Course Description Class Logistics & Grading Topics Important Dates
Instructor: Prateek Saxena (prateeks at comp dot nus dot edu dot sg)
TAs Shiqi Shen & Deli Gong (Email: cs5331.ta at gmail dot com)
Room & Timings: LT19 , Tuesday 6:30 - 8:30 pm
IVLE Page: CS5331
Semester: AY 2016/2017 Semester 2


Course Description

The web is our gateway to many critical services and is quickly evolving as a platform to connect all our devices. Web vulnerabilities are growing on a year-to-year basis and designing secure web applications is challenging. This course introduces you to the field of web security: that is, how to build secure web applications. The course covers fundamental concepts of web programming, web vulnerability exploitation, web browser design flaws, and a few advanced topics in web privacy.

The goal of this class is to enable students to:

  • Get hands-on experience on web programming
  • Critically audit web applications for security flaws.
  • Design and implement exploits for real security bugs.
  • Develop secure web applications.

Schedule & Syllabus

The table below lists the schedule of topics.

WeekDateTopic ReadingsAnnouncements
1 10 Jan Web Basics: HTML, CSS, JS, URLs, DOM, Frames, HTTP, Navigation, X-Domain communication Lecture Notes  
2 17 Jan

Network Attacks & HTTPS


Lecture Videos

Assgt. 1 out
3 24 Jan

Limitations of HTTPS

Recommended: More Tricks for Defeating SSL in Practice


4 31 Jan

Same Origin Policy & The Web Attacker Model

Injection Flaws (I): Cross-site Scripting (XSS)

Recommended: Towards a Formal Foundation of Web Security

5 7 Feb

Injection Flaws (II) : XSS (contd.), SQL Injection, OS Command Injection, HTTP Header Injection


Taint-Enhanced Policy Enforcement

Document Structure Integrity


6 14 Feb

(I) Authentication Flaws

(II) Request Authorization Flaws


(I) Robust Defenses for Cross-Site Request Forgery

(II) Signing Me onto Your Accounts through Facebook and Google


Assgt. 2 out
  21 Feb

No class -- Recess Week

7 28 Feb

Guest Lecture / Tutorial Session --- instructor out of town



8 7 Mar

Insecure Web Logic: Logic Flaws, HTTP Pollution, HTTP Parameter Tampering

Recommended: Toward Black-Box Detection of Logic Flaws in Web Applications


9 14 Mar Cookie Flaws and Server Misconfiguration

Recommended: Cookies Lack Integrity: Real-World Implications

Assgt. 3 out

21 Mar

Attacks on User Interfaces

Recommended: Clickjacking Attacks And Defenses


11 28 Mar

Browser Design & Flaws

Recommended: The Security Architecture of the Chromium Browser



4 Apr

User Privacy: Browser & Device Fingerprinting, User Tracking, Browser Caching Flaws

Recommended: Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting



11 Apr

Assignment 3 Competition




Class Logistics & Grading

This class is heavy and requires hands-on programming and experimentation. I will explain the detailed logistics of the course in the first lecture. There will be no exam, labs or tutorials for the course.

The entire grade is divided across 4 project assignments. The first project is done individually, and the rest can be done in teams of at most 4 students. In each project, the team members are expected to individually implement certain parts and declare their collaborative contributions explicitly. Grade distribution is as follows:

  • Assignment 1: Make your App (30%)
  • Assignment 2: Exploits! (30%)
  • Assignment 3: Scan'em all (30%)
  • YouTeach Videos (10%)

Each student is expected to have access to his own laptop / desktop. All project assignments are distributed as VirtualBox VMs; you are expected to be able to setup and run these VMs. If you do not have access to your own laptop / desktop, you should approach the instructor within the first week of the course.


Who should take this class?

This is a graduate-level class for students interested in understanding web security, both conceptually and operationally. The class is designed to be somewhat self-paced and self-taught; all graded assignments are done at home. Lectures will only cover topics at a conceptual level. Being a graduate class, you are expected to pick-up and learn new things on your own with help from your friends / teammates and from the web. The IVLE forum is your best friend --- if you get stuck, ask questions and exchange ideas freely on the forum or consult the web. The instructor and TAs will *not* help debug your code, or tell you how to overcome technical difficulties. There is no restriction on your communication with your colleagues, so be prepared to ask around and pick things up on your own.


The prerequisite is good undergraduate level understanding of computer science and having taken a undergraduate or graduate course in security. Exceptions to prerequisite requirements are allowed with the permission of the instructor.

Note on Ethics

In this class, you will be exposed to several powerful attack techniques. This class is not an invitation exploit vulnerabilities in the wild without informed consent of all involved parties. Attacking someone else's computer system is an offence; you are expected to use your knowledge with discretion.

For all readings and assignments, please feel free to discuss with your peers and use the Internet. All students must comply with NUS academic honesty policies.