CNIT 129S: Securing Web Applications

Fall 2025 -- Sam Bowne

Thu 6-9 pm SCIE 37 CRN: 73496

Schedule · Lecture Notes · Projects · Links · Grading

To attend class remotely, go to Twitch

Free Textbook Access

  • Go here
  • Select a School of "City College of San Francisco"
  • Enter your CCSF email address
  • Enter the book's title in the "Find a Solution..." field

Course Justification

Industry advisors have repeatedly asked us to teach this class, because every modern business needs a web presence and there are far too few workers qualified to protect them from hackers. There are many jobs available for students who learn how to protect our healthcare, financial, and other confidential data from criminals, spies, and pranksters.

Catalog Description

Techniques used by attackers to breach Web applications, and how to protect them. How to secure authentication, access, databases, and back-end components. How to protect users from each other. How to find common vulnerabilities in compiled code and source code.

Advisory: CNIT 131 and CNIT 120, or comparable familiarity with websites and security concepts

Learning Outcomes

Upon successful completion of this course, the student will be able to:
  1. Explain the current state of Web application security
  2. Analyze basic application functionality
  3. Secure data stores and back-end components
  4. Protect users from other users
  5. Demonstrate common exploits and patch their root causes
  6. Implement servers and firewalls effectively

Textbook

"The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws", 2nd Edition, by Dafydd Stuttard and Marcus Pinto; ISBN-10: 1118026470. Buy from Amazon

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has five questions; you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

Don't use CCSF's Canvas system for this class. Instead, all students should use this Canvas server:

Enroll Here · View Course · Reset password

Discussion Board

Each CCSF student must contribute to the Discussion Board in Canvas. The due dates for Discussion assignments are listed in the schedule below.

For the topics and requirements, see the Discussion board in Canvas.

Email

For class-related questions, please send messages inside Canvas, or email cnit.129s@gmail.com

Schedule (subject to revision)

Date · Assignment Due · Topic

Thu 8-21 · Due: none · Mod 1
  Ch 1: Web Application (In)security
  Ch 2: Core Defense Mechanisms

Thu 8-28 · Due: Quiz Ch 1-2 *, Proj W 101 * · Mod 2
  Ch 3: Web Application Technologies
  Proj ED 102 Demonstration

Thu 9-4 · Due: Quiz Ch 3 *, Proj ED 102 *, Discussion 1 * · Mod 3
  Demos: ED 103 and W 600

Thu 9-11 · Due: Quiz Ch 4 *, Proj ED 103 *, Discussion 2 * · Mod 4
  Ch 4: Mapping the Application
  Demos: File Path Traversal in the Web Security Academy

Thu 9-18 · Due: Quiz Ch 5, Proj W 600, Discussion 3 · Mod 5
  Ch 5: Bypassing Client-Side Controls
  Demos: OS command injection in the Web Security Academy

Thu 9-25 · Due: Quiz Ch 6, +2 WSA Projects, Discussion 4 · Mod 6
  Ch 6: Attacking Authentication
  Demo: Authentication in the Web Security Academy

Thu 10-2 · Due: No Quiz, +2 WSA Projects, Discussion 5 · Mod 7
  Ch 7: Attacking Session Management
  Demo: WSA SQL Injection

Thu 10-9 · Due: No Quiz · Mod 8
  TBA

Thu 10-16 · Due: Quiz Ch 7 & 8, +2 WSA Projects, Discussion 6, Turn in WSA Scores · Mod 9
  Ch 8: Attacking Access Controls
  Ch 9: Attacking Data Stores (Part 1)
  Demos: WSA SQL Injection, starting with "listing the database contents..."

