Ethics Policy

This course expects a high standard of professionalism from its students with regard to how Web Application Security Testing is conducted. We expect all students to act in good faith at all times, including but not limited to:

  • Respect the property of others and the university
  • Always abide by the law and university regulations
  • Be considerate of others to ensure everyone has an equal learning experience
  • Always check that you have written permission (see scope below) before performing a security test on a system

Your actions speak volumes. It is our responsibility to uphold the reputation of the course, the course staff, fellow students, the school, the university and the ICT profession. If you are unsure whether your actions may violate this policy, ask the course staff for guidance.

Failure to adhere to this policy may result in an academic penalty.

Scope

As a student of this course, you have this written permission to attack *.quoccacorp.com, with the following exceptions:

  • CTFd (ctfd.quoccacorp.com)
  • The lecture questions page (questions.quoccacorp.com)
  • Internal services (*.internal.quoccacorp.com)
  • The exam pages, once they become available (midterm.quoccacorp.com, final.quoccacorp.com)
    • The exam challenges (*.midterm.quoccacorp.com, *.final.quoccacorp.com) are not included in this exception and are therefore within scope.
  • All Denial of Service (DoS) attacks and similar attacks that cause significant downtime.
  • The use of sqlmap (an automated SQL injection tool).
  • Use of another student's mTLS certificate.
  • All UNSW infrastructure (*.unsw.edu.au)

When exploiting challenges, avoid exploits that will break them, so that other students have the opportunity to solve them. This is especially important during exams. An example of this is deliberately running a 'drop table' command via SQL injection during an exam. Deliberately breaking challenges without regard for others' learning may result in an academic penalty.

This all said, if you think you've found an interesting vulnerability or exploit that would affect any of these exceptions, including causing downtime, feel free to ask after a lecture or during Hamish's tute (W18B) and chances are we'll let you. We just need to know it's happening beforehand so we can quickly fix it afterwards!

This scope does not allow you to do any sort of physical attacks or social engineering on any of the course staff members or your fellow students. For any targets outside this scope, we do not have the authority to give you attacking permission. Under no circumstances can you attack UNSW infrastructure (*.unsw.edu.au).

If you are unsure, ask the course staff for guidance.

Resource created 5 months ago, last modified 4 months ago.

COMP6443/COMP6843 25T1 (Web Application Security) is powered by WebCMS3
CRICOS Provider No. 00098G