Web Security Syllabus

The document outlines a course on Web Security, detailing its objectives, outcomes, and content structure. It covers essential topics such as web application vulnerabilities, defense mechanisms, and advanced threats like DoS attacks and session hijacking. The course aims to equip students with skills to identify, mitigate, and manage security risks in web applications.


Course Code: U21IT803
Course Title: WEB SECURITY
Core/Elective: Professional Elective-IV
Prerequisite: Computer Networks
Contact Hours Per Week: L 3, T -, D -, P -
CIE: 40
SEE: 60
Credits: 3
Course Objectives
Develop ability to
1. Understand the core security challenges associated with web applications, including the potential risks posed by
user input.
2. Learn the essential defense mechanisms for securing web applications, including authentication, session
management, and handling user input securely.
3. Recognize the vulnerabilities associated with session management in web applications and understand
the techniques attackers use to exploit them.
4. Explore common web security threats such as XSS, CSRF, and injection attacks, and understand strategies for
defending against them.
5. Understand advanced web security threats such as DoS attacks and session hijacking, and explore
comprehensive strategies for securing modern web applications.

Course Outcomes
At the end of the course, students will be able to
1. Identify and address fundamental security risks in web applications, including strategies to mitigate
vulnerabilities in user input handling.
2. Implement and manage robust authentication and error handling systems in web applications.
3. Assess and improve the security of session management systems by implementing encryption and mitigating
token hijacking risks.
4. Implement best practices to safeguard against XSS, CSRF, and injection attacks, demonstrating skill in detecting
and mitigating web application threats.
5. Implement defensive software architectures and conduct vulnerability management to secure web applications
against advanced threats.

UNIT – I
Web Application (In)security: The Evolution of Web Applications, Common Web Application Functions,
Benefits of Web Applications, Web Application Security: “This Site Is Secure”, The Core Security
Problem, Users Can Submit Arbitrary Input.
Web Application Technologies: The HTTP Protocol: HTTP Requests, HTTP Responses, HTTP Methods,
URLs, REST, HTTP Headers, Cookies, Status Codes, HTTPS, HTTP Proxies, HTTP Authentication.
Web Functionality: Server-Side Functionality, Client-Side Functionality, State and Sessions. Encoding
Schemes: URL Encoding, Unicode Encoding, HTML Encoding, Base64 Encoding, Hex Encoding. Remoting
and Serialization Frameworks.

UNIT – II
Core Defence Mechanisms: Handling User Access: Authentication, Session Management, Access
Control. Handling User Input: Varieties of Input, Approaches to Input Handling, Boundary Validation,
Multistep Validation and Canonicalization. Handling Attackers: Handling Errors, Maintaining Audit
Logs, Alerting Administrators, Reacting to Attacks, Managing the Application.
Mapping the Application: Analysing the Application: Identifying Entry Points for User Input,
Identifying Server-Side Technologies, Identifying Server-Side Functionality, Mapping the Attack Surface.
Transmitting Data Via the Client: Hidden Form Fields, HTTP Cookies, URL Parameters, The Referer
Header.
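The encoding schemes of Unit I and the "Multistep Validation and Canonicalization" and "Boundary Validation" topics of Unit II meet in one practical problem: input that is validated before it is fully decoded. The following Python is an added worked example written for this syllabus page, not code from either textbook. It assumes a hypothetical upload endpoint that must accept only a plain filename; the decode-round cap and the allow-list pattern are choices made for the example.

```python
import html
import re
import unicodedata
from urllib.parse import unquote

# Assumed policy for this example: stop after a small fixed number of decode
# rounds so an attacker cannot make the server loop on deeply nested encodings.
MAX_DECODE_ROUNDS = 4

# Allow-list for a stored filename (assumed policy): short, ASCII, no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def canonicalize(raw: str) -> str:
    """Reduce stacked encodings to one canonical form.

    Each round strips one layer of percent-encoding and HTML entities and then
    applies Unicode NFKC, so '%252e', '&#46;' and the fullwidth U+FF0E all end
    up as the same ASCII '.'. The loop stops as soon as a round changes nothing.
    """
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)                           # %2e -> '.', %252e -> %2e
        decoded = html.unescape(decoded)                   # &#46; -> '.'
        decoded = unicodedata.normalize("NFKC", decoded)   # U+FF0E -> '.', U+FF0F -> '/'
        if decoded == value:
            break
        value = decoded
    return value


def naive_is_safe(raw: str) -> bool:
    """Deliberately weak (constructed for contrast): a deny-list check applied to
    the raw value before any decoding, so an encoded '../' sails through."""
    return ".." not in raw and "/" not in raw and "\\" not in raw


def is_safe_filename(raw: str) -> bool:
    """Boundary validation done in the right order: canonicalize first, then
    apply a positive allow-list to the canonical form."""
    canon = canonicalize(raw)
    return SAFE_NAME.fullmatch(canon) is not None and canon not in (".", "..")
```

The point of the loop is not cleverness but ordering: every validation decision is made on the same canonical string, and the same string is what the application later uses, so there is no second representation for an attacker to smuggle past the check.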

UNIT- III
Attacking Session Management: The Need for State, Alternatives to Sessions, Weaknesses in Token
Generation: Meaningful Tokens, Predictable Tokens, Encrypted Tokens. Weaknesses in Session Token
Handling: Disclosure of Tokens on the Network, Disclosure of Tokens in Logs, Vulnerable Mapping of
Tokens to Sessions, Vulnerable Session Termination, Client Exposure to Token Hijacking. Securing Session
