Wednesday, July 30, 2014

Web Hacking 2014, lessons learned

We've done Immunity's Web Hacking class five times now and each time we learn something different. This blog post is going to incorporate some lessons from both the public Infiltrate 2014 class as well as a private class we did for a client.

Create a minimum and maximum duration for topics -- Web hacking takes place over 3-4 days, with 7 hours per day of instruction. The maximum amount of time we want to spend on any one topic is therefore 7 hours. In my experience 90 minutes is the minimum amount of time it takes to introduce a topic and have students complete a few hands on exercises. As an example, we can introduce XXE and have students exploit a straight forward vulnerability in probably under 90 minutes. But getting the HTTP and FTP out-of-band techniques is a bit more complicated.

What is the minimum time needed for a topic? -- Some things can't really be meaningfully condensed, in our experience if you want to successfully exploit a padding oracle vulnerability under real world constraints we need 7 hours to get you there (assuming you have no prior experience). Likewise we can give a good introduction to XSS and have you practically exploit (i.e. more than just popping alert(1)) a few bugs in about 2 hours.

Topics must be modular -- Prior to the private class we'd basically always covered the same things in our web hacking course. This client wasn't interested in PHP or Open Source Information Gathering (OSIG) so we had to cut those from the course. By keeping each topic isolated we could add and subtract content pretty easily and shuffle the order in which we covered topics. This is to say that no part of XSS should depend on completing the Command Injection topic, intra topic dependencies are ok and unavoidable.

In order to be modular you need a lot of content -- The PHP and OSIG modules combined for around 6-7 hours worth of content, since those weren't being covered we had to dramatically expand the content of each module to make up the difference. We've got around 5-6 hours of XSS content available and now we can fit this topic into any length slot based on customer need.

Testing things at scale -- One of the big 'whoops' moments we had for the Infiltrate version of this class was the scoring server breaking. We'd tested it prior to the class but came to find out during the course that the sqlite3 backing DB was not up to this particular task with the number of students we had. So, Miguel had to convert to PostgreSQL during the lunch break.

Better score reporting -- When we started the class in 2012 we had a dedicated war games type portion of the class after we'd covered all the content. In each subsequent class we've cut down on the war games portion in favor of covering more content but kept the scoring, completing in class exercises awarded tokens of a certain value, the student with the highest score at the end would win something (this year, a plaque!). We're going to spend some development time getting better scoring reporting for the instructors so we can track who hasn't completed a particular exercise a bit easier. We will probably do away with the dedicated war games portion in favor of spending more time on certain topics.

After hours access -- For each iteration of this class we've run into the situation where students want to keep working but the class had ended for the day. Typically we stop teaching at 5:00PM and call a hard stop at 5:30 but many students want to continue working. We've considered hosting copies of the exercises on a private VPN that students can access from their rooms if they wish and we may put some engineering time into that before the next Infiltrate.

ircd and collaboration -- Esteban had the great idea to host an in class ircd that would allow for greater collaboration if students wanted it. Some people might say "create a Sharepoint site" or "start a wiki", communicating effectively over IRC is a skill your attackers have so you should learn it too.

Fit and finish matter -- Aesthetically this class is almost 100% powered by Bootstrap. Use design to make accessing information easier and more pleasing. This goes a long way towards streamlining the class. Especially when students don't have to ask you if an exercise is broken because all you have is a single input field and an unhelpful HTML title.

Be more than vulnerable -- Students tend to be more engaged when interacting with applications that serve some purpose outside of just being vulnerable. One of our XSS exercises allows students to make web comics, another is a front end for a network ACL complete with listening service you need to connect to. Sometimes when you have to teach a very specific concept, zeroing in on that functionality is unavoidable. But we try to make the page easy to hold a student's interest and that comes by adding a bit of functionality.