Week 6: Midterm

The 3-hour proctored practical. Reproduce a CVE you have not seen before against an academy-provided lab target. No tool engineering; manual reproduction only. The exam assesses the methodology Weeks 1-5 built.

Theme

A midterm exists to ask one question: has the student internalized the first five weeks well enough to apply them to an unfamiliar CVE?

The exam gives you three things: a spec for a CVE you have not seen before; an academy-provided lab target (a VM or container, not the SB6141); and 3 hours to reproduce the vulnerability manually. The reproduction must demonstrate the vulnerable behavior, document the methodology, capture the evidence, and stay within authorization.

The exam tests:

  • Week 1 framing. Authorization line in your exam notebook (binary: present or absent; missing costs 20% of the grade).
  • Week 1 methodology. CVE-record reading: identify the vulnerable component; identify the vulnerable behavior; identify what evidence reproduction requires.
  • Week 2 mechanics. HTTP at the wire level; Burp Suite capture; curl reproduction; cross-origin demonstration if applicable.
  • Week 3 documentation. Per-session authorization line; isolation evidence (the academy provides a known-isolated test environment for the exam; you confirm the isolation and record that confirmation).
  • Week 5 discipline. Manual reproduction first; no shortcuts; no skipping the authorization line for "just this once."

The exam does NOT test:

  • Tool engineering (no Python during the exam; manual reproduction only).
  • CVSS scoring (Week 8).
  • CVD drafting (Week 9).
  • Capstone work.

What the midterm does NOT include

No lecture this week. No graded lab. Independent practice is exam-prep self-study; the exam itself is 3 hours; the rest of the week is recovery + Week 7 preparation.

How to study (~8-10 hours over the week)

Day 1-2: Re-read your own lab portfolio (3 hr)

Open ~/adv-101/lab-portfolio.md. Read the entries for Labs 1-5. For each lab, write a 100-word summary in your own words. If you cannot summarize a lab from memory, re-read its spec.

Day 3: Mock midterm (3 hr)

Pick ONE of the sample specs below. Set a 3-hour timer. Reproduce the CVE manually against a target you set up yourself. Stop at 3 hours regardless of completeness; grade your own work.

Sample spec A: Default-credential exposure on a vulnerable Tomcat install

The academy provides a Docker container running Apache Tomcat 8.0.x with default Tomcat Manager credentials (tomcat:s3cret). Reproduce unauthorized administrative access manually via curl. Document:

  1. The HTTP request that demonstrates unauthorized access.
  2. The CVSS-v3.1-style impact assessment (Confidentiality / Integrity / Availability) at vocabulary level (Week 8 deepens; here you state the affected dimensions only).
  3. The negative-scope statement (what you did NOT do; e.g., did not deploy a malicious WAR file even though the access would permit it).

Sample spec B: DVWA file-upload bypass

The academy provides a Docker container running DVWA (Damn Vulnerable Web Application) at "low" security level. Reproduce the file-upload-bypass technique (upload a non-image file to the image-upload endpoint). Document:

  1. The HTTP request that demonstrates the bypass.
  2. The technique class (the OWASP Top 10 category that matches; file upload bypass falls under A04 Insecure Design and A05 Security Misconfiguration in the 2021 OWASP Top 10).
  3. The remediation suggestion (server-side validation; not client-side filename checks).
  4. The negative scope.

Sample spec C: Joomla 1.5 SQL injection

The academy provides a Docker container running Joomla 1.5 with a known SQLi at a specific endpoint. Reproduce the injection manually via curl. Document:

  1. The injection vector.
  2. The HTTP request demonstrating data exposure (do NOT exfiltrate; the demonstration stops at "the injection returns content the unauthenticated user should not see").
  3. The CVSS-style assessment at vocabulary level.
  4. The negative scope.

The exam-day spec will be one of these (or a close variant); the same shape every time. Practice once on the variant you find most accessible.

Day 4: Methodology drill (2 hr)

Without looking at your notes, write the reproduction template you intend to use during the exam. It should include:

  • The authorization line (verbatim format the academy expects)
  • The pre-reproduction checklist (target identified; environment confirmed isolated; tools ready)
  • The reproduction sequence (Burp capture; curl replay; document)
  • The post-reproduction documentation (transcript; negative scope; sign-off)

Carry the template to the exam (paper notes allowed; no internet during exam).

Day 5: Burp + curl drill (1 hr)

Practice the Burp -> Repeater -> curl round-trip on a benign target (e.g., httpbin.org). The exam's time pressure makes friction-free tool use critical; the drill builds muscle memory.

Day 6 (exam day): rest, then exam

Sleep. Do not cram. Bring the methodology template (paper); bring your authorization-line template; bring a notebook for the exam.

During the exam

Time budget: 3 hours total. Suggested split:

  • 0:00 to 0:15. Read the spec. Annotate. Identify the target, the CVE, the destructive action, the expected evidence. Write the authorization line into the exam notebook.
  • 0:15 to 0:30. Set up: launch Burp; configure browser proxy; access the target through the proxy; verify isolation (the academy provides a known-isolated environment; the exam-time check is "did I notice the isolation?", not "did I build it").
  • 0:30 to 1:30. Reproduce. Capture the request in Burp; replay with curl -v; observe; document.
  • 1:30 to 2:30. Document. Write the reproduction transcript per the methodology template; include the CVSS-vocabulary impact; write the negative-scope statement.
  • 2:30 to 3:00. Polish. Re-read; check the authorization line is present; check the negative scope is present; check the transcript is reproducible by another researcher.

Strategy:

  • The authorization line is 20% of the grade. WRITE IT FIRST.
  • A reproduction at 80% completeness with a clean transcript outscores a 100% reproduction with a hand-waved transcript.
  • If curl fails, fall back to Burp Repeater. Two tools for one job is the practitioner's safety net.
  • If you have time left, document what you would NOT do (negative scope expansion; cite specifically what's out of bounds).

After the exam

Submit per academy instructions (digital upload of the exam notebook, the reproduction transcript, any Burp exports). The course team grades within 7 days.

Week 7 picks up immediately with tool safety engineering II; do not take the midterm-relief week off.

Common midterm stumbles

From pilot-cohort observations (v0.1 carries the FND-101 + SEC-101 midterm pattern):

  • Skipping the authorization line. Fastest 20% you'll lose.
  • curl invocation without -v. The output is too terse; the grader cannot see the request that was sent. Always pass -v.
  • Burp configured but not capturing. The proxy is configured but the browser is using a different network path. Test the capture by issuing one warmup request to httpbin or similar before the actual exam target.
  • Time mismanagement on documentation. Reproduction is the fun part; documentation is the assessed part. Budget at least 60 minutes for documentation.
  • Negative scope skipped. "I didn't have time" is not an excuse; the negative-scope statement is THREE SENTENCES. Always include.
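A self-check for the Polish step and for the stumble list above, usable when you grade your own Day 3 mock run (Python is barred during the exam itself). This is an added example, not academy code; the transcript is constructed, the section headings and the 20-points-per-check weighting beyond the authorization line are assumptions.

```python
import re

# Constructed sample transcript (not from any real exam); the endpoint is a placeholder.
SAMPLE = """\
## Authorization
Authorization: I am authorized by ADV-101 staff to test lab-target.example only, today 09:00-12:00.
## Pre-reproduction checklist
- Environment confirmed isolated: academy lab network, no external route
## Reproduction
$ curl -v http://lab-target.example/<endpoint-from-spec>
< HTTP/1.1 200 OK
## Impact (CVSS vocabulary)
Confidentiality: High. Integrity: None. Availability: None.
## Negative scope
I did not go beyond the demonstration request. I did not modify application state. I did not touch any other host.
"""

CURL_RE = re.compile(r"^\$?\s*curl\b(.*)$")
VERBOSE_RE = re.compile(r"(^|\s)-(?:[a-zA-Z]*v[a-zA-Z]*|-verbose)\b")  # -v, -sv, --verbose


def check_transcript(text: str) -> dict:
    """Return {check_name: (passed, detail)} for the polish-step checks named in the syllabus."""
    lines = text.splitlines()
    low = text.lower()
    results = {}
    # 1. Authorization line: binary, 20% of the grade, so it is checked first.
    results["authorization"] = (any(l.lower().startswith("authorization:") for l in lines),
                                "a line beginning 'Authorization:'")
    # 2. Isolation was noticed and written down, not just assumed.
    results["isolation"] = ("isolated" in low, "a sentence confirming the environment is isolated")
    # 3. Every curl invocation carries -v so the grader can see the request that was sent.
    curls = [m.group(1) for l in lines if (m := CURL_RE.match(l.strip()))]
    terse = [a for a in curls if not VERBOSE_RE.search(a)]
    results["curl_verbose"] = (bool(curls) and not terse,
                               f"{len(curls)} curl call(s), {len(terse)} without -v")
    # 4. Negative scope: its own section with at least three sentences.
    sec = re.search(r"^#+\s*negative scope\s*$(.*?)(?=^#+\s|\Z)", text, re.I | re.M | re.S)
    sentences = [s for s in re.split(r"[.!?]\s", sec.group(1).strip()) if s.strip()] if sec else []
    results["negative_scope"] = (len(sentences) >= 3, f"{len(sentences)} sentence(s); need at least 3")
    # 5. CVSS vocabulary: all three impact dimensions named.
    results["cvss_vocab"] = (all(d in low for d in ("confidentiality", "integrity", "availability")),
                             "Confidentiality / Integrity / Availability each stated")
    return results


def score(results: dict) -> int:
    """Assumed rubric: authorization line is 20 points; each other check is worth 20 here."""
    return sum(20 for ok, _ in results.values() if ok)


if __name__ == "__main__":
    res = check_transcript(SAMPLE)
    for name, (ok, detail) in res.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
    print("score:", score(res))
```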

What comes next

Week 7 introduces tool safety engineering II. Tool v0.3 adds structured logging (JSON file output + human-readable stderr), idempotent semantics (re-runs detect prior state), and rollback documentation (where rollback is possible, the tool implements it; where it is not, the tool documents the irreversibility). v0.3 is the version that becomes Tool v1.0 in the capstone.