WEB - SECURITY Course Outline

The document outlines a syllabus for a web security course aimed at teaching students how to build secure web applications and audit for vulnerabilities. It covers topics such as web basics, network attacks, injection flaws, authentication issues, and includes a practical lab and end-of-course project. The course aims to provide hands-on experience with web programming and security auditing techniques.

Uploaded by

aldikhalid151
WEB SECURITY - SYLLABUS

December 7, 2024

Course Objective
The web is our gateway to many critical services and is quickly evolving as
a platform to connect all our devices. Web vulnerabilities are growing on
a year-to-year basis, and designing secure web applications is challenging.
This course introduces students to the field of web security: how to build
secure web applications.
The goal of this course is to enable students to:

• Gain hands-on experience with web programming.

• Critically audit web applications for security flaws.

• Design and implement exploits for real security bugs.

• Develop secure web applications.

Course Content
1. Web Basics: HTML, CSS, JS, URLs, DOM, Frames, HTTP, Navigation, Cross-Domain Communication.

2. Network Attacks & HTTPS.

3. Limitations of HTTPS.

4. Same Origin Policy & Web Attacker Model.

5. Injection Flaws (I): Cross-site Scripting (XSS).

6. Injection Flaws (II): SQL Injection, OS Command Injection, HTTP Header Injection.

7. Authentication Flaws.

8. Request Authorization Flaws.

9. Cookie Flaws and Server Misconfiguration.

10. Attacks on User Interfaces.

References
1. Gollmann D. (2011). Computer Security, 3rd edition.

2. Stallings W., Brown L. Computer Security: Principles and Practice, Prentice Hall, 3rd edition.

5-Day Course Plan
Day 1: Introduction to Web Security and Fundamentals
Topics:
• Introduction to Web Security:
– Importance of securing web applications.
– Overview of common vulnerabilities and their impact.
• Web Basics:
– HTML, CSS, and JS fundamentals.
– Understanding URLs and DOM structure.
– Frames, HTTP request-response cycle, navigation.
– Introduction to Cross-Domain Communication.
• Network Attacks and HTTPS:
– Basics of HTTPS and its role in securing web traffic.
– Examples of network-based attacks: eavesdropping, man-in-the-middle (MITM), and DNS spoofing.
Activities:
• Analyze a simple HTML page and identify its elements (tags, structure).
• Discuss scenarios where HTTPS protects data and where it may fail.

Day 2: Authentication Flaws and the Web Attacker Model
Topics:
• Limitations of HTTPS:
– Certificate authority (CA) vulnerabilities and exploitation.
– SSL/TLS downgrade attacks.
• Same-Origin Policy and Web Attacker Model:
– Understanding same-origin policy (SOP) and its importance.
– Attack vectors enabled by SOP bypasses.
• Authentication Flaws:
– Common issues in authentication mechanisms:
∗ Weak password policies.
∗ Token-based authentication flaws.
– Case studies of real-world authentication breaches.

Activities:
• Students analyze a login form and identify weaknesses.
• Simulate a basic token-based authentication process and discuss how tokens can be compromised.

Day 3: Injection Attacks and Server-Side Vulnerabilities
Topics:
• Injection Flaws (I):
– Cross-Site Scripting (XSS):
∗ Reflected XSS.
∗ Stored XSS.
∗ DOM-based XSS.
• Injection Flaws (II):

– SQL Injection:
∗ Exploiting improperly sanitized inputs.
∗ Extracting sensitive data via SQLi.
– OS Command Injection and HTTP Header Injection:
∗ Understanding and demonstrating potential exploits.
• Cookie Flaws and Server Misconfiguration:
– Misconfigured cookie flags (e.g., HttpOnly, Secure).
– Server-side errors leading to data leakage.

Activities:
• Simulate an XSS attack on a demo web application.
• Perform basic SQL Injection to retrieve data in a controlled environment.

Day 4: Practical Lab on Web Exploits

Objective: Apply theoretical knowledge in a practical setting.
• Perform SQL Injection to extract data from a vulnerable web application.
• Exploit XSS to steal session cookies and simulate user impersonation.
• Test for authentication flaws, such as bypassing login mechanisms.
• Identify vulnerabilities in server configurations.
Tools:
• OWASP Juice Shop or DVWA (Damn Vulnerable Web Application).
• Burp Suite for traffic interception and analysis.

Day 5: End-of-Course Project

Objective: Conduct a comprehensive audit of a provided web application.
• Tasks:
– Identify and exploit vulnerabilities in the application, including:
∗ Injection flaws (SQLi, XSS).
∗ Authentication and authorization issues.
∗ Cookie-related flaws.
– Write a detailed vulnerability report outlining:
∗ Identified issues.
∗ Exploitation methods.
∗ Proposed mitigations.
• Deliverables:
– A comprehensive vulnerability report.
– A presentation summarizing findings and fixes.

Tools:
• Same tools as Day 4, plus any scripting tools needed for custom exploit creation.
