Web Security

Instructor: Wu-chang Feng
Contact and discussion: office hours
Recommended text:
  • OWASP Top 10 (2013), PDF
Resources
Course Description
This course provides an introduction to how the web works, web site vulnerabilities, and techniques to improve web security.  The course provides students with key concepts that underlie common web vulnerabilities, helps them develop skills to leverage them, and demonstrates mechanisms for preventing them.

Schedule

Week 1
  • Topics: Course syllabus, OWASP Top 10; Web Basics; REST/JSON
Week 2
  • Topics: Web client programming; Google Cloud Platform, Cloud Launcher
  • Labs and homework: A0: Web server reconnaissance
Week 3
  • Topics: A4: Insecure Direct Object Access; A7: Missing Function-Level Access Control
Week 4
  • Topics: A6: Sensitive Data Exposure; A1 (Part 1): Injection (Command, Code)
Week 5
  • Topics: A1 (Part 2): Injection (SQL); A1 (Part 3): Injection (Blind SQL)
Week 6
  • Topics: A2: Broken Authentication and Session Management; A3: Cross-site Scripting (XSS); A10: Unvalidated Redirects and Forwards
  • Labs and homework: Program #1 due in D2L
Week 7
  • Topics: A8: Cross-site Request Forgery (CSRF); A5: Security Misconfiguration; A9: Using Known Vulnerable Components
  • Labs and homework: Program #2 due in D2L
Week 8
  • Topics: X1: Deserialization; X2: Automated tools
  • Labs and homework: Final project selection
Week 9
  • Topics: Additional labs
  • Labs and homework: Final project
Week 10
  • Topics: Additional labs; Final CTF (Wed, Dec 6, 12:30pm - 2:20am)
  • Labs and homework: Final project; Final project screencast due on MediaSpace (Tue, Dec 5, 11:59pm)
Finals
  • Labs and homework: Lab notebook due in D2L (Sun, Dec 10, 11:59pm); All homework levels due (Sun, Dec 10, 11:59pm)

Assignments

Labs and notebook
Lab assignments will be given each class covering the course material. You and your partner will solve each one while maintaining a shared lab notebook (a single Google or Office Doc) that contains your write-ups of the labs. Each write-up should include the vulnerability being demonstrated, how you solved it, and possible remediations to mitigate the threat. Include screenshots as needed. Write-ups should allow others to repeat your methodology to solve the level. The notebook will be graded based upon the following rubric:
  • Number of levels solved
  • Description of vulnerability
  • Description of technique, URL, or script used to exploit vulnerability
  • Description of prevention or other remediation to mitigate threat
All lab assignments must be completed to obtain the minimum passing grade. Beyond the required labs, progression through additional levels and the difficulty of the levels will determine grading.
Homework and Programs
Homework and programming assignments are to be done individually. Homework from the CS 410 CTF can be submitted directly via flag submissions on the site. Programming assignments are to be submitted to the corresponding D2L dropbox folder. Assignments are due by the beginning of class. Late assignments will be docked 10% for each day late, up to 5 days. After 5 days, late assignments will not be accepted. Programs will be graded based upon the general rubric below.
  • Correctness of program
  • Efficiency of the algorithm
  • Conciseness, clarity, and modularity of the code
  • Code documentation via Python Docstrings
Specific criteria for each program are included in the assignment writeup.
Final project
You and your partner will select and attempt one of the free levels from the lab site. For this exercise, your group will create a narrated screencast that walks through the level from set-up to completion. Screencast recording and submission are to be done via PSU's MediaSpace on the course's channel. The project will be graded based upon the following rubric:
  • Exercise difficulty
  • Thoroughness of walkthrough (including setup)
  • Analysis of vulnerability and description of prevention/remediation
On the last day of class, students will select a walk-through from a different group and repeat the exercise described.  Please bring headphones.

Course objectives

  • Learn the basics of web clients, servers, protocols, and programming
  • Understand common, high-risk web vulnerabilities
  • Practice ethical hacking to demonstrate how web vulnerabilities may be leveraged
  • Develop web penetration testing skills

Policies

Grading
  • Attendance: 10%
  • Homework: 30%
  • Programs: 20%
  • Lab Notebook: 20%
  • Final Project and Walkthrough: 10%
  • Final Exam CTF: 10%
Attendance
The class is based on students putting in time and effort to become proficient. As a result, attendance is mandatory and absences will count against a student's overall grade.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.