07/10/2022 13:40: Starting from Friday 14 October (included), Friday lectures will start at 10:30.
28/09/2022 22:00: To attend the course, fill in this form
28/09/2022 21:20: Seriously, I don't have the full picture here. Anyone who wants to attend this course is welcome. To do the exam, it's required to attend at least 70% of the hours and to be able to book for the exam on Esse3. This is what I know... please, clarify anything else with the administration and coordinator.
28/09/2022 20:30: I'm not sure anymore who is the target of this course. Please, clarify it with the coordinator. If in doubt, it's safer to attend the lectures (they will count anyhow to reach the threshold of 70%).
27/09/2022 07:40: The main target of this edition of the course is second-year students of the Security curriculum (who attend this course in substitution of Ethical Hacking). Students of the first year in Security will attend the next edition of this course, as planned in their curriculum. So, why is it listed in the first year calendar? Because of some technicality of our systems, and bureaucracy nightmares!
27/09/2022 07:30: I'm happy to share a link about the Brembo Hackathon from Andrea Fusaro (Software Development Team Lead at Brembo S.p.A.). It was an interesting event in Bergamo to team up and collaborate with automotive experts (and with a prize pool worth up to €30,000.00). Waiting for the next edition... you may want to start thinking about what you will propose!
25/09/2022 11:00: Lectures will be in Aula Pitagora (ex MT11)
Thursday and Friday in room MT11
Introduction ⌛⌛
SQL injection (SQLi) ⌛⌛⌛
Authentication ⌛⌛
Business logic vulnerabilities ⌛⌛⌛
Information disclosure + Directory traversal ⌛⌛
Command injection + File upload vulnerabilities ⌛⌛⌛
Access control ⌛⌛
Server-side request forgery (SSRF) + XXE injection ⌛⌛⌛
Cross-site scripting (XSS) - part 1 ⌛⌛
Cross-site scripting (XSS) - part 2 ⌛⌛⌛
Cross-site request forgery (CSRF) ⌛⌛
Cross-origin resource sharing (CORS) + Clickjacking ⌛⌛⌛
Insecure deserialization + Server-side template injection ⌛⌛
OAuth authentication ⌛⌛⌛
JWT attacks ⌛⌛
Student Project ⌛⌛ (18 November, shorter lecture)
Student Project ⌛⌛
Student Project ⌛⌛⌛
Student Project ⌛⌛
Student Project ⌛⌛⌛
Student Project ⌛⌛ (9 December, shorter lecture, online)
Student Project Showcase ⌛⌛
Exam Simulation ⌛⌛⌛
Computer Security: Principles and Practice, Global Edition - Stallings William and Brown Lawrie - Pearson
Sicurezza dei computer e delle reti - Stallings William – Pearson
Crittografia - Stallings William – Pearson
Kali Linux Penetration Testing Bible - Gus Khawaja – Wiley
Bug Bounty Bootcamp – Vickie Li – No Starch Press
Team members can be communicated by filling in the form at the following link
Dates will be added to the calendar when available