobuster (have a wordlist ready) Assignment Project Exam Help
• burp passive scanner
• fingerprint / check for CVE’s (whatweb, etc)
• altdns, zdns, massdns
• View source:
• Comments
Add WeChat powcoder
• HTTP Headers
https://powcoder.com

TOPIC 2: AUTHENTICATION
• Authentication identifies a specific user logging in
• Typical attacks:
Assignment Project Exam Help
• Brute force / simple passwords (e.g. admin:admin)
• Injection attacks against login functionality
https://powcoder.com
• Broken forgot password functionality
• XSS (stealing a user’s cookie)
Add WeChat powcoder
• Session fixation (forcibly set a user’s cookie).
• Burpsuite request tampering to modify
• Hashcat/john/google to look up password hashes

TOPIC 2: AUTHORIZATION
• Authorization identifies whether a user is permitted to take an action or use
a resource. Assignment Project Exam Help
• Typical attacks:
• IDOR (id=2)
https://powcoder.com Add WeChat powcoder
• Browse to privileged pages / content as unprivileged user
• Modify own user pages
• CSRF (force someone else to take a privileged action)
• XSS (use another user to fetch privileged content)

TOPIC 2: ACCESS CONTROL
Assignment Project Exam Help https://powcoder.com
Add WeChat powcoder

TOPIC 3: SERVER-SIDE ATTACKS
Assignment Project Exam Help https://powcoder.com
‘”;../–#`ls`
Add WeChat powcoder
Make your own test string. Edit it to suit it each target. Test your own systems.
Code Help, Add WeChat: cstutorcs
TOPIC 3: SQLi
• Write out your SQLi in notepad to plan it.
select * from users where username=‘admin’ and password=‘hunter2’ limit 1; Assignment Project Exam Help
• Quote styles (single vs double quote)
• Comment styles (–, #, 😉
https://powcoder.com
Add WeChat powcoder
• Wildcards (%, *)
• Binary searches vs delays
• sqlmap (but always manually review your tool output).

TOPIC 3: COMMAND INJECTION • Look for where you think commands are being built
ping 8.8.8.8 && dd if=/dev/urandom of=/dev/sda1 bs=1 count=1024
Assignment Project Exam Help
• Be aware of OS specifics • Chaining commands
https://powcoder.com
Add WeChat powcoder
• UNC paths • Backticks
• Cheatsheet: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat _Sheet.html

TOPIC 3: DEFENSE AGAINST INJECTION • Any input influenced by a user is considered tainted.
• Do not (without filtering):
Assignment Project Exam Help
• Use tainted data in processing
• Display tainted data to the user
• Filtering techniques:
• Check the input exists at all
https://powcoder.com
Add WeChat powcoder
• Check input is legitimate format and size
• Whitelist entire input (e.g. “input must be 1,2 or 3”)
• Whitelist characters

TOPIC 4: CLIENT SIDE SECURITY
Assignment Project Exam Help https://powcoder.com
Add WeChat powcoder

Programming Help, Add QQ: 749389476
TOPIC 4: CSRF
Assignment Project Exam Help https://powcoder.com
Add WeChat powcoder
(source: week 5)

TOPIC 4: SAME ORIGIN POLICY
Assignment Project Exam Help https://powcoder.com
Add WeChat powcoder
tl;dr: JavaScript from one origin cannot access data from another origin.
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

TOPIC 4: CSRF

Assignment Project Exam Help



Add WeChat powcoder
Use random CSRF tokens to prevent this.

TOPIC 4: XSS
• When an attacker can control the content displayed to users
• HTML, JavaScript, CSS, any other active content. Assignment Project Exam Help
• Extract cookies (document.write(“blah”+document.cookie))
• Chain with CSRF (use JavaScript to trigger the request)
https://powcoder.com
• Reflected: attacker sends a malicious link, triggers when accessed by the
• Stored: attacker poisons a persistent store, displayed later
You should have some payloads prepared for the exam, e.g.:

Add WeChat powcoder
浙大学霸代写 加微信 cstutorcs
TOPIC 5: DEVSECOPS / AGILE SECURITY
DevSecOps—short for development, security, and operations—automates the integration of
security at every phase of the software development lifecycle, from initial design through
integration, testing, deployment, and software delivery.
Assignment Project Exam Help
• Role of security in agile? https://powcoder.com
• Static AST, Dynamic AST, Instrumented AST
• Source code review:
• Sources, sinks, tAaintdadnd tWaintetraCckhingat powcoder
• Tools: commercial, grep
The exam’s written component will be on Week 5 content.

Assignment Project Exam Help https://powcoder.com
THANKS FOR LISTENING TO US RANT!
questions? email / openlearning
Add WeChat powcoder
(there is no lecture tomorrow)