Session 1 (18/11/90)
--------------------

Topics:
 * Introduction to OllyDbg and Process Architecture

References:
 * http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/
 * http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/ (from the beginning up to "Where did I come from? Exposing your history")

Links:
 * OllyDbg Download: http://www.ollydbg.de/odbg110.zip
 * Altap Salamander: http://www.altap.cz/ftp/salamand/as254.exe (first install it and then try to crack C:\Program Files\Altap Salamander\salamand.exe)


Session 2 (25/11/90)
--------------------

Topics:
 * Cracking sample software via patching: Altap Salamander
 * Cracking sample software via recognizing serial number: Crackme1.exe

References:
 * http://securityxploded.com/reverse-engineering-video-converter.php


Homework 1 (02/12/90)
---------------------
 * hw1-874-902.zip
 * Due date: 18/12/1390


Session 3 (2/12/90)
-------------------

Topics:
 * Introduction to process monitor tools: procmon
 * Introducing PE file format:
  * DOS Header
  * NT Header
  * Image Base and Relative Addresses
  * Sections and Section Headers
  * Dynamic Libraries and Import Table
  * Resources
 * Examples of Java and .Net Decompilers

References:
 * Using procmon: http://www.mztools.com/articles/2008/MZ2008024.aspx
 * PE file format tutorial: http://msdn.microsoft.com/en-us/magazine/cc301805.aspx

Links:
 * sysinternals tools pack: http://technet.microsoft.com/en-us/sysinternals/bb842062
 * procmon download: http://download.sysinternals.com/Files/ProcessMonitor.zip
 * peview download: http://www.magma.ca/~wjr/PEview.zip
 * peid download: http://www.peid.info/getfile.php?id=1
 * A Java Decompiler: http://dj.navexpress.com/
 * A .Net Decompiler: http://test.saurik.net/anakrino/Anakrino9.zip (Exemplar.exe is guaranteed to work)
 * Examples of .Net applications to decompile (exe files are inside bin dir): CSharpDecompile.zip


Session 4 (9/12/90)
-------------------

Topics:
 * Watching a stack buffer overflow.
  * Where function arguments and local variables are placed.
  * Function prologue and epilogue (compiler-generated instructions at the beginning and end of a function).
  * Viewing a simple stack layout.
  * Overwriting stack data, especially the return address.

References:
 * http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-%E2%80%94-introduction/

Links:
 * Sample code and executable: OverflowServer-v1.zip


Session 5 (15/1/91)
-------------------

Topics:
 * Exploiting a stack overflow.
  * Finding the return-address offset when overflowing the stack.
  * Finding a good place for EIP to go: a fixed-address "JMP ESP" instruction.
  * Guiding EIP to our shellcode location, filled first with CC bytes ("INT 3" instruction, equivalent to a debugger breakpoint).
  * Replacing the CCs with our test shellcode: opening calc.exe.
 * Demonstrating an exploit inside a malformed PDF file which attacks Adobe Reader 7.
 * Demonstrating a privilege escalation exploit on an unpatched Windows XP SP2.

Notes:
 * Test the above experiments only on Windows XP (newer versions of Windows such as Vista or 7 have more advanced security features which may prevent these attacks; we will cover some of these features in the following sessions).

References:
 * http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-2-%E2%80%94-exploiting-the-stack-overflow/

Links:
 * The python script to attack OverflowServer: OverflowServer-Attack.py
 * To run python scripts on windows, install ActivePython: http://download.cnet.com/ActivePython-for-Windows-32-bit/3000-2069_4-10053436.html
 * Malformed PDF file which attacks Adobe Reader 7.0.0 ~ 7.0.9 (do not hesitate to look inside this file; go to the end of the file, where you will find JavaScript text!): AdobeReader-Attack.pdf
 * Adobe Reader 7.0 download link: http://www.oldapps.com/adobe_reader.php?app=CD531547C6DF4C7219CB7E270292FCB8
 * Privilege escalation exploit: KiTrap0D.zip


Session 6 (22/1/91)
-------------------

Topics:
 * Preventing buffer overflows or their exploitation:
  * Another example of a buffer overflow: OverflowCommand.exe
  * Using safe APIs
   * For example, using strcpy_s instead of strcpy.
   * Visual Studio gives a warning on the use of MOST unsafe APIs.
   * OverflowCommand-Fixed.exe (strcpy_s terminates the program when the buffer size is insufficient).
   * OverflowCommand-Continue.exe (the best situation: strcpy_s does not overrun the buffer and the program continues to run).
  * Stack Cookies (/GS compiler option)
   * Explanation of stack cookies and the compiler-generated code that stores and checks these cookies on the stack.
   * OverflowServer-WithStackCookie.exe
   * Stack cookies can be bypassed by overwriting SEH chains (there are also other techniques to bypass stack cookies).
  * SEH chain and the SafeSEH feature
   * Brief description of exception handling implementations and SEH chains.
   * Brief description of the SafeSEH feature, which prevents exploitation of SEH pointers.
    * In a SafeSEH module, SEH pointers can only point to valid registered handlers (these are listed by the compiler in a table inside the PE file).
    * If an SEH pointer points to an unregistered address inside a SafeSEH module, the system closes the program immediately.
    * Attackers cannot search for specific instruction sequences (e.g. POP POP RET) inside SafeSEH modules.
   * SafeSEH was not a powerful prevention technique (at least in Windows XP and below) because:
    * For a program to be safe, all of its modules must be SafeSEH, which is a rare situation.
  * DEP
   * Description of the DEP feature and the NX bit in the CPU architecture.
   * Process Explorer: a Sysinternals application that shows process details (after adding the DEP column, it shows which processes are DEP enabled).
   * Showing how to enable DEP for all processes in Windows.
   * OverflowServer-PermDEP.exe: an application with DEP permanently enabled, even on Windows XP SP3 and above, independent of Windows settings (DEP is enabled automatically in Windows Vista and above).
  * ASLR
   * Description of the ASLR feature (introduced in Windows Vista and above).
   * The compiler must generate a relocatable executable module.
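As an added illustration of the "safe APIs" item above (this is example code, not the course's OverflowCommand program), the following C code does a bounded copy with the same contract as strcpy_s, returning ERANGE instead of overrunning the destination, and a caller that shows the "Continue" behaviour: the oversized command is rejected and the program keeps running. The command_frame struct, its marker byte, CMD_SIZE and the sample inputs are constructed for this example so the caller can confirm that nothing beyond the buffer is written.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example; not the course's OverflowCommand code. A bounded copy with
 * the strcpy_s contract (return ERANGE instead of overrunning), plus a
 * caller that keeps running after rejecting an oversized command. */

#define CMD_SIZE 16          /* constructed buffer size for the example */
#define MARKER   0xA5        /* constructed sentinel value */

struct command_frame {
    char cmd[CMD_SIZE];
    unsigned char marker;    /* sits right after the buffer; must stay MARKER */
};

/* Portable bounded copy. Returns 0 on success, EINVAL on bad arguments,
 * ERANGE when src plus its NUL does not fit. On ERANGE the destination is
 * left as an empty string and nothing beyond dst[dst_size-1] is touched. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return EINVAL;
    /* measure src, but never read more than dst_size bytes of it */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len >= dst_size) {
        dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, len + 1);   /* includes the terminating NUL */
    return 0;
}

/* The "Continue" behaviour from the session: an oversized command is
 * rejected and the program carries on. Returns 0 if accepted, -1 if rejected. */
int handle_command(struct command_frame *f, const char *input)
{
    f->marker = MARKER;
    if (copy_bounded(f->cmd, sizeof f->cmd, input) != 0)
        return -1;
    return 0;
}

/* 1 if the byte placed after the buffer was never overwritten */
int marker_intact(const struct command_frame *f)
{
    return f->marker == MARKER;
}

int main(void)
{
    struct command_frame f;
    /* constructed inputs: one that fits, one that would overflow strcpy */
    const char *inputs[] = { "hello", "this command is far longer than sixteen bytes" };
    for (size_t i = 0; i < 2; i++) {
        int rc = handle_command(&f, inputs[i]);
        printf("%-50s -> %s, marker %s\n", inputs[i],
               rc == 0 ? "accepted" : "rejected",
               marker_intact(&f) ? "intact" : "CLOBBERED");
    }
    return 0;
}
```

On MSVC the same check is what strcpy_s performs internally; whether the process terminates (the Fixed variant) or continues (the Continue variant) depends on whether the caller handles the error return rather than letting the default invalid-parameter handler abort.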

References:
 * Safe APIs: http://sebug.net/paper/Meeting-Documents/owasp_2011/05-%E6%9D%8E%E5%BB%BA%E8%92%99.pdf
 * Stack cookies brief description: http://static.usenix.org/publications/library/proceedings/sec98/full_papers/cowan/cowan_html/node5.html
 * Stack cookies, their implementation (compiler-generated code for inserting and checking stack cookies), bypassing stack cookies, SEH chains, abusing SEH chains to bypass stack cookies, etc. This is a very long tutorial; review it up to "Stack cookie bypass demonstration 2 : Virtual Function call". The author uses the WinDbg debugger (instead of OllyDbg). Link: http://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
 * SafeSEH feature: http://msdn.microsoft.com/en-us/library/9a89h429%28v=vs.80%29.aspx
 * Exploitation tutorial using SEH overwrite. It describes SEH chains, SafeSEH, and many more exploitation details (which are not necessary to know): http://www.ethicalhacker.net/content/view/309/2/
 * Description of DEP and how to enable it for all applications: http://vlaurie.com/computers2/Articles/dep.htm
 * What is ASLR: http://blogs.msdn.com/b/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx

Links:
 * OverflowCommand source code and executables: OverflowCommand-v1.zip
 * Process Explorer (inside Sysinternals): http://technet.microsoft.com/en-us/sysinternals/bb896653


Session 7 (29/1/91)
-------------------

Topics:
 * How to generate shellcodes (using Metasploit)
 * Format string attacks and their prevention
  * Never pass user-controlled strings as format strings.
 * Dangling pointers: dangers and prevention.
 * Integer overflows: an introduction.
 * Reviewing code for these vulnerabilities, plus tools
 * An introduction to fuzz testing and fuzzers
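An added example, not code from the course materials, covering two of the topics above: the format-string fix (the format is a constant and the user data is passed as an argument, so "%" sequences in the data are printed literally) and an integer overflow check on a size computation of the count * element_size kind the referenced libpng and OpenSSL fixes deal with. The function names and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; not course code. Two of the session's bug classes with
 * their fixes, written so that the safe form can be checked. */

/* --- Format strings ---
 * Unsafe pattern (shown for contrast only; never do this with untrusted data):
 *     snprintf(out, size, user);            // the user string becomes the format
 * Safe pattern: the format is a string literal and the user data is an argument. */
int render_message_safe(char *out, size_t size, const char *user)
{
    /* "%s" copies the user data verbatim, so a "%x" or "%n" inside it is
     * ordinary text, never a conversion. Returns the formatted length. */
    return snprintf(out, size, "user said: %s", user);
}

/* --- Integer overflows ---
 * Naive: count * elem_size wraps around for large counts, so a buffer
 * allocated with the wrapped size is then overrun when count elements are
 * written into it. Unsigned wrap is well defined, which is why it goes unnoticed. */
int alloc_size_naive(size_t count, size_t elem_size, size_t *total)
{
    *total = count * elem_size;        /* may wrap to a small value */
    return 0;
}

/* Checked: refuse the request when the product would exceed SIZE_MAX. */
int alloc_size_checked(size_t count, size_t elem_size, size_t *total)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;                     /* would overflow: reject */
    *total = count * elem_size;
    return 0;
}

int main(void)
{
    char out[64];
    size_t total;

    /* constructed user input that would be dangerous as a format string */
    render_message_safe(out, sizeof out, "%x%x%n");
    printf("%s\n", out);

    /* constructed size request: 2^62 elements of 8 bytes on a 64-bit system */
    alloc_size_naive(SIZE_MAX / 4 + 1, 8, &total);
    printf("naive size:   %zu\n", total);
    printf("checked size: %s\n",
           alloc_size_checked(SIZE_MAX / 4 + 1, 8, &total) == 0 ? "ok" : "rejected");
    return 0;
}
```

The naive computation yields 0 for that request on both 32-bit and 64-bit targets (the product is an exact multiple of 2^32 and of 2^64 respectively), which is the kind of wrap a code review for "length * size" expressions should look for.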

References:
 * Format string attack: http://hackerproof.org/technotes/format/FormatString.pdf
 * Format string attack again (view via proxy): https://www.owasp.org/index.php/Format_string_attack
 * Description of dangling pointers and prevention techniques: http://en.wikipedia.org/wiki/Dangling_pointer
 * Exploiting dangling pointers (not part of the course grade, just for curious students): http://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf
 * Firefox 3.6 patched vulnerabilities (look for buffer and integer overflows): http://www.mozilla.org/security/known-vulnerabilities/firefox36.html
 * Recent integer overflow vulnerability in OpenSSL (the cryptography library used by most browsers and applications): http://www.exploit-db.com/exploits/18756/
 * Integer overflows (only the first paragraphs were covered in class): http://www.phrack.com/issues.html?issue=60&id=10
 * Integer overflows again (good exploitable example): http://www.fefe.de/intof.html
 * Chrome patch of the libpng integer overflow (view via proxy): http://src.chromium.org/viewvc/chrome/branches/963/src/third_party/libpng/pngrutil.c?r1=121492&r2=121491&pathrev=121492
 * List of secure versions of C functions: http://msdn.microsoft.com/en-us/library/wd3wzwts%28v=vs.80%29.aspx
 * Code review hints (view via proxy): https://www.owasp.org/index.php/Reviewing_Code_for_Buffer_Overruns_and_Overflows
 * What is fuzz testing?: http://en.wikipedia.org/wiki/Fuzz_testing

Links:
 * Metasploit 2.8 for Linux (run ./msfweb and connect to port 55555 via a browser): metasploit-2.8-linux.tar.gz
 * Advanced tools that integrate with the compiler and try to detect and prevent memory management vulnerabilities (such as dangling pointers):
  * http://www.cis.upenn.edu/acg/softbound/
  * http://www.semanticdesigns.com/Products/MemorySafety/
 * A list of general fuzzers: http://www.fuzzing.org/


Session 8 (5/2/91)
------------------

Topics:
 * Introduction to web applications:
  * HTTP request and response: structure and headers.
  * Static web site vs. dynamic web application.
  * Methods of sending data: GET and POST parameters.
  * Basic HTML forms.
  * Client-side scripts, e.g. JavaScript.
 * Introduction to the SQL injection attack
  * The database in the web application architecture
  * Sample attacks via a GET parameter

References:
 * HTTP Protocol: http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
 * HTML Tutorial: http://www.w3schools.com/html
  * In particular, see these sections: Intro, Forms, IFrames.
 * JavaScript Tutorial: http://www.w3schools.com/js
 * PHP Tutorial: http://www.w3schools.com/php
  * In particular, see these sections: Intro, Forms, GET, POST, Include, Cookies, MySQL Intro.
 * Slides of Web Application Security: WebSlides.pptx
 * SQLi concept and exploits: http://www.unixwiz.net/techtips/sql-injection.html

Links:
 * DVWA, an insecure web application for testing: DVWA-1.0.7.zip
  * See the installation steps in README.txt.
  * You must install Apache, PHP, MySQL, and the php-mysql library first.
  * To install these on Ubuntu Linux: aptitude install apache2 php5 mysql-server php5-mysql
  * Set the security level to low.


Session 9 (12/2/91)
-------------------

Topics:
 * SQL injection completed: see the slides.
 * SQLi prevention.
 * SQLi tests on DVWA.

References:
 * Slides of Web Application Security: WebSlides.pptx

Links:
 * Parameterized SQL statements in PHP: http://blog.ulf-wendel.de/2011/using-mysql-prepared-statements-with-php-mysqli/


Session 10 (19/2/91)
--------------------

Topics:
 * XSS attack: see the slides.

References:
 * Slides of Web Application Security: WebSlides.pptx
 * Same-Origin Policy: http://en.wikipedia.org/wiki/Same_origin_policy


Session 11 (26/2/91)
--------------------

Topics:
 * OWASP Top 10

References:
 * OWASP Top 10 presentation: OWASP_Top_10_-_2010 Presentation.pptx
 * OWASP Top 10 document: OWASP Top 10 - 2010.pdf

Links:
 * ESAPI for PHP: owasp-esapi-php-rev834.zip


Session 12 (9/3/91)
-------------------

Topics:
 * Brief introduction to web application penetration testing.
 * Transport Layer Security: SSL and TLS.

References:
 * Public Key Infrastructure: http://en.wikipedia.org/wiki/Public-key_infrastructure
 * SSL/TLS Protocol: http://en.wikipedia.org/wiki/Transport_Layer_Security

Links:
 * Acunetix (pentest tool for web applications)