Course Description Class Logistics & Grading Topics Important Dates
Instructor: Prateek Saxena (dcsprs at nus dot edu dot sg)
TAs Shen Shiqi & Loi Luu (Email:cs5331.ta at gmail dot com; Office Hour: 5:30 - 6:30 pm before class)
Room & Timings: LT19 , Tuesday 6:30 - 8:30 pm
IVLE Page: CS5331
Semester: AY 2015/2016 Semester 2


Course Description

The web is our gateway to many critical services and is quickly evolving as a platform to connect all our devices. Web vulnerabilities are growing on a year-to-year basis and designing secure web applications is challenging. This course introduces you to the field of web security: that is, how to build secure web applications. The course covers fundamental concepts of web programming, web vulnerability exploitation, web browser design flaws, and a few advanced topics in web privacy.

The goal of this class is to enable students to:

  • Get hands-on experience on web programming
  • Critically audit web applications for security flaws.
  • Design and implement exploits for real security bugs.
  • Develop secure web applications.

Schedule & Syllabus

The table below lists the schedule of topics.

WeekDateTopic ReadingsAnnouncements
1 12 Jan Web Basics: HTML, CSS, JS, URLs, DOM, Frames, HTTP, Navigation, X-Domain communication Lecture Videos Assgt. 0 out
2 19 Jan Network Attacks & HTTPS

Lecture Videos

Assgt. 1 out
3 26 Jan

No class -- Instructor is on leave

4 2 Feb

Limitations of HTTPS

Recommended: More Tricks for Defeating SSL in Practice


5 9 Feb

No class -- Chinese New Year

6 16 Feb

Same Origin Policy & Web Attacker Model

Injection Flaws (I): Cross-site Scripting (XSS)

Recommended: Towards a Formal Foundation of Web Security

Assgt. 2 out
  23 Feb

No class -- Recess Week

7 1 Mar Injection Flaws (II) : XSS (contd.), SQL Injection, OS Command Injection, HTTP Header Injection


Taint-Enhanced Policy Enforcement

Document Structure Integrity



8 8 Mar

(I) Authentication Flaws

(II) Request Authorization Flaws


(I) Robust Defenses for Cross-Site Request Forgery

(II) Signing Me onto Your Accounts through Facebook and Google


9 15 Mar Insecure Web Logic: Logic Flaws, HTTP Pollution, HTTP Parameter Tampering

Recommended: Toward Black-Box Detection of Logic Flaws in Web Applications


Assgt. 3 out

22 Mar

Cookie Flaws and Server Misconfiguration

Recommended: Cookies Lack Integrity: Real-World Implications

11 29 Mar

Attacks on User Interfaces

Recommended: Clickjacking Attacks And Defenses



5 Apr

Browser Design & Flaws

Recommended: The Security Architecture of the Chromium Browser



12 Apr

User Privacy: Browser & Device Fingerprinting, User Tracking, Browser Caching Flaws

Recommended: Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting





Class Logistics & Grading

This class is heavy and requires hands-on programming and experimentation. I will explain the detailed logistics of the course in the first lecture. There will be no exam, labs or tutorials for the course.

The entire grade is divided across 4 project assignments. The first project is done individually, and the rest can be done in teams of at most 4 students. In each project, the team members are expected to individually implement certain parts and declare their collaborative contributions explicitly. Grade distribution is as follows:

  • Assignment 0: Setup (5%)
  • Assignment 1: Make your App (25%)
  • Assignment 2: Exploits! (20%)
  • Assignment 3: Scan'em all (50%)

Each student is expected to have access to his own laptop / desktop. All project assignments are distributed as VirtualBox VMs; you are expected to be able to setup and run these VMs. If you do not have access to your own laptop / desktop, you should approach the instructor within the first week of the course.


Who should take this class?

This is a graduate-level class for students interested in understanding web security, both conceptually and operationally. The class is designed to be somewhat self-paced and self-taught; all graded assignments are done at home. Lectures will only cover topics at a conceptual level. Being a graduate class, you are expected to pick-up and learn new things on your own with help from your friends / teammates and from the web. The IVLE forum is your best friend --- if you get stuck, ask questions and exchange ideas freely on the forum or consult the web. The instructor and TAs will *not* help debug your code, or tell you how to overcome technical difficulties. There is no restriction on your communication with your colleagues, so be prepared to ask around and pick things up on your own.


The prerequisite is good undergraduate level understanding of computer science and having taken a undergraduate or graduate course in security. Exceptions to prerequisite requirements are allowed with the permission of the instructor.

Note on Ethics

In this class, you will be exposed to several powerful attack techniques. This class is not an invitation exploit vulnerabilities in the wild without informed consent of all involved parties. Attacking someone else's computer system is an offence; you are expected to use your knowledge with discretion.

For all readings and assignments, please feel free to discuss with your peers and use the Internet. All students must comply with NUS academic honesty policies.