| Instructor: | Prateek Saxena (dcsprs at nus dot edu dot sg) | |
| TAs | Shen Shiqi & Loi Luu (Email:cs5331.ta at gmail dot com; Office Hour: 5:30 - 6:30 pm before class) | |
| Room & Timings: | LT19 , Tuesday 6:30 - 8:30 pm | |
| IVLE Page: | CS5331 | |
| Semester: | AY 2015/2016 Semester 2 |
The web is our gateway to many critical services and is quickly evolving as a platform to connect all our devices. Web vulnerabilities are growing on a year-to-year basis and designing secure web applications is challenging. This course introduces you to the field of web security: that is, how to build secure web applications. The course covers fundamental concepts of web programming, web vulnerability exploitation, web browser design flaws, and a few advanced topics in web privacy.
The goal of this class is to enable students to:
The table below lists the schedule of topics.
| Week | Date | Topic | Readings | Announcements |
|---|---|---|---|---|
| 1 | 12 Jan | Web Basics: HTML, CSS, JS, URLs, DOM, Frames, HTTP, Navigation, X-Domain communication | Lecture Videos | Assgt. 0 out |
| 2 | 19 Jan | Network Attacks & HTTPS | Lecture Videos |
Assgt. 1 out |
| 3 | 26 Jan |
|
||
| 4 | 2 Feb | Limitations of HTTPS |
Recommended: More Tricks for Defeating SSL in Practice Optional: |
|
| 5 | 9 Feb |
|
||
| 6 | 16 Feb | Same Origin Policy & Web Attacker Model Injection Flaws (I): Cross-site Scripting (XSS) |
Recommended: Towards a Formal Foundation of Web Security Optional: |
Assgt. 2 out |
| 23 Feb |
|
|||
| 7 | 1 Mar | Injection Flaws (II) : XSS (contd.), SQL Injection, OS Command Injection, HTTP Header Injection | Recommended: Taint-Enhanced Policy Enforcement Optional:
|
|
| 8 | 8 Mar | (I) Authentication Flaws (II) Request Authorization Flaws |
Recommended: (I) Robust Defenses for Cross-Site Request Forgery (II) Signing Me onto Your Accounts through Facebook and Google Optional: |
|
| 9 | 15 Mar | Insecure Web Logic: Logic Flaws, HTTP Pollution, HTTP Parameter Tampering | Recommended: Toward Black-Box Detection of Logic Flaws in Web Applications Optional: |
Assgt. 3 out |
| 10 | 22 Mar |
Cookie Flaws and Server Misconfiguration |
Recommended: Cookies Lack Integrity: Real-World Implications |
|
| 11 | 29 Mar | Attacks on User Interfaces |
Recommended: Clickjacking Attacks And Defenses Optional: |
|
| 12 | 5 Apr |
Browser Design & Flaws | Recommended: The Security Architecture of the Chromium Browser Optional: |
|
| 13 | 12 Apr |
User Privacy: Browser & Device Fingerprinting, User Tracking, Browser Caching Flaws | Recommended: Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting Optional:
|
This class is heavy and requires hands-on programming and experimentation. I will explain the detailed logistics of the course in the first lecture. There will be no exam, labs or tutorials for the course.
The entire grade is divided across 4 project assignments. The first project is done individually, and the rest can be done in teams of at most 4 students. In each project, the team members are expected to individually implement certain parts and declare their collaborative contributions explicitly. Grade distribution is as follows:
Each student is expected to have access to his own laptop / desktop. All project assignments are distributed as VirtualBox VMs; you are expected to be able to setup and run these VMs. If you do not have access to your own laptop / desktop, you should approach the instructor within the first week of the course.
This is a graduate-level class for students interested in understanding web security, both conceptually and operationally. The class is designed to be somewhat self-paced and self-taught; all graded assignments are done at home. Lectures will only cover topics at a conceptual level. Being a graduate class, you are expected to pick-up and learn new things on your own with help from your friends / teammates and from the web. The IVLE forum is your best friend --- if you get stuck, ask questions and exchange ideas freely on the forum or consult the web. The instructor and TAs will *not* help debug your code, or tell you how to overcome technical difficulties. There is no restriction on your communication with your colleagues, so be prepared to ask around and pick things up on your own.
The prerequisite is good undergraduate level understanding of computer science and having taken a undergraduate or graduate course in security. Exceptions to prerequisite requirements are allowed with the permission of the instructor.
In this class, you will be exposed to several powerful attack techniques. This class is not an invitation exploit vulnerabilities in the wild without informed consent of all involved parties. Attacking someone else's computer system is an offence; you are expected to use your knowledge with discretion.
For all readings and assignments, please feel free to discuss with your peers and use the Internet. All students must comply with NUS academic honesty policies.