Published by Yenny Jayadi. Modified over 6 years ago.
1
Developing Web Security Teaching Modules with Visualization and Hands-on Labs
Li Yang, Carson Woods (University of Tennessee at Chattanooga), Xiaohong Yuan (North Carolina A&T SU)
Cyber Ed Curriculum Showcase, April 23, 2018
2
Motivation
The challenge of conveying complex and dynamic information security concepts to students
Engaging students in active learning in information security education
Outline
Project Overview
Project Objectives
Developed Modules
Lessons Learned
Future Work
3
Project Overview
With the increased number of consumers and applications using web applications, they also become a profitable target of cybercrime. A successful attack on a web application can bypass traditional enterprise perimeters guarded by firewalls and intrusion detection systems, resulting in data loss or a breach of privacy. Understanding web threats, vulnerabilities, and security is important for both users and developers.
Developing visualization tools to understand web threats and security
Developing hands-on labs to sharpen student skills in web security
4
Project Overview – Visualization
Surveys suggest a widespread belief that visualization technology positively impacts learning [Naps03]. There has been growing evidence showing concept visualization systems are indeed effective when they engage learners in an active learning activity [Grissom03, Naps03]. Students will benefit from the interactive visualization as one of the active learning approaches, which involve students in the classroom in activities that are meaningful and make them think about what they are doing [Bonwell91].
5
Teaching Modules in Web Security
Web Security Visualization + Lab
IoT Botnet
DNS Cache Poisoning and Pharming Attack and Defense
Cross-Site Scripting (XSS) & Cross-Site Request Forgery (CSRF)
Logic Flaw
Browser Extensions
Ad Fraud
Top Vulnerabilities, News, Emerging, Complex, Abstract, Dynamic, Time-constraints
6
Module 1 Cross-Site Scripting (XSS) & Cross-site Request Forgery (CSRF)
Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. It makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into the victim's web browser. Using this malicious code, the attackers can steal the victim's credentials, such as cookies, and bypass access control policies.
Visualization:
Normal web operation
Vulnerabilities and attacks
Defense strategies
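The defense side of this module, as an added example that is not part of the presentation or its lab material: untrusted input is encoded before it is written into HTML so an injected tag renders as text, the session cookie is marked HttpOnly so script in the page cannot read it, and each state-changing form must echo back a per-session CSRF token. The function names, the in-memory session store and the sample input are constructed for illustration.

```python
# Added example (not from the presentation): output encoding against XSS,
# an HttpOnly session cookie, and a CSRF token check.
# All names, the session store and the sample input are constructed.
import html
import hmac
import secrets
from typing import Dict, Optional


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable pattern: untrusted input copied straight into the HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name: str) -> str:
    """Hardened pattern: encode <, >, &, and quotes before the browser sees them."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def session_cookie_header(session_id: str) -> str:
    """HttpOnly stops document.cookie from exposing the session to injected
    script; Secure and SameSite limit where the browser sends the cookie."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def issue_csrf_token(session_store: Dict[str, str], session_id: str) -> str:
    """Create a random per-session token that forms must send back."""
    token = secrets.token_urlsafe(32)
    session_store[session_id] = token
    return token


def csrf_token_valid(session_store: Dict[str, str], session_id: str,
                     submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token against the session's."""
    expected = session_store.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    # Constructed input: a benign script tag standing in for injected code.
    untrusted = "<script>alert(1)</script>"
    print("unsafe :", render_greeting_unsafe(untrusted))
    print("escaped:", render_greeting(untrusted))
    print(session_cookie_header("constructed-session-id"))
    store: Dict[str, str] = {}
    token = issue_csrf_token(store, "constructed-session-id")
    print("csrf ok:", csrf_token_valid(store, "constructed-session-id", token))
    print("csrf missing:", csrf_token_valid(store, "constructed-session-id", None))
```

The escaped output is what the visualization's "defense strategies" step corresponds to: the browser displays the tag as literal text instead of executing it, and even if some other injection succeeds, the HttpOnly flag keeps the cookie out of reach of the injected script.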
7
Cross-Site Scripting (XSS) Visualization Samples
Figure 1 (a) Mel Steals Cookies from Alice (b) Mel impersonates Alice with Alice’s Cookie
8
Module 2 DNS Cache Poisoning and Pharming
Three players: a user, a DNS server, and an attacker
Normal operation of DNS
Several attack scenarios: cache poisoning and pharming
A defense solution such as HTTPS
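The resolver-side checks that decide whether a reply is allowed into the cache, as an added example that is not part of the presentation's visualization or lab: a reply is only accepted when its transaction ID and question match the outstanding query, and records are only cached when they lie within the zone (bailiwick) the queried server is responsible for. The simplified message structure, the field names and the sample records are constructed for illustration.

```python
# Added example (not from the presentation): a toy stub resolver applying the
# transaction-id, question and bailiwick checks that limit cache poisoning.
# Message layout, field names and sample records are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DnsResponse:
    txid: int                            # 16-bit id that must match the query
    qname: str                           # question name the reply claims to answer
    answers: List[Tuple[str, str]]       # (name, address) answer records
    additional: List[Tuple[str, str]]    # (name, address) "glue" records


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is the zone apex or a name beneath it."""
    r = record_name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return r == z or r.endswith("." + z)


def accept_response(query_txid: int, query_name: str, zone: str,
                    resp: DnsResponse, cache: Dict[str, str]) -> bool:
    """Validate a reply against the outstanding query; cache only what passes.

    Returns True if the reply was accepted (even if some records were dropped)
    and False if it was rejected outright.
    """
    if resp.txid != query_txid:
        return False            # forged reply guessed the wrong transaction id
    if resp.qname.lower() != query_name.lower():
        return False            # reply does not answer the question we sent
    for name, address in resp.answers + resp.additional:
        if in_bailiwick(name, zone):
            cache[name.lower()] = address
        # out-of-bailiwick records (e.g. a record for some other site slipped
        # into the additional section) are dropped without being cached
    return True


if __name__ == "__main__":
    cache: Dict[str, str] = {}
    # Constructed scenario: the user asked example.com's server for www.example.com
    # with transaction id 0x1111; a spoofed reply arrives with a guessed id.
    forged = DnsResponse(0x1234, "www.example.com",
                         [("www.example.com", "203.0.113.5")], [])
    print("forged accepted:", accept_response(0x1111, "www.example.com", "example.com", forged, cache))
    # The genuine reply also carries an unrelated record in its additional section.
    genuine = DnsResponse(0x1111, "www.example.com",
                          [("www.example.com", "198.51.100.10")],
                          [("www.bank.example", "203.0.113.5")])
    print("genuine accepted:", accept_response(0x1111, "www.example.com", "example.com", genuine, cache))
    print("cache:", cache)
```

Real resolvers add source-port randomization (so the attacker must guess the port as well as the 16-bit id) and DNSSEC validation; the slide's HTTPS defense works at a different layer, since a certificate for the real site cannot be presented by the host a poisoned record points to.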
9
Module 3 Logic Flaw
Lecture Topics:
API parameters in e-commerce
Arguments in URLs
Workflow of transactions
How to complete an expensive order using the payment intended for a cheap order
Hands-on Labs:
Implement a logic flaw
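The order-completion step this module centres on, as an added example that is not part of the presentation or its lab code: the flawed handler completes whatever order ID arrived as a URL argument once it sees any validly signed payment, so a payment for the cheap order can finish the expensive one; the hardened handler requires the payment to name this order, to match the server-side price, and to be used only once. The HMAC-signed payment record, the secret, the order table and the order IDs are constructed for illustration.

```python
# Added example (not from the presentation): a flawed and a hardened
# order-completion handler. The payment format, the shared secret and the
# sample orders are constructed; a real cashier service would differ.
import hashlib
import hmac
from typing import Dict, Set

# Assumed shared secret between the merchant and the payment (cashier) service.
PAYMENT_PROVIDER_SECRET = b"constructed-shared-secret"

# Server-side order table with the authoritative prices.
ORDERS: Dict[str, Dict] = {
    "ORD-1": {"amount_cents": 500, "status": "pending"},     # cheap order
    "ORD-2": {"amount_cents": 90000, "status": "pending"},   # expensive order
}
used_payment_ids: Set[str] = set()


def sign_payment(payment_id: str, order_id: str, amount_cents: int) -> str:
    """The cashier service's signature binds payment id, order id and amount."""
    msg = f"{payment_id}|{order_id}|{amount_cents}".encode()
    return hmac.new(PAYMENT_PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()


def signature_ok(payment: dict) -> bool:
    expected = sign_payment(payment["payment_id"], payment["order_id"], payment["amount_cents"])
    return hmac.compare_digest(expected, payment["sig"])


def complete_order_flawed(order_id: str, payment: dict) -> bool:
    """Logic flaw: the signature is checked, but the order id from the URL is
    never compared with the order the payment was actually made for."""
    if not signature_ok(payment):
        return False
    ORDERS[order_id]["status"] = "paid"
    return True


def complete_order(order_id: str, payment: dict) -> bool:
    """Hardened: signature valid, payment bound to this order, amount equal to
    the server-side price, and each payment id accepted only once."""
    if not signature_ok(payment):
        return False
    order = ORDERS.get(order_id)
    if order is None or order["status"] != "pending":
        return False
    if payment["order_id"] != order_id:
        return False                      # payment was for a different order
    if payment["amount_cents"] != order["amount_cents"]:
        return False                      # price comes from the server, not the client
    if payment["payment_id"] in used_payment_ids:
        return False                      # replayed payment record
    used_payment_ids.add(payment["payment_id"])
    order["status"] = "paid"
    return True


if __name__ == "__main__":
    # Constructed payment record for the cheap order, as the cashier would issue it.
    cheap = {"payment_id": "PAY-1", "order_id": "ORD-1", "amount_cents": 500}
    cheap["sig"] = sign_payment("PAY-1", "ORD-1", 500)
    print("hardened, ORD-2 with cheap payment:", complete_order("ORD-2", cheap))
    print("hardened, ORD-1 with cheap payment:", complete_order("ORD-1", cheap))
    print("hardened, replay on ORD-1        :", complete_order("ORD-1", cheap))
    print("flawed,   ORD-2 with cheap payment:", complete_order_flawed("ORD-2", cheap))
    print(ORDERS)
```

The point for the lab discussion is that every value the hardened handler relies on (price, order identity, payment identity) is taken from server-side state or from the signed record, never from the URL arguments the previous lecture topics describe.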
10
Logic Flaw Visualization
11
Module 4 Ad Fraud
Lecture Topics:
How online advertisement works
Ad Replacement Attack
Click Hijacking Attack
Ad Fraud Mitigation Techniques: serve bluff ads, threshold-based detection, monitoring and scrutinizing unexpected DNS resolvers
Visualization:
Ad Replacement
Click Hijacking
Hands-on Labs:
Students will simulate ad replacement fraud
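The threshold-based detection named among the mitigation techniques, as an added example that is not part of the presentation or its lab: ad-server events are parsed from constructed log lines, each client address is checked for more clicks than a threshold allows within a sliding window, and each publisher's click-through rate is compared against a ceiling, since hijacked or replaced ad slots produce clicks out of proportion to impressions. The log format, the thresholds and the sample addresses and publisher IDs are assumptions made for the example.

```python
# Added example (not from the presentation): threshold-based click-fraud
# detection over constructed ad-server log lines.
# Log format "timestamp ip publisher event", thresholds and data are assumed.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

SAMPLE_LOG = """\
1000 198.51.100.7 pub-A impression
1001 198.51.100.7 pub-A click
1002 203.0.113.9 pub-B impression
1003 203.0.113.9 pub-B impression
1005 203.0.113.9 pub-B click
1006 203.0.113.9 pub-B click
1007 203.0.113.9 pub-B click
1008 203.0.113.9 pub-B click
1009 203.0.113.9 pub-B click
1040 198.51.100.8 pub-A impression
1041 198.51.100.8 pub-A impression
"""

Event = Tuple[int, str, str, str]   # (timestamp, client ip, publisher, event type)


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, pub, ev = line.split()
        events.append((int(ts), ip, pub, ev))
    return events


def max_clicks_in_window(events: List[Event], window_s: int = 60) -> Dict[str, int]:
    """For each ip, the largest number of clicks falling in any window_s span."""
    clicks: Dict[str, List[int]] = defaultdict(list)
    for ts, ip, _pub, ev in events:
        if ev == "click":
            clicks[ip].append(ts)
    result: Dict[str, int] = {}
    for ip, times in clicks.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        result[ip] = best
    return result


def publisher_ctr(events: List[Event]) -> Dict[str, float]:
    """Clicks divided by impressions per publisher; clicks with no impressions
    at all are reported as infinite, which is itself a red flag."""
    imps: Dict[str, int] = defaultdict(int)
    clks: Dict[str, int] = defaultdict(int)
    for _ts, _ip, pub, ev in events:
        if ev == "impression":
            imps[pub] += 1
        elif ev == "click":
            clks[pub] += 1
    return {pub: (clks[pub] / imps[pub] if imps[pub] else float("inf"))
            for pub in set(imps) | set(clks)}


def flag_suspicious(events: List[Event], window_s: int = 60,
                    max_clicks: int = 3, max_ctr: float = 0.5) -> Tuple[Set[str], Set[str]]:
    """Return (flagged client ips, flagged publishers) for the given thresholds."""
    ips = {ip for ip, n in max_clicks_in_window(events, window_s).items() if n > max_clicks}
    pubs = {pub for pub, ctr in publisher_ctr(events).items() if ctr > max_ctr}
    return ips, pubs


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("max clicks per ip in 60s:", max_clicks_in_window(evs))
    print("publisher CTR:", publisher_ctr(evs))
    print("flagged:", flag_suspicious(evs))
```

Thresholds like these are tuned per campaign in practice; the example's values are chosen only so that the constructed data contains one clearly abusive client and one publisher whose CTR cannot be explained by genuine traffic.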
12
Ad Replacement Visualization
13
Module 5 IoT Botnet: Mirai Botnet
Topics: IoT, DoS, password
Visualization
Hands-on Lab: Students emulate the Mirai Command & Control (C&C) server, infect devices, and perform a DoS on a local LAMP server hosting a website.
14
Module 6 Browser Extensions
1. Topics: What is a browser extension? Security implications of browser extensions
2. Visualization (to come)
3. Hands-on Lab: Write a browser extension
15
User Study of Visualization Tools on XSS and CSRF
Ten students participated in the survey, from the Secure Software Engineering class at North Carolina A&T State University.
On average, students spent about 20 minutes on each tool.
16
Evaluate Hands-on Labs
Secure Software Engineering class at North Carolina A&T State University, spring 2016
Fifteen (15) students were enrolled in the class, and thirteen (13) students participated in the survey.
Students had 10 days to work on the hands-on lab on the ad replacement attack.
Most of the students consider themselves as having excellent or high knowledge in the different learning outcomes after using the hands-on lab on ad fraud.
17
Demo
XSS: http://web2.utc.edu/~djy471/XSS/xss
Logic Flaw:
18
Lessons Learned
Good developers are important (manpower)
Recruit as early as possible (manpower)
Develop compelling stories (expertise)
Need a designer or experts in graphics (expertise/budget)
Plan for course integration (expertise)
User study and testing are important (budget/time)
19
Future Work
Network Security
Secure Coding
Software Vulnerability: BoF, Race Condition
Wireless Security
Cryptography
Emerging Incidents