Skip to content
/ vulnerability-of-the-day Public

A pedagogically-curated collection of vulnerability demonstrations for undergraduate software engineering students

www.se.rit.edu/~se331/
7 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

andymeneely/vulnerability-of-the-day

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits

format-string/demo

format-string/demo

 
 

hardcoded-credentials/demo

hardcoded-credentials/demo

 
 

hashing-salt/demo

hashing-salt/demo

 
 

integer-overflow

integer-overflow

 
 

log-neutralization/demo

log-neutralization/demo

 
 

log-overflow/demo

log-overflow/demo

 
 

open-redirect/demo

open-redirect/demo

 
 

os-command-injection/demo

os-command-injection/demo

 
 

path-traversal/demo

path-traversal/demo

 
 

prngs/demo

prngs/demo

 
 

reflection-abuse/demo

reflection-abuse/demo

 
 

sql-injection/demo

sql-injection/demo

 
 

stack-buffer-overflow-return-pointer/demo

stack-buffer-overflow-return-pointer/demo

 
 

stack-buffer-overflow

stack-buffer-overflow

 
 

www-template

www-template

 
 

xml-dtd/demo

xml-dtd/demo

 
 

.classpath

.classpath

 
 

.gitignore

.gitignore

 
 

.project

.project

 
 

README.markdown

README.markdown

 
 

Repository files navigation

Vulnerability of the Day

Vulnerability of the Day is a pedagogically-curated collection of vulnerability demonstrations for undergraduate software engineering students. The goal is to teach students how to avoid simple coding mistakes by providing concise code examples. Key characteristics are:

  • 10 minutes long or less
  • Can be understood by a third-year college student in a software engineering course
  • Socially-relevant examples
  • Can be run on a Linux console, using make
  • Simple, concise, but also not contrived.
  • Real-world CVEs (with source code patches linked) are a big plus

Code Formatting Guidelines

  • All source code must be "projector-friendly", meaning that the vast majority of the demo code should be readable at:
    • 90 characters wide
    • 48 lines long
  • Having the entire program be under 48 lines is not hard rule (e.g. import statements are not super important), but the instructor should be able to show the main body, including comments, on a 4:3 projector screen with 18 point Lucida Console font in Vim with line numbers set.

Building Demos

Each VotD must have a Makefile that can run on Linux, with the following targets make, make exploit, and make compile. The default is make exploit. Here's a skeleton Makefile:

# Sample Makefile for VotD

exploit: compile
	java BankAccount
	java GetPatient

compile: 
	javac *.java

The one exception are web-based vulnerabilities (e.g. XSS), which require different building guidelines (TBD)

Layout

a-votd-dir/
    www/ - webpage descriptions of each vulnerability. See the www/Readme.markdown for more details
    demos/ - code examples for each vulnerabilitiy 
    instructors/ - notes for instructors in each vulnerability

Building an Individual VotD

Details are TBD, but here's what I'm thinking. Sometimes a prof might want to just demo one VotD to the class. So they might do something like:

make integer-overflow

and it:

  • Copies the code sample
  • Makes an individual webpage for that VotD
  • Optionally copies the instructor notes
  • Zips it up and the webpage links to the zip

Or, maybe:

make website votds.txt

and it reads the text file for the votds, builds the webpage, and copies instructor notes for each day.

And, maybe:

make new a-new-votd

and that makes a new set of directories for a votd

About

A pedagogically-curated collection of vulnerability demonstrations for undergraduate software engineering students

www.se.rit.edu/~se331/

Resources

Readme
Activity

Stars

7 stars

Watchers

5 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages