CSE361

Course CSE361
Title Web Security
Credits 3
Course Coordinator

Nick Nikiforakis

Description

This course covers browser security, web server security, and web application security. Topics include: the same-origin policy (SOP) and JavaScript; application and protocol vulnerabilities; probing, surveillance, and tracking; penetration testing; modern social engineering techniques; monetary incentives and monetization of attacks.

Prerequisites: CSE 220; CSE major

Advisory pre- or corequisite: CSE 320

Course Outcomes

Participants in this course will be conversant with basic and advanced terminology and concepts of web security. They will be familiar with a wide range of attacks against all layers of a web application, will be able to understand the risks that a web application is exposed to, and will be able to take the necessary actions to secure it, both during the design and implementation phases and later in the application's lifetime.

Textbook

None

Major Topics Covered in Course
  • Week 1. Introduction to basic web security concepts. Threat models, definitions, code of conduct, examples of past attacks and their repercussions.
  • Week 2. Authentication and authorization on the web. Session management, cookies, proper password storage, multi-factor authentication.
  • Week 3. Encrypting web content in transit (HTTPS), the TLS (historically SSL) handshake, known SSL/TLS vulnerabilities, certificate properties and verification.
  • Week 4. JavaScript and DOM/BOM. Sandboxing of JavaScript in the browser, same-origin policy and its exceptions.
  • Week 5. Mapping a web application: crawling techniques, discovering hidden content, identifying end-points that accept user input, inspecting older versions of websites, mapping the overall attack surface.
  • Week 6. Attacks against the server side: SQL injection, attacks against session management, credential prediction, remote file inclusion, local file inclusion, remote command execution, discovery of unprotected backups, application logic vulnerabilities.
  • Week 7. Attacks against the client side: cross-site scripting (reflected, persistent, DOM-based), cross-site request forgery, session fixation, session hijacking, SSL stripping.
  • Week 8. Midterm Exam
  • Week 9. Attacks against the user: malicious downloads, phishing, spear-phishing, vishing, UI redressing attacks, malicious browser extensions.
  • Week 10. Automated pentesting tools: advantages, disadvantages, ethics. Maintaining access on a compromised server. Hiding the origin of attacks and the general difficulty of attack attribution (proxies, VPNs, public clouds, compromised servers). DNS security.
  • Week 11. Mitigations against server-side attacks (defensive programming, escaping user input, whitelisting versus blacklisting, web application firewalls). Mitigations against client-side attacks (browser filters, server-driven/browser-enforced security policies), user education. Use of web application frameworks, e.g., Django.
  • Week 12. Predicting future attacks, identifying and responding to current attacks. Recovery strategies. Attack analytics, decoys and honeypots, intrusion detection/intrusion prevention systems
  • Weeks 13 and 14. Advanced topics and case studies, to be chosen according to instructor and student interest. (Possible examples: privacy, web tracking, underground economy, monetization of victimized users, exploit kits, denial of service against websites, cloud-based security, security and the law, quantum cryptography, ethics, full disclosure.)
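The following is an added illustration, not course material from the syllabus above: it pairs the reflected cross-site scripting attack of Week 7 with the two server-side mitigations named in Week 11, escaping user input and whitelisting (allowlisting) versus blacklisting (denylisting). The query string, the page template and the helper names are all constructed for this example.

```javascript
// Added example (not part of the course page): reflected XSS and its mitigations.
// renderVulnerable() interpolates user input straight into HTML (Week 7);
// denylistFilter() shows why blacklisting fails; renderHardened() escapes the
// free-text parameter and allowlists the enumerated one (Week 11).

// Constructed sample query string, as a search page might receive it:
// q carries an <img> payload with an event handler, sort carries a stray quote.
const SAMPLE_QUERY =
  "q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&sort=name%27%20OR%201%3D1";

function parseQuery(qs) {
  // URLSearchParams percent-decodes each value; attacker text arrives verbatim.
  return Object.fromEntries(new URLSearchParams(qs));
}

// Vulnerable: both parameters land in the HTML body unescaped.
function renderVulnerable(params) {
  return `<h1>Results for ${params.q}</h1><p>Sorted by ${params.sort}</p>`;
}

// Blacklist filter: removes the literal "<script" and nothing else, so any
// other vector (here an <img> with onerror=) passes through untouched.
function denylistFilter(s) {
  return s.replace(/<script/gi, "");
}

// Escaping for the HTML text/attribute context. Other contexts (JavaScript
// strings, URLs, CSS) need their own encoders; this one is not sufficient there.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Allowlist: a parameter with a small fixed vocabulary is compared against
// known-good values; anything unexpected falls back to a safe default.
const ALLOWED_SORT = new Set(["name", "date", "relevance"]);
function allowlistSort(s) {
  return ALLOWED_SORT.has(s) ? s : "relevance";
}

// Hardened: free text is escaped, the enumerated field is allowlisted.
function renderHardened(params) {
  return `<h1>Results for ${escapeHtml(params.q)}</h1>` +
         `<p>Sorted by ${allowlistSort(params.sort)}</p>`;
}

// Crude detector used to compare outputs: a tag carrying an on*= handler.
function containsInlineHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}

const params = parseQuery(SAMPLE_QUERY);
console.log("vulnerable:", renderVulnerable(params));
console.log("denylisted:", renderVulnerable({ q: denylistFilter(params.q), sort: params.sort }));
console.log("hardened:  ", renderHardened(params));
```

Running it prints the three renderings: the vulnerable and the denylisted versions both still contain the live `<img onerror=...>` tag, while the hardened version shows the payload as inert text and silently replaces the tampered `sort` value with the default. The allowlist is the stronger control wherever the set of valid values is known in advance; escaping is the fallback for genuinely free-form input, and it must match the output context.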