Really?
I received news that I will be on the team of tutors for Term 1 2019 of COMP6443 - Web Application Security. I would have loved to contribute more, but for now I'm tutoring a 2 hr/week timeslot in a class of 11 students.
The real heavy lifters are @sy, @tjp and @carey (and also @zain) as they build the infrastructure and challenges!
@zain is the course admin as well as a casual tutor — the other casual tutors are @blankaex and @bluecicada.
What do I teach them?
Well, I will update the list as we go, but so far here is what the course content looks like:
| Week | Content |
|---|---|
| 1 | Recon/OSINT/bruteforcing |
| 2 | SQLi |
| 3 | SQLi (cont.)/XXE |
| 4 | Session Management/CSRF |
| 5 | Access Controls (Authorization/Authentication) |
| 6 | XSS |
| 7 | SSRF/LFD/RCE |
| 8 | Dependencies and Frameworks/Docker (not really examinable) |
| 9 | Lightning Talks and Project Demos |
What have I learnt so far?
- You can never truly understand a technical concept; students always ask me a question that catches me off guard. I have so much more to learn!
- Humans are terrible at retaining information. At one point I wanted to explain HMACs but I totally forgot my COMP6441 material about Confidentiality, Integrity and Authenticity!
- I find it really refreshing to go over the content and having to warm up my muscle memory again, from using tools like Burp Suite (which I neglected for the previous half year) to writing SQLi payloads again
- I feel like something I need to improve is my explanation skills
  - For example, today when I explained CSRF and CSRF tokens
    - The students looked confused afterwards…
    - I asked them if I was speaking too fast and they said no
- Sitting in another tutor's class is also beneficial as I can see
  - how other tutors handle the flow of their tute
  - how they react to certain situations
  - I feel that we are all learning from each other, which is great
- Being a tutor also allows me to get closer to the lecturers Norman and Abhi, who are professionals in the industry
  - They offered me a chance to guest lecture, but I still haven't decided on a topic to do yet... what shall it be?
Random stuff I did as well
- Presented my demo for 10 minutes during a lecture
  - It was an SSRF/XSS/LFD triple-challenge I wrote for a previous CTF - the prepared one wasn't functioning properly
  - It felt nice to have my five minutes of fame as a lecturer hahaha
- Filled in for @zain for the first 10 minutes of his class
- Worked as a SecEDU clerk by helping to record lectures
Updated: What I ultimately learnt from everything
- There are many ways to explain things:
  - Some analogies work and some don't.
  - Usually you have to go through trial and error
  - Use different ones depending on the crowd you're explaining to (i.e. how much technical background they have)
- Some students require special care and attention
  - especially the shy ones.
- Conversely, the more bold and inquisitive ones are also hard to handle
  - They occasionally test the limits of your knowledge by asking things that you aren't always able to answer, or answer with full confidence.
  - Sometimes you really have to drop the ball and say… "I don't know". I'd rather admit not knowing than lie and provide incorrect information.
- I have trouble asserting my authority during tutorials
  - This sounds cheesy, but it really boils down to my personality type
  - I tend to treat everyone equally, although some situations arise which would go better if I were more in control of the class!
  - I think I definitely gained more control over time, but my first two weeks were not that great