Aids: Two 8 1/2 x 11 double-sided aid sheets, printed or written as you like, and a non-programmable calculator.

Most of the questions are short answers; some questions ask you to write or explain short code snippets. All topics that we covered in class are included in the exam. Here is a summary of some of them:

1) Understand and know how to identify CIA (confidentiality, integrity, availability).
2) Buffer overflows: you need to know how to identify vulnerable code, how to exploit it and how to fix it. Know the stack layout.
3) Know your inputs: understand white-listing vs. black-listing. Use tools to filter inputs (regular expressions). Understand integer overflows.
4) Understand XSS and SQL injection. Know how to exploit, how to fix and how to prevent them.
5) System security: how passwords are stored, breaking passwords, permissions and access control in Linux, environment variables, setuid, malware/worms and rootkits (different types, detection and prevention, the Storm botnet). Protecting systems, securing boot, etc.
6) Fingerprinting and footprinting: commands and tools to gather information about the local system and remote systems.
8) Networking (Ethernet, IP, TCP, ICMP, UDP, DNS): understand the basic protocols, how they work and what they are used for. Intrusion detection systems and firewalls. Basic attacks: SYN flooding, ARP spoofing, DNS spoofing.
9) Cryptography: understand the basic encryption algorithms (one-time pad, RSA, block ciphers, etc.) and encryption modes (ECB vs. CBC). Random number generators, hash functions (and their relation to storing passwords on the system) and signature algorithms. Public key infrastructure and secret sharing.
10) Mobile security is not explicitly covered in the final.

Generally, you need to understand everything we covered in class, in the tutorials or in the assignment.