This document is a set of exercises, including social engineering ones. They are meant to trigger ideas and exercise your imagination so that you get better at security.
Web and Mobile Security Workshop Workbook v1 - by Santhosh Tuppad
WEB AND MOBILE SECURITY WORKSHOP BY SANTHOSH TUPPAD
SECURITY WORKSHOP WORKBOOK
Twitter: https://twitter.com/santhoshst/
LinkedIn: https://www.linkedin.com/in/santhosh-tuppad-338b7412/
These exercises are crafted only for the participants of the workshop by Santhosh Tuppad.
Kindly do not redistribute them without permission.
#SE01 → Your enemy lives in a different country and you want to spy on all
his activities on his computer.
More context:
// He connects to the internet to check his email
// He uses the free edition of an anti-virus product
// He is attracted to piracy and porn
Write down your approach, or your thoughts, on gaining access to every
bit of data on his computer.
#SE02 → You want to learn the IP address of a target, and you need to learn
it without the target's knowledge.
More context:
// The target is active on a social media platform: Twitter
// The target likes freebies
#SE03 → You need to get into the physical premises of a multinational
company. The entrance is staffed by a security guard; if you get past him
through social engineering, you can accomplish your goal. What are your ideas
for getting past the security guard?
#EX01 → Your job is to help the customer choose security questions. List
5 good security questions and 5 bad security questions.
#EX02 → Identify the possible threats in your company. These can be
notorious developers, rogue insiders, employees who hold a grudge, and so on.
Also list the reasons why you think each of them is a threat to your company.
In short, identify the threat agents and what drives them (threat drivers).
#EX03 → Passive Reconnaissance → You have been assigned the task of
gathering information, by passive recon only (public sources, no traffic
sent to the target itself), about http://tuppad.com/
Gather as much information as you can and list the highlights of
your exploration.
#EX04 → Develop a functional design / algorithm for the forgot password feature
of a web application. Your goal is to help the customer achieve a secure-enough
forgot password feature.
More context:
// application type: food delivery / ecommerce
// the email address is used as the username
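As an added worked example (not part of the workbook and not the author's design), here is one way the forgot-password algorithm can be written for an ecommerce site where the email address is the username. The class name PasswordResetService, the in-memory stores, the outbox, the https://example.test link and the 15-minute / 3-per-hour limits are all assumptions made for illustration.

```python
"""Forgot-password flow, illustrative example (names, limits and the link host are assumed).

Properties demonstrated:
  * identical reply whether or not the email is registered (no account enumeration)
  * random, single-use, short-lived token; only its hash is stored
  * per-account request throttling
  * completing a reset invalidates older tokens and every existing session
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60       # reset links die after 15 minutes (assumed policy)
MAX_REQUESTS_PER_HOUR = 3         # per-account request throttle (assumed policy)
GENERIC_MESSAGE = "If that e-mail address is registered, a reset link has been sent."


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random per-user salt; stdlib only so the example is self-contained."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def token_fingerprint(token: str) -> str:
    """Store only a hash of the token, so a leaked reset table holds nothing usable."""
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users: dict[str, dict] = {}                 # email -> {"salt", "pw_hash", "sessions"}
        self.tokens: dict[str, dict] = {}                # fingerprint -> {"email", "expires", "used"}
        self.request_log: dict[str, list[float]] = {}    # email -> timestamps of reset requests
        self.outbox: list[tuple[str, str]] = []          # (email, link) that would be e-mailed

    def register(self, email: str, password: str) -> None:
        salt, pw_hash = hash_password(password)
        self.users[email.lower()] = {"salt": salt, "pw_hash": pw_hash, "sessions": {"session-1"}}

    def request_reset(self, email: str) -> str:
        """Step 1: the email is submitted. The reply is identical whether or not it is registered."""
        email = email.lower()
        now = self.clock()
        recent = [t for t in self.request_log.get(email, []) if now - t < 3600]
        self.request_log[email] = recent + [now]
        if email in self.users and len(recent) < MAX_REQUESTS_PER_HOUR:
            for entry in self.tokens.values():            # only one live token per account
                if entry["email"] == email:
                    entry["used"] = True
            token = secrets.token_urlsafe(32)             # 256 random bits from the CSPRNG
            self.tokens[token_fingerprint(token)] = {
                "email": email, "expires": now + TOKEN_TTL_SECONDS, "used": False}
            self.outbox.append((email, f"https://example.test/reset?token={token}"))
        return GENERIC_MESSAGE

    def reset_password(self, token: str, new_password: str) -> bool:
        """Step 2: the link is followed. The token must be known, unexpired and unused."""
        entry = self.tokens.get(token_fingerprint(token))
        if entry is None or entry["used"] or self.clock() > entry["expires"]:
            return False
        entry["used"] = True                              # single use
        user = self.users[entry["email"]]
        user["salt"], user["pw_hash"] = hash_password(new_password)
        user["sessions"].clear()                          # log out whoever is already logged in
        return True

    def verify_login(self, email: str, password: str) -> bool:
        user = self.users.get(email.lower())
        if user is None:
            return False
        _, candidate = hash_password(password, user["salt"])
        return hmac.compare_digest(candidate, user["pw_hash"])
```

Two things the code deliberately does not do: it never tells the requester whether the address exists (the same text and the same amount of work in both cases), and it never lets the old password or a previous token stay valid once a reset completes. Email delivery, a CAPTCHA on the request form and an audit log are left out; a real deployment adds them around this core.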
#EX05 → Which of these is the best password according to you, and why?
apple@123
aaaaaa@0
RomaniaIsBeautiful
ILoveClujOnMilkyWay
19199919
0989
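An added example (not from the workbook) that scores the six candidates above in two ways: the naive character-class entropy that a "one upper, one digit, one symbol" policy implicitly assumes, and a pattern-aware estimate that charges dictionary words, digit runs and repeated characters at their real guessing cost. The DICTIONARY set, DICT_BITS and MIN_LENGTH are constructed assumptions; a real checker would use a leaked-password corpus of millions of entries.

```python
"""Password strength two ways: naive entropy vs pattern-aware guess cost (illustrative example)."""
import math
import re

# Constructed stand-in for a breached-password / dictionary list, just large enough for the six candidates.
DICTIONARY = {"apple", "love", "romania", "beautiful", "cluj", "milky", "way", "password"}
DICT_BITS = 14.0        # assumption: a 16k-word list, so one word costs log2(16384) guesses
MIN_LENGTH = 12
CANDIDATES = ["apple@123", "aaaaaa@0", "RomaniaIsBeautiful", "ILoveClujOnMilkyWay", "19199919", "0989"]
CHUNK_RE = re.compile(r"(.)\1{2,}|\d+|[A-Za-z]+|[^A-Za-z0-9]+")   # repeated run | digits | letters | symbols


def pool_size(s: str) -> int:
    """Alphabet size implied by the character classes present."""
    pool = 0
    if re.search(r"[a-z]", s):
        pool += 26
    if re.search(r"[A-Z]", s):
        pool += 26
    if re.search(r"\d", s):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", s):
        pool += 33
    return pool


def naive_bits(pw: str) -> float:
    """What a complexity-rules policy assumes: every character was chosen at random from the pool."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0


def split_words(chunk: str) -> list[tuple[str, str]]:
    """Greedy longest-match split of a letters-only chunk into dictionary words and leftovers."""
    parts, leftover, i = [], "", 0
    while i < len(chunk):
        word = next((chunk[i:j] for j in range(len(chunk), i, -1) if chunk[i:j].lower() in DICTIONARY), "")
        if word:
            if leftover:
                parts.append(("other", leftover))
                leftover = ""
            parts.append(("word", word))
            i += len(word)
        else:
            leftover += chunk[i]
            i += 1
    if leftover:
        parts.append(("other", leftover))
    return parts


def pattern_bits(pw: str) -> float:
    """Guess-cost estimate: a word costs DICT_BITS (+1 if capitalised), a run costs the char plus its length."""
    bits = 0.0
    for m in CHUNK_RE.finditer(pw):
        chunk = m.group(0)
        if len(chunk) >= 3 and len(set(chunk)) == 1:     # 'aaaaaa': choose the character, then the length
            bits += math.log2(pool_size(chunk)) + math.log2(len(chunk))
        elif chunk.isalpha():
            for kind, part in split_words(chunk):
                bits += (DICT_BITS + (part != part.lower())) if kind == "word" else naive_bits(part)
        else:
            bits += naive_bits(chunk)                    # digits and symbols: treated as random
    return bits


def assess(pw: str) -> dict:
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        issues.append("digits only (PIN-sized search space)")
    if naive_bits(pw) - pattern_bits(pw) > 20:
        issues.append("much weaker than its character mix suggests (dictionary words or patterns)")
    return {"naive_bits": round(naive_bits(pw), 1), "pattern_bits": round(pattern_bits(pw), 1), "issues": issues}


def rank(passwords: list[str]) -> list[str]:
    """Strongest first, by the pattern-aware estimate."""
    return sorted(passwords, key=pattern_bits, reverse=True)


if __name__ == "__main__":
    for pw in rank(CANDIDATES):
        print(f"{pw:22} {assess(pw)}")
```

The point the two columns make: apple@123 satisfies every "complexity" checkbox and scores about 55 naive bits, yet it is a dictionary word plus the most common suffix in breach data, so a cracker reaches it in far fewer guesses than the long all-letter passphrases that a checkbox policy would reject.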
#EX06 → Username enumeration attack → Which of the error messages below is
secure enough, and why are the others not good enough?
Invalid username / password
The username entered is incorrect. Please retry!
Username and password are both incorrect. Try again!
The password entered for username Santhosh is incorrect. (WordPress way)
Incorrect credentials
#EX07 → Your task is to stop bots from cracking usernames and passwords in
the login form, and also to stop humans employed as bots, i.e. manual
brute-force attacks. As a security consultant, what suggestions would you
give to secure the login form against brute-force attacks?
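For #EX06 and #EX07 together, an added example (not the workbook's or the author's code) of a login handler that returns one generic failure text (the "Incorrect credentials" option from #EX06) for an unknown user, a wrong password and a locked account alike, spends the same password-hashing work when the username does not exist so that response time leaks nothing either, and throttles brute force per account (exponential backoff) and per source address. The LoginService class, its in-memory stores and the thresholds are illustrative assumptions.

```python
"""Login handler hardened against enumeration and brute force (illustrative example; names and limits assumed)."""
import hashlib
import hmac
import secrets
import time

GENERIC_FAILURE = "Incorrect credentials"
THROTTLED = "Too many attempts from your address, try again later"
PER_IP_LIMIT = 10            # failed logins per source address per window (assumed threshold)
WINDOW_SECONDS = 600
FREE_TRIES = 5               # failures before per-account backoff starts (assumed threshold)
MAX_BACKOFF = 3600


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the stdlib keeps the example dependency-free; tune the iteration count in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users: dict[str, tuple[bytes, bytes]] = {}           # email -> (salt, hash)
        self.ip_failures: dict[str, list[float]] = {}             # ip -> failure timestamps
        self.account_failures: dict[str, tuple[int, float]] = {}  # email -> (count, last failure time)
        # A throwaway credential: unknown usernames are checked against it so the request
        # costs the same hashing time as a real account (no timing oracle for enumeration).
        self.dummy_salt = secrets.token_bytes(16)
        self.dummy_hash = hash_password(secrets.token_hex(16), self.dummy_salt)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email.lower()] = (salt, hash_password(password, salt))

    def locked_until(self, email: str) -> float:
        """Per-account exponential backoff: 1s, 2s, 4s ... after FREE_TRIES failures.
        Tracked for unknown names too, so lockout behaviour cannot be used to enumerate users."""
        count, last = self.account_failures.get(email.lower(), (0, 0.0))
        if count < FREE_TRIES:
            return 0.0
        return last + min(2 ** (count - FREE_TRIES), MAX_BACKOFF)

    def login(self, email: str, password: str, ip: str) -> tuple[bool, str]:
        email = email.lower()
        now = self.clock()
        recent = [t for t in self.ip_failures.get(ip, []) if now - t < WINDOW_SECONDS]
        self.ip_failures[ip] = recent
        if len(recent) >= PER_IP_LIMIT:
            return False, THROTTLED          # keyed on the address, so it says nothing about the account
        # Always do the expensive hash, against the dummy credential if the user does not exist.
        salt, stored = self.users.get(email, (self.dummy_salt, self.dummy_hash))
        candidate = hash_password(password, salt)
        genuine = email in self.users and hmac.compare_digest(candidate, stored)
        if genuine and now >= self.locked_until(email):
            self.account_failures.pop(email, None)
            return True, "OK"
        count, _ = self.account_failures.get(email, (0, 0.0))
        self.account_failures[email] = (count + 1, now)
        self.ip_failures[ip] = recent + [now]
        return False, GENERIC_FAILURE         # same text for unknown user, wrong password and lockout
```

Backoff rather than a hard lockout is chosen on purpose: a permanent lock after N failures lets an attacker lock every customer out by guessing badly on purpose. What this code cannot do on its own is stop a distributed credential-stuffing run that spreads its attempts over thousands of addresses and accounts; for that, and for the "human employed as a bot" case, the usual additions are a CAPTCHA or proof-of-work challenge once a risk score rises, multi-factor authentication, and monitoring of failure rates across the whole login endpoint rather than per key.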