09.3: Homework

Within your course repository, create a directory for the homework, then commit and push to your remote repository.

cd <path_to_repo>
mkdir hw9
touch hw9/app.py
touch hw9/screencast_url.txt
git add hw9
git commit -m "initial commit"
git push

In this homework, based on the lab exercises, you will extend the exercises given to you in the labs to build applications that automate the identification, patching, and/or exploitation of vulnerable code or CTF levels.

Automate the identification of vulnerabilities in known vulnerable code repositories (Copilot corpus | theZoo)
Automate the identification of malicious or vulnerable code in source-code, git commits, software patches, packages and package dependencies.
Automate exploitation of CTF exercises (Github Secure Code Game, Overthewire CTFs, picoCTF, cs205 CTF, cs492 CTF, angr CTF)
Automate exploitation of specific web vulnerabilities using custom tools (SSRF, Command injection, File-path traversal, Information disclosure, Deserialization, Insecure File upload, XXE)
Automate the analysis and generation of patches for vulnerable code (e.g. such as a by forking, branching, modifying code, committing code, and submitting a pull request on a GitHub repository)
Build agents with custom tools to make command invocations more reliable for commands used in labs (e.g. nmap, sqlmap) and command line tools not used in lab exercises.

As an alternative option, you may also

Utilize state-of-the-art agentic frameworks such as Strix or Kali-MCP to perform a comprehensive vulnerability analysis of the set of virtual machines utilized in the week's lab.

Note that when testing these tools on Google Cloud resources, take care to point them only to the internal IP addresses of servers you deploy on your Google Cloud Project (e.g. 10.x.y.z). Your development should be organized and incremental, with frequent commits into your git repository. Code should also be properly documented via Python docstrings. In addition, you must also ensure API keys do not show up in your source files, but rather are passed in via environment variables. Ensure your application code is pushed to your repository before class.

Screencast

Upon completing your application, via a narrated screencast of no longer than 5 minutes, you will perform a demonstration and source code walk-through of the application. Ensure that the video camera is turned on initially in your screencast. The screencast should follow the order given below:

Check out the application source code from your course repository.
Demonstrate the application running showing both its capabilities as well as its limitations
Perform a source code walk-through via the git commits on Gitlab to explain how the application has been incrementally implemented.

Upload your completed screencast on MediaSpace. Ensure that it is published as "Unlisted". Then, update the file screencast_url.txt in the homework's directory to contain the URL that your unlisted screencast on MediaSpace is located. Push the changes that include the updated URL to your repository before class.

Rubric

We will be using your screencast and git repository to evaluate your homework.

Code checkout shown

Demonstration of the various capabilities of the application

Demonstration of the various limitations of the application

Functionality added

Code quality (clean with no unused code or variables, readable, modular, documented with Docstrings and comments, no hard-coded keys within source code)

Walkthrough of source code via git commits shown on Gitlab. (Quantity of submitted code explained minus the quantity of submitted code not explained)

Instructions followed properly including code submission in the specified repository files, sequencing and length of screencast.