My Uni Cyber Journey

My cybersecurity journey began in the third trimester of 2023 (UNSW) with COMP6841 (Extended Security Engineering and Cyber Security), a higher-level introductory course to the field. Intrigued by the complexity and challenges of cybersecurity, I pursued two more advanced yet rewarding cybersecurity courses: one in Web Security and the other in Binary Exploitation.

Below are my marks:

  • COMP6841 (Extended Security Engineering and Cyber Security): 79 DN
  • COMP6843 (Extended Web Application Security and Testing): 89 HD
  • COMP6447 (System and Software Security Assessment): 83 DN

Each of these courses has pushed me to tackle real-world projects that tested my understanding of security concepts. In this blog, I'll go through what I've learned in each course, the projects I've completed, and how these experiences have shaped my journey in cybersecurity.

COMP6841 (Extended Security Engineering and Cyber Security)

The course that started it all :D It is a higher-level introductory course to Security Engineering which covers Security analysis, cryptographic protocols, and key information security principles like confidentiality, integrity, and authentication. Two of my favourite things from this course were:

  1. The wide range of vulnerabilities and exploits we covered, including XSS, SQLi, buffer overflows, and format strings.
  2. Drawing from real-world case studies to address topics on intrusion detection, social engineering, and the fundamentals of risk and security.

Something Awesome Project

For this course, we were also required to undertake a security-related project of our choosing.

Project goal: To identify the domains within Cybersecurity which pique my interest through Wargame challenges, while developing my fundamental understanding of Security Engineering principles and technical skills.

Deliverables: Article guides on each technical domain I could explore, as well as documentation on my most insightful learning experience, and how my view on security engineering has shifted since the beginning of the course.

Check out the video below for an overview of my project!

COMP6843 (Extended Web Application Security and Testing)

By far the most time-consuming course I've ever done! It is a higher-level Web Application Security Course which involves tackling real-world vulnerabilities like XSS, SQL injection, CSRF, and SSRF. We also learned how to break and fix web apps, bypass misconfigurations (like in MFA!), and apply secure coding and testing practices.

Pentesting Reports

For this course, we were also required to conduct two penetration tests against the Uni-run Quoccabank domain. Each test went over five weeks, and was intended to simulate an attack against Quoccabank by a malicious actor.

Project goal: To evaluate the current security of Quoccabank as well as the severity of a security breach on:

  • Confidentiality and integrity of Quoccabank’s private data and that of its clients
  • Quoccabank’s sole administrative control over its information systems

Note: The attacks were made with the level of access available to an ordinary user.

For each vulnerability instance, we made use of the OWASP Risk Rating Methodology to estimate its severity based on various factors including Type of Threat Agents, Difficulty of Exploitation, and its Technical and Business Impacts. We also categorised each vulnerability instance under a CWE tag, and provided both exploitation and remediation instructions.

For these two reports, my group obtained marks of 100% and 99% respectively. Below is the general structure of our report:

COMP6447 (System and Software Security Assessment)

Time-consuming just like Web App Security >_< This course dives into cyber attack and defence of software at the low level, covering skills including source code auditing, fuzzing, memory corruption, and return-oriented programming. In this course, I've engaged in wargames and analysis of real-world case studies of vulnerabilities in widespread, complex software.

Fuzzer

For the course project, my team and I created a blackbox binary application input fuzzer called warm&fuzzies Fuzzer.

It is a mutation-based fuzzer designed to uncover vulnerabilities in ELF binaries by intelligently mutating valid input samples. It combines static analysis and probabilistic input type detection to guide tailored mutation strategies for formats like XML, JSON, PDF, and more. With the implementation of advanced features like coverage-based input selection and an in-memory reset harness, our fuzzer was relatively efficient, precise, and adaptable in uncovering vulnerabilities.
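The idea of scoring a sample's likely format and then choosing a matching mutation strategy can be sketched as below. This is an added example, not code from warm&fuzzies Fuzzer: the function names, the heuristic weights and the boundary values are assumptions, and only JSON gets a structure-aware mutator here, with every other format falling back to a bit flip.

```python
import json
import random
import xml.etree.ElementTree as ET

# Constructed boundary values that the structure-aware mutator swaps in.
BOUNDARY = [0, -1, 2**31, 2**63, "A" * 4096, None]

def detect_format(sample: bytes) -> dict:
    """Score each candidate format, normalised to sum to 1 (weights are assumed)."""
    text = sample.decode("utf-8", errors="replace").strip()
    scores = {"json": 0.0, "xml": 0.0, "csv": 0.0, "plaintext": 0.1}
    try:
        json.loads(text)
        scores["json"] = 1.0
    except ValueError:  # near miss: looks like JSON but does not parse
        scores["json"] = 0.3 if text.startswith(("{", "[")) else 0.0
    try:
        ET.fromstring(text)
        scores["xml"] = 1.0
    except ET.ParseError:
        scores["xml"] = 0.3 if text.startswith("<") else 0.0
    commas = [line.count(",") for line in text.splitlines()]
    if len(commas) > 1 and commas[0] > 0 and len(set(commas)) == 1:
        scores["csv"] = 0.8  # same column count on every row
    total = sum(scores.values())
    return {fmt: score / total for fmt, score in scores.items()}

def mutate_json(sample: bytes, rng: random.Random) -> bytes:
    """Swap one top-level value for a boundary value; output stays valid JSON."""
    doc = json.loads(sample)
    if isinstance(doc, dict) and doc:
        doc[rng.choice(sorted(doc))] = rng.choice(BOUNDARY)
    elif isinstance(doc, list) and doc:
        doc[rng.randrange(len(doc))] = rng.choice(BOUNDARY)
    else:
        doc = rng.choice(BOUNDARY)
    return json.dumps(doc).encode()

def flip_bit(sample: bytes, rng: random.Random) -> bytes:
    """Format-agnostic fallback: flip one random bit."""
    if not sample:
        return b"\x00"
    buf = bytearray(sample)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)

def mutate(sample: bytes, rng: random.Random) -> tuple:
    """Pick the mutator for the most likely format; return (format, mutant)."""
    scores = detect_format(sample)
    fmt = max(scores, key=scores.get)
    return fmt, {"json": mutate_json}.get(fmt, flip_bit)(sample, rng)
```

Keeping the mutant syntactically valid lets it pass the target's parser, so the mutated value reaches the logic behind it instead of being rejected at the first byte.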

For this project, we were able to achieve 94%!

Reflection

Although I had an incredibly fun and rewarding time in the above courses, it left me a little burnt out - coming in with little to no prior experience meant countless hours of independent study and testing. Despite this challenge, the excitement of breaking and securing software systems and web apps has only fueled my eagerness to keep exploring the cyberspace.