From 218f060fb9167bff10a311f3981fcf9107d30862 Mon Sep 17 00:00:00 2001 From: Aurala <39862070+Aurala@users.noreply.github.com> Date: Tue, 24 May 2022 19:51:01 +0300 Subject: [PATCH] Capitalization and whitespace fixes --- data/installation.md | 66 +++++++++++++-------------- data/module-1/part-1/8-history.md | 8 ++-- data/module-1/part-1/9-internet.md | 16 +++---- data/module-2/part-1/index.md | 2 +- data/module-2/part-1/server.md | 14 +++--- data/module-2/part-2/applications.md | 68 ++++++++++++++-------------- data/module-2/part-2/data.md | 22 ++++----- data/module-2/part-2/http.md | 8 ++-- data/module-2/part-2/index.md | 2 +- data/module-2/part-3/index.md | 2 +- data/module-2/part-3/security.md | 28 ++++++------ data/module-2/part-4/index.md | 2 +- data/module-2/part-5/framework.md | 11 ++--- data/module-2/part-5/index.md | 2 +- data/module-2/part-6/index.md | 2 +- data/module-3/part-1/index.md | 10 ++-- data/module-4/part-1/index.md | 2 +- data/module-4/part-3/certificates.md | 2 +- static/public/scripts/sanity.py | 2 +- 19 files changed, 133 insertions(+), 136 deletions(-) diff --git a/data/installation.md b/data/installation.md index 7e64fd16..350d65f2 100644 --- a/data/installation.md +++ b/data/installation.md @@ -6,7 +6,7 @@ information_page: true --- The programming exercises in Securing Software and Advanced Topics -are based on python, save for few exceptions where javascript is used. +are based on Python, save for few exceptions where JavaScript is used. In order to do programming exercises, you need to install several software packages: 
@@ -15,25 +15,25 @@ In order to do programming exercises, you need to install several software packa In addition, Securing Software requires -- several additional packages to test python exercises -- ChromeDriver + Chrome to test javascript exercises +- several additional packages to test Python exercises +- ChromeDriver + Chrome to test JavaScript exercises -## Installing TMC +## Installing TMC TMC requires a fairly modern Java 8 or later to work properly. - Open jdk 1.8.0_212 for example works + OpenJDK 1.8.0_212 for example works as should all 11.x and 12.x versions. - You can try to install and run tmc and update your java install if logging in with the cli fails. + You can try to install and run TMC and update your Java install if logging in with the cli fails. Follow the instructions on the following page to install [TMC client](https://github.com/testmycode/tmc-cli). -Note that on this course we use the command line version of TMC, not netbeans +Note that on this course we use the command line version of TMC, not NetBeans or any other IDE. So, you need to know the basics of command line use in the terminal/command prompt. If you detest command line usage, it is possible to use Visual Studio IDE (with -python) as there is also a Visual Studio -[plugin](https://www.mooc.fi/en/installation/vscode) for TMC client. +Python) as there is also a Visual Studio +[plugin](https://www.mooc.fi/en/installation/vscode) for TMC client. ## Installing Python 3 
@@ -41,28 +41,28 @@ The exercises requires Python 3 (3.5 or higher). This may be confusing as for example Macs come with preinstalled Python 2. There are many many ways to install Python 3 - Download it from the official [website](https://www.python.org/downloads/). -- Ubuntu/debian users can use apt-get. +- Ubuntu/Debian users can use apt-get. - Mac users can use MacPorts if it is installed. -- Popular distribution of python, [anaconda](https://www.anaconda.com/products/individual) or [miniconda](https://docs.conda.io/en/latest/miniconda.html), has its own package installation system. This distribution should work but it has not been tested. If you already have anaconda installed, we suggest that you try to install the needed packages with anaconda. +- Popular distribution of Python, [Anaconda](https://www.anaconda.com/products/individual) or [Miniconda](https://docs.conda.io/en/latest/miniconda.html), has its own package installation system. This distribution should work but it has not been tested. If you already have Anaconda installed, we suggest that you try to install the needed packages with Anaconda. We assume from now on that the command for Python 3 is `python3` which should -be the case for mac / linux. It may be also just `python`, in which case, -whenever we ask you to type `python3`, just type `python`. This is especially true if you are using windows. +be the case for Mac / Linux. It may be also just `python`, in which case, +whenever we ask you to type `python3`, just type `python`. This is especially true if you are using Windows. You can see the -version of your python with +version of your Python with ```shell python3 --version ``` -It is not a bad idea to have python reachable via PATH environment variable. This should be more-or-less automatic -for mac and linux. Official Windows installer asks whether you want to have yout python in PATH (say yes). +It is not a bad idea to have Python reachable via PATH environment variable. 
This should be more-or-less automatic +for Mac and Linux. Official Windows installer asks whether you want to have your Python in PATH (say yes). ## Installing additional packages This step is only required for Securing Software. -Package installer for Python (pip) should be already installed with modern python if you installed python from python.org or using conda distribution. +Package installer for Python (pip) should be already installed with modern Python if you installed Python from python.org or using conda distribution. If you you installed it using apt-get or port, then most likely you will need to install pip. The package name is probably `python3-pip`, alternatively follow these instructions to install [pip](https://pypi.org/project/pip/). 
@@ -70,35 +70,35 @@ alternatively follow these instructions to install [pip](https://pypi.org/projec Install the following packages using pip ```shell -python3 -m pip install django selenium beautifulsoup4 requests +python3 -m pip install django selenium beautifulsoup4 requests ``` -You need to allow your firewall software to allow python to listen and to connect to the internet. +You need to allow your firewall software to allow Python to listen and to connect to the internet. -## Installing ChromeDriver and Chrome +## Installing ChromeDriver and Chrome This step is only required for Securing Software. -There are few programming exercises that require writing javascript. -In order to test these exercises locally, the tests rely on a chrome browser. +There are few programming exercises that require writing JavaScript. +In order to test these exercises locally, the tests rely on a Chrome browser. Two pieces of software are required - the browser [Google Chrome](https://www.google.com/chrome/) -- a software that allows python communicate with the the browser [ChromeDriver](https://sites.google.com/a/chromium.org/chromedriver/downloads) +- a software that allows Python communicate with the the browser [ChromeDriver](https://sites.google.com/a/chromium.org/chromedriver/downloads) When installing ChromeDriver you need to make sure that the driver version matches the browser version, otherwise the driver refuses to work. The browser version can be seen by going to chrome://version . -You also need to make sure that both chrome and the chromedriver can be reached via PATH environment variable, that is, -you should be able to open the chromedriver and the browser via command line without specifying the exact location of the executable. 
+You also need to make sure that both Chrome and ChromeDriver can be reached via PATH environment variable, that is, +you should be able to open ChromeDriver and the browser via command line without specifying the exact location of the executable. -Chromedriver doesn't come with an installer. Instead it's a zipped executable. +ChromeDriver doesn't come with an installer. Instead it's a zipped executable. You need to unzip the package, and place the executable somewhere where the PATH can reach it. -Google Chrome has a tendency to update itself. When this happens you will need to update your chrome driver manually. +Google Chrome has a tendency to update itself. When this happens you will need to update your ChromeDriver manually. ### Sanity check @@ -109,7 +109,7 @@ download the [script](/public/scripts/sanity.py) and test it with python python3 sanity.py ``` -The script will test if the python packages are installed and uses selenium to access google.com. +The script will test if the Python packages are installed and uses Selenium to access google.com. Note that this script tests the installations required for the Securing Software course. These packages are not needed for Advanced topics. @@ -121,13 +121,13 @@ If it asks for a server address, then your TMC client is outdated. Re-install th Provide login details, and use organization slug `mooc`. -Download the exercises for securing software with the command +Download the exercises for Securing Software with the command ```shell tmc download mooc-securing-software-22 ``` -Download the exercises for the advanced topics with the command +Download the exercises for Advanced Topics with the command ```shell tmc download mooc-cyber-advanced-topics-2022 
@@ -139,12 +139,12 @@ You can test the exercises locally with `tmc test` and submit your solutions wit See `tmc help` for additional commands. You can test individual exercise by going to an exercise-specific folder, or -you can test all of them at once by issuing testing commands at root. +you can test all of them at once by issuing testing commands at root. Every exercise has automated tests. If you end up in situation where `tmc test` cannot find any test, you can locate the bug by either starting the application yourself -(if the programming exercise is django, then start the server with `manage.py`) -or submit the exercise and see the logs on TMC website. +(if the programming exercise is Django, then start the server with `manage.py`) +or submit the exercise and see the logs on TMC website. NB! The TMC server tests the exercises with Python 3.7. Most likely, your Python installation will be a newer version. Make sure that you do not use diff --git a/data/module-1/part-1/8-history.md b/data/module-1/part-1/8-history.md index 3b68116f..55d255bb 100644 --- a/data/module-1/part-1/8-history.md +++ b/data/module-1/part-1/8-history.md @@ -12,7 +12,7 @@ We will provide selected historical examples and comment on patterns and trends. Malware predates commercial, wide-spread internet. [Brain](https://www.youtube.com/watch?v=lnedOWfPKT0), the first _virus_ for PC (with MS-DOS being the operating system) was written in January 1986. -The virus infected the boot sector of floppy disks. +The virus infected the boot sector of floppy disks. If the floppy disk was inside the PC during its boot, a contemporary computer would first try boot it from the floppy, before moving to the hard disk (if such was present). Booting from the floppy disk allowed 
@@ -68,9 +68,9 @@ possible due to the significant scripting abilities in Microsoft office programs led to a significant rise of macro viruses as now viruses could spread through documents, especially as email attachments. -The first email virus/worm/trojan, _Happy99_ appeared in January 1999. +The first email virus/worm/trojan, _Happy99_ appeared in January 1999. The virus consisted of a trojan executable that upon execution would show firework -animation, and attached itself to an existing windows library. Under certain conditions, +animation, and attached itself to an existing Windows library. Under certain conditions, it would then send itself further over email to a new machine. In May, 2000, an internet worm _ILOVEYOU_ infected over 10 million Windows users. The worm consisted of an email asking to open an attachment "LOVE-LETTER-FOR-YOU.txt.vbs". 
@@ -185,7 +185,7 @@ alleged connections as is, without further speculation. Notable examples of APT actions include: -* [APT1](https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf), a Chinese cyber espionage group +* [APT1](https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf), a Chinese cyber espionage group * [Guccifer 2.0](https://www.washingtonpost.com/world/national-security/cyber-researchers-confirm-russian-government-hack-of-democratic-national-committee/2016/06/20/e7375bc0-3719-11e6-9ccd-d6005beac8b3_story.html), a hacker group responsible for cyber security attack against Democratic National Committee in United States, supported by Russian government. * [Lazarus Group](https://www.nytimes.com/2014/12/18/world/asia/us-links-north-korea-to-sony-hacking.html?_r=0), a hacker group responsible for hacking Sony Pictures as a retaliation for the movie "The interview", with possible links to North Korea. * [Stuxnet](https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/) a significant and extremely sophisticated computer worm designed to attack diff --git a/data/module-1/part-1/9-internet.md b/data/module-1/part-1/9-internet.md index 0dac6c48..74b23106 100644 --- a/data/module-1/part-1/9-internet.md +++ b/data/module-1/part-1/9-internet.md 
@@ -12,14 +12,14 @@ connected to the Internet. Internet has layers. Different protocols that are responsible for communication can be grouped in 4 layers. -1. Link layer +1. Link layer 2. Internet/network layer 3. Transport layer 4. Application layer Protocols at the link layer are responsible for direct communication between two entities over the same link, for example, a protocol responsible -communication between a laptop and a WiFi-router establishes the +communication between a laptop and a WiFi-router establishes the frequency, as well as how bits are transferred over that frequency. On the other extreme, the protocols in the application layer establish common language between two applications sharing information, for example, the HTTP protocol describes how @@ -48,7 +48,7 @@ Grouping protocols in 4 layers is often referred as _TCP/IP model_ (named after _internet protocol suite_. Often the link layer is split in 2 layers, physical link, and data link, leading to 5 layers instead of 4. We can also use Open Systems Interconnection model (OSI model) which has 7 layers. - + ## Internet layer and IP protocol 
@@ -77,14 +77,14 @@ packet size, and is smaller than the payload. That is, if the payload is larger what the link layer can transmit in one packet, IP protocol will chop the packet in smaller fragments, and transmit them individually. A maximum size for a single IP -packet is 65535 bytes of which 20 bytes are an IP header. Naive implementations of IP fragmentation +packet is 65535 bytes of which 20 bytes are an IP header. Naive implementations of IP fragmentation allowed for [exploits](https://www.kyberturvallisuuskeskus.fi/en/vulnerability-handling-ip-fragments) such as denial-of-service attacks. IP also provides a checksum to make sure that the payload has not been corrupted. Note that the goal of this checksum is to protect from non-malicious errors due to, for example noisy underlying communication channel. If the packet is modified by an attacker, it is trivial to compute a new valid checksum for -that particular packet. +that particular packet. When a device, either the end host or a router, notices a corrupted IP packet, it is dropped, and an error message is sent back. @@ -170,7 +170,7 @@ of the protocol is significant overhead, especially due to the acknowledgment packets. This latency is not acceptable in certain real-time applications, for example, online gaming. An alternative protocol for TCP is User Datagram Protocol (UDP), a simple protocol providing ports and a(n optional) checksum as -additional services, and nothing else. +additional services, and nothing else.
@@ -205,7 +205,7 @@ measures are taken, traffic data can be intercepted or, worse, modified. This is known as a man-in-the-middle attack, and modifying traffic can extremely sophisticated, for example, [injecting](https://thenextweb.com/insights/2017/12/11/comcast-continues-to-inject-its-own-code-into-websites-you-visit/) -(java script) code to a web browser when a user visits 3rd party websites. +(JavaScript) code to a web browser when a user visits 3rd party websites. Data encryption can be done in a link layer, for example, WiFi can use WPA2 to encrypt its traffic. Similarly, data over cellular connection is encrypted. @@ -229,7 +229,7 @@ the actual payload cannot be observed. It is possible to use the encryption protocol (known as TLS) used by HTTPS to encode normal IP traffic. Here, the user connects to a special server and establishes -a secure channel. Using this channel the user sends IP data packets. +a secure channel. Using this channel the user sends IP data packets. The server then decrypts the stream, and forwards the packets to the address specified in the packets. The server also modifies the TCP/IP headers (similar to NAT) so that it seems that the connection is coming diff --git a/data/module-2/part-1/index.md b/data/module-2/part-1/index.md index 70ae7046..7749566c 100644 --- a/data/module-2/part-1/index.md +++ b/data/module-2/part-1/index.md @@ -12,7 +12,7 @@ participant will learn the principles of developing web applications, typical security issues that are related to such applications, and how such issues are discovered and mitigated. -This course assumes that you are (somewhat) familiar with programming in python and +This course assumes that you are (somewhat) familiar with programming in Python and comfortable with using command line commands. By continuing, you agree to not to do any harm with this information or other similar information on the internet. 
diff --git a/data/module-2/part-1/server.md b/data/module-2/part-1/server.md index 6f08e015..abacc463 100644 --- a/data/module-2/part-1/server.md +++ b/data/module-2/part-1/server.md @@ -66,7 +66,7 @@ each of these resources are retrieved separately by the browser (except for the Each resource that the browser retrieves is also a potential security threat. For example, if a malicious user has found means to include his or her own -Javascript as a part of a site, the Javascript will be executed on the users' +JavaScript as a part of a site, the JavaScript will be executed on the users' machine. Whilst this may not at first sound like such a bad deal, it can -- for example @@ -171,7 +171,7 @@ urlpatterns = [ ```python # views.py from django.http import HttpResponse - + def pathView(request): return HttpResponse('Path') @@ -212,7 +212,7 @@ urlpatterns = [ ```python # views.py from django.http import HttpResponse - + def greetView(request, user): return HttpResponse('Hi ' + user) @@ -236,7 +236,7 @@ urlpatterns = [ ```python # views.py from django.http import HttpResponse - + def greetView(request): user = request.GET.get('user') @@ -364,7 +364,7 @@ def homePageView(request): The context variable is a [dictionary](https://docs.python.org/3/tutorial/datastructures.html#dictionaries), -and it can also contain nested dictionaries and lists. +and it can also contain nested dictionaries and lists. The context can be then rendered using the `{{}}` syntax in the template 
@@ -390,7 +390,7 @@ application. Forms are defined in HTML (see [form](http://www.w3schools.com/html/html_forms.asp)) using the `form`-element. The form-element will contain the path to which the content will be sent to, the type of the request, and the data. For now, the type of the request will be -POST. We will discuss POST and GET later. +POST. We will discuss POST and GET later. The data is defined using fields such as the input field (` -During this part of the securing software course, we have taken the first steps +During this part of the Securing Software course, we have taken the first steps into understanding web applications. The next part will look into using databases and the underlying HTTP protocol. diff --git a/data/module-2/part-2/applications.md b/data/module-2/part-2/applications.md index 17384f5c..2ce9a7ef 100644 --- a/data/module-2/part-2/applications.md +++ b/data/module-2/part-2/applications.md 
@@ -20,22 +20,22 @@ is being sent to the server. Other common attribute names include `id` that is used to define a unique identifier for the element and `class` that is used to define a classification for that element. -### Javascript +### JavaScript While HTML is the language for defining the structure and content of a web -page, Javascript is a language for defining dynamic content to the page. -javascript is a programming language, and like almost any programming language, +page, JavaScript is a language for defining dynamic content to the page. +JavaScript is a programming language, and like almost any programming language, it is executed one command at a time, top to bottom, left to right. - + For the purposes of this course, we use the [VanillaJS](http://vanilla-js.com/) -framework. It is one of the most used Javascript frameworks, requires no +framework. It is one of the most used JavaScript frameworks, requires no downloading or installing, and is crucial for an in-depth understanding of most -of the other Javascript components and frameworks. +of the other JavaScript components and frameworks. -(VanillaJS is not actually a framework, just plain Javascript. _Understanding_ +(VanillaJS is not actually a framework, just plain JavaScript. _Understanding_ it will likely help you immensely, and likely also reduce the possibility of writing code with plenty of holes that others must fix...) 
@@ -51,12 +51,12 @@ href="https://twitter.com/iamdevloper/status/610191865216786432">14. June -Javascript file names typically end with `.js` and they are included to a HTML +JavaScript file names typically end with `.js` and they are included to a HTML page using the `script` element. The element `script` has an attribute `src`, which defines the location of the source code file. Alternatively, one can add the code directly to HTML by surrounding it with ` ``` - + The Mozilla Developer Network has a high-quality and comprehensive -[Javascript](https://developer.mozilla.org/en-US/docs/Web/JavaScript) tutorial. +[JavaScript](https://developer.mozilla.org/en-US/docs/Web/JavaScript) tutorial. -### Modifying page content with Javascript +### Modifying page content with JavaScript -Each element in a web page can be accessed and modified using Javascript. +Each element in a web page can be accessed and modified using JavaScript. Specific elements can be identified using the [querySelector](https://developer.mozilla.org/en-US/docs/Web/API/Document/querySelector) method. It allows identifying elements based in the id-attribute value @@ -136,7 +136,7 @@ is used. - + @@ -144,7 +144,7 @@ is used. ``` In the above HTML document, the input field can be identified with the id value -"content". Using Javascript, the value of the field could be changed as +"content". Using JavaScript, the value of the field could be changed as follows. ```javascript @@ -193,7 +193,7 @@ field is not empty. - + @@ -212,9 +212,9 @@ function validate() { } ``` - + -Note that Javascript code is executed within the browser. This means that the +Note that JavaScript code is executed within the browser. This means that the above validation functionality works primarily as a way to increase usability of the site, but not the validity of the data. If there is a need to validate content, one cannot only rely on the browser (i.e. the client). 
@@ -244,7 +244,7 @@ document.querySelector("#messages").appendChild(paragraph); -These Javascript calls use the Document Object Model (DOM) interface for +These JavaScript calls use the Document Object Model (DOM) interface for altering the HTML document. See [https://developer.mozilla.org/en-US/docs/Web/API/Document\_Object\_Model](https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model) for additional information. @@ -253,7 +253,7 @@ for additional information. ### JSON dataformat and retrieving data from a server -Objects and data in Javascript are typically represented using the [Javascript +Objects and data in JavaScript are typically represented using the [JavaScript Object Notation](http://www.json.org/) (JSON) format. The format follows essentially a key: value structure, where variables are separated using commas. The definition of an object starts and ends with a bracket. For example, a 
@@ -293,13 +293,13 @@ In the example above, a query is made to the address processed and content from the response is shown to a user in an element with the id "content". - + -When building and analyzing Javascript applications, being able to debug them is crucial. Up to date browsers such as Google Chrome provide quite good tools for analyzing the application. See [Chrome DevTools](https://developers.google.com/web/tools/chrome-devtools/) for a start. +When building and analyzing JavaScript applications, being able to debug them is crucial. Up to date browsers such as Google Chrome provide quite good tools for analyzing the application. See [Chrome DevTools](https://developers.google.com/web/tools/chrome-devtools/) for a start. -When debugging your own applications, the very basic command is `console.log()`, which can be used to print out variable details and other information to the developer tools console. When the command `console.log("Hello world!");` is inserted into your Javascript code, the text "Hello world!" will be printed to the Developer tools console. When looking for problems in code, debugging using the console log is a good start. +When debugging your own applications, the very basic command is `console.log()`, which can be used to print out variable details and other information to the developer tools console. When the command `console.log("Hello world!");` is inserted into your JavaScript code, the text "Hello world!" will be printed to the Developer tools console. When looking for problems in code, debugging using the console log is a good start. -If you are familiar with debuggers and breakpoints in IDEs, similar functionality is available for browsers as well. See [Inspect and Debug Javascript](https://developers.google.com/web/tools/chrome-devtools/javascript/add-breakpoints) at Google Developers. +If you are familiar with debuggers and breakpoints in IDEs, similar functionality is available for browsers as well. 
See [Inspect and Debug JavaScript](https://developers.google.com/web/tools/chrome-devtools/javascript/add-breakpoints) at Google Developers. @@ -328,12 +328,12 @@ Similarly to the previous part, these assignments are submitted to the Test My C The assignment template has some functionality for adding tasks. Your task is to alter the loadTasks function so that the existing tasks are loaded when the -page is shown to the user. Do this using Javascript and the server `tasks` service. +page is shown to the user. Do this using JavaScript and the server `tasks` service. If you wish an additional challenge, add the functionality to remove tasks as well. -The automated test relies on using selenium with chromedriver and chrome, make +The automated test relies on using Selenium with ChromeDriver and Chrome, make sure that you have installed them properly, see [instructions](/installation-guide), otherwise you cannot do local tests. @@ -341,7 +341,7 @@ tests. Hints: - Do not use absolute URLs, the automated test will start its own server at its own port. -- Javascript [for-loop](https://thecodebarbarian.com/for-vs-for-each-vs-for-in-vs-for-of-in-javascript) syntax. +- JavaScript [for-loop](https://thecodebarbarian.com/for-vs-for-each-vs-for-in-vs-for-of-in-javascript) syntax. - The `tasks` service returns you a string that needs to be parsed into a JSON object. The JSON object will have a field named `tasks` containing the list of tasks. 
@@ -351,9 +351,9 @@ will have a field named `tasks` containing the list of tasks. -Public resources such as javascript files, images and stylesheets and can be +Public resources such as JavaScript files, images and stylesheets and can be accessed from anywhere. At the same time, if a web application requests data -using javascript, the request may be blocked if the target server has not +using JavaScript, the request may be blocked if the target server has not explicitly allowed such requests and the target server is not the same server on which the application is currently running on. diff --git a/data/module-2/part-2/data.md b/data/module-2/part-2/data.md index 0f8f36ab..6afc4732 100644 --- a/data/module-2/part-2/data.md +++ b/data/module-2/part-2/data.md @@ -31,10 +31,10 @@ Check out the tutorial at [https://sqlbolt.com/](https://sqlbolt.com/) ## Python and SQLite -We will use SQLite with python since it is ridiculously easy to use. +We will use SQLite with Python since it is ridiculously easy to use. SQLite is a naive SQL database engine, which makes it very easy to use, for example one does not need to care about setting up database user rights -because there are no users. While SQLite is an ideal engine for learning +because there are no users. While SQLite is an ideal engine for learning SQL, more serious projects should use more refined database engines such as [MySQL](https://www.mysql.com/) or [PostgreSQL](https://www.postgresql.org/). Note that all of them support vanilla SQL commands, the differences are within 
@@ -54,7 +54,7 @@ cursor = conn.cursor() Once the cursor has been established, we can use `cursor.execute()` to execute a single SQL command or `cursor.executescript()` to execute multiple SQL commands. If we modify the database, then we should save the changes with `conn.commit()`. -For more information, see Python's sqlite [library](https://docs.python.org/3/library/sqlite3.html). +For more information, see Python's SQLite [library](https://docs.python.org/3/library/sqlite3.html). @@ -163,7 +163,7 @@ in the src directory. Read the [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html). Try to implement the delete query incorrectly, that is, form the string -directly. +directly. @@ -231,7 +231,7 @@ bob.age = 45 bob.save() ``` -The models are saved in a database. The default database is a sqlite stored in +The models are saved in a database. The default database is a SQLite stored in `db.sqlite` file. The same database is also used for storing user sessions, as well as, registered users and admins (something that django provides as a built-in service). @@ -277,7 +277,7 @@ executed, or that none of them are. Database management systems offer support for implementing transactions, but, as we often work outside the database, additional steps are needed. -Transactions matter also if there are multiple database users, which may lead +Transactions matter also if there are multiple database users, which may lead to unintented consequences. Consider the following classic problem of transforming money from one account to another. @@ -294,7 +294,7 @@ def transfer(sender, receiver, amount): ``` Consider two threads A and B calling `transfer` at the same time with the following sequence: -* Thread A retrieves the accounts +* Thread A retrieves the accounts * Thread B retrieves the accounts * Thread B updates and saves the accounts * Thread A updates and saves the accounts 
@@ -343,7 +343,7 @@ is reached Django sends `BEGIN TRANSACTION` command to SQLite (Actually it sends `SAVEPOINT` but it is almost the same thing). Once the function is done Django sends `COMMIT` to SQLite which completes the transaction. -SQLite does not allow any writes whenever there is an open (second) transaction. +SQLite does not allow any writes whenever there is an open (second) transaction. So in our previous example, _both_ threads A and B will fail, by throwing an exception. More importantly, the fail will happen only during the commit. That is, the local objects `acc1` and `acc2` that are currently held in memory during the call of `transfer` are updated, @@ -354,11 +354,11 @@ no writes are possible. To see this effect in practice, we can open a connection database and open a transaction without closing it ```shell -$ sqlite3 src/db.sqlite3 +$ sqlite3 src/db.sqlite3 SQLite version 3.30.1 2019-10-10 20:19:45 Enter ".help" for usage hints. sqlite> BEGIN TRANSACTION; -sqlite> +sqlite> ``` As long as this connection is open, no other connection (manual or Django) can @@ -413,7 +413,7 @@ acc = Account.objects.get(pk=0) user = acc.owner ``` -We can also cross-search accounts using owner's information +We can also cross-search accounts using owner's information ```python accounts_owned_by_johns = Account.objects.filter(owner__first_name='John') diff --git a/data/module-2/part-2/http.md b/data/module-2/part-2/http.md index c2942f72..b88e284e 100644 --- a/data/module-2/part-2/http.md +++ b/data/module-2/part-2/http.md 
@@ -62,7 +62,7 @@ Unlike in GET, the parameters are not shown in the URL browser (also it doesn't to show them as the parameters can be, for example, images). Moreover, a modern browser will ask you whether to resubmit the form if you try to reload a web page that has been retrieved using a POST method: a sign that POST should be considered as something that modifies -the server data while GET is simply to query the server. +the server data while GET is simply to query the server. @@ -105,7 +105,7 @@ maintained. Familiarize yourself with the [OWASP Session Management Cheat -Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html). +Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html). Consider also checking information on [Session hijacking](https://en.wikipedia.org/wiki/Session_hijacking). @@ -132,14 +132,14 @@ Hints: * You should be able to figure out the session id formula by studying the [cookies](https://developers.google.com/web/tools/chrome-devtools/storage/cookies). * During automated tests, the counter in the session id will be a small random number (between 1 and 11). The sniffer should do multiple guesses to find Alice. * Use Python library [requests](https://www.w3schools.com/python/ref_requests_get.asp). -* Note that `json.loads` does not work with byte streams when using Python 3.5. +* Note that `json.loads` does not work with byte streams when using Python 3.5. * The session id for Django web servers is stored in a cookie named `sessionid`. -During this part of the securing software course, we briefly visited frontend +During this part of the Securing Software course, we briefly visited frontend and backend functionality and looked into how databases are used when developing web applications. During the next week we will look deeper into the typical security issues in web applications. 
diff --git a/data/module-2/part-2/index.md b/data/module-2/part-2/index.md index cbda743f..31f71634 100644 --- a/data/module-2/part-2/index.md +++ b/data/module-2/part-2/index.md @@ -12,7 +12,7 @@ participant will learn the principles of developing web applications, typical security issues that are related to such applications, and how such issues are discovered and mitigated. -This course assumes that you are (somewhat) familiar with programming in python and +This course assumes that you are (somewhat) familiar with programming in Python and comfortable with using command line commands. By continuing, you agree to not to do any harm with this information or other similar information on the internet. diff --git a/data/module-2/part-3/index.md b/data/module-2/part-3/index.md index 8913d894..2ac511e1 100644 --- a/data/module-2/part-3/index.md +++ b/data/module-2/part-3/index.md @@ -12,7 +12,7 @@ participant will learn the principles of developing web applications, typical security issues that are related to such applications, and how such issues are discovered and mitigated. -This course assumes that you are (somewhat) familiar with programming in python and +This course assumes that you are (somewhat) familiar with programming in Python and comfortable with using command line commands. By continuing, you agree to not to do any harm with this information or other similar information on the internet. diff --git a/data/module-2/part-3/security.md b/data/module-2/part-3/security.md index 381e72f4..95eee0b8 100644 --- a/data/module-2/part-3/security.md +++ b/data/module-2/part-3/security.md 
@@ -221,13 +221,13 @@ that can be used for XSS testing. The exercise contains a simple direct message application, where messages are -not properly sanitized. This allows to send messages containing HTML code, and Javascript code. +not properly sanitized. This allows to send messages containing HTML code, and JavaScript code. Write a message that---when viewed by the victim in the application---will steal the victim cookie. Write the message in `src/msg.html`. The test will simulate the heist by sending the message in `src/msg.html` -to the victim and have the victim view the message. +to the victim and have the victim view the message. -To steal the cookie, use Javascript to send the cookie to `mail/` on the same server. +To steal the cookie, use JavaScript to send the cookie to `mail/` on the same server. Note that in the real world this can be _any_ server but for automatic testing we added the `mail/` service to the same server to simulate the heist. @@ -241,11 +241,11 @@ The application has the following username and password combinations for testing Hints: -* Look into Tasks exercise (addTask function) on how to do Javascript POST requests with JSON as request body. +* Look into Tasks exercise (addTask function) on how to do JavaScript POST requests with JSON as request body. * For debugging purposes, the server will print to the console any mail obtained through `mail/` request. * When using POST make sure that you include `/` in `mail/`. * In certain situations you may get `Message: unknown error: DevToolsActivePort file doesn't exist` when running `tmc test`. -This means that your chrome installation is a bit wonky, what often helps is commenting out +This means that your Chrome installation is a bit wonky, what often helps is commenting out the line `options.add_argument('--user-data-dir=test/chrome_user_data')` in `test/test_xss.py`. 
@@ -271,11 +271,11 @@ Python packages `safety` (and `safety-db`) can be used to check any vulnerable p Python package `safety` can be used to find installed vulnerable packages. The package relies on another package `safety-db` which is simply a curated -JSON file of known vulnerable python modules. +JSON file of known vulnerable Python modules. In this assignment, the goal is to write a simple query system that given -the safety-db json file and a package name returns a list of all vulnerabilities -associated with that package. +the safety-db JSON file and a package name returns a list of all vulnerabilities +associated with that package. The output should contain a list of tuples ```python @@ -283,7 +283,7 @@ The output should contain a list of tuples ``` During the writing of this exercise the `safety-db` package was quite broken, -so instead of installing `safety-db`, you should download the json file `insecure_full.json` directly +so instead of installing `safety-db`, you should download the JSON file `insecure_full.json` directly from [here](https://github.com/pyupio/safety-db/tree/master/data). @@ -303,7 +303,7 @@ Knowing the top 10 most critical web application security issues is a good start. However, new security flaws are constantly discovered, and a security professional needs to keep up with the development of the field. Incident databases such as [Common Vulnerabilities and -Exposures](https://cve.mitre.org/) +Exposures](https://cve.mitre.org/) are crucial for keeping up with the latest developments of the field. @@ -327,7 +327,7 @@ accessible. Many frameworks these days include CSRF defences by default. The exercise contains an unsafe bank application that uses GET methods without -any CSRF protection. +any CSRF protection. The application has the following username and password combinations for testing: 
@@ -337,7 +337,7 @@ The application has the following username and password combinations for testing Write an HTML file that when opened (if the user is logged in) moves $10 to Alice's account. Note that there is a confirmation dialog which you also need to deal with. -Do not use Javascript, instead use `img` tags. +Do not use JavaScript, instead use `img` tags. The automated test will ignore the DNS name of the server in img tags, so you can use `localhost:8000` freely, or any other name, depending on your setup. @@ -354,7 +354,7 @@ requires setting up an HTTPS server, which is not trivial. Instead, to test the file manually, do the following steps. - Start the server. - Login as bob. -- in src directory, run `python3 -m http.server 9000` (this will start a second web server). +- In src directory, run `python3 -m http.server 9000` (this will start a second web server). - Go to `http://localhost:9000/csrf.html` (this will process the csrf message). - Reload the original page where you have logged as bob. @@ -367,6 +367,6 @@ They are not required when you use `tmc test` or `tmc submit`. -In this this part of the securing software course, we looked at some of the +In this this part of the Securing Software course, we looked at some of the most common web security issues. During the next part, we will look a bit deeper into finding flaws in software. diff --git a/data/module-2/part-4/index.md b/data/module-2/part-4/index.md index 17095974..7b2f48ac 100644 --- a/data/module-2/part-4/index.md +++ b/data/module-2/part-4/index.md 
@@ -12,7 +12,7 @@ participant will learn the principles of developing web applications, typical security issues that are related to such applications, and how such issues are discovered and mitigated. -This course assumes that you are (somewhat) familiar with programming in python and +This course assumes that you are (somewhat) familiar with programming in Python and comfortable with using command line commands. By continuing, you agree to not to do any harm with this information or other similar information on the internet. diff --git a/data/module-2/part-5/framework.md b/data/module-2/part-5/framework.md index e545ca90..2d934641 100644 --- a/data/module-2/part-5/framework.md +++ b/data/module-2/part-5/framework.md @@ -47,7 +47,7 @@ with form data. The assignment template contains a variant of the -banking application used in the previous exercise. +banking application used in the previous exercise. Go over the code and fix the security issues. @@ -227,9 +227,9 @@ reacts with their current version of the system. One of the most commonly used version control systems is [Git](https://en.wikipedia.org/wiki/Git), which is also used by -[Github](https://github.com/). If you are not familiar with them, see the +[GitHub](https://github.com/). If you are not familiar with them, see the [Hello World tutorial provided by -Github](https://guides.github.com/activities/hello-world/) -- more advanced +GitHub](https://guides.github.com/activities/hello-world/) -- more advanced users may benefit from the [Pro Git book](https://git-scm.com/book/en/v2). 
@@ -294,10 +294,7 @@ hosted, the software may e.g. be deployed only into a small part of the servers. One possibility for hosting the software is cloud services such as -[Heroku](https://www.heroku.com/). See e.g. [Heroku Github -Integration](https://devcenter.heroku.com/articles/github-integration) and -[Travis Heroku -integration](https://docs.travis-ci.com/user/deployment/heroku/). The first +[Heroku](https://www.heroku.com/). See e.g. [Heroku GitHub Integration](https://devcenter.heroku.com/articles/github-integration) and [Travis Heroku integration](https://docs.travis-ci.com/user/deployment/heroku/). The first link also has functionality for Travis CI integration. diff --git a/data/module-2/part-5/index.md b/data/module-2/part-5/index.md index 9c8e25f9..fb1f802f 100644 --- a/data/module-2/part-5/index.md +++ b/data/module-2/part-5/index.md @@ -12,7 +12,7 @@ participant will learn the principles of developing web applications, typical security issues that are related to such applications, and how such issues are discovered and mitigated. -This course assumes that you are (somewhat) familiar with programming in python and +This course assumes that you are (somewhat) familiar with programming in Python and comfortable with using command line commands. By continuing, you agree to not to do any harm with this information or other similar information on the internet. diff --git a/data/module-2/part-6/index.md b/data/module-2/part-6/index.md index 974d2701..db507f2e 100644 --- a/data/module-2/part-6/index.md +++ b/data/module-2/part-6/index.md 
@@ -12,7 +12,7 @@ participant will learn the principles of developing web applications, typical security issues that are related to such applications, and how such issues are discovered and mitigated. -This course assumes that you are (somewhat) familiar with programming in python and +This course assumes that you are (somewhat) familiar with programming in Python and comfortable with using command line commands. By continuing, you agree to not to do any harm with this information or other similar information on the internet. diff --git a/data/module-3/part-1/index.md b/data/module-3/part-1/index.md index 75be5bf0..36704324 100644 --- a/data/module-3/part-1/index.md +++ b/data/module-3/part-1/index.md @@ -51,7 +51,7 @@ installing and running the web application on Windows, Linux and Mac (including guidelines for installing any possible required dependencies). The code must be stored in a public repository so that other students may review it. -A standard option is to use [Github](https://github.com/). If you are a student at Helsinki University, you +A standard option is to use [GitHub](https://github.com/). If you are a student at Helsinki University, you can use [https://version.helsinki.fi](https://version.helsinki.fi). Make sure that the project is _public_. The easiest way to check the visibility is to try the links in incognito mode. Do _not_ remove the project until you have received the points. @@ -61,7 +61,7 @@ Note that essay is not accepted immediately as it needs to be approved by the co ### Writing essay -You will then write a 1000 word report (hard limits: 800-1500) that pinpoints the flaws and +You will then write a 1000 word report (hard limits: 800-1500) that pinpoints the flaws and describes how they can be fixed. The report _must_ follow the following structure: ```rest 
@@ -87,10 +87,10 @@ how to fix it... ``` -Add source link to each flaw if appropriate. Ideally, the link should +Add source link to each flaw if appropriate. Ideally, the link should have the format `https://urldomain/repo/file.py#L42` (Line 42 in `file.py`). -The links can be easily obtained by clicking the line numbers in the Github repository file browser. -If the flaw involves in omitting some code, then comment-out the code, and provide the link to the beginning of the commented block. +The links can be easily obtained by clicking the line numbers in the GitHub repository file browser. +If the flaw involves in omitting some code, then comment-out the code, and provide the link to the beginning of the commented block. Be specific with your fix. If possible, provide a fix to the problem in the code. The fix can be commented out. If appropriate, add a source link to each diff --git a/data/module-4/part-1/index.md b/data/module-4/part-1/index.md index c5d84505..93ccc90a 100644 --- a/data/module-4/part-1/index.md +++ b/data/module-4/part-1/index.md @@ -18,7 +18,7 @@ be also visited. -This course assumes that you are (somewhat) familiar with programming in python and +This course assumes that you are (somewhat) familiar with programming in Python and comfortable with using command line commands. By continuing, you agree to not to do any harm with this information or other similar information on the internet. diff --git a/data/module-4/part-3/certificates.md b/data/module-4/part-3/certificates.md index 2a7c6bb5..91a884d3 100644 --- a/data/module-4/part-3/certificates.md +++ b/data/module-4/part-3/certificates.md 
@@ -80,7 +80,7 @@ _Hints:_ 1. Make sure to use both `self.remote_address` and `self.path`. 2. Requests library is your friend. 3. You don't need to parse HTML. You can simply capitalize every letter in response (use `upper()`). -This will certainly break certain pages, especially with javascript code. +This will certainly break certain pages, especially with JavaScript code. Fancier approach would be to parse HTML with beautifulsoup but it is not needed for this exercise. diff --git a/static/public/scripts/sanity.py b/static/public/scripts/sanity.py index 0658d461..b6a356cb 100644 --- a/static/public/scripts/sanity.py +++ b/static/public/scripts/sanity.py @@ -3,7 +3,7 @@ from selenium.webdriver.chrome.options import Options import socket -# There is a 'feature' in selenium which may cause the firewall to react unless you provide an explicit port for the driver +# There is a 'feature' in Selenium which may cause the firewall to react unless you provide an explicit port for the driver def free_port(): free_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) free_socket.bind(('localhost', 0))
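Review bot: the `+` line of the `@@ -231,7` hunk in `data/module-2/part-2/data.md` still reads "The default database is a SQLite stored in `db.sqlite` file", which is ungrammatical after the capitalization and names a file that does not match the rest of the document: the shell example in the `@@ -354,11` hunk of the same file opens `src/db.sqlite3`. Suggest "The default database is an SQLite database stored in the file `db.sqlite3`" so the prose agrees with the `sqlite3 src/db.sqlite3` command.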
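Review bot: the context lines of the `@@ -277,7` hunk in `data.md` carry two typos right beside the whitespace fix: "unintented consequences" should be "unintended consequences", and "transforming money from one account to another" should be "transferring money". Since the hunk is already being rewritten, fold both into this commit rather than leaving them for another capitalization pass.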
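Review bot: the sentence in the `@@ -343,7` hunk of `data.md`, "SQLite does not allow any writes whenever there is an open (second) transaction", is too strong as written and only gets a trailing-space fix here. SQLite permits any number of concurrent read transactions; what it refuses is a second *write* transaction while one holds the write lock. Suggest "SQLite does not allow a second write transaction while one is already open", which is also what the "both threads fail at commit" explanation that follows relies on.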
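Review bot: the demonstration in the `@@ -354,11` hunk of `data.md` (`sqlite> BEGIN TRANSACTION;` followed by "As long as this connection is open, no other connection (manual or Django) can" write) will not behave as described: a bare `BEGIN` in SQLite starts a deferred transaction and acquires no lock until the first statement touches the database, so Django can still commit until this shell reads or writes something. Use `BEGIN IMMEDIATE;` in the example, which takes the write lock at once and makes the blocking deterministic.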
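Review bot: the context of the `@@ -62,7` hunk in `data/module-2/part-2/http.md` contains a broken sentence, "the parameters are not shown in the URL browser (also it doesn't to show them as the parameters can be, for example, images)", which is missing a verb and misplaces "browser". Suggest "the browser does not show the parameters in the URL (it could not, since a parameter can be, for example, an image)" while this hunk is open.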
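Review bot: in the hints of the `@@ -132,14` hunk in `http.md`, `Use Python library [requests](https://www.w3schools.com/python/ref_requests_get.asp)` links a third-party tutorial page instead of the library's own documentation (https://requests.readthedocs.io/), and the adjacent hint about `json.loads` and byte streams on Python 3.5 describes an interpreter that reached end of life in 2020. Point the link at the official docs and either drop the 3.5 note or replace it with the version-independent advice to call `response.json()` on the `requests` response.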
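Review bot: each of the six identical `index.md` hunks (module-2 parts 2 through 6 and module-4 part 1) rewrites the line directly above "By continuing, you agree to not to do any harm", which has a doubled "to". Since the surrounding lines are already in the diff, change it to "you agree not to do any harm" in every file in the same pass rather than leaving a grammar error next to a capitalization fix.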
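Review bot: the `+` line of the `@@ -221,13` hunk in `data/module-2/part-3/security.md` keeps "This allows to send messages containing HTML code, and JavaScript code", which is ungrammatical ("allows to send") and redundant. Suggest "This makes it possible to send messages containing HTML and JavaScript." so the capitalization fix does not ship with the original wording problem.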
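Review bot: the `@@ -283,7` hunk in `security.md` tells students to download `insecure_full.json` from `https://github.com/pyupio/safety-db/tree/master/data`, a moving branch tip, so the input to the exercise and to its automated tests changes whenever the upstream data is updated or the file is moved. Pin the link to a specific commit, or vendor the JSON file with the exercise template, so the expected vulnerability lists stay reproducible.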
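Review bot: the `@@ -303,7` hunk in `security.md` calls CVE an "incident database", which is the wrong term and only receives a trailing-space fix here; CVE (https://cve.mitre.org/) is a catalogue of publicly disclosed vulnerabilities, not of incidents. Suggest "Vulnerability databases such as [Common Vulnerabilities and Exposures](https://cve.mitre.org/)".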
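Review bot: the manual CSRF test in the `@@ -354,7` hunk of `security.md` (log in on the bank at `localhost:8000`, then open `http://localhost:9000/csrf.html` served by `python3 -m http.server 9000`) works only because cookie scope ignores the port, so Bob's session cookie is sent along with the `img` requests from the page on port 9000. That is the whole point of the demonstration and deserves one sentence in the step list, otherwise a reader may conclude that a second port counts as a different site.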
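Review bot: the `+` line of the `@@ -367,6` hunk in `security.md` still reads "In this this part of the Securing Software course"; the doubled "this" should be removed while the line is being edited.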
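Review bot: the `@@ -294,10 +294,7` hunk in `data/module-2/part-5/framework.md` collapses three wrapped lines into one long line, which breaks the roughly 80-column wrapping used throughout this file and the rest of the patch. Keep the original line breaks and change only `Github` to `GitHub` on each line, so the diff stays a pure capitalization fix.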
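Review bot: two `+` lines in the `@@ -87,10 +87,10` hunk of `data/module-3/part-1/index.md` keep grammar errors: "Add source link to each flaw" should be "Add a source link to each flaw", and "If the flaw involves in omitting some code" should be "If the flaw involves omitting some code". Both lines are already in the diff, so fix them here.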