This year’s Penetration Testing and Exploit Development course (Fall 2008) will contain completely rewritten course material, guest lectures from leading security professionals, and free access to commercial tools provided by Fortify Software and Matta (thank you!). Additionally, the class will be held on-campus rather than online as it has been.
The instructor for the course is Nasir Memon with TA’s Dan Guido (me) and Vikram Padman. The syllabus has been finalized and the guest professors as well as their respective topics are as follows:
- December 4th — FINAL PROJECTS
- December 11th — hack the planet/show off projects
Students will have to complete one homework assignment every two weeks, a take-home midterm, and do a final project of their choosing. Each two week session will contain one full session of Q&A to review the homework associated with it. Extra credit will be given for participating in CSAW and UCSB iCTF.
Any questions about the course can be e-mailed to me at dguido@gmail.com.
EDIT: The course will be held in room RH227
A recent article in ComputerWorld profiled NYU-Poly, and specifically the ISIS lab, as 1 of 10 “IT Schools to Watch.”
When Stan Nurilov attended Polytechnic Institute of New York University in an accelerated bachelor’s/master’s of computer science program from 2002 to 2006, he truly enjoyed the technical courses he took in areas like operating systems and databases.
But it wasn’t until he graduated and began working as a software developer/project leader for a branch of the U.S. military that Nurilov fully appreciated the project-level courses that taught him about leadership qualities.
“Those classes really help me when I need to work with customers and gain collaboration on projects,” he says.
Stan is a graduate of our SFS program that pays for two years of tuition, rent, and other expenses in exchange for a commitment to work at a government agency for two years.
Head over to ComputerWorld and read the rest of the article!
Published on
August 16, 2008 in
Meta and Web.
On August 13th .mario, a high-profile member of the sla.ckers.org forum, alerted me to a XSS issue on the CSAW registration form. I had previously looked through the code and concluded it was safe based on this block of filtering code included at the top of the page:
//don't use this script!
foreach ($_COOKIE as &$cookie) {
$cookie = trim(strip_tags(@mysqli_real_escape_string($mySQL, $cookie)));
}
foreach ($_POST as &$post) {
if (is_array($post)) {
foreach ($post as &$_post) {
$_post = trim(strip_tags(@mysqli_real_escape_string($mySQL, $_post)));
}
}
else {
$post = trim(strip_tags(@mysqli_real_escape_string($mySQL, $post)));
}
}
Additionally, the registration script limits sources of user controllable input by only ever using the POST and COOKIE superglobals.
Continue reading ‘PHP strip_tags not a complete protection against XSS’
I also did the Fortify [Web] Hacking Challenge last week. Their challenge was refreshingly different, fun, and relaxing compared to the other web hacking challenges I’ve done. I really enjoyed playing in it even if it only lasted a short time. Here’s the official description of the contest:
The link below will take you to a Web site which contains numerous vulnerabilities but is being defended by the Fortify Real-Time Analyzer (RTA). When you conduct an attack, Fortify RTA will block your efforts and redirect you to a separate page. However, if you conduct a particularly impressive attack, Fortify RTA will redirect you to a different page, with a code word. There are three code words available.
Fortify RTA had a tight lock on that website! I probably came up with a hundred separate attacks against their website, but they were only looking for a very specific 3. Every so often, I’d come up with what I thought was an impressive attack but it wouldn’t give me any points! Here’s one example:
I found an authorization problem when viewing account details that let me enumerate the database for and grab the account details of every client in the bank. I used Burp Intruder to automate harvesting this data, making over 10,000 requests to the server to gather the info. Then I manipulated client-side parameters on the ‘transfer funds’ page to steal money from other clients and deposit it into my account. This wasn’t an attack they were looking for and didn’t get me any points! Grrr..
I took screenshots of all the actual attacks below.
Continue reading ‘Fortify Hacking Challenge’
Thanks to Aleksey and Phn1x for dealing with my constant stream of questions while reversing this. You’d think it was the first time I opened a debugger!
The level 1 challenge was a binary that asked for input and, if your input was correct, printed out an e-mail address you could use to get the level 2 binary. The Khallenge is a contest of speed, so the first person to get to and beat level 3 wins. Unfortunately, I solved level 1 after the contest ended and the level 2 and 3 binaries aren’t online yet, so no prizes and no info on those.
Continue reading ‘F-Secure Khallenge Level 1′
Published on
August 10, 2008 in
Wireless.
Do you ever connect to the free wifi at your local tea lounge and get assigned an address like 192.168.1.148? Are those 47 other users sucking up all the bandwidth, preventing you from reading that webpage or checking your email for that important message? Has the wireless AP simply crashed under all the load of those hippie mac users continuously reading LOLcats for no good reason?
This happens to me every so often and I use a simple, harmless, and effective technique to deal with it called an 802.11 deauthentication attack. I use aircrack-ng (available on a BackTrack live CD) to temporarily knock everyone off the AP to unclog its pipes and allow you to reach the internets. This blog post will walk you through how to do this yourself if you’re ever stuck in the same situation.
Continue reading ‘802.11 Deauthentication attacks for fun and profit’
Recent Comments