Web Security

Instructor: Wu-chang Feng
Contact and discussion: Office hours: here
Recommended text:
  • OWASP Top 10 (2013)
Course Description
This course provides an introduction to how the web works, web site vulnerabilities, and techniques to improve web security.  The course provides students with key concepts that underlie common web vulnerabilities, helps them develop skills to leverage them, and demonstrates mechanisms for preventing them.


Week Topic Slides Labs and Homework
1 Course motivation and overview
  Web Basics
  Web client programming
3 A5: Broken Access Control
  A4: XML External Entities (XXE)
  A3: Sensitive Data Exposure
4 A1 (Part 1): Injection (Command, Code)
  Labs: A1 (Part 1)
5 A1 (Part 2): Injection (SQL)
  A1 (Part 3): Injection (Blind SQL)
  Labs: A1 (Part 2), A1 (Part 3)
6 A2: Broken Authentication
7 A7: Cross-site Scripting (XSS)
  A8: Insecure Deserialization
  Program #1 due in D2L
8 A6: Security Misconfiguration
  A9: Using Known Vulnerable Components
  A10: Insufficient Logging and Monitoring
  A: CSRF, Unvalidated Redirects and Forwards
  Cloud security
  Program #2 due in D2L
  Final project listings | sign-up
9 X0: Reconnaissance tools
  X1: Penetration testing, exploitation, and WAFs (metasploit, sqlmap, w3af, zap)
  Final project
  Final project screencast due on MediaSpace (Wed, Dec 6, 11:59pm)
Finals Final CTF (Thurs., Dec 7, 12:30pm - 2:20pm)
  Lab notebook due in D2L (Sun, Dec 10, 11:59pm)
  All homework levels due (Sun, Dec 10, 11:59pm)


Labs and notebook
Lab assignments will be given each class covering the course material. You and your partner will solve each one, while maintaining a shared lab notebook (a single Google or Office Doc) that contains your write-ups of the labs.  The write-ups should include the vulnerability being demonstrated, how you solved it, and possible remediations to mitigate the threat.  Include screenshots as needed.  Write-ups should allow others to repeat your methodology to solve the level.  The notebook will be graded based upon the following rubric:
  • Number of levels solved
  • Description of vulnerability
  • Description of technique, URL, or script used to exploit vulnerability
  • Description of prevention or other remediation to mitigate threat
Homework and Programs
Homework and programming assignments are to be done individually. Homework from the CS 495 CTF can be submitted directly via flag submissions on the site. Programming assignments are to be submitted to the corresponding D2L dropbox folder. Assignments are due by the beginning of class. Late assignments will be docked 10% for each day late, up to 5 days. After 5 days, late assignments will not be accepted. Programs will be graded based upon the general rubric below.
  • Correctness of program
  • Efficiency of the algorithm
  • Conciseness, clarity, and modularity of the code
  • Code documentation via Python Docstrings
Specific criteria for each program are included in the assignment write-up.
Final project
You and your partner will select and attempt one of the free levels from the lab site. For this exercise, your group will create a narrated screencast that walks through the level from set-up to completion.  Screencast recording and submission are to be done via PSU's MediaSpace on the course's channel.  The project will be graded based upon the following rubric:
  • Exercise difficulty
  • Thoroughness of walkthrough (including setup)
  • Analysis of vulnerability and description of prevention/remediation.
On the last day of class, students will select a walkthrough from a different group and repeat the exercise it describes.  Please bring headphones.

Course objectives
  • Learn the basics of web clients, servers, protocols, and programming
  • Understand common, high-risk web vulnerabilities
  • Practice ethical hacking to demonstrate how web vulnerabilities may be leveraged
  • Develop web penetration testing skills


Attendance 10%
Homework 30%
Programs 20%
Lab Notebook 20%
Final Project and Walkthrough 10%
Final Exam CTF 10%
The class is based on students putting in time and effort to become proficient. As a result, attendance is mandatory and absences will count against a student's overall grade.
Academic misconduct
  • Includes allowing another student to copy your work unless specifically allowed by the instructor.
  • Includes copying blocks of code from external sources without proper attribution
  • Results in a grade of 0 for the assignment or exam.
  • Results in the initiation of disciplinary action at the university level.