Web Security

Instructor: Liz Lawrens (with Wu-chang Feng)
Contact and discussion: Office hours by appointment
Recommended text:
  • OWASP Top 10 (2013) pdf
Course Description
This course provides an introduction to how the web works, web site vulnerabilities, and techniques to improve web security. It gives students the key concepts that underlie common web vulnerabilities, helps them develop the skills to exploit those vulnerabilities in a lab setting, and demonstrates mechanisms for preventing them.

Schedule

Week | Topics | Slides | Labs and Homework
1 | Course motivation and overview; Web Basics; REST/JSON | 3 decks | Install Lab VMs (walkthrough video)
2 | Web client programming; Google Cloud Platform, Cloud Launcher; A0: Reconnaissance tools | 2 decks | A0; Google Cloud Compute Setup (walkthrough video)
3 | A4: Insecure Direct Object Access; A7: Missing Function-Level Access Control; A6: Sensitive Data Exposure | 2 decks | A4/A7; A6
4 | A1 (Part 1): Injection (Command, Code); A1 (Part 2): Injection (SQL); A1 (Part 3): Injection (Blind SQL) | 3 decks | A1 (Part 1); A1 (Part 2); A1 (Part 3)
5 | A2: Broken Authentication and Session Management; A3: Cross-site Scripting (XSS); A10: Unvalidated Redirects and Forwards | 3 decks | A2; A3/A10; Program #1 due in D2L
6 | A8: Cross-site Request Forgery (CSRF); A5: Security Misconfiguration; A9: Using Known Vulnerable Components | 2 decks | Program #2 due in D2L; A8/A5/A9
7 | A11/A12: Deserialization, Cloud; X1: Penetration testing, exploitation, and WAFs (metasploit, sqlmap, w3af, zap) | 2 decks | X1
8 | Final CTF (Thurs., Aug 16, 08:00am - 10:20am) | | Lab notebook due in D2L (Sat, Aug 18, 11:59pm); All homework levels due (Sat, Aug 18, 11:59pm)

Assignments

Labs and notebook
Lab assignments covering the course material will be given each class. You and your partner will solve each one while maintaining a shared lab notebook (a single Google or Office Doc) that contains your write-ups of the labs. Each write-up should state the vulnerability being demonstrated, how you solved the level, and possible remediations that mitigate the threat. Include screenshots as needed. Write-ups should allow others to repeat your methodology to solve the level. The notebook will be graded on the following rubric:
  • Number of levels solved
  • Description of vulnerability
  • Description of technique, URL, or script used to exploit vulnerability
  • Description of prevention or other remediation to mitigate threat
Homework and Programs
Homework and programming assignments are to be done individually. Homework from the CS 410 CTF can be submitted directly via flag submissions on the site. Programming assignments are to be submitted to the corresponding D2L dropbox folder. Assignments are due by the beginning of class. Late assignments will be docked 10% for each day late, up to 5 days. After 5 days, late assignments will not be accepted. Programs will be graded on the general rubric below.
  • Correctness of program
  • Efficiency of the algorithm
  • Conciseness, clarity, and modularity of the code
  • Code documentation via Python Docstrings
Specific criteria for each program are included in the assignment writeup.

Course objectives

  • Learn the basics of web clients, servers, protocols, and programming
  • Understand common, high-risk web vulnerabilities
  • Practice ethical hacking to demonstrate how web vulnerabilities may be leveraged
  • Develop web penetration testing skills

Policies

Grading
  • Weekly Quiz: 10%
  • Homework: 40%
  • Programs: 20%
  • Lab Notebook: 25%
  • Final Exam CTF: 5%
Attendance
The class is based on students putting in time and effort to become proficient. As a result, attendance is mandatory and absences will count against a student's overall grade.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Includes copying blocks of code from external sources without proper attribution.
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.