Full Description [Sept. 16, 2011, 8:32 a.m.]
We will study some typical vulnerabilities in web applications and how to prevent them when you write your application.
Protecting data privacy and integrity is fundamental in every application, but especially challenging in web applications that are publicly accessible: many people are dedicated to exploiting vulnerabilities, new vulnerabilities and exploits are discovered every day, and new tools and practices keep appearing. The organizers have some experience with web applications and with securing them.
We will use material from several sources, but especially from OWASP, a well-known organization that produces, among other things, a good open standard for verifying the security of web applications. OWASP also developed an application for learning about web application security: WebGoat. We will use it during this course. Some lessons require changing that application's Java sources; those lessons are not mandatory.
The following is the draft lesson plan for the semester. Unfortunately, we don't have enough time to cover all vulnerabilities, but we will cover some of the big ones.
Each week will consist of a lesson covering the week's topic, a hands-on lab, and then a brief discussion of the topic. At the end of the semester, we will tackle a project that will use much of what you learned in the previous lessons.
9/19 Week 1: Introduction, Installation of tools, and HTTP Basics
9/26 Week 2: Access Control Flaws
10/3 Week 3: AJAX Security
10/10 Week 4: Authentication Flaws
10/17 Week 5: Cross-Site Scripting (XSS)
10/24 Week 6: Injection Flaws
10/31 Week 7: Parameter Tampering
11/7 Week 8: Session Management Flaws
11/14 Week 9: Final Project
11/21 Week 10: End of Course Survey