
HackIt!-Framework

Bachelor Thesis
Florian Kerber

Background

HackIts are short security challenges, often web-based. Their purpose is to raise awareness of common security issues by demonstrating different intrusion possibilities in today's computer systems. While solving the challenges of this framework, the user is confronted with common security problems, for example those that occur in modern web development such as SQL injection or cross-site scripting. Beginners in particular tend to forget, or do not know about, the necessity of sanitizing user input and therefore often end up frustrated after their work has been destroyed by intruders. Secure software and cautious use of current electronic media will also reduce information leakage through industrial espionage as well as other security incidents. Knowing the attack vectors, users will spot these flaws in their own software or behaviour more easily and make it harder to misuse their systems.

After finishing the provided challenges, the user should be able to distinguish between legitimate and phishing mail, identify security vulnerabilities in source code, and have developed a keen sense for security problems in today's software.

Aim

As the majority of Internet users primarily demand convenience and usability from their software, these criteria are the main focus of today's developers, while security has moved into the background. To raise awareness of the growing importance of security during software development and Internet usage, the HackIt!-Framework developed in this thesis puts its audience in the attacker's perspective and teaches them how to identify and counter common security vulnerabilities.

Scenarios

The content of the HackIt!-Framework is intended for software developers who are not yet familiar with the concepts of computer and information security. By confronting them with common mistakes and the risks that arise from them, they are sensitized to avoid these mistakes in their future work.

As Internet users are getting younger, young students are a potential attack target and therefore also a candidate audience for this framework, using it to learn about the responsible handling of their personal data.

Possible users of the framework include the participants of InfoSphere, which introduces young students to the world of informatics, as well as the WebTech lecture, where it can accompany the exercises.

Features

The HackIt!-Framework provides its users with a full-fledged modular framework for creating, modifying, and supervising HackIt-based security challenges. It ships with an extensive administration panel that allows the lecturer to assemble a customized set of challenges via drag and drop. The challenge modules are categorized by type (JavaScript, MySQL, XSS, ...), difficulty, and the estimated time required to solve them. Additionally, users can request hints and tips for a challenge, which, depending on the administrative settings, may or may not incur a scoring penalty. Optionally, the administrator can enable a high score for a challenge set, allowing users to view the progress of their classmates and creating a motivation boost through competitive gameplay.

Challenge Types

All challenges are categorized by type, providing a clear overview and the possibility to easily mix challenge sets. Basic, realistic, and review challenges make up the bulk of the available challenges, whereas only a few advanced challenges exist.

  • Basic: These challenges contain simple plain-JavaScript challenges and are mostly used to warm up and give the user a basic understanding of JavaScript password checks.
  • Realistic: Realistic challenges confront the user with real-world problems of today's software. These include, but are not limited to, SQL injection and cross-site scripting due to missing input sanitization, as well as .htaccess security and weak or commonly used passwords. Some missions also focus on distinguishing legitimate from phishing mail.
  • Review: In these challenges, the user is confronted with the source code of a particular security feature and is responsible for finding the vulnerability or problem in it.
  • Advanced: These challenges require SSH key breaking, reverse engineering of self-modifying executables, custom hash breaking, and/or deep domain knowledge; they should not be used for common school exercises, or at least be marked as optional. There are only a few challenges of this type, intended for participants who have already solved everything else.

Supervisor


Created by holz. Last Modification: Sunday, 16. September 2012 13:19:24 by Kerber.