Thu 10-23 · Due: Quiz Ch 9, +2 WSA Projects, Discussion 7 · Mod 10
  Ch 9: Attacking Data Stores (Part 2)
  Demo: WSA Cross-site scripting

Thu 10-30 · Due: Quiz Ch 10, +2 WSA Projects, Discussion 8 · Mod 11
  Ch 10: Attacking Back-End Components
  Demo: WSA Exploiting XSS to perform CSRF

Thu 11-6 · Due: No Quiz · Mod 12
  Hacking APIs

Thu 11-13 · Due: Quiz Ch 11, +2 WSA Projects, Discussion 9 · Mod 13
  Ch 11: Attacking Application Logic
  Demo: WSA CSRF

Thu 11-20 · Due: Quiz Ch 12, +2 WSA Projects, Discussion 10 · Mod 14
  Ch 12: Attacking Users: Cross-Site Scripting
  Demo: WSA JWT

Thu 11-27 · No Quiz · Holiday: No Class

Thu 12-4 · Due: Quiz Ch 13, +2 WSA Projects · Mod 15
  Ch 13: Attacking Users: Other Techniques
  Demo: WSA Information disclosure

Thu 12-11 · Due: No Quiz, All Extra Credit Due · Last Class: No New Material

Fri 12-12 through Fri 12-19
  Final Exam available online throughout the week. You can only take it once.

All quizzes due 30 min. before class
* No late penalty until 9-11

Lectures

Grading Policy · First Day Handout

Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms · KEY · PDF
Ch 3: Web Application Technologies · KEY · PDF
Getting started with Burp Suite
Ch 4: Mapping the Application · KEY · PDF
Ch 5: Bypassing Client-Side Controls · KEY · PDF
Ch 6: Attacking Authentication · KEY · PDF
Ch 7: Attacking Session Management · KEY · PDF
Ch 8: Attacking Access Controls · KEY · PDF
Ch 9: Attacking Data Stores (Part 1 of 2) · KEY · PDF
Ch 9: Attacking Data Stores (Part 2 of 2) · KEY · PDF
Ch 10: Attacking Back-End Components · KEY · PDF
Ch 11: Attacking Application Logic · KEY · PDF
Ch 12: Attacking Users: Cross-Site Scripting · KEY · PDF
Ch 13: Attacking Users: Other Techniques (Part 1 of 2) · KEY · PDF
Ch 13: Attacking Users: Other Techniques (Part 2 of 2) · KEY · PDF
Ch 14: Automating Customized Attacks
Ch 15: Exploiting Information Disclosure

To get PPT files, use Cloud Convert.

Projects

Submitting Projects

CCSF students must do these things to get credit:

  • Perform the project steps until you find a flag
  • Capture a whole-desktop image showing the flag
  • Outline or highlight the flag in the image
  • Submit the image in the appropriate Project in Canvas
  • Type the flag into the text field

If you prefer, you can use the automated scoreboard at the bottom of this page, but please do not submit the same project both in Canvas and on the automated scoreboard.

LJ 101-807: Linux Journey (83 extra)
W 101: Linux command line (20 pts + 15 extra)
ED 102: Command Injection (20 pts + 40 extra)
ED 103: SQLI Challenges (30 pts + 155 pts extra)
W 600: Burp & Web Security Academy (20 pts)

AP 100: Finding API Endpoints (20 pts extra)
AP 101: Using Postman with Burp (20 pts extra)
AP 102: Cracking a JSON Web Token (JWT) Signature (20 pts extra)
AP 103: Fuzzing with Postman (20 pts extra)
AP 104: Broken Object-Level Access (BOLA) (10 pts extra)
AP 105: Broken Function-Level Access (BFLA) (10 pts extra)
AP 106: NoSQL Injection (10 pts extra)
AP 110: Installing crAPI (15 pts extra)

AP 120: Vulnerable API (20 pts extra)
AP 121: Using OWASP ZAP to Scan Vulnerable API (25 pts extra)

AP 130: c{api}tal (75 pts extra)

OLD BROKEN PROJECT -- NOT RECOMMENDED
W 520: SAML (15 pts extra)

If you use the scoreboard, don't submit those projects in Canvas.

Enter Flags · Scoreboard · Details

Scoreboard archived in 2022
Scoreboard archived 8-21-24
Scoreboard archived 8-20-25

Last updated: 9-25-25 8 pm