Instructor: | Prateek Saxena (dcsprs at nus dot edu dot sg) | |
TAs | Enrico Budianto & Shweta Shinde (ta2014.cs5331 at gmail.com) | |
Room & Timings: | LT19 , Fridays 6:30 - 8:30 pm | |
IVLE Page: | CS5331 | |
Semester: | AY 2013/2014 Semester 2 |
The web is our gateway to many critical services and is quickly evolving as a platform to connect all our devices. Web vulnerabilities are growing on an year-to-year basis and designing secure web applications is challenging. This course introduces you to the field of web security: that is, how to build secure web applications. The course covers fundamental concepts of web programming, web vulnerability exploitation, web browser design flaws, and a few advanced topics in web privacy.
The goal of this class is to enable students to:
The table below lists the schedule of topics.
Week | Date | Topic | Readings | Announcements |
---|---|---|---|---|
1 | 17 Jan | Web Basics: HTML, CSS, JS, URLs, DOM, Frames, HTTP, Navigation, X-Domain communication | Assgt. 0 out | |
2 | 24 Jan | Network vs. Web Attackers & The Same Origin Policy | Recommended: Towards a Formal Foundation of Web Security Optional: |
|
3 | 31 Jan |
|
Assgt. 1 out | |
4 | 7 Feb | Limits of HTTPS : Mixed Content, SSL Flaws, PKI Insecurity; UI Attacks: Phishing, Clickjacking |
Recommended: More Tricks for Defeating SSL in Practice Optional: |
|
5 | 14 Feb | Injection Flaws: SQL Injection, OS Command Injection, Cross-site Scripting (XSS) | Recommended: Document Structure Integrity Optional:
|
|
6 | 21 Feb | Attacking the Client-Server Communication: HTTP Header Injection, CSRF, HPP, HTTP Parameter Tampering | Recommended: Robust Defenses for Cross-Site Request Forgery Optional: |
Assgt 2 out (planned) |
28 Feb |
|
|||
7 | 7 Mar | Authentication Flaws: Password Theft, Weak Authentication, Open Redirects, Single Sign-on bugs | Recommended: AUTHSCAN: Automatic Extraction of Web Authentication Protocols Optional: |
|
8 | 14 Mar | Misc: Access Control, Logic Flaws, JS Isolation Bugs, File Type Confusion, EARs | ||
9 | 21 Mar |
|
Assgt 3 out (planned) | |
10 | 28 Mar | Browser Flaws & Privilege Separated Designs | ||
11 | 4 Apr | Browser Extensions & Plugin Security, Cross-origin Code Injection | ||
12 | 11 Apr | Privacy Flaws: Browser & Device Fingerprinting, User Tracking, Browser Caching Flaws | ||
13 | 18 Apr |
|
This class is heavy and requires hands-on programming and experimentation. I will explain the detailed logistics of the course in the first lecture. There will be no exam, labs or tutorials for the course.
The entire grade is divided across 4 project assignments. The first project is done individually, and the rest can be done in teams of at most 4 students. In each project, the team members are expected to individually implement certain parts and declare their collaborative contributions explicitly. Grade distribution is as follows:
Each student is expected to have access to his own laptop / desktop. All project assignments are distributed as VirtualBox VMs; you are expected to be able to setup and run these VMs. If you do not have access to your own laptop / desktop, you should approach the instructor within the first week of the course.
This is a graduate-level class for students interested in understanding web security, both conceptually and operationally. The class is designed to be somewhat self-paced and self-taught; all graded assignments are done at home. Lectures will only cover topics at a conceptual level. Being a graduate class, you are expected to pick-up and learn new things on your own with help from your friends / teammates and from the web. The IVLE forum is your best friend --- if you get stuck, ask questions and exchange ideas freely on the forum or consult the web. The instructor and TAs will *not* help debug your code, or tell you how to overcome technical difficulties. There is no restriction on your communication with your colleagues, so be prepared to ask around and pick things up on your own.
Prerequisites
The prerequisite is good undergraduate level understanding of computer science and having taken a undergraduate or graduate course in security. Exceptions to prerequisite requirements are allowed with the permission of the instructor.
In this class, you will be exposed to several powerful attack techniques. This class is not an invitation exploit vulnerabilities in the wild without informed consent of all involved parties. Attacking someone else's computer system is an offence; you are expected to use your knowledge with discretion.
For all readings and assignments, please feel free to discuss with your peers and use the Internet. All students must comply with NUS academic honesty policies.