cybersecuritybase / cybersecuritybase.github.io Goto Github PK

Hello,

Possible to suspect that this is designed situation.
But just interesting: does quizzes of Part-Three (Securing Software course) should be with 'View feedback'-item? Like ability to see review about our answers (and our reviews possible to read by other users).

Or such task designed to 'internal' check by course staff only?
I feel that if report was with 'mistakes' -- maybe user want to fix instruction (until deadline). Not sure if this is valid option.

Thanks!

Hello,

Looks like that even https://cybersecuritybase.github.io/ is ready for CSB-2017 launch: current page and start date of 'Securing Software'-part with potentially outdated-view (or mistake for month/year).
I able to think that expected date is 06.11.2017. Or also "unknown". @nygrenh

Thanks.

I can not give review number 2 as there are two review number 1 and one review 3.

Maybe because there's the same id: https://github.com/cybersecuritybase/cybersecuritybase.github.io/blob/master/securing/part6.html#L140-L142

Hello,

Quiz after '1.7. Missing Function Level Access Control' with name 'Using an Access Control Matrix' is not loaded with my own experience (other quizzes works and loaded);
Page with next statement:

Couldn't load the quiz

Thanks!

// also it can be visible under dashboard:
You've answered num out of 16 quizzes (expected to be 17 quizzes?!).
And where not possible to find this quiz (only reviews for it).

Hello,

Part-Three of Security Software course with next words:

1.8. Cross-site Request Forgery
Cross-site Request Forgery (CRSF) makes it possible to create requests from another site (source) to the web application (target). If the user who is accessing the source site is authenticated to the target web application, the browser of the user will send an authentication token (e.g. cookie) with the request to the target application as the user is accessing the source site, making it possible to access data as an authenticated user that should not be accessible.

Does "CRSF" should be "CSRF"?

Thanks!

Hello,

I feel that this point can not be critical. But just interesting:

With Part-Two of Securing Software and with "Who wants to be a millionaire?"-quiz:

• we're able to perform peer-review (check other answers and review it).
• and we're able do not answer/complete quiz before it.

and, yes, by 'ability' to perform peer-review (to see other answers) - I meant designed steps (not an available tricks which was always there). By 'designed steps' - required only to open Part-two page and be logged.

Does it should be with this view? Previous quizzes (Part-One) do not allow it.

Sorry for this ask.

Thanks!

Week three does not appear to have the code samples uploaded to TMC for the assignments.

It's not clear from the exercise, which password list to use. When using the both lists that have 10k password, I had no success.

Or should the passwords be fuzzed additionally? When using radamsa for fuzzing the passwords from the list, the data is "too dirty" to be used as password IMHO. I would not expect something like

foo\n󠁤\0‌$(xcalc)\x0a$!!\x0d$`%p`xcalc`\\x0d$`%p`xcalc`\\x0d$`%p`xcalc`\\x0d$`%p`xcalc`\\x0d$`%p`xcalc`\\x0d$`%p`xcalc`\\x0d$`%p`xcalc`\\x0d$`%p`xcalc`\\x0d$`%p`xcalc`\\x0d$`%p`xcalc`\x2147483651\r$&+inf%#x`xcalc`%

as password.

This can be closed.

Hello,

Sorry for this strange ask.

Currently all of previous parts (one, two, three) of Securing Software course starts with "
How to pass the course"-note.

But Part-Four do not contain such. I able to suspect that it's OK (but strange that all of previous parts with this 'note' at first).

Thanks!

How can I submit my exercise without using the TMC plugin? On the course it says:

'submitting them means sending them to the server as a zip.'

But that's very vague.

Hello,

This URL is noted with first part of Securing Software course.

Whilst one may think that Java sucks, it can -- in the end -- be a decent language to work with due to, among other things, static typing, a good developer base, and an abundance of high-quality libraries and developer tools.

and URL to https://wiki.theory.org/YourLanguageSucks is not direct link to:
https://wiki.theory.org/index.php/YourLanguageSucks

Just because this is not a critical point - sorry for ask - but what if it should not be with this state.

