Web Security

Instructor: Wu-chang Feng
Contact and discussion: office hours
Recommended textbook
  • Web Application Security: A Beginner's Guide, Sullivan, Liu, McGraw-Hill Education, 2012. ISBN-13: 978-0-07-177616-5.
Resources
Course Description
This course provides an introduction to how the web works, common web site vulnerabilities, and techniques for improving web security. It teaches the key concepts that underlie each vulnerability class, develops the skills needed to exploit those vulnerabilities in a lab setting, and demonstrates the mechanisms that prevent them.

Schedule

Week   | Topic                                          | Slides | Labs and Homework
-------+------------------------------------------------+--------+------------------------------------------------------------
1      | Course syllabus, OWASP Top 10 (2013 edition)   | slides |
       | Web Basics                                     |        |
2      | REST/JSON                                      | slides | A4/A7
       | Web client programming                         |        |
       | Web server reconnaissance                      |        |
       | A4: Insecure Direct Object References          |        |
       | A7: Missing Function-Level Access Control      |        |
3      | A6: Sensitive Data Exposure                    | slides | A6
4      | A1 (Part 1): Injection (Command, Code)         | slides | A1 (Part 1)
       | A1 (Part 2): Injection (SQL)                   |        | A1 (Part 2)
5      | A1 (Part 3): Injection (Blind SQL)             | slides | A1 (Part 3)
6      | A2: Broken Authentication and Session Management | slides | Program #1 due in D2L
       | A3: Cross-site Scripting (XSS)                 |        | A2
       | A10: Unvalidated Redirects and Forwards        |        | A3/A10
7      | A8: Cross-site Request Forgery (CSRF)          | slides | Program #2 due in D2L
       | A5: Security Misconfiguration                  |        | A8/A5/A9
       | A9: Using Components with Known Vulnerabilities |       | Additional labs
       | Additional labs                                |        |
8      | Additional labs                                |        | Final project selection
9      | Additional labs                                |        | Final project
10     | Additional labs                                |        | Final project
Finals | Final CTF Exam (Wed, June 14, 12:30pm-2:20pm)  |        | Final project screencast due on MediaSpace (Tue, June 13, 11:59pm)
       |                                                |        | Lab notebook due in D2L (Sun, June 18, 11:59pm)
       |                                                |        | All homework levels due (Sun, June 18, 11:59pm)

Assignments

Labs and notebook
Lab assignments will be given each class covering the course material. You and your partner will solve each one, while maintaining a shared lab notebook (a single Google or Office Doc) that contains your write-ups of the labs.  The write-ups should include the vulnerability being demonstrated, how you solved it, and possible remediations to mitigate the threat.  Include screenshots as needed.  Write-ups should allow others to repeat your methodology to solve the level.  The notebook will be graded based upon the following rubric:
  • Number of levels solved
  • Description of vulnerability
  • Description of technique, URL, or script used to exploit vulnerability
  • Description of prevention or other remediation to mitigate threat
All lab assignments must be completed to obtain the minimum passing grade. Beyond the required labs, progression through additional levels and the difficulty of the levels will determine grading.
Homework and Programs
  • Homework and programming assignments are to be done individually, but lab and project work will be done collaboratively with another student.
  • Homework from the CS 410 CTF can be submitted directly via flag submissions for lessons and challenges.
  • All other assignments are to be submitted to the corresponding D2L dropbox folder.
  • Assignments are due by the beginning of class. Late assignments will be docked 10% for each day late, up to 5 days. After 5 days, late assignments will not be accepted.
Final project
You and your partner will select and attempt one of the PentesterLab exercises outside of the Web For Pentester levels. For this exercise, your group will create a narrated screencast that walks through the level from set-up to completion. Screencast recording and submission are to be done via PSU's MediaSpace on the course's channel. The project will be graded based upon the following rubric:
  • Exercise difficulty
  • Guided vs. CTF
  • Thoroughness of walkthrough (including setup)
  • Analysis of vulnerability and description of prevention/remediation
On the last day of class, students will select a walk-through from a different group and repeat the exercise described.  Please bring headphones.

Course objectives

  • Learn the basics of web clients, servers, protocols, and programming
  • Understand common, high-risk web vulnerabilities
  • Practice ethical hacking to demonstrate how web vulnerabilities may be leveraged
  • Develop web penetration testing skills

Policies

Grading
  Attendance                       10%
  Homework                         30%
  Programs                         20%
  Lab notebook                     20%
  Final project and walkthrough    10%
  Final exam                       10%
Attendance
The class is based on students putting in time and effort to become proficient. As a result, attendance is mandatory and absences will count against a student's overall grade.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.