The Official Course Outline now lives in ECOS.

ECOS is UNSW's Enterprise Course Outline Solution.


Course Information

Overview

The course is broken down into several topics:

  • Week 1: Reconnaissance
  • Week 2: Authentication & Authorisation
  • Week 3: Authentication & Authorisation
  • Week 4: SQLi
  • Week 5: Server-side attacks
  • Week 7: XSS
  • Week 8: Client-Side attacks
  • Week 9: DevSecOps
  • Week 10: Advanced topics and further studies


Course schedule

See the course schedule on the timetable page.


Backstory

This year the course is based around a fictional organisation known as QuoccaBank. Much of the course work and assessment will be based around this organisation.


Assessment Breakdown

The assessment breakdown will be as follows:

  • Topic Challenges: 10%
  • Written reports: 40% (2 x 20%)
  • Final Exam: 50%

The details of each of these can be seen in the sections below.


Coursework Assessments

Topic Challenges: At the end of each topic there will be a series of technical challenges to be completed. These are completed by discovering flags (random-looking strings matching COMP6443{\w+}, unless otherwise specified) by interacting with, and crafting malformed requests to, websites on our challenge platform, *.quoccabank.com.

You are encouraged to work in groups (formed in your first tutorial) to complete the challenges, but each student must submit their own flags and is marked separately. Flags are submitted to ctfd.quoccabank.com (after you have completed the getting started guide).

Please keep a personal copy of the flags you have found in case the server crashes (although this is highly unlikely to happen).

Written reports: Twice in the trimester a written report is to be submitted on your findings against QuoccaBank. This work is to be conducted in groups of 3-4, and the report is assessed as a group. It is submitted via CSE's Moodle.


Exams

There will be a final exam. More detail will be provided at a later date on the exam page.

In addition, there will be two self assessments to show where you are relative to the expectations of the course. These will be marked, but are not worth a percentage of the final grade; they exist solely to show how you are doing and to point out any gaps in knowledge you may want to focus on. The two self assessments will be in week 2, just before census, and again in week 5.


Industry Participation

Web Application Security and Testing is unusual in that it is one of the few courses at UNSW with heavy industry involvement. All of the extended lecturers are professionals working in the security industry. Several tutorials have been partnered with an industry tutor or are conducted by a tutor who is currently working in the industry. The intent is to give you as realistic an experience of cybersecurity as possible, to better prepare you for work in the industry. Many of the industry partners have volunteered their time and spend many weeks preparing. Please be courteous, polite, and thank them for their time.


Tutorials

Tutorials are included in this course to assist with your learning. These sessions function like workshops, with some time allocated to going over the content and class discussion, and the rest allocated to working on your weekly challenges in your working groups. Unlike previous tutorials you may have experienced at the university, there is a heavy focus on collaboration and peer learning. You are encouraged to show your findings to your fellow students, engage in discussion, and interact with each other.

A schedule of tutorials can be found on the timetable page.


Scope

You have been granted permission to perform penetration testing on *.quoccabank.com during the course.

Passive reconnaissance and research is permitted outside *.quoccabank.com but the Good Faith Policy still applies.

This does not permit any sort of physical attack, social engineering of course staff members or fellow students, or any kind of Denial of Service attack on our infrastructure. For any targets outside this scope, we do not have the authority to grant you permission to attack them. Under no circumstances may you attack UNSW infrastructure (*.unsw.edu.au).
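The two practical points on this page that are easy to get wrong are the scope boundary (*.quoccabank.com in, *.unsw.edu.au and everything else out) and keeping a personal copy of the flags you find. The helper below, an added example that is not part of the course material or the challenge platform, checks a target URL against that scope before you touch it and extracts flags matching the page's default COMP6443{\w+} pattern into a local JSON file. The suffix lists, the JSON store, the sample response body and all function names are assumptions for the example; the only facts taken from the page are the scope rules and the flag format.

```python
"""Scope check and flag bookkeeping for the COMP6443 topic challenges.

Added example (not course code).  Facts from the course page: targets under
*.quoccabank.com are in scope, *.unsw.edu.au is never to be attacked, and
flags look like COMP6443{\\w+}.  Everything else here is an assumption.
"""
import json
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Assumed representation of the page's scope rules.
IN_SCOPE_SUFFIXES = ("quoccabank.com",)
FORBIDDEN_SUFFIXES = ("unsw.edu.au",)

# Default flag format from the course page.
FLAG_RE = re.compile(r"COMP6443\{\w+\}")

# Constructed sample response body (not a real challenge page).  It contains a
# flag hidden in an HTML comment, the same flag repeated, two strings that look
# like flags but do not match the format, and a second real flag.
SAMPLE_BODY = (
    "<html><body>Welcome to QuoccaBank.\n"
    "<!-- COMP6443{r3c0n_1s_fun} -->\n"
    "<p>Your flag: COMP6443{r3c0n_1s_fun}</p>\n"
    "<p>COMP6443{} and COMP6443{not a flag} do not count</p>\n"
    "<p>COMP6443{s3c0nd_fl4g}</p></body></html>"
)


def _host_matches(host: str, suffix: str) -> bool:
    """True if host is `suffix` itself or a subdomain of it.

    A bare endswith() is the classic mistake: "notquoccabank.com" ends with
    "quoccabank.com" but is someone else's domain.  Matching on a label
    boundary ("." + suffix) avoids that, and "quoccabank.com.evil.example"
    fails both tests as it should.
    """
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def in_scope(url: str) -> bool:
    """Return True only if the URL's host is inside the permitted scope."""
    host = urlsplit(url).hostname or ""
    if any(_host_matches(host, s) for s in FORBIDDEN_SUFFIXES):
        return False
    return any(_host_matches(host, s) for s in IN_SCOPE_SUFFIXES)


def extract_flags(body: str) -> list[str]:
    """Return the unique flags in a response body, in first-seen order."""
    return list(dict.fromkeys(FLAG_RE.findall(body)))


def record_flags(flags, store: Path) -> list[str]:
    """Merge flags into a local JSON file and return everything saved so far."""
    saved = json.loads(store.read_text()) if store.exists() else []
    merged = list(dict.fromkeys(saved + list(flags)))
    store.write_text(json.dumps(merged, indent=2))
    return merged


def run_demo() -> list[str]:
    """Extract flags from the sample body and save them twice to show that the
    store deduplicates across sessions.  Returns the final saved list."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "flags.json"
        found = extract_flags(SAMPLE_BODY)
        record_flags(found, store)          # first session
        return record_flags(found, store)   # second session: no duplicates


if __name__ == "__main__":
    for url in ("https://challenge.quoccabank.com/login",
                "https://notquoccabank.com/",
                "https://cse.unsw.edu.au/"):
        print(f"{'in scope ' if in_scope(url) else 'OUT OF SCOPE'}  {url}")
    print("saved flags:", run_demo())
```

Call in_scope() before any request your tooling sends, and keep the JSON store somewhere outside the challenge VM so the copy survives a crash.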

Resource created Tuesday 30 January 2024, 11:20:46 AM, last modified Wednesday 14 February 2024, 06:49:08 PM.



COMP6443/COMP6843 24T1 (Web Application Security) is powered by WebCMS3
CRICOS Provider No. 00098G