Thanks!

The opening date for "Advanced Topics" seems to be wrong. It should be:

16.1.2017 - 6.3.2017

Hello,

Most likely it discussed already.. but I completed previous launch of CSB with Microsoft Edge.
From those days, Microsoft Edge has received many improvements, fixes and some other tweaks.

But CSB-2017 course-material's pages still with next notification under Edge browser (too):

Some parts of this page might not work on your current browser. Consider switching to either Chrome or Firefox.

Does this notification is reasonable one? I able to think about some things which should not work with Edge (and work with Firefox/Chrome), but does it 'in use' with cybersecuritybase.github.io?
Or does it known what kind of parts might not work with Microsoft Edge?

Or maybe it can be OK to use Microsoft Edge (Windows 10 64bit) as officially recommended browser?

Microsoft Edge 41.16299.15.0
Microsoft EdgeHTML 16.16299

Sorry for not a critical concern.

Thanks!

Hello,

Sorry for this suggestion. Based on the potential feelings that each user with their own view about 'likert' scale (and how to use it).

Maybe it is good to provide something like guideline for course. As an example of 'grades'.
Or/and maybe to add more categories (for example, level of English) or option to skip it with checkmark like "I do not understand anything" (because if so -> not possible to grade an answer).

For example, based on quiz "Concerns and benefits with developers gaining access to production systems." -> my own view about "Essay was on-topic"-category.

one point is 'not about course/topic meanings at all'.
two points are 'words about DevOps but not about ask'
three points are 'words was partly about ask but not about all of meanings AND with 'unrelated' content'
four points are 'words about main ask, DevOps as such, security risks but not about 'benefits'-part'
five points are 'all enough good and nice'

then there can be restriction about "Essay was comprehensive"-category:

if previous category rated as 'five points' (or four) -> MOST LIKELY grade for second category can not be with less points. Or if such situation is possible -> what kind of examples ? something like too small sentences (?!) - but it's sounds as 'point' for well-reasoned category.
So, point is that this second category should be with relations about first one. Or it is random. At least, possible - but a little be strange to rate 'comprehensive'-essay which was not on-topic (at all).

"Essay was well-reasoned"-category with state that answer indeed can be 'five'--on-topic and 'five'--comprehensive - but not so well-reasoned (how can be). But it's should not be about worst English (PROBABLY) or something with broken wording. More valid for not enough level of explanations (possible to add more 'reasons') OR reasons are broken. And so on.

"Essay was easy to follow"-category about "like it" or "not".
And then based on previous categories - possible different thoughts about this grade.
But, for example, does worst English or wording is a reason for grade less then "three"-points?

Also is there any 'total score' to answer as passing?

Thanks!

Hello,

Part Three of Securing Software course with next example of reporting vulnerability (steps to reproduce trouble):

Issue: SQL Injection
Steps to reproduce:

1. Open Injection Flaws
2. Select Numeric SQL Injection
3. Open Developer Console
4. Inspect the Weather Station Element
5. In the Developer Console, find the select element that
   lists the weather stations.
6. Edit one of the option elements within the select element and
   change the option value to "101 OR station < 9999999".
7. Select the altered option from the dropdown list on the page
8. Press Go!
9. You can now see all weather the weather data.

But (?!) looks like that it should not work with WebGoat (?!). At least, such steps should not be enough. Or should be based on certain advanced 'developer console' (?!). Does it possible to verify that provided example steps indeed valid for reproducing this trouble-example under WebGoat? I tried only with Windows 10 (different browsers) - where it's not valid steps (or...).

Own WebGoat's hints about using WebScarab (as potential hook for request to server and modify it on-the-fly?!).

Thanks!

Hi
What's the license of this project?
MIT?

Hello,

Sorry for this discussion.

