
Security Challenge

Lectures 29-30. Security Challenge. Mechanics. We are going to take 2 classes to let you experiment with web site security. PRELAB (should be done already) Split into teams Install the insecure server on a public site (AWS lab) Each team makes a list of vulnerabilities



Presentation Transcript


  1. Lectures 29-30: Security Challenge (CS132 Lecture 29, 30: Security Challenge)

  2. Mechanics
  • We are going to take 2 classes to let you experiment with web site security.
  • PRELAB (should be done already)
    • Split into teams
    • Install the insecure server on a public site (AWS lab)
    • Each team makes a list of vulnerabilities
    • Each team gets to choose defend or attack or both
    • Each team should have done some preliminary work

  3. Web Site
  • We have provided you with a simple web site
    • Using HTML, CSS, Node.JS, MySQL
  • You have access to source code, tables, etc.
  • There is certain private information
    • Passwords, bank account information, social security numbers, …

  4. Attackers’ Goal
  • Access the private information
  • Alternatively, disable or break the web site

  5. Defenders’ Goal
  • Protect the private information
  • Keep the web site up
  • Keep the web site functional

  6. Constraints
  • Only minimal changes to database tables
    • Can add fields, nothing else
  • Basic functionality and URLs should remain the same
  • Source code needs to be available
  • Can’t use more than 3 computers simultaneously to attack
    • (No distributed denial of service attacks)
  • Otherwise, anything goes…

  7. Schedule: Class I
  • Defenders:
    • Upload your safer server to host
    • Post the URL of your web site on the blackboard
    • Monitor the logs
  • Attackers:
    • Run your scripts/tests against as many servers as you want
    • See what works and what doesn’t
    • You can use curl or selenium if desired
  • Both:
    • Make plans for better defenses, improved attacks
    • Edit your servers/attacks as needed

  8. Schedule: Homework I
  • Create improved server, improved attacks

  9. Schedule: Class II
  • Defenders:
    • Upload your safer server to host
    • Post the URL of your web site on the blackboard
    • Update your site as needed during class
  • Attackers:
    • Provide scripts
    • Modify scripts as needed

  10. Homework II
  • For class on Monday
  • Written hand-in
  • Be prepared to present
  • List the security flaws
    • Defenders
      • That you missed in the initial implementation and fixed
      • That still exist in your implementation
    • Attackers
      • That you successfully exploited

  11. Next Time
  • Project presentations
    • For those not handing in a report
    • Make the presentations interesting and informative
    • Teach the class how things are done in practice
    • Make the presentations entertaining
  • Testing
    • We will look at different testing technologies
    • And then give you a chance to try them on your projects

  12. Next Time
  • Privacy
  • Pre-Class Work:
    • Sign up at aboutthedata.com and check the data that Acxiom has on you personally. Is it accurate? Are you comfortable with them having this data? Is any of the data surprising?
    • Come prepared to discuss (without revealing private information)
