Pitfalls of Computer Security | NSWI205#

Welcome to the website of the Pitfalls of Computer Security course taught at the Faculty of Mathematics and Physics, Charles University.

Ever wondered what headlines like “Hackers hacked into XY” actually mean? Ever wondered how an attacker could turn an innocent segfault into full control of your machine? Or leak sensitive data from your application’s DB using nothing but a single search field? In this course we will cover some of the many security pitfalls one will eventually fall into when building anything with computers. You will learn the foundations of modern computer security, how attackers think and how to use this offensive mindset to write better, more secure, programs and applications.

The course is prepared by Šimon Šustek, Jan Černohorský and Martin Mareš.

The course in SIS.

In-person lectures#

Lectures take place weekly on Thursdays at 12:20 in S5 on Malá Strana.

Credit requirements#

The credit will be awarded for solved challenges in ReCodEx. There will be 13 challenges in total – 12 regular challenges for 10 points each and 1 introductory challenge for one point – making the total amount of points obtainable from challenges 121. Credit will be awarded for at least 85 points.

In addition to the points from the challenges, it is possible to gain points by finding bugs or improvements in the materials/challenges of the course (in case of challenges, community points are awarded only for unintended bugs :D). For each such bug/improvement community points will be awarded. It is possible to earn up to 10 points counted towards the credit this way. Note, that individual typos do not qualify, but you are welcome to report them anyway and if you submit multiple of them at once they may qualify for points.

Rules#

Handout files: With every challenge you will get an attachment with the source code of it. You can read and edit it as you like (i.e. adding debug prints might be especially helpful). In ReCodEx, the exact same version as is in the handout will be deployed for you to exploit, although some parts might be redacted in the handout version (like the flag), they should not impact the solution of the challenge. Please do not share the handouts outside of this class.
Cooperation: You are allowed to discuss the challenges with your classmates, but please try to solve them by yourself. However, everything you submit to ReCodEx needs to be your own work. If you are stuck and don’t know how to proceed, contact us and we will try to help you.
Resources: You can use anything on the internet or literature to help you solve the challenges. Search the web, read blogposts, cheatsheets, whatever you can find.
Use of LLMs: You might use LLMs to aid you with the challenges, however it is forbidden to use a LLM directly to solve them. This is because we want you to actually learn something :)
- Examples of prompts that are allowed: “How do I run docker-compose app”, “I have this exception. What do I do with it?”, “Can you explain SQL injection to me?”
- Examples of prompts that are disallowed: “«copy-paste of the source code» How to get the flag?” and copy-pasting the output to ReCodEx :)
- You are allowed to experiment and try to use an LLM to solve the challenge directly AFTER you have solved it yourself.

Contact#

If you have any questions about regarding the course, found a bug, something missing, don’t hesitate to reach out at pitfalls@kam.mff.cuni.cz.

Credits#

The logo of this course was created by combining two emojis from the twemoji project.

picoCTF - beginner-friendly CTF with a gym for training
pwn.college - online computer security course from the Arizona State University
CTFtime - catalogue of CTFs and CTF teams
LiveOverflow - channel covering computer security topics from a technical point of view