CSE361

Course CSE361
Title Web Security
Credits 3
Course Coordinator

Nick Nikiforakis

Description

This course will cover all aspects of web security, including browser security, web server security, and web application security. Topics include: SOP and JavaScript; application and protocol vulnerabilities; probing, surveillance, and tracking; penetration testing; modern social engineering techniques; monetary incentives and monetization.

Prerequisite CSE331, CSE major
Course Outcomes

The participants of this course will be conversant with basic and advanced terminology and concepts of web security. They will be familiar with a wide range of attacks against all layers of a web application and will be able to understand the risks that a web application is exposed to and take the necessary actions to secure it, both during the design and implementation phases of a web application and later in the application's lifetime.

Textbook

Required: Dafydd Stuttard, Marcus Pinto, "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws", Publisher: Wiley; 2nd edition (2011), ISBN-10: 1118026470, ISBN-13: 978-1118026472

Major Topics Covered in Course
  • Week 1. Introduction to basic web security concepts. Threat models, definitions, code of conduct, examples of past attacks and their repercussions.
  • Week 2. Authentication and authorization on the web. Session management, cookies, proper password storage, multi-factor authentication.
  • Week 3. Encrypting web content in transit (HTTPS), SSL handshake, known SSL vulnerabilities, certificate properties and verification.
  • Week 4. JavaScript and DOM/BOM. Sandboxing of JavaScript in the browser, same-origin policy and its exceptions.
  • Week 5. Mapping a web application: crawling techniques, discovering hidden content, identifying end-points that accept user input, inspecting older versions of websites, mapping the overall attack surface.
  • Week 6. Attacks against the server side: SQL injection, attacks against session management, credential prediction, Remote File Inclusion, Local File Inclusion, Remote Command Execution, discovery of unprotected backups, application logic vulnerabilities.
  • Week 7. Attacks against the client side: Cross-Site Scripting (reflected, persistent, DOM-based), Cross-Site Request Forgery, session fixation, session hijacking, SSL stripping.
  • Week 8. Midterm Exam
  • Week 9. Attacks against the user: malicious downloads, phishing, spear-phishing, vishing, UI redressing attacks, malicious browser extensions.
  • Week 10. Automated pentesting tools: advantages, disadvantages, ethics. Keeping access on a server. Hiding the origin of attacks and the general difficulties of attack attribution (proxies, VPNs, public clouds, compromised servers). DNS security.
  • Week 11. Mitigations against server-side attacks (defensive programming, escaping user input, whitelisting versus blacklisting, web application firewalls). Mitigations against client-side attacks (browser filters, server-driven/browser-enforced security policies), user education. Use of web application frameworks, e.g., Django.
  • Week 12. Predicting future attacks, identifying and responding to current attacks. Recovery strategies. Attack analytics, decoys and honeypots, intrusion detection/intrusion prevention systems.
  • Week 13. Advanced topics and case studies, to be chosen according to instructor and student interest. (Possible examples: privacy, web tracking, underground economy, monetization of victimized users, exploit kits, denial of service against websites, cloud-based security, security and the law, quantum cryptography, ethics, full disclosure.)
  • Week 14. Advanced topics and case studies, to be chosen according to instructor and student interest. (Possible examples: privacy, web tracking, underground economy, monetization of victimized users, exploit kits, denial of service against websites, cloud-based security, security and the law, quantum cryptography, ethics, full disclosure.)