With my experience (and I'm with experience about previous CSB launch) Advanced Topics Part Three for CSB-2017 with view like:

• all Quizzes of Part-Three were marked as answered with first-time opening this Part-Three (and indeed answer is chosen and there is statement about). Does it re-use from previous CSB-launch?
  Or something wrong locally (?!).

Even it should not be a critical point but just looks a little be strange.

Thanks!

In the quiz about DevOps in part 5 it says the following:

Consider the DevOps movement where developers are given the access to the production systems and the responsibility to maintain them. What security issues arise over the traditional setup, where a separate systems administration team are in control of the production servers? In addition, what are the benefits of such changes? Limit your answer to 300 characters.

The limit should be 300 words, right?

The news link for the Heartbleed exploit isn't in use anymore: https://github.com/cybersecuritybase/cybersecuritybase.github.io/blob/master/introduction/index.html#L163

If the method would not have been annotated with the @transactional annotation, the accounts would have to be separately saved if we want to commit the changes to the database.

I practically see no difference between both codes. What I am missing here?

Hello,

Concerned next words of Part-Three (Securing Software):

One of the important lists that they maintain is the OWASP Top 10 which contains a list of the ten most critical web application security risks. The most recent list is from 2013, and an updated list will be released either late 2016 or in 2017.

I thought that recently was second release candidate for OWASP-Top-Ten-2017 and decided to open their OWASP-Top-Ten-Project page. Where, today, possible to see that:

OWASP Top 10 2017 Released
The OWASP Top 10 - 2017 is now available.

Probably only first days... but maybe will be good to note it under material (not as only potential release).

Thanks!

Hello,

Looks like that CSB-2017 Advanced Topics Part Five with broken URLs for quizzes.
For example,

• FIRST quiz "Should everything be connected?":

Read from the Observer article about eight security

'article' with next URL:
https://cybersecuritybase.github.io/advanced/%22http://observer.com/2015/07/eight-internet-of-things-security-fails/%22

• SECOND quiz "What would happen if a “smart” system was compromised?":

Read about the capabilities of vacuum cleaners from [Telegraph]("http://www.telegraph.co.uk/technology/2017/07/25/robot-vacuum-cleaner-plans-sell-maps-peoples-homes/" TARGET="_blank").

sounds as markdown rather than html.

• THIRD quiz "Anything can be hacked?":

Watch Ashkan Fardost's TEDx video about the speed of the technology. Then watch Avi Rubin's TEDx video about...

It is time to secure the IoT as F-Secure stated in their blog or in their tech report.

'video', 'video', 'blog', 'report' with next URLs:

• https://cybersecuritybase.github.io/advanced/%22https://www.youtube.com/watch?v=sgMG7zRrcPk%22
• https://cybersecuritybase.github.io/advanced/%22https://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked%22
• https://cybersecuritybase.github.io/advanced/%22https://safeandsavvy.f-secure.com/2018/01/22/wake-up-call-the-time-to-secure-the-iot-is-now/%22
• https://cybersecuritybase.github.io/advanced/%22https://fsecureconsumer.files.wordpress.com/2018/01/f-secure_pinning-down-the-iot_final.pdf%22

In addition,

under text-page there is such place:

(Nitesh Dhanjani's <a href"http://www.dhanjani.com/docs/Hacking%20Lighbulbs%20Hue%20Dhanjani%202013.pdf" TARGET="_blank">paper about the security of HUE).

where visible that "href" is not about "=",so, URL is broken under text.

Sorry for double-edit (github hangs and by "Enter" it was created it before my full view).

Thanks!

Not sure this is the right place to post. But I can't access http://sec-mooc-1.cs.helsinki.fi:7831/ which is mentioned on ch-2 "The Byteless are coming to town!".

On the FAQ, there's a line mentioning an infographic for "insight into different languages used by professionals". Presumably this is supposed to link to an image or a website for the aforementioned infographic?