Web Application Security

Rotterdam University of Applied Sciences


Web applications are currently the predominant source of software vulnerabilities exploited in online attacks. The quantity and importance of the data entrusted to web applications is growing, and defenders need to learn how to secure them. Traditional network defences, such as firewalls, fail to secure web applications. There is a growing need and demand for web programmers to be security literate.

This course introduces these risks and helps students to better understand web application vulnerabilities, enabling them to properly defend organizations’ web assets. It covers the main types of web application vulnerabilities and the current professional coding and testing best practices needed to develop and test secure web applications.


Disclaimer!

Read this disclaimer carefully, and ensure you clearly understand all statements, before you start the course:

  • You understand that in this class we may cover methods to exploit vulnerabilities in contemporary computer systems and computer networks.

  • You further understand that we may learn techniques employed by unethical individuals to circumvent security mechanisms, violate copyright, cause damage, cause financial loss, or break the law in other ways.

  • You hereby pledge to use all information obtained in this class in an ethical and responsible manner, properly observing University Policy and the law.

  • You further pledge to abide by course rules, in particular (but not limited to) hacking systems declared off-limits by the instructional staff.

  • By using the course materials, you accept that you will only lawfully use them in a test lab – with devices that you own or are allowed to conduct penetration tests on – to enhance your own knowledge. We do not endorse use of any information expressed in the course outside of a lab environment.

  • Any actions and/or activities related to the materials contained in this course are solely your responsibility. The misuse of the knowledge and information in this course can result in criminal charges brought against the persons in question.


Course Description

You can find the full course descriptor at: Web Application Security Course Descriptor


Course Platform

We will be using Edmodo as the platform for communication, sharing the materials, announcements, etc. It is a global education network that helps connect all learners with the people and resources needed to reach their full potential.

Edmodo

Please register on Edmodo if you do not have an account yet. Then you can join the class using the code given to you by your instructor in class.


Learning Outcome

On completion of this module, students will be able to:

  1. Understand web application security and its importance.

  2. Understand common coding mistakes and the vulnerabilities of web applications.

  3. Explain how developers’ mistakes may be exploited to the benefit of attackers and how to prevent these attacks.

  4. Build secure web applications using secure coding practices.


Assessment

The course assessment includes one Final Exam.

The exam paper contains at least 40 multiple-choice questions covering all topics in the course.

A student needs to obtain a minimum of 60% of the marks to pass the course.


Slides

The print-friendly version of the course slides can be downloaded below:

Week 1: The Basics

Week 2: Passing Data to Subsystems

Week 3: User Input

Week 4: Output Handling

Week 5: Web Trojans

Week 6: No Lecture

Week 7: Exam Tips and Discussion (Slides will be available for download in week 8)

Please note that reading the slides alone is not sufficient to pass the course. You will need to read the textbook to ensure you understand the topics discussed in class.


Quizzes

There are weekly quizzes designed to help you review and assess the knowledge gained in the past weeks.

Please note the submission deadline of each quiz.

The quizzes are prepared in Edmodo.


Lab Practices

Lab instructions can be downloaded below:

Week 1: No Lab

Week 2: HTTP Requests and Responses

Week 3: Building a Security Lab

Week 4: SQL Injection

Week 5: Input Validation

Week 6: Cross-site Scripting

Week 7: No Lab


Textbook:

Sverre H. Huseby. Innocent Code: A Security Wake-Up Call for Web Programmers. Wiley; 1 edition (January 30, 2004)

Additional References:

Paco Hope and Ben Walther. Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast. O’Reilly Media; 1 edition (October 27, 2008).

Dafydd Stuttard and Marcus Pinto. The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws. Wiley; 2 edition (September 27, 2011).

Extra Reading:

Jakob Kallin and Irene Lobo Valbuena. Excess XSS: A comprehensive tutorial on cross-site scripting