Course Description Class Logistics & Grading Topics Important Dates
Instructor: Prateek Saxena (dcsprs at nus dot edu dot sg)
TAs Enrico Budianto & Shweta Shinde (ta2014.cs5331 at
Room & Timings: LT19 , Fridays 6:30 - 8:30 pm
IVLE Page: CS5331
Semester: AY 2013/2014 Semester 2


Course Description

The web is our gateway to many critical services and is quickly evolving as a platform to connect all our devices. Web vulnerabilities are growing on an year-to-year basis and designing secure web applications is challenging. This course introduces you to the field of web security: that is, how to build secure web applications. The course covers fundamental concepts of web programming, web vulnerability exploitation, web browser design flaws, and a few advanced topics in web privacy.

The goal of this class is to enable students to:

  • Get hands-on experience on web programming
  • Critically audit web applications for security flaws.
  • Design and implement exploits for real security bugs.
  • Develop secure web applications.

Schedule & Syllabus

The table below lists the schedule of topics.

WeekDateTopic ReadingsAnnouncements
1 17 Jan Web Basics: HTML, CSS, JS, URLs, DOM, Frames, HTTP, Navigation, X-Domain communication   Assgt. 0 out
2 24 Jan Network vs. Web Attackers & The Same Origin Policy

Recommended: Towards a Formal Foundation of Web Security



3 31 Jan

No class -- Public Holiday

  Assgt. 1 out
4 7 Feb

Limits of HTTPS : Mixed Content, SSL Flaws, PKI Insecurity; UI Attacks: Phishing, Clickjacking

Recommended: More Tricks for Defeating SSL in Practice


5 14 Feb Injection Flaws: SQL Injection, OS Command Injection, Cross-site Scripting (XSS)

Recommended: Document Structure Integrity



6 21 Feb Attacking the Client-Server Communication: HTTP Header Injection, CSRF, HPP, HTTP Parameter Tampering

Recommended: Robust Defenses for Cross-Site Request Forgery


Assgt 2 out (planned)
  28 Feb

No class -- Reading week

7 7 Mar Authentication Flaws: Password Theft, Weak Authentication, Open Redirects, Single Sign-on bugs

Recommended: AUTHSCAN: Automatic Extraction of Web Authentication Protocols
from Implementations


8 14 Mar Misc: Access Control, Logic Flaws, JS Isolation Bugs, File Type Confusion, EARs    
9 21 Mar

No class -- Out of town

  Assgt 3 out (planned)
10 28 Mar Browser Flaws & Privilege Separated Designs    
11 4 Apr Browser Extensions & Plugin Security, Cross-origin Code Injection    
12 11 Apr Privacy Flaws: Browser & Device Fingerprinting, User Tracking, Browser Caching Flaws    
13 18 Apr

No class -- Public Holiday



Class Logistics & Grading

This class is heavy and requires hands-on programming and experimentation. I will explain the detailed logistics of the course in the first lecture. There will be no exam, labs or tutorials for the course.

The entire grade is divided across 4 project assignments. The first project is done individually, and the rest can be done in teams of at most 4 students. In each project, the team members are expected to individually implement certain parts and declare their collaborative contributions explicitly. Grade distribution is as follows:

  • Assignment 0: Setup (5%)
  • Assignment 1: Meet Jack: (25%)
  • Assignment 2: Meet Tyler: (20%)
  • Assignment 3: Project Mayhem: (50%)

Each student is expected to have access to his own laptop / desktop. All project assignments are distributed as VirtualBox VMs; you are expected to be able to setup and run these VMs. If you do not have access to your own laptop / desktop, you should approach the instructor within the first week of the course.


Who should take this class?

This is a graduate-level class for students interested in understanding web security, both conceptually and operationally. The class is designed to be somewhat self-paced and self-taught; all graded assignments are done at home. Lectures will only cover topics at a conceptual level. Being a graduate class, you are expected to pick-up and learn new things on your own with help from your friends / teammates and from the web. The IVLE forum is your best friend --- if you get stuck, ask questions and exchange ideas freely on the forum or consult the web. The instructor and TAs will *not* help debug your code, or tell you how to overcome technical difficulties. There is no restriction on your communication with your colleagues, so be prepared to ask around and pick things up on your own.


The prerequisite is good undergraduate level understanding of computer science and having taken a undergraduate or graduate course in security. Exceptions to prerequisite requirements are allowed with the permission of the instructor.

Note on Ethics

In this class, you will be exposed to several powerful attack techniques. This class is not an invitation exploit vulnerabilities in the wild without informed consent of all involved parties. Attacking someone else's computer system is an offence; you are expected to use your knowledge with discretion.

For all readings and assignments, please feel free to discuss with your peers and use the Internet. All students must comply with NUS academic honesty policies.