Week03

Feedback

less/same/more yapping?

Report

Key things:

  • Report Groups
  • Format
  • Due date + submission

Important Parts

  • LINKED TABLE OF CONTENTS
  • Linked appendix for:
    • verbose definitions
    • screenshots
    • code
    • long payloads
  • Should address the vulnerability, not the flag
  • Memes only outside of content

Lectures

This is the law, watch.

Examples

Content

  • PKI
    • Certificates
    • Trust
  • HSTS
  • Authentication
    • MFA
    • TOTP
    • SSO + OAuth + SAML (Extended)
  • Secrets

PKI

Public Key Infrastructure

  • Used to establish who someone is, or who owns something
  • Uses Certificates
  • Based on trust

Certificates

  • TLS (and mTLS)
  • Certificate Authorities (CA)
    • CA issues certs
    • CAs sign certs with their root cert's private key
    • Root certs are stored in OS/Browsers
  • Trust
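Added example (not part of the slides): a small Go program that builds exactly the chain the bullets describe. A root CA signs itself, the root's private key then signs a server (leaf) cert, and a verifier only accepts the leaf when the root sits in its trust store, which is the role the OS/browser root store plays. The CA name, the hostname www.example.test and the keys are all generated in-process and are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed root CA and one leaf certificate signed by it.
// Names and keys are generated here purely for illustration.
type PKI struct {
	Root    *x509.Certificate
	RootKey *ecdsa.PrivateKey
	Leaf    *x509.Certificate
}

// BuildPKI creates a self-signed root CA, then uses the root's private key
// to sign a server certificate for the hypothetical host www.example.test.
func BuildPKI() (*PKI, error) {
	now := time.Now()

	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Parent == template: the root signs itself.
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Parent is the root certificate and the signing key is the root's
	// private key: this is what "the CA issues the cert" means in practice.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, RootKey: rootKey, Leaf: leaf}, nil
}

// VerifyLeaf does what a browser does: build a chain from the presented
// certificate to a root in the trust store, and check the name matches.
// A nil return means the chain was accepted.
func VerifyLeaf(leaf *x509.Certificate, trustStore *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trustStore,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(p.Root)
	fmt.Println("root in store, name matches:", VerifyLeaf(p.Leaf, trusted, "www.example.test"))
	fmt.Println("root NOT in store:          ", VerifyLeaf(p.Leaf, x509.NewCertPool(), "www.example.test"))
	fmt.Println("root in store, wrong name:  ", VerifyLeaf(p.Leaf, trusted, "login.example.test"))
}
```

The second and third calls fail for different reasons: with an empty pool the signature is valid but the signer is unknown (no trust), and with the wrong hostname the chain is fine but the cert was not issued for that name. Both are things a browser checks before showing the padlock.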

HSTS

HTTP Strict Transport Security

  • Prevents MITM via downgrade to plain HTTP
  • Policy enforced by browsers
  • Common on financial and (some) govt. sites
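Added example (not part of the slides): Go code that models the browser side of HSTS. ParseHSTS reads a Strict-Transport-Security header the way RFC 6797 requires (max-age mandatory, directives case-insensitive, duplicates invalid), and HSTSStore remembers hosts so later http:// requests get rewritten to https:// before any plaintext leaves the machine, which is what stops the downgrade. The host bank.example and the header values are constructed for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// HSTSPolicy is the parsed form of one Strict-Transport-Security header.
type HSTSPolicy struct {
	MaxAge            int64 // seconds the policy stays in force
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a header value such as "max-age=31536000; includeSubDomains".
// It returns ok=false when the header is invalid, in which case a browser ignores it.
func ParseHSTS(value string) (HSTSPolicy, bool) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		if d == "" {
			continue
		}
		name, val, hasVal := strings.Cut(d, "=")
		name = strings.ToLower(strings.TrimSpace(name))
		val = strings.Trim(strings.TrimSpace(val), `"`)
		switch name {
		case "max-age":
			n, err := strconv.ParseInt(val, 10, 64)
			if !hasVal || seenMaxAge || err != nil || n < 0 {
				return HSTSPolicy{}, false // missing value, duplicate, or not a number
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		default:
			// unknown directives are ignored, as the RFC requires
		}
	}
	if !seenMaxAge {
		return HSTSPolicy{}, false
	}
	return p, true
}

type hstsEntry struct {
	expires    time.Time
	subdomains bool
}

// HSTSStore is the browser's list of known HSTS hosts.
type HSTSStore struct{ hosts map[string]hstsEntry }

func NewHSTSStore() *HSTSStore { return &HSTSStore{hosts: map[string]hstsEntry{}} }

// Remember records a policy seen on a response that arrived over a valid TLS
// connection (a browser must ignore the header on plain HTTP). max-age=0 removes the host.
func (s *HSTSStore) Remember(host, header string, now time.Time) bool {
	p, ok := ParseHSTS(header)
	if !ok {
		return false
	}
	host = strings.ToLower(host)
	if p.MaxAge == 0 {
		delete(s.hosts, host)
		return true
	}
	s.hosts[host] = hstsEntry{
		expires:    now.Add(time.Duration(p.MaxAge) * time.Second),
		subdomains: p.IncludeSubDomains,
	}
	return true
}

// Upgrade rewrites an http:// URL to https:// when the host, or a parent
// domain that set includeSubDomains, has an unexpired policy.
func (s *HSTSStore) Upgrade(rawURL string, now time.Time) (string, bool) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "http" {
		return rawURL, false
	}
	labels := strings.Split(strings.ToLower(u.Hostname()), ".")
	for i := range labels {
		e, ok := s.hosts[strings.Join(labels[i:], ".")]
		if !ok || !now.Before(e.expires) {
			continue
		}
		if i == 0 || e.subdomains {
			u.Scheme = "https"
			if u.Port() == "80" {
				u.Host = u.Hostname() // explicit :80 becomes the https default port
			}
			return u.String(), true
		}
	}
	return rawURL, false
}

func main() {
	now := time.Now()
	s := NewHSTSStore()
	s.Remember("bank.example", "max-age=31536000; includeSubDomains; preload", now)
	fmt.Println(s.Upgrade("http://bank.example/login", now))
	fmt.Println(s.Upgrade("http://api.bank.example/", now))
}
```

Two things the model makes visible: the very first visit is still unprotected unless the site is on the preload list, and a site that sets max-age=0 silently removes its own protection.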

AuthN 2.0

MFA

Multi-factor Authentication

  • Requiring multiple factors
    • Know
    • Have
    • Are
  • Avoid requiring two factors of the same type

TOTP

Time-based One-Time Password
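Added example (not part of the slides): the TOTP algorithm in Go, built from HOTP (RFC 4226) with the counter replaced by the current 30-second time step (RFC 6238), plus a verifier that tolerates one step of clock skew and compares codes in constant time. The secret "12345678901234567890" is the test-vector key from the RFCs, used here so the output can be checked against the published vectors; it is not a secret anyone should reuse.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP computes an RFC 4226 code: HMAC-SHA1 over the 8-byte big-endian
// counter, dynamic truncation to 31 bits, then reduced to `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	h := mac.Sum(nil)

	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code) // keep leading zeros
}

// TOTP is HOTP with counter = floor(unixTime / step), per RFC 6238.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	counter := uint64(at.Unix()) / uint64(step.Seconds())
	return HOTP(secret, counter, digits)
}

// VerifyTOTP accepts a submitted code for the current step and up to `skew`
// steps either side, so a phone whose clock drifts by a few seconds still works.
// All candidates are checked (no early return) and compared in constant time.
func VerifyTOTP(secret []byte, submitted string, at time.Time, step time.Duration, digits, skew int) bool {
	counter := at.Unix() / int64(step.Seconds())
	ok := false
	for d := -skew; d <= skew; d++ {
		c := counter + int64(d)
		if c < 0 {
			continue
		}
		expected := HOTP(secret, uint64(c), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// RFC 4226 / RFC 6238 test-vector key (ASCII), not a real secret.
	secret := []byte("12345678901234567890")
	fmt.Println("HOTP counter 0:", HOTP(secret, 0, 6))
	fmt.Println("TOTP at t=59:  ", TOTP(secret, time.Unix(59, 0), 30*time.Second, 8))
	fmt.Println("now:           ", TOTP(secret, time.Now(), 30*time.Second, 6))
}
```

A real server would additionally record the last accepted counter per user and refuse anything at or below it, so a code captured during its 30-second window cannot be replayed.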

SSO + SAML + OAuth

  • Single Sign On
  • Security Assertion Markup Language
    • Authentication
  • OAuth 2.0
    • Authorisation
  • Useful Link