
Added two computer security lessons

Federico Amedeo Izzo 9 years ago
commit fa05855398
2 changed files with 74 additions and 0 deletions
  1. Computer Security/lesson_10.md (48 additions, 0 deletions)
  2. Computer Security/lesson_11.md (26 additions, 0 deletions)

+ 48 - 0
Computer Security/lesson_10.md

@@ -0,0 +1,48 @@
+# Computer Security - lesson 10
+#### Stefano Zanero
+###### 5 May 2016
+## Format String Bugs
+The format string bugs are typical of C language but the idea
+can be applied also to other languages.
+The key part of a string formatting function is the *format string*
+The first parameter of the f.s.f. is Interpreted as the format string
+So whatever i pass to the function, the function use it.
+In the format string there are placeholders that tell the function
+how many more parameters there are, and the function is going
+to look for those on the stack.
+
+So we can access arbitrary data on stack, so we can:
+- Bypass __ASLR__ by knowing the stack allocation address
+
+It would be interesting if we would be able to write on the stack.
+There is the `%n` placeholder that is used to write on a variable
+the number of characters currently written.
+This was used to count characters to create command line interface
+on fixed terminals, but it's not used anymore.
+
+At some point in the stack we will find the same variable we passed
+to the format string function.
+
+Our current limit is that we can pass only a 256 charachter string to
+the format string variable, but hopefully the format string function
+acceps `%N$x` as a placeholder, that tells the program to fetch
+the Nth parameters, that even if it doesn't exist, it corresponds
+to some value on the stack.
+
+As of now i can only write the number of characters currently printed,
+but i would like to write in memory an arbitrary number.
+The trick is to use `%Nc` that padds the printed number with N figures.
+The number accepted is a short int (16bits,64K max value)
+But i can still write 32bit values by using two `%c` and writing first the
+number with the lower value and then the number with the higher value
+(Using another %c).
+
+What i need for the complete exploit is:
+```
+"<addr1>[4bytes]<addr2>%x%x%x%x%c%n%c%n"
+```
+I will need to tune the `%c` parameter based on the actual lenght of the string 
+and the target value (length) that we want to write in memory.
+
+The simple `%n` overflows and writes always 4bytes word, to write
+16 bits at a time we can use `%hn`

+ 26 - 0
Computer Security/lesson_11.md

@@ -0,0 +1,26 @@
+# Computer Security - lesson 11
+#### Stefano Zanero
+###### 6 May 2016
+## Web Application Security
+The typical target of web attacks are the browser of the users
+and the data on the server.
+It is the current trend to offer software not anymore as clients
+but as web applications, this is true for SaaS and Corporate Intranets.
+
+The core of navigation is going through pages carrying over a state
+But that's an illusion in HTTP pages because it is intrinsecally stateless.
+So we're building __stateful__ interaction over HTTP that is __stateless__
+Also HTTP doesn't support __authentication__ by itself, so it is 
+implemented in the application.
+
+> People make mistakes.
+And the fact that web applications have the view side not under the
+control of the programmer, in fact it runs inside the browser
+
+__SOP__ is a common policy adopted by browsers and consists of allowing scripts
+coming from a website to access only data from that website.
+
+__XSS__ or __cross site scripting__ is the technique of putting in a textbox
+a javascript executable code marked as `<SCRIPT>` that will be executed in
+the client and violate the __SOP__ policy to access data or perform operations
+on the attached site from the client.
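
Review bot: The closing XSS paragraph says the injected script will "violate the __SOP__ policy", but a script injected into a page runs with that page's origin, so the SOP as defined in the paragraph just above permits its access; reword to say that XSS gets attacker-supplied script to run inside the trusted origin, which is why the SOP does not stop it. The line after `> People make mistakes.` has no blank line before it, so Markdown will fold "And the fact that web applications..." into the blockquote, and that sentence is a fragment with no main clause. Also, "attached site" reads like a typo for "attacked site", "intrinsecally" is misspelled, and several sentences lack a final period.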