Skip to content
/ vulnerability-of-the-day Public
forked from votd/vulnerability-of-the-day

A pedagogically-curated collection of vulnerability demonstrations for undergraduate software engineering students.

7 stars 12 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

secure-software-engineering/vulnerability-of-the-day

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

75 Commits

.settings

.settings

 
 

cache-poisoning

cache-poisoning

 
 

compression-bomb

compression-bomb

 
 

format-string

format-string

 
 

hardcoded-credentials

hardcoded-credentials

 
 

hashing-salt

hashing-salt

 
 

integer-overflow

integer-overflow

 
 

log-neutralization

log-neutralization

 
 

log-overflow

log-overflow

 
 

nosql-injection

nosql-injection

 
 

open-redirect

open-redirect

 
 

os-command-injection

os-command-injection

 
 

path-traversal

path-traversal

 
 

prngs

prngs

 
 

reflection-abuse

reflection-abuse

 
 

sql-injection

sql-injection

 
 

stack-buffer-overflow

stack-buffer-overflow

 
 

toctou

toctou

 
 

xml-dtd

xml-dtd

 
 

.classpath

.classpath

 
 

.gitignore

.gitignore

 
 

.project

.project

 
 

README.markdown

README.markdown

 
 

build_votds

build_votds

 
 

wishlist.markdown

wishlist.markdown

 
 

Repository files navigation

Vulnerability of the Day

Vulnerability of the Day is a pedagogically-curated collection of vulnerability demonstrations for undergraduate software engineering students. The goal is to teach students how to avoid simple coding mistakes by providing concise code examples. Key characteristics are:

  • 10 minutes long or less
  • Can be understood by a third-year college student in a software engineering course
  • Socially-relevant examples
  • Can be run on a Linux console, using make
  • Simple, concise, but also not contrived.
  • Real-world CVEs (with source code patches linked) are a big plus

Code Formatting Guidelines

  • All source code must be "projector-friendly", meaning that the vast majority of the demo code should be readable at:
    • 90 characters wide
    • 48 lines long
  • Having the entire program be under 48 lines is not hard rule (e.g. import statements are not super important), but the instructor should be able to show the main body, including comments, on a 4:3 projector screen with 18 point Lucida Console font in Vim with line numbers set.

Building Demos

Each VotD must have a Makefile that can run on Linux, with the following targets make, make exploit, and make compile. The default is make exploit. Here's a skeleton Makefile:

# Sample Makefile for VotD

exploit: compile
	java BankAccount
	java GetPatient

compile: 
	javac *.java

The one exception are web-based vulnerabilities (e.g. XSS), which require different building guidelines (TBD)

Layout

a-votd/
    demos/ - code examples for each vulnerabilitiy 
    a-votd.html - webpage descriptions of each vulnerability. See www-template/README.markdown for more details
    notes.markdown - notes for instructors in each vulnerability
    compatibility.markdown - compatibility concerns for the vulnerability

VotD Build Script

Building Documentation

build_votds is a Python 2.7 build script that will automatically put together documentation and optionally zip up the examples of a selection of VotDs for distribution.

You can build the documentation for a individual VotD with this command:

build_votds www <source> <dest> VotDs...
  • is the directory in which the build script should look for the named vulnerabilities
  • is the directory where the script should output the documentation index.html

For example:

build_votds www . . integer-overflow buffer-overflow

The script will

  • look in the current directory for 'integer-overflow' and 'buffer-overflow'
  • Generate a combined documentation page for those two vulnerabiltiies
  • Output the documentation to index.html in the current directory.

Adding Another VotD to an Existing Index.html

You can use the 'add' parameter to build_votds to append documentation for additional VotDs to an existing index.html. Simply run:

build_votds add <source> <dest> VotDs...
  • is the directory in which the build script should look for the named vulnerabilities
  • is the directory where the script should look for the existing documentation index.html

Note that if an index.html does not exist at the target location, the script will create one for you as if you ran build_votds with the 'new' parameter.

Building a Distributable Zip

You can use the 'zip' parameter to build_votds to create a distributable zip archive containing examples and documentation for chosen VotDs.

build_votds zip <source> <dest> VotDs...
  • is the directory in which the build script should look for the named vulnerabilities
  • is the directory where the script should output votds.zip, containing the chosen examples.

The script will build a documentation file for the selected vulnerabilities if one doesn't already exist, and then zip up the examples and instructors' notes along with them.

Creating a new VotD

If you would like to add a new vulnerability, you can use build_votds to create the directory skeleton and documentation template for you. To do so, call build_votds with the 'new' parameter and the name of the new exploit.

build_votds new <source> <dest> <vulnerability-name>
  • is the directory containing the `www-template` directory
  • is the directory where the script should output the new VotD's directory

About

A pedagogically-curated collection of vulnerability demonstrations for undergraduate software engineering students.

Resources

Readme
Activity
Custom properties

Stars

7 stars

Watchers

7 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Java 53.0%
  • Makefile 18.8%
  • Ruby 9.0%
  • Python 7.8%
  • C 7.6%
  • HTML 2.2%
  • Other 1.6%