Follow the partner policy.
For this assignment, you're going to make a short video explaining a web security topic.
You'll focus in particular on how your topic works.
Possible topics
These topics all involve web security. Some of them are attacks and some of them are
security tools intended to thwart attacks.
Do not do SQL Injection or Stored Cross-Site Scripting, since I have already
provided you with videos on those topics.
Here are some possible web-related attack topics
- Distributed Denial of Service attacks (DDoS)
- Cross-Site Request Forgery (CSRF or XSRF)
- Reflected Cross-Site Scripting (this is related to but not identical to
Stored XSS, and introduces some social engineering not
required for Stored XSS).
- Tabnabbing
- target="_blank" attack
- Watering Hole attacks
- Domain Fronting (Is this an attack? Sort of. Wikipedia describes it as
"a technique for Internet censorship circumvention".)
- Some other attack of your choosing. (If you do this, you must
get clearance from me first.)
Here are some possible web-related defense topics. For these, you'll focus
on "what is it for?", "what attacks is it intended to thwart?", and "how does it work?"
Note that almost all of these are quite complicated, so you'll probably want to select
a sub-topic if you pick one of these.
- Encrypted Client Hello in TLS 1.3
- DNSSec
- OAuth (you might find the
vulnerabilities described here helpful for narrowing this topic)
- Kerberos
- Single Sign-On (SSO)
- Some other defense of your choosing. (If you do this, you must
get clearance from me first.)
What to hand in
- Once you have chosen a topic, please post your names and topic in the #general channel on Slack.
- Post your video somewhere. Make it public for carleton.edu people (or, if you prefer,
completely public). If you need help sorting this out, let me know.
- Post a link to your video in the #general channel on Slack.
- Make sure your video includes text near the beginning showing all partners' names.
A little advice
- Picking your topic: The defense topics (with the exception of Encrypted Client Hello)
are much more complicated than the attack topics. So if time is tight for you this week, consider
going with an attack.
- Understanding your topic: You simply can't do this assignment
effectively without understanding your topic in detail. So
make sure to start by studying your topic thoroughly and making sure you have figured out how it works.
(In fact, the main point of this exercise is to give you practice learning a security topic
on your own.)
- Keep your video short, on the order of 5 to 15 minutes.
- Keep it simple. A little introduction and context is valuable at the beginning,
but go as quickly as you can to the "how does it work" part of your video.
- You are not required to include a demo. You may do a demo, but keep in mind
that demos can be quite difficult to set up. For example, for both of my videos linked below,
prepping the demo took about 75% of the time I spent creating the video.
- Examples. You can look at my two recent videos as
long versions of the type of thing I'm after:
- Tone of the video. You can play it completely straight or you can
try to make it fun—either approach can be great. If you include humor,
please keep it clean and don't make jokes at anybody's expense.
Be creative, figure things out, ask questions, and have fun!