Portland State University CS 495/595: Web and Cloud Security

Web and Cloud Security

Instructor: Wu-chang Feng (wuchang)
Class: VSC 105, MW 2:00pm-3:50pm
Office hours: time
Contact and discussion:

DM @wuchang pdx-cs.slack.com
Post on channel #cs495
In-class questions/feedback anonymously sayat.me

TA: Alex Hodges (hodgesa)

DM @Alex Hodges pdx-cs.slack.com:
Office hours: Mondays 9-11am Fishbowl (Outside FAB 120)

Resources

Course slides on PSU Google Drive
Python tutorial screencast
Lecture screencasts
Course student reviews
Google's write-up

Course Description
This course covers web and cloud systems and how they can be subverted. The class will focus on the highest risk vulnerabilities, give students practical experience in how they work, and study how they can be prevented. The class will consist mostly of laboratory exercises focused on developing student skills in performing penetration testing.

Schedule

Week	Topic	Assignments	Due (Monday before class)
1	Course overview, Web Basics Web Programming	1.1 1.2
2	Authentication, Session Management Broken Authentication	1.3, 1.4 (HW #1)
3	Broken Access Control Unvalidated Redirects/Forwards, File upload, File includes SSRF, XML External Entities (XXE), Sensitive Data Exposure (HTTPS)	2.1 2.2, 2.3	Lab notebook #1, HW #1 (1.4) (4/14)
4	Sensitive Data Exposure, Command/Code injection SQL injection, Blind SQL injection	3.1 3.2 (HW #2)	Lab notebook #2 (4/21)
5	Cross-site Scripting (XSS), Cross-Origin Resource Sharing (CORS) Content Security Policy (CSP)	4.1	Lab notebook #3 (3.1) (4/28)
6	Cross-site Request Forgery (CSRF), Clickjacking, Web Cache Poisoning Insecure Deserialization, Web Sockets	4.2 5.1, 5.2	HW #2 (3.2) (5/5)
7	Request Smuggling, Misconfiguration, Insufficient Logging, APIs Tools (wfuzz, xsstrike, commix, nmap, metasploit, sqlmap)	5.3, 5.4, 5.5	Lab notebook #4 (5/12)
8	Cloud overview, Cloud security (GCP) Cloud vulnerabilities	6.1, 6.2, 6.3, 6.4, 6.5 6.6 (Final project)	Lab notebook #5 (5/19)
9	Cloud security (AWS), AWS CloudGoat iam_privesc_by_rollback, cloud_breach_s3 (in class only) Infrastructure/Security as Code, Terraform, AWS CloudGoat ec2_ssrf, rce_web_app (in class only), AWS Serverless Goat	7.1, 7.2, 7.3 8.1, 8.2, 8.3, 8.4	Lab notebook #6 (5/26)
10	Cyber Kill Chain, Mitre Attack Framework, AWS CloudGoat rce_web_app Mitre Attack Navigator, Defenses, AWS CloudGoat levels		Lab notebook #7 (6/2)
Finals			Lab notebook #8 (6/9) Final project (Thursday 6/12 @11:59pm)

Assignments

Labs and notebook
Lab assignments will be given each class covering the course material. You will maintain and turn in lab notebooks documenting your completion of each exercise. The notebook should include answers to any questions posed and screenshots requested that include your OdinID within them including a final screenshot of each solved level that contains the URL of the level instance. Notebooks should be exported as a PDF file and include a table of contents generated by Google Docs. Submission will be done via adding, committing and pushing the file to your private git repository. Use the following naming convention to submit your notebooks.

notebooks/Labs<notebook_number>.pdf e.g. notebooks/Labs1.pdf

The notebook will be graded based upon the following rubric:

Completeness
Inclusion of answers to questions asked
Inclusion of OdinID or project identifier in screenshots

Lab assignments will be given each class covering the course material. You will perform each one, while maintaining a lab notebook in a Google Doc that documents your progress via screenshots with your OdinID in them. The notebook should also include answers to any questions in the labs.

Homework programs
Homework programming assignments are to be submitted via GitLab. Specific criteria and a grading rubric for each program is included in the assignment writeup.

Final project
You will attempt to solve a sequence of levels from PortSwigger's Web Security Academy site that are taken from a set provided by the instructor. You will then perform a screencast walkthrough of the levels you solved.

Late work

Always turn in what you have done on-time. Late work will be docked 20%, but may be turned in at any time before finals week. If you submit any late work, it will be graded during finals week. Late work must be placed in the late directory in your GitLab repository and named according to the lab number. Use the following naming convention for late work: late/LabsX.pdf. For example, a late addendum to Labs1.pdf should be submitted as late/Labs1.pdf.

Course objectives

Learn the basics of web clients, servers, protocols, and programming
Understand common, high-risk web and cloud vulnerabilities

Practice ethical hacking to demonstrate how web and cloud vulnerabilities may be leveraged
Develop penetration testing skills

Policies

Grading

Attendance	5%
Programs	20%
Lab notebooks	55%
Final project	20%

Attendance and participation
Attendance is required and will be taken each class. Due to their nature, several lab exercises will only be offered during class. Two absences are allowed with no deduction regardless of the reason. You do not need to notify the instructor. Participation in the Slack channel is encouraged. You are expected to follow this code of conduct when communicating.

Academic misconduct

Includes allowing another student to copy your work unless specifically allowed by the instructor.
Includes copying blocks of code from external sources without proper attribution
Results in a grade of 0 for the assignment or exam.
Results in the initiation of disciplinary action at the university level.