CNIT 129S: Securing Web Applications
Spring 2021 -- Sam Bowne
Course Justification

Industry advisors have repeatedly asked us to teach this class, because every modern business needs a web presence and there are far too few workers qualified to protect them from hackers. There are many jobs available for students who learn how to protect our healthcare, financial, and other confidential data from criminals, spies, and pranksters.

Catalog Description

Techniques used by attackers to breach Web applications, and how to protect them. How to secure authentication, access, databases, and back-end components. How to protect users from each other. How to find common vulnerabilities in compiled code and source code.

Learning Outcomes

Upon successful completion of this course, the student will be able to:

Textbook

"The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition", by Dafydd Stuttard and Marcus Pinto; ISBN-10: 1118026470 (Buy from Amazon)

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

Discussion Board

Each CCSF student must contribute to the Discussion Board in Canvas. There are dates listed in the schedule with Discussion assignments due. For class-related questions, please send messages inside Canvas, or email cnit.129s@gmail.com
Schedule (subject to revision)

| Date | Assignment Due | Topic |
|---|---|---|
| Thu 1-21 | | Ch 1: Web Application (In)security |
| Thu 1-28 | Quiz Ch 1-2 *; Proj H 110a * | Ch 2: Core Defense Mechanisms; Ch 3: Web Application Technologies |
| Thu 2-4 | Quiz Ch 3 *; Proj ED 102 *; Discussion 1 * | Project Demonstrations |
| Thu 2-11 | Quiz Ch 4; Proj ED 103; Discussion 2 | Ch 4: Mapping the Application |
| Thu 2-18 | Quiz Ch 5; Proj W 600; Discussion 3 | Ch 5: Bypassing Client-Side Controls |
| Thu 2-25 | Quiz Ch 6; +20 pts of WSA Proj; Discussion 4 | Ch 6: Attacking Authentication; Recommended WSA Topic: Directory Traversal |
| Thu 3-4 | No Quiz; +20 pts of WSA Proj; Discussion 5 | Ch 7: Attacking Session Management; Recommended WSA Topic: OS command injection |
| Thu 3-11 | No Quiz due; Discussion 6 | Lecture cancelled due to Internet problems |
| Thu 3-18 | Quiz Ch 7 & 8; +20 pts of WSA Proj; Discussion 7 | Ch 8: Attacking Access Controls; Ch 9: Attacking Data Stores (Part 1); Recommended WSA Topic: Authentication |
| Thu 3-25 | Quiz Ch 9; +20 pts of WSA Proj; Discussion 8 | Ch 9: Attacking Data Stores; Recommended WSA Topic: SQL injection |
| Fri 4-1 | | Holiday - No Class |
| Thu 4-8 | Quiz Ch 10; +20 pts of WSA Proj; Discussion 9 | Ch 10: Attacking Back-End Components; Recommended WSA Topic: SQL injection |
| Thu 4-15 | Quiz Ch 11; +20 pts of WSA Proj; Discussion 10 | Ch 11: Attacking Application Logic; Recommended WSA Topic: Cross-site scripting |
| Thu 4-22 | Quiz Ch 12; +20 pts of WSA Proj; Discussion 11 | Ch 12: Attacking Users: Cross-Site Scripting; Recommended WSA Topic: Cross-site scripting |
| Thu 4-29 | Quiz Ch 13; +20 pts of WSA Proj | Ch 13: Attacking Users: Other Techniques (Part 1); Recommended WSA Topic: Access control vulnerabilities |
| Thu 5-6 | No Quiz; +20 pts of WSA Proj | Ch 13: Attacking Users: Other Techniques (Part 2); Recommended WSA Topic: Information disclosure |
| Thu 5-13 | No Quiz; All Extra Credit Proj Due | Last Class: Velociraptor |
| Wed 5-19 - Wed 5-26 | | Final Exam available online throughout the week. You can only take it once. |

All Quizzes due 30 min. before class. * No late penalty until 2-11.
Lectures

Grading Policy · First Day Handout

Ch 1: Web Application (In)security (To get PPT files, use Cloud Convert.)

Projects

H 110a: Linux Journey (20 pts + 63 extra)