Web Security

Instructor: Wu-chang Feng
Contact and discussion: Office hours
Recommended text:
  • OWASP Top 10 (2013)
Resources
Course Description
This course provides an introduction to how the web works, web site vulnerabilities, and techniques to improve web security.  The course provides students with key concepts that underlie common web vulnerabilities, helps them develop skills to leverage them, and demonstrates mechanisms for preventing them.

Schedule

Week | Topic | Slides | Labs and Homework
1 | Course motivation and overview; Web Basics; REST/JSON | slides; slides; slides | 
2 | Web client programming; Google Cloud Platform, Cloud Launcher; A0: Reconnaissance tools | slides; slides | A0
3 | A4: Insecure Direct Object Access; A7: Missing Function-Level Access Control | slides | A4/A7
4 | A6: Sensitive Data Exposure; A1 (Part 1): Injection (Command, Code) | slides; slides | A6; A1 (Part 1)
5 | A1 (Part 2): Injection (SQL); Program #1 info; A1 (Part 3): Injection (Blind SQL) | slides; slides | A1 (Part 2); A1 (Part 3); Program #1 - Due Tues 2/19 in D2L
6 | Program #2 info; A2: Broken Authentication and Session Management | slides | A2
7 | A3: Cross-site Scripting (XSS); A10: Unvalidated Redirects and Forwards | slides; slides | A3/A10
8 | A8: Cross-site Request Forgery (CSRF); A5: Security Misconfiguration; A9: Using Known Vulnerable Components; A11/A12: Deserialization, Cloud | slides; slides; slides | Program #2 - Due 2/26 in D2L; A8/A5/A9; Final project listings | sign-up
9 | X1: Penetration testing, exploitation, and WAFs (metasploit, sqlmap, w3af, zap) | slides | X1; Final project
10 | Labs; Final Project Presentations | | Final project
Finals | Final CTF | | Lab notebook due in D2L; All homework levels due

Assignments

Labs and notebook
Lab assignments will be given each class covering the course material. You and your partner will solve each one, while maintaining a shared lab notebook (a single Google or Office Doc) that contains your write-ups of the labs.  The write-ups should include the vulnerability being demonstrated, how you solved it, and possible remediations to mitigate the threat.  Include screenshots as needed.  Write-ups should allow others to repeat your methodology to solve the level.  The notebook will be graded based upon the following rubric:
  • Number of levels solved
  • Description of vulnerability
  • Description of technique, URL, or script used to exploit vulnerability
  • Description of prevention or other remediation to mitigate threat
  • Graduate students are required to complete Natas Levels 1 - 25 in addition to the assigned labs: Natas
Homework and Programs
Homework and programming assignments are to be done individually. Homework from the CS 495 CTF can be submitted directly via flag submissions on the site. Programming assignments are to be submitted to the corresponding D2L dropbox folder. Assignments are due by the beginning of class. Late assignments will be docked 10% for each day late, up to 5 days. After 5 days, late assignments will not be accepted. Programs will be graded based upon the general rubric below.
  • Correctness of program
  • Efficiency of the algorithm
  • Conciseness, clarity, and modularity of the code
  • Code documentation via Python Docstrings
Specific criteria for each program are included in the assignment writeup.
Final Project
You and your partner will select and attempt one of the free levels from the lab site. For this exercise, your group will give a presentation that walks through the level from set-up to completion.  The project will be graded based upon the following rubric:
  • Exercise difficulty
  • Thoroughness of walkthrough (including setup)
  • Analysis of vulnerability and description of prevention/remediation.

Course objectives

  • Learn the basics of web clients, servers, protocols, and programming
  • Understand common, high-risk web vulnerabilities
  • Practice ethical hacking to demonstrate how web vulnerabilities may be leveraged
  • Develop web penetration testing skills

Policies

Grading
Attendance 10%
Homework 30%
Programs 20%
Lab Notebook 20%
Final Project and Walkthrough 10%
Final Exam CTF 10%
Attendance
The class is based on students putting in time and effort to become proficient. As a result, attendance is mandatory and absences will count against a student's overall grade.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Includes copying blocks of code from external sources without proper attribution
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.