Hello again. I usually write articles as a developer, but today I want to share my experience of running the information security exam at Moscow Polytechnic. In my opinion it turned out quite interesting, and the task may even be useful for novice testers and pentesters. But first I will say a little about how the classes were held during the semester, so that it is clear how we ended up where we did.
Training
Lectures
During the semester I had two double periods a week with each group, and in that time I tried to cram in as much information as possible to broaden the students' horizons. In the lectures I talked about all sorts of things:
- About the dangers of the Internet of things;
- The history of Niantic's struggle with Pokemon fans;
- The essence of bug bounty programs;
- Examples of vulnerabilities found on PornHub;
- Why it is so difficult to protect against attacks from mobile applications;
- What makes Tor so good, and why it still cannot save you;
- Stories about fraud in the banking sector;
And much more. I understand perfectly well that students forget three-quarters of what they hear, and the remaining quarter is obsolete by the time they graduate.
Therefore, the most important thing for me was to convey to the students that:
- These days almost any kettle can be attacked by a hacker;
- You cannot trust anyone or anything, ever: neither users, nor hardware, nor software;
- A good developer, a good hacker and a good security specialist are three qualities that inevitably go together;
- Current computing power allows you to do terrible things;
- Breaking is not building, and it is both interesting and necessary;
- The dark side can be attractive. But it has far fewer cookies than the light side, and you can get it from the Jedi in full.
Seminars
Given that seminar time was noticeably shorter than I would have liked (yes, I am ready to teach this subject for at least several years; the topic is very deep), I had to pick a few concrete things for the students to do in the most hands-on way possible, so that their idea of hacking would differ somewhat from the movies with beautiful scrolling green lines. At the same time, I wanted to cover attack methods as much as possible rather than defence options. Attacks on web applications seemed the most interesting to me: they are visual and effective, and many of the principles used there also apply to mobile and even desktop applications. Since the students had studied PHP the previous semester, we looked at these vulnerabilities in PHP, with the proviso that almost all of it holds for other development languages as well.
The lab assignments were as follows:
- SQL injection. Someone will probably call me an old-timer and tell me that modern languages no longer let you shoot yourself in the foot like this... But practice shows otherwise. Legacy code and crooked lazy hands work wonders.
- XSS;
- Uploading malicious files;
- Clickjacking;
- Generating HTTP requests. I added this lab when I saw that students did not understand very well how HTTP works. Next time this lab will be the first;
- Automated testing;
- Encryption. I tried to keep cryptography to a minimum (an insanely important science, and a subject to which a separate semester could be devoted, but time, time...). But you need to at least know how hashing differs from encryption and digital signatures, and where md5 can and cannot be used.
- Testing DVWA (Damn Vulnerable Web Application) with Kali Linux tools. A funny moment: during testing we found an incompatibility with PHP 7. We immediately fixed it in the student distribution and sent a pull request to the main repository. The pull request was accepted right away.
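As an added illustration of the encryption lab's point about where md5 can and cannot be used (example code written for this post, not part of the original course materials; the wordlist and password values are constructed):

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist for the demonstration (not from the course).
WORDLIST = ["123456", "password", "1", "qwerty"]

def md5_checksum(data: bytes) -> str:
    """Acceptable md5 use: detect accidental corruption of a download.
    Nobody is expected to forge both the file and its checksum here."""
    return hashlib.md5(data).hexdigest()

def keyed_mac(key: bytes, data: bytes) -> str:
    """A plain hash proves nothing about who produced the data;
    a keyed MAC (HMAC-SHA256) does, for whoever holds the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def store_password_md5(password: str) -> str:
    """The wrong way: fast and unsalted. Every user with password '1' gets
    the same stored value, and a precomputed table inverts it instantly."""
    return hashlib.md5(password.encode()).hexdigest()

def lookup_precomputed_table(stored: str) -> Optional[str]:
    """Why unsalted md5 fails: one table over the wordlist, reusable forever."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in WORDLIST}
    return table.get(stored)

def store_password_pbkdf2(password: str, salt: bytes = b"", rounds: int = 100_000) -> str:
    """The right way: per-user random salt plus a slow, iterated hash.
    Same password -> different stored value, and no reusable table."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print("checksum:", md5_checksum(b"image bytes"))
    weak = store_password_md5("1")
    print("unsalted md5 recovered as:", lookup_precomputed_table(weak))
    strong = store_password_pbkdf2("1")
    print("pbkdf2 verify:", verify_pbkdf2("1", strong), verify_pbkdf2("2", strong))
```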
The full lab assignments can be viewed
here: hosting on GitHub Pages is fast and convenient, and lets you quickly fix any flaws found in a task. The student presses F5 and has the new version of the task! For especially picky readers, I confess right away that some places copy Wikipedia. I could have given links instead, but those often lead to wonderful things like
this . So the materials have to be rewritten by hand. And from time to time students found all sorts of non-trivial solutions on the Internet...
Exam
A special vulnerable web application was prepared for the exam (the link is at the end of the post). Initially I wanted to prepare additional vulnerabilities in the machine itself (outdated software, open service ports with simple passwords, and so on), but decided there would not be enough time for that, so only the application itself was broken.
Once again, I will not list the vulnerabilities, because they were exactly what we went through in the labs. I warn you in advance: there is poor-quality code in there. Tons of it! That was the point.
We came up with a funny algorithm for grading the students. The exam used the bug bounty format, so each vulnerability had a certain reward attached, just like in the adult real world. And the grade had to be bought: an excellent mark cost $20,000, a satisfactory one 12,000.
You could cash it in. If anyone is interested, the virtual machine itself was built with Vagrant + VirtualBox; the OS was CentOS 7, and the software was nginx + MariaDB + php-fpm plus several extensions. Kali Linux 2016.2, prepared in the standard way and similar to the one we used in the labs, was also available at the exam.
The exam lasted five hours (we practise the WorldSkills format). It passed without surprises: everything worked, everything that was supposed to break broke, and all the students who attended classes passed. Those who did not, alas, did not. In my opinion, that is how it should be.
Working on mistakes
After the exam I put out
an anonymous questionnaire like this (Google Forms is simply divine for quickly collecting feedback). If you're interested, you can have a look: I deliberately exported the student survey results and left the form open (at the moment 160 people have already filled it in). It was nice to get 13 responses; with a total of 30 students and no obligation to fill it in, that is simply an excellent result. I was also very pleased that the guys liked the course and the feedback was mostly positive. I see no reason to praise myself here, so let's dwell on the criticism (the authors' spelling is preserved):
Extremely little information on the labs at the lectures.
Yes, that is true. I wanted to tell the most interesting things in lectures and cover the labs in seminars. But apparently lecture time needs to be devoted to the labs as well.
Little time is allocated during the semester for lectures.
Yes, we had a couple of lectures a week. It's nice that the guys saw that a lot more could be told. Well, maybe we will meet again in the master's programme.
The lack of a projector in the first lectures.
Yes, I did not get a room with a projector right away. With one, things are much clearer.
Kali and Linux in general should be shown to people in more detail.
Yes, the problem here is that there was no Linux course beforehand. The sequence of courses will need adjusting.
It was difficult to attend lectures so early.
Me too :)
As an improvement, I would suggest (a) adding some interest to the course. For example, blitz polls, tests at lectures (Google, Kahoot). This would increase the involvement of students and give an understanding of who swims and where.
Great idea. Next time we will.
YouTube video
Yes, there was a problem with visual materials. And with video in Russian the problem is serious in general. Either there is none, or what there is is so monstrous... The diction is much worse than mine, and there are often situations where the author makes a mistake and then spends ten minutes searching for it and rolling back... And in the background "Vladimirsky Central" is playing and domino tiles are clacking. In short, you need very strong nerves to watch it. And recording your own video from scratch is very labour-intensive. So in the end I either used video materials from Positive Technologies (I really love those guys!) or showed English videos and voiced them over. Next time I will need to either record my own or at least add my own voice-over. But I will need to find someone for that, since my diction is lame. In general, a difficult task, but doable.
It is difficult to listen to speeches with shortcomings in diction, and it would also be worthwhile to speak louder, since the second part was often just inaudible.
Yes, that's true. I am glad that only one student noticed (or the others are just excessively polite). I will try to correct it and use a microphone to amplify the sound. Speaking loudly for two or three double periods in a row, there simply isn't enough throat, and so I later went to work without a voice.
An inapplicable theory that I will forget in a couple of months.
Alas, that is how it is with all theory. But I hope the guys remember the main ideas (see above). Well, such things can pop up in memory if you keep dealing with them.
Written material that was not particularly helpful in the course.
Here, apparently, it is meant that it was not particularly useful for the exam. Alas, theory could not be put into the exam. I will think about how best to link the course together.
People are afraid to approach and ask (the problem is global and apparently has not been cured over the years and courses), we must somehow come up with an approach to them, so that the students themselves come and ask what they should do if they don't understand at all. I will not offer anything, I just need to think about it somehow.
Yes, there is a problem, and it is very serious. In the first year, which I supervise for microelectronics projects, it is even worse. The guys simply do not know how to ask (although there is an interesting split by gender: girls ask questions more readily). I will try to correct this with more feedback, including tests, polls and so on. Convincing the guys to ask questions is incredibly difficult.
Also, many students indicated that they would like more time for the exam. Need to think. IMHO, it's almost unrealistic to work with your head for 6-8 hours; perhaps the exam programme needs to be shortened to fit better into 4-5 hours. Or really take a break.
They also wrote that the system for scoring vulnerabilities was imperfect: there were small awards for small vulnerabilities, while for a large one you could immediately get a third of the required reward. On the one hand, that was how I thought of big vulnerabilities: very few people will find them, but if they do, it will be rewarded in full. On the other hand, more small vulnerabilities were clearly needed. There is work to do.
Results
Overall I am satisfied, although there is still a lot of work to finish the course. The good news is that there is now a backbone on which it is easier to build up more tasty "meat". And it's good that the first pancake did not come out lumpy. So there will be more, more interesting and tastier!
I would be happy to get feedback from the Habr audience. Right now you can influence the future of Russian education and which applicants will come to you in a few years.
PS. I am now looking for a good QA engineer for my team. Resumes with reports on this application are accepted ;)
PS2. You can invite me to give a course at your place. But it should be socially useful, interesting, or for money (better, of course, all three). And there are always offers from all kinds of nice companies: come up with and deliver a course for a few rubles, you have all the materials, videos and manuals, and the course remains our property... I am afraid to think who writes materials for them, and why they teach such courses to students.
Thanks
Without these people there would have been no such exam. So thanks:
- To Ivan Chikunov, head of the "WEB-technologies" educational programme, and Andrei Filippovich, dean of the faculty of informatics and control systems, for allowing me to arrange such a mess;
- To Denis Vasiliev, who leads the mobile development course, for integrating his mobile development exam so neatly with mine;
- To Olga Prudkovskaya, head of the Moscow Polytech Fablab, for inviting me to Moscow Polytech and for an inspiring example (she is very cool!);
- To Vladimir Kanin, my director at PayMe, for giving me the time to make the world a little better;
- To Dmitry Leonov, author of BugTraq.Ru and a wonderful teacher at my home department of automated control systems at the Gubkin Russian State University of Oil and Gas. Without him I would never have become either a good specialist or a teacher. Special thanks for permission to use his teaching materials in my classes. I thank him for the deep and modern knowledge he gives. Seven years after my graduation, he must be hiccupping every time I once again remember his work with gratitude. I can only hope that someday I will be hiccupped over the same way.
- To my wife and children. My wife, for tolerating my late-night preparation sessions; the children, for motivating me to make sure that by the time they enter university there are good educational programmes.
Links
- Application source ;
- An image of a machine ready for testing . Extremely easy to deploy: start the machine and go to port 80. Login and password for testing: "ivanov", "1". I ask you to stay in the distribution for a while, since only my server on Google Compute Engine is seeding it, so it does not come down too quickly. It's nice that 11 people have already downloaded the image;
- My contact details, in case we have something to discuss.