Upload File

webseclab - usenix · webseclab elie bursztein baptiste gourdin celine fabry jason bau gustav...

  • Home
  • Documents
  • Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell
13
Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell Stanford University 1

Upload: others

Post on 30-Jun-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

WebseclabElie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt

Hristo Bojinov Dan Boneh John C. MitchellStanford University

1

Page 2: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

Web vs System

1186

2793

1528

996

1275

1095

2000 1951

1531

1647

Num

ber o

f vul

nera

bilit

ies

1000

2000

3000

2005 2006 2007 2008 2009

Evolution of the number of vulnerabilties by years

Web System

http://ly.tl/t1
http://ly.tl/t1
Page 3: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

Web vulnerabilities breakdownN

umbe

r of v

ulne

rabi

lity

0

100

200

300

400

500

600

700

800

900

1000

2005 2006 2007 2008 2009

Evolution of the web vulnerabilities over the years by types

XSS SQLi XCS Session CSRF SSL Infomation Leak

http://ly.tl/t1
http://ly.tl/t1
Page 4: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

BlackHat Training on Web security

012345678910

2005 2006 2007 2008 2009 2010

http://ly.tl/t1
http://ly.tl/t1
Page 5: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

No bullet proof language

140

224

302

511

1170

1220

5070

pl

do

cfm

jsp

asp

aspx

php

0%10%20%30%40%50%60%70%80%90%100%

PHP ASP ASPX JSP CFM DO PL

http://ly.tl/t1
http://ly.tl/t1
Page 6: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

Webseclab Goals

• Blending edge exercises

• Inclusive environment

• No setup

• Minimal learning curve

• Easy class management

http://ly.tl/t1
http://ly.tl/t1
Page 7: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

Webseclab architecture

Cloud service

VM1 VM2

User 1

VM1 VM2

User 2

http://ly.tl/t1
http://ly.tl/t1
Page 8: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein Slide deck 2010 http://ly.tl/t1

Key features

• Exercises

• Quizzes

• Projects

• Real case

• Class management

• Synchronization

• Realtime goal

• Quizzes push

• Analytics

VM Cloud

http://ly.tl/t1
Page 9: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

Page 10: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

Page 11: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

Webseclab VM architecture

Webseclab

Webseclab

http://ly.tl/t1
http://ly.tl/t1
Page 12: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

Webseclab VM architecture

Virtual  Machine

IDE

Sandbox

Firefox

WebSecLab

SQL  via  phpmyadmin

Categories

Exercise

Objective

Constraints

Pitch

Exercice  rendered

Exercice  code

Hints

Sync

Dashboard

Webseclab

Webseclab

http://ly.tl/t1
http://ly.tl/t1
Page 13: Webseclab - USENIX · Webseclab Elie Bursztein Baptiste Gourdin Celine Fabry Jason Bau Gustav Rydstedt Hristo Bojinov Dan Boneh John C. Mitchell

Elie Bursztein et al Webseclab http://ly.tl/t15

Exercises repartition

Weseclab

Webseclab: exercises repartition

0

5

10

15

20

6

1

45

12

6

17

78

7

Introduction Browser security Mixing content XSSCSRF Session Phishing AuthenticationEmbedding SQL injections

Tuesday, May 18, 2010

http://ly.tl/t1
http://ly.tl/t1

Busting Frame Busting - OWASP€¦ · OWASP 2 Busting Frame Busting A Study of Clickjacking Vulnerabilities on Popular Sites Gustav Rydstedt, Elie Burzstein, Dan Boneh, Collin Jackson

Mobile Token-Based Authentication fileMobile Token-Based Authentication b On a Budget Hristo Bojinov Dan Boneh Stanford Computer Security Lab Saturday, April 16, 2011

Webseclab Security Education Workbench - USENIX ·  · 2010-07-17and instant feedback for exercise answers. Further, ... including SQL Injection and SSL configuration. ... pl do

XCS: Cross Channel Scripting and its Impact on Web ...€¦ · XCS: Cross Channel Scripting and its Impact on Web Applications Hristo Bojinov* Stanford University ... Second, XSS

Rydstedt Nyman, M. Organizational Organizational Lessons

Neuroscience Meets Cryptography: Designing Crypto Primitives Secure Against Rubber Hose Attacks A Paper by Hristo Bojinov, Daniel Sanchez, Paul Reber,

Webseclab Security Education Workbench

Multiagent control of Self- reconfigurable Robots- Hristo bojinov,Arancha Casal,Tad Hogg Harini Gurusamy

Rob Laber, Lead CV Engineer Hristo Bojinov, CTO...Cloud Instance Selection for Your GPU Fleet Lessons from Developing Smart Kitchen Technology Hristo Bojinov, CTO Rob Laber, Lead CV

Webseclab Security Education Workbench - …theory.stanford.edu/~jcm/papers/webseclab.pdf · Webseclab Security Education Workbench Elie Bursztein, ... (Linux, Apache, ... Exercice

Webseclab Security Education Workbench - USENIX...server, database, and network. Within this environment, we have developed a series of project exercises, equal in heft to textbook

Webseclab Security Education Workbenchtheory.stanford.edu/people/jcm/papers/webseclab.pdf · we continue to develop additional projects and anticipate that further distribution of

Design and Analysis of Switchback Experiments Files/WP21-034...Design and Analysis of Switchback Experiments Iavor Bojinov Technology and Operations Management Unit, Harvard Business

Busting Frame Busting: a Study of Clickjacking ...a Study of Clickjacking Vulnerabilities on Popular Sites Gustav Rydstedt, Elie Bursztein, Dan Boneh Stanford University frydstedt,elie,[email protected]

Webseclab Security Education Workbench - Stanford Universitycrypto.stanford.edu/~jcm/papers/webseclab.pdf · Figure 1: Web application vulnerabilities versus system vulnerabilities

ISSN 1313 - 8820 olume Marchtru.uni-sz.bg/ascitech/1_2014/003.pdf · Ihsan Soysal (Turkey) Horia Grosu (Romania) Bojin Bojinov (Bulgaria) Stoicho Metodiev (Bulgaria) Nutrition and

1 Vlado Bojinov

A hydrochemical investigation and socioeconomic assessment ... · Rio Zapomeca river basin focusing on arsenic contamination Axel Hagström & Anton Rydstedt Department of Risk Management

Gustav Rydstedt, Elie Burzstein, Dan Boneh, Collin Jackson

1 Multiagent Control of Modular Self-Reconfigurable Robots Tad Hogg HP Labs Hristo Bojinov Jeremy Kubica Arancha Casal PARC’s modular robotics group