CIS6013 Web-Application-Security ETH 1 AC41

This document outlines a course on web application security that covers identifying and mitigating vulnerabilities in web applications. The course objectives are to reveal security flaws in web applications and help fix vulnerabilities during development. Over the 8 modules topics include overview of web applications, security fundamentals, browser security, vulnerabilities, mitigations, secure design, cutting-edge issues, and trends. Students will learn to identify threats, apply security principles when developing applications, and use penetration testing and security tools. The course is an elective suitable for second semester students or later, with programming experience required.


Subject: WEB APPLICATION SECURITY (course code CIS6013, per the document title)
L T P J C: 2 0 0 4 3

Objectives
1. To reveal the underlying security flaws in web applications.
2. To identify and aid in fixing any security vulnerabilities during the web development process.

Outcomes: At the end of this course, students will be able to
1. Identify the vulnerabilities in web applications.
2. Identify the various types of threats and mitigation measures for web applications.
3. Apply security principles in developing a reliable web application.
4. Use industry standard tools.
5. Apply penetration testing.

Student Learning Outcomes (SLO)
2) Having a clear understanding of the subject related concepts and of contemporary issues.
6) Having an ability to design a component or a product applying all the relevant standards and with realistic constraints.
10) Having a clear understanding of professional and ethical responsibility.
17) Having an ability to use techniques, skills and modern engineering tools necessary for engineering practice.

Modules (each entry gives the module number and title, the lecture hours, and the SLO it maps to)

Module 1: OVERVIEW OF WEB APPLICATIONS (L Hrs: 2; SLO: 2)
Introduction – history of web applications – interface and structure – benefits and drawbacks of web applications – Web application vs Cloud application

Module 2: WEB APPLICATION SECURITY FUNDAMENTALS (L Hrs: 3; SLO: 10)
Security Fundamentals: Input Validation - Attack Surface Reduction Rules of Thumb - Classifying and Prioritizing Threats

Module 3: BROWSER SECURITY PRINCIPLES (L Hrs: 4; SLO: 10)
Origin Policy - Exceptions to the Same-Origin Policy - Cross-Site Scripting and Cross-Site Request Forgery - Reflected XSS - HTML Injection

Module 4: WEB APPLICATION VULNERABILITIES (L Hrs: 6; SLO: 2)
Understanding vulnerabilities in traditional client-server applications and web applications, client state manipulation, cookie-based attacks, SQL injection, cross-domain attacks (XSS/XSRF/XSSI), HTTP header injection. SSL vulnerabilities and testing - Proper encryption use in web applications - Session vulnerabilities and testing - Cross-site request forgery

Module 5: WEB APPLICATION MITIGATIONS (L Hrs: 5; SLO: 17)
HTTP request, HTTP response, rendering and events, HTML image tags, image tag security issues, JavaScript onerror, JavaScript timing, port scanning, remote scripting, running remote code, frame and iframe, browser sandbox, policy goals, same-origin policy, library import, domain relaxation

Module 6: SECURE WEBSITE DESIGN (L Hrs: 5; SLO: 6)
Secure website design: Architecture and Design Issues for Web Applications, Deployment Considerations, Input Validation, Authentication, Authorization, Configuration Management, Sensitive Data, Session Management, Cryptography, Parameter Manipulation, Exception Management, Auditing and Logging, Design Guidelines, Forms and validity, Technical implementation

Module 7: CUTTING-EDGE WEB APPLICATION SECURITY (L Hrs: 3; SLO: 6)
Clickjacking - DNS rebinding - Flash security - Java applet security - Single-sign-on solution and security - IPv6 impact on web security.

Module 8: Recent Trends (L Hrs: 2)

Project: Team project (60 hours, non-contact)
- SQL Injection
- Broken Authentication and Session Management
- Cross-site scripting
- Insecure direct object references
- Security misconfiguration
- Missing function level access control
- Cross-site request forgery
- Using components with known vulnerabilities
- Unvalidated redirects and forwards
- Sensitive data exposure

Lab experiments

1. Introduction to basic exploration tools
2. Assembly Language: the basics of x86 assembly
3. Binary Analysis. Executables and Processes
4. The Stack. Buffer Management
5. Exploit Protection Mechanisms
6. Strings
7. Integers
8. Encryption. Hashing. APIs
9. Password Breaking
10. Command injection vulnerability in Web application
11. Cross Site Scripting (XSS) attack

Reference Books

1. Sullivan, Bryan, and Vincent Liu. Web Application Security, A Beginner's Guide. McGraw Hill Professional, 2011.
2. Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. John Wiley & Sons, 2011.

Knowledge Areas that contain topics and learning outcomes covered in the course

Knowledge Area | Total Hours of Coverage
CS: IAS (Information Assurance and Security) | 30

Body of Knowledge coverage

KA | Knowledge Unit | Topics Covered | Hours
CS-IAS | Operating Systems (OS) | OVERVIEW OF WEB APPLICATIONS: Introduction – history of web applications – interface and structure – benefits and drawbacks of web applications – Web application vs Cloud application | 2
CS-IAS | Platform based development (PBD) | WEB APPLICATION SECURITY FUNDAMENTALS: Security Fundamentals - Input Validation - Attack Surface Reduction Rules of Thumb - Classifying and Prioritizing Threats | 3
CS-IAS | Social Issues and Professional Practice (SP) | BROWSER SECURITY PRINCIPLES: Origin Policy - Exceptions to the Same-Origin Policy - Cross-Site Scripting and Cross-Site Request Forgery - Reflected XSS - HTML Injection | 4
CS-IAS | PBD | WEB APPLICATION VULNERABILITIES: Understanding vulnerabilities in traditional client-server applications and web applications, client state manipulation, cookie-based attacks, SQL injection, cross-domain attacks (XSS/XSRF/XSSI), HTTP header injection. SSL vulnerabilities and testing - Proper encryption use in web applications - Session vulnerabilities and testing - Cross-site request forgery | 6
CS-IAS | PBD | WEB APPLICATION MITIGATIONS: HTTP request, HTTP response, rendering and events, HTML image tags, image tag security issues, JavaScript onerror, JavaScript timing, port scanning, remote scripting, running remote code, frame and iframe, browser sandbox, policy goals, same-origin policy, library import, domain relaxation | 5
CS-IAS | SP | SECURE WEBSITE DESIGN: Architecture and Design Issues for Web Applications, Deployment Considerations, Input Validation, Authentication, Authorization, Configuration Management, Sensitive Data, Session Management, Cryptography, Parameter Manipulation, Exception Management, Auditing and Logging, Design Guidelines, Forms and validity, Technical implementation | 5
CS-IAS | SP | CUTTING-EDGE WEB APPLICATION SECURITY: Clickjacking - DNS rebinding - Flash security - Java applet security - Single-sign-on solution and security - IPv6 impact on web security. | 3

Where does the course fit in the curriculum?

[In what year do students commonly take the course? Is it compulsory? Does it have pre-
requisites, required following courses? How many students take it?]

This course is:

- An elective course.
- Suitable from the 2nd semester onwards.
- Knowledge of any one programming language is essential.

What is covered in the course?

This course gives a detailed introduction to basics of web application security.

Phase I: Security Fundamentals and Policies

Various types of Validation, Common Vulnerability Scoring System.

Origin Policy, Understanding vulnerabilities in traditional client-server applications and web applications, client state manipulation, cookie-based attacks, SQL injection, Proper encryption use in web applications, cookie security policy, secure cookies, HttpOnly cookies.

Phase II: Session vulnerabilities and Mitigations

Cross-site request forgery, Input-related flaws and related defences, SQL injection vulnerabilities, Blind SQL injection, testing, and defence.

HTTP request, HTTP response, port scanning, Session Management, Cryptography, Mitigation, Enforcement at the coding level, Escaping, Pattern check, Database permissions, IPv6 impact on web security.
What is the format of the course?

[Is it face to face, online or blended? How many contact hours? Does it have lectures, lab
sessions, discussion classes?]

This course is designed with 100 minutes of in-classroom sessions per week, 60 minutes of video/reading instructional material per week, as well as 200 minutes of non-contact time spent on implementing the course-related project. Generally, this course should have a combination of lectures, in-class discussion, case studies, guest lectures, mandatory off-class reading material, and quizzes.

How are students assessed?

[What type, and number, of assignments are students expected to do? (papers, problem sets, programming projects, etc.). How long do you expect students to spend on completing assessed work?]

- Students are assessed on a combination of group activities, classroom discussion, projects, and continuous and final assessment tests.
- Additional weightage will be given based on their rank in crowd-sourced projects / Kaggle-like competitions.
- Students can earn additional weightage based on a certificate of completion of a related MOOC course.

Additional topics

[List notable topics covered in the course that you do not find in the CS2013 Body of
Knowledge]

Other comments

[optional]
Session wise plan

Student Outcomes Covered: 2, 6, 10, 17

Sl. No | Topic Covered | Class Hours | Lab Hours | Level of Mastery | Reference Book
1 | Introduction – history of web applications – interface and structure – benefits and drawbacks of web applications – Web application vs Cloud application. | 2 | | Familiarity | R1
2 | Security Fundamentals - Input Validation - Attack Surface Reduction Rules of Thumb | 2 | | Familiarity | R1
3 | Classifying and Prioritizing Threats | 1 | | Assessment | R1
4 | Origin Policy - Exceptions to the Same-Origin Policy | 2 | | Familiarity | R1
5 | Cross-Site Scripting and Cross-Site Request Forgery | 2 | | Usage | R1
6 | Understanding vulnerabilities in traditional client-server applications and web applications, client state manipulation, cookie-based attacks, SQL injection, cross-domain attacks (XSS/XSRF/XSSI), HTTP header injection. | 2 | | Familiarity | R2
7 | SSL vulnerabilities and testing - Proper encryption use in web applications | 2 | | Familiarity | R2
8 | Session vulnerabilities and testing - Cross-site request forgery | 2 | | Usage | R2
9 | HTTP request, HTTP response, rendering and events, HTML image tags, image tag security issues, JavaScript onerror, JavaScript timing | 2 | | Familiarity | R2
10 | Port scanning, remote scripting, running remote code, frame and iframe, browser sandbox, policy goals, same-origin policy, library import, domain relaxation | 3 | | Usage | R2
11 | Secure website design: Architecture and Design Issues for Web Applications, Deployment Considerations, Input Validation, Authentication, Authorization, Configuration Management, Sensitive Data, Session Management | 3 | | Assessment | R1
12 | Cryptography, Parameter Manipulation, Exception Management, Auditing and Logging, Design Guidelines, Forms and validity, Technical implementation | 2 | | Usage | R1
13 | Clickjacking - DNS rebinding - Flash security - Java applet security - Single-sign-on solution and security - IPv6 impact on web security. | 3 | | Usage | R1
14 | Recent trends | 2 | | Familiarity |

(The Lab Hours column is blank for every row in the source table.)

Total hours covered: 30 Hours
