The homework for this section is related to vulnerability disclosure and attempts to get students to think about the larger picture of how vulnerabilities are used in a modern context. To that end, students must answer the following questions about a hypothetical vulnerability they have identified in a real application.
- For what reasons would you want to post details of the vulnerability on the internet, either without notifying the vendor or before they were able to issue a patch?
- For what reasons would you want to notify the vendor and refuse to release public details of the vulnerability until either the patch is released or some time afterward?
- Identify a previously reported vulnerability in the application you picked and describe who found it, how it was reported, and a timeline of major events about it.
- How does this vendor accept reports of vulnerability information? What is their established process for dealing with vulnerabilities (if any)?
- My slides and Jon Cran's slides from ISU
- Intro videos about intrusions performed via web application and client-side flaws
The demo from this presentation is documented in the blog entries, Patching and Hooking Students.
This is the intro material I recorded for the Fall 2008/Spring 2009 class.