PELAB Security Thesis Proposals

Here a list of currently available thesis proposals:

  1. Development of a module for a modular framework used for Web Application Penetration Testing:
    • Study: Web Application Pentesting techniques and tools
    • Development: A set of scripts or burp suite/ZAP plugins to assist the web app pentester
    • Context: Web Applications are enerally the main entry point for attackers, studying their vulnerabilities and possible mitigations is of fundamental importance in the Cybersecurity domain
  2. Study of Applicative Protocols and Implications with respect to security (SSDP, SNMP, SMB, NETBIOS, DHCP, LLMNR, and others)
    • Study: Details of the most commonly used and famous application level protocols, what implications on the security
    • Development: A software from scratch which exploits the vulnerability of one or more of these protocols or a software which gathers others scripts which are used for this purposes
  3. Operating systems Hardening Strategies (ref. Tanenbaum OS Book, SELinux, AppArmore) (DONE, but can be done for other softwares)
    • Study: Operating Systems hardening techniques and scenarios in common OSes
    • Development: A script which implements or automates an OS hardening procedure
  4. Firewalls, Defense and Evasion/Pivoting Techniques (Network Security Assessment + Metasploit)
    • Study: Network Pentesting techniques and tools
    • Development: Automating scripts or scanning script from scratch
  5. Antivirus Evasion Techniques (Various Publications + The Antivirus Hacker's Handbook)
    • Study: Basic Malware Analysis concepts and AV evasion strategies
    • Development: Collection of Snippets of code to bypass common AVs
  6. Social Engineering attacks, MITM, browser vulnerabilities (BITM), phishing strategies and mitigation
    • Study: Basic Social Engineering Attacks, and MITM strategies
    • Development: A development of a methodology/framework to conduct such attacks
  7. Windows Pentesting
    • Study: Basics of Windows OS Internals and security mechanisms (+ vulnerabilities)
    • Development: Methodology/software to attack AD/DC and in general Windows environments
  8. Write an higher level traffic analyzer built on libpcap or tcpdump:
    1. Analyze domains
    2. Requests per domain
    3. Files downloaded per domain
    4. HTTP Request types per domain
    5. Time spent on a website
    6. Provide fancy plots
    7. Study: How traffic analyzers work, what could be interesting in various troubleshooting scenarios
    8. Development: Software to analyze .pcap or .pcapng files and provide higher level details
  9. NoSQL Databases Security
    • Study: Most common NoSQL databases and their security implications
    • Development: An helper software for NoSQL attacks
  10. Cracking Passwords: An Overview
    • Tools for cracking, hydra, different protocols cracking
    • Delegating work, scripts to integrate different sources
  11. Development of a graphical dashboard to visualize dataset information for data science

5 and 6: require a longer period of study