
CSIT-542 Web Security Syllabus

The document outlines a course on web security. It covers 5 course outcomes including understanding web security concepts, web architecture, common vulnerabilities and their mitigation, and building secure web applications. The detailed syllabus covers topics like cross-site scripting, content security, session management, SQL injections, cross-site request forgery, and two-factor authentication over 5 units.

Uploaded by Harsh Massey

CSIT-542 Web Security 2(1-0-1)

Course Outcome (CO)

At the end of the course, the student will be able to:
CO 1 Understand the concepts of web security.
CO 2 Understand web architecture and web applications.
CO 3 Understand how common coding mistakes allow security controls to be bypassed and applications to be exploited.
CO 4 Identify common web application vulnerabilities and their mitigations.
CO 5 Build small, secure web applications.
COURSE OUTLINE:
A web application is an application that uses the web browser, or user agent, to access a web server. The application can be realized using a server-side implementation or JavaScript running in the web browser; often a combination of the two is used. The programming language used on the server can be any language, but several languages have been developed with web applications in mind, e.g., PHP, ASP, JSP and Ruby. The examples in the course use PHP, but the theory behind most attacks and countermeasures is general and can be applied to applications written in any language. It is therefore important to learn the fundamentals of this technology, the security threats to web applications, and how to mitigate them.
DETAILED SYLLABUS

UNIT-I
Introduction: Introduction to network security and web security. Architecture of web security. Security issues related to web development. Basics of security: risk, threats, vulnerabilities and security attacks.

UNIT-II
Web Application Security: Cross-Site Scripting (XSS) attacks and their types. Prevention and mitigation of XSS attacks. Sanitizing and validating user input. Client-side (output) encoding; blacklisting versus whitelisting of inputs.
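The following is an added example (Python rather than the course's PHP; it is not code from the syllabus) showing the three ideas in this unit side by side: why a blacklist filter is bypassable, how context-specific output encoding neutralises the same payload, and what a whitelist (allowlist) validator looks like. The payload, the username rule and the function names are constructed for illustration.

```python
import html
import re
import urllib.parse

# Constructed attacker input for a comment field that is rendered into HTML.
PAYLOAD = "<scr<script>ipt>alert(1)</script>"


def naive_blacklist(value: str) -> str:
    """Blacklist filter that removes the string '<script>'.

    Nesting defeats it: stripping the inner tag reassembles the outer one,
    so the output still contains a working <script> element.
    """
    return value.replace("<script>", "")


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text node or a double-quoted attribute.

    The browser renders &lt;script&gt; as literal text; it never creates an
    element, so the payload cannot execute whatever the blacklist missed.
    """
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encoding for data placed inside a JavaScript string literal.

    Every non-alphanumeric character becomes \\uXXXX, so neither a quote
    nor a '</script>' sequence can break out of the string or the element.
    """
    return "".join(
        c if c.isalnum() else "\\u{:04x}".format(ord(c)) for c in value
    )


def encode_for_url_param(value: str) -> str:
    """Encoding for data placed in a URL query parameter."""
    return urllib.parse.quote(value, safe="")


# Whitelist rule for a username field (assumption: letters, digits, underscore).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value: str) -> bool:
    """Whitelist validation: accept only what the field needs, reject all else."""
    return USERNAME_RE.fullmatch(value) is not None


def render_comment(comment: str) -> str:
    """Render untrusted text into an HTML context using the matching encoder."""
    return f'<p class="comment">{encode_for_html(comment)}</p>'


if __name__ == "__main__":
    print("blacklist output :", naive_blacklist(PAYLOAD))
    print("encoded output   :", render_comment(PAYLOAD))
    print("js-string output :", encode_for_js_string("</script>"))
    print("username ok      :", validate_username("alice_01"))
    print("username rejected:", validate_username("alice<img>"))
```

The encoder to use depends on where the data lands (HTML body, attribute, JavaScript string, URL); one encoder applied everywhere is the usual cause of "we escaped it and it still ran".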
UNIT-III
Content Security and Credential Management: What is Content Security Policy (CSP)? Default directives and wildcards. Security threats from inline code and eval(). The nonce attribute and script hashes. Broken authentication and session management. Strength, use and storage of passwords. Hashing. Password recovery.
UNIT-IV
Session Management and SQL Injection: Sessions and types of session attacks. Session hijacking and its countermeasures. Sidejacking. "Bobby Tables" (stacked-query SQL injection). Anatomy of SQL injection (SQLi) attacks. Types of SQL injection. SQL injection mitigation and prevention.
UNIT-V
XSRF and OWASP: The Cross-Site Request Forgery (XSRF, also written CSRF) threat. Prevention and mitigation of XSRF attacks. Basics of the Open Web Application Security Project (OWASP). Two-factor authentication (2FA) and OTPs. Social engineering. Insecure Direct Object Reference (IDOR) attacks. iframes and their security. Sandboxing.
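An added example (Python, not the course's PHP, and not from the syllabus) covering two checks from this unit in one request handler: an anti-XSRF token bound to the session with an HMAC so a token issued to one session is rejected for another, followed by an ownership check on the client-supplied object id that closes the direct object reference hole. The secret, the document table and the form field names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server secret; a real deployment loads it from configuration.
CSRF_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: random nonce plus an HMAC over (session id, nonce).
    Nothing needs to be stored server side; the HMAC proves we issued it
    for this session. Embed it in the form as a hidden field."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """A cross-site page can make the browser send the session cookie, but it
    cannot read the token out of our form, so it cannot supply a valid one."""
    try:
        nonce, mac = token.split(".")
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def sample_documents() -> dict:
    """Constructed object table keyed by the id that appears in URLs/forms."""
    return {1: {"owner": "alice", "title": "alice's notes"},
            2: {"owner": "bob", "title": "bob's notes"}}


def delete_document(docs: dict, user: str, session_id: str, form: dict):
    """POST handler: (status, message). `form` is the parsed request body."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    try:
        doc_id = int(form.get("doc_id", ""))
    except ValueError:
        return 400, "bad document id"
    doc = docs.get(doc_id)
    # The id is attacker-controlled; authorize against the object, not the id.
    # One response for "absent" and "not yours" avoids confirming which ids exist.
    if doc is None or doc["owner"] != user:
        return 404, "no such document"
    del docs[doc_id]
    return 200, "deleted"


if __name__ == "__main__":
    docs = sample_documents()
    token = issue_csrf_token("session-alice")
    print(delete_document(docs, "bob", "session-bob", {"doc_id": "1", "csrf_token": token}))
    print(delete_document(docs, "alice", "session-alice", {"doc_id": "1", "csrf_token": token}))
```

A SameSite cookie attribute reduces the XSRF exposure as well, but the token check is the part the application controls on every browser, and the ownership check is unrelated to XSRF: it is needed even for a request the user genuinely made.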

Text books/Reference Books:

1. Malcolm McDonald, Web Security for Developers: Real Threats, Practical Defense, No Starch Press, 2020.
2. Simson Garfinkel with Gene Spafford, Web Security, Privacy, and Commerce, 2nd edition, O'Reilly, November 2001.
3. Matt Fredrikson, Web Security: Application Model & Same-Origin Policy, lecture notes, Carnegie Mellon University.
