CIT 4310: Web Application Security

Contact Hours: 45 hours

Prerequisites: CIT 4302 Advanced Web Programming

Purpose: This unit provides knowledge and skills in web security that properly secure a
web server, web page, and web application.

Expected Learning Outcomes

At the end of this course the student should be able to:

i. Learn how attackers map a target looking for possible vulnerabilities

ii. Understand cross-site scripting and cross-site request forgery, and how
to prevent them.

iii. Discuss authentication and access controls, what to do, what not to do,
and how to do it right.

iv. Understand what injection (e.g., SQL, shell code) attacks are and ways of
preventing them.

v. Learn about XML, AJAX, JSON, SOAP, Web Services, and possible
problems for applications that use them.

Course Content

Web Security Concepts: Motivations: Costs and Standards, Open Web Application
Security Project, Web Application Security Consortium, CERT Secure Coding
Standards, Assets are the Targets, Security Activities Cost Resources, Threat Modeling,
and System/Trust Boundaries.

Web Application Common Vulnerabilities and Mitigations: SSL vulnerabilities and
testing, Proper encryption use in web applications, Session vulnerabilities and testing,
Cross-site request forgery, Business logic flaws, Concurrency, Input-related flaws and
related defenses, and SQL injection vulnerabilities, testing, and defense.

Augmenting Web Server Security: Configuring security for HTTP services, Securing
communication with SSL/TLS, and Detecting unauthorized modification of content.

Mode of Delivery
Lectures, tutorials, practicals.

Instructional Materials/Equipment
A computer laboratory; an object-oriented programming language such as Java;
enterprise solution frameworks such as J2EE and .NET; lecture notes, illustration
charts, journals, and overhead presentation equipment.

Assessment

Type                    Weighting (%)
Examination                  70
Continuous Assessment        30
Total                       100

Core Text Books

i. EC-Council Press. (2017). Ethical Hacking and Countermeasures: Web Applications
and Data Servers (2nd ed.). Boston, MA: Cengage Learning. ISBN: 1305883454.

ii. LeBlanc, J., & Messerschmidt, T. (2016). Identity and Data Security for Web
Development: Best Practices (1st ed.). Sebastopol, CA: O'Reilly Media. ISBN:
1491937017.

iii. Barnett, R. C. (2013). Web Application Defender's Cookbook: Battling Hackers and
Protecting Users (1st ed.). Indianapolis, IN: John Wiley & Sons, Inc. ISBN:
1118362187.

Core Journals
i. Journal of Information Security and Applications. ISSN: 2214-2126.

ii. International Journal of Web Applications. ISSN: 0974-7710.

iii. International Journal of Information Security. ISSN: 1615-5262.

Recommended Text Books
i. Kim, P. (2015). The Hacker Playbook 2: Practical Guide to Penetration Testing. North
Charleston, SC: Secure Planet, LLC. ISBN: 1512214566.

ii. Mueller, J. P. (2015). Security for Web Developers: Using JavaScript, HTML, and CSS
(1st ed.). Sebastopol, CA: O'Reilly Media. ISBN: 1491928646.

iii. Pauli, J. J. (2013). The Basics of Web Hacking: Tools and Techniques to Attack the Web
(1st ed.). Rockland, MA: Syngress. ISBN: 0124166008.

iv. Shema, M. (2012). Hacking Web Apps: Detecting and Preventing Web Application
Security Problems (1st ed.). Waltham, MA: Elsevier, Inc. ISBN: 159749951X.

Recommended Journals
i. International Journal of Web Engineering and Technology. ISSN: 1476-1289.

ii. Journal of Internet Services and Applications. ISSN: 1867-4828.

iii. Journal of Computer Security - Web Application Security. ISSN: 0926-227X.