PORTALE DELLA DIDATTICA




Offensive Security

01NWLWQ, 01NWLUV, 01NWLUW, 01NWLWR

Academic year 2026/27

Course Language

English

Degree programme(s)

Master of science-level of the Bologna process in Cybersecurity Engineering - Torino
Master of science-level of the Bologna process in Cybersecurity - Torino

Course structure
Teaching Hours
Lecturers
Teacher Status SSD h.Les h.Ex h.Lab h.Tut Years teaching
Co-lectures

Context
SSD: ING-INF/05
CFU: 6
Activities: B - Characterising
Area context: Computer engineering
2025/26
This course introduces students to offensive security techniques. After presenting the fundamental concepts, the weaknesses, and vulnerabilities, students will focus on practical attacks in two of the most critical cybersecurity areas: binary exploitation and web exploitation. For defensive cybersecurity experts, like Cyber Designers and Cyber Analysts, this course allows students to understand attacks and counter them properly. Moreover, the knowledge and abilities obtained from this course are fundamental to building the competence needed for starting a career as a penetration tester.
In the binary exploitation area, students will acquire:
- knowledge and details about memory management;
- abilities to attack software binary applications;
- knowledge of OS-level protections (e.g., DEP, ASLR, stack canaries);
- abilities to circumvent OS-level protections.
In the web exploitation area, students will acquire:
- knowledge about technical and logical vulnerabilities in web applications;
- abilities to mount different types of attacks from and beyond the OWASP Top 10.
Moreover, students will develop the ability to analyse the security properties of components and whole information systems, identify weaknesses and vulnerabilities, and exploit them.
Students need knowledge of web applications, as acquired from the Web Applications course, and a solid background in Operating Systems. Moreover, they need advanced competencies in Python programming. The Security Verification and Testing (SVT) course is not mandatory, but it is strongly suggested. Students enrolling in this course without having acquired the competence from the SVT exam must cover the gap in basic binary exploitation techniques (BOF attacks and Format Strings attacks) and basic knowledge of reverse engineering tools (Radare2 or Ghidra, gdb). The material required to bridge the gap will be provided, but students are warned of the additional effort.
Memory management (1 CFU)
- Review of the basics on memory management in Linux applications (stack, functions) and OS-level mitigations (stack canaries, ASLR, DEP)
- Dynamic memory, GOT and PLT
- Heap in Linux and some heap-level mitigations, use of the heap in Windows (sketch)
Binary exploitation (2 CFUs)
- Code reuse attacks (gadgets, ROP, ret2libc)
- Heap exploitation attacks
- Bypassing stack canaries and ASLR
Web exploitation (3 CFUs)
- Injection attacks (command injection, basic and advanced SQL injections)
- Path traversal attacks
- Bypassing authentication and authorization: insecure object references, session authentication attacks (JWT), …
- Other OWASP Top 10 attacks (XSS, XXE, …)
None.
The course includes theoretical lessons (18h), practical exercises (12h), and labs (30h). The course will introduce the theoretical background in the two exploitation areas with theoretical lessons. Then, practical exercises will introduce the weaknesses, vulnerabilities, and basic attacks. Finally, the students will experiment with attacks of increasing levels of complexity in ad hoc laboratories. The course will include five binary exploitation labs and five web exploitation labs.
Slides of the lessons and exercises; lab exercise texts with some hints and solutions; links to online resources (writeups, exploitation examples); video recordings of the classes.
Some books cover part of the course topics; their use is not encouraged.
- Dafydd Stuttard and Marcus Pinto, "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", Wiley, ISBN: 978-1118026472
- Jon Erickson, "Hacking: The Art of Exploitation", No Starch Press (old but still quite a good introduction)
Lecture slides; Exercises; Exercises with solutions; Lab exercises; Lab exercises with solutions; Video lectures (current year);
You can take this exam before attending the course
Exam: Written test; Optional oral exam; Practical lab skills test;
The exam assessment consists of two independent parts: a written test, which accounts for up to 21 points, and the evaluation of the practical part, which accounts for up to 12 points.
The written test lasts 90 to 120 minutes. It may include open-answer and closed-answer questions to check that the student has acquired the expected knowledge and skills (see expected learning outcomes). The questions about the skills may be simple exercises, use cases related to the tools experimented with in the laboratories, or attacks and attack strategies. For each question, the maximum grade that can be obtained is specified and made visible to the students during the exam. The grade of the written part will be the sum of the grades assigned to the answers given to the questions. The written test will be taken using the Exams platform in a classroom. In case of technical problems, the students may be asked to write their test with a pencil and paper. The test is closed-book, i.e., the student cannot consult any material during the test and cannot use any electronic device except the PC used for the test. A sample exam will be made available to the students through the Exercise platform.
The evaluation of the practical part will be done using an ad hoc CTF (OffSecCTF). Different challenges will be delivered at different moments of the course, but always after the corresponding labs. Students will be assigned a score (up to 12) depending on the challenges they solve and specific deadlines. Some challenges will be delivered to be solved asynchronously; some challenges may be asked to be solved synchronously. Students will be asked to provide information and answer questions about their solutions before the points are granted. The exact CTF rules and score assignments will be provided to students at the beginning of the course.
The final grade will be the sum of the grade of the written part and the practical part. Laude is assigned if the sum of grades exceeds or equals 31.
The teachers will request an oral exam if there are doubts about the evaluation of the written test. In this case, the oral exam will consist of additional questions to resolve the teachers' doubts about the evaluation. Moreover, the teachers will mandatorily request an oral exam if there are doubts about the solutions to the CTF challenges. The final grade will be computed based on the written test result and the evaluation of the oral exam, and may result in an insufficient score. Alternatively, selected voluntary students can replace the CTF part or the whole exam with individual homework related to the course's topics, delivering a written report. In this case, the topics are agreed upon with the teacher.
In addition to the message sent by the online system, students with disabilities or Specific Learning Disorders (SLD) are invited to directly inform the professor in charge of the course about the special arrangements for the exam that have been agreed with the Special Needs Unit. The professor has to be informed at least one week before the beginning of the examination session in order to provide students with the most suitable arrangements for each specific type of exam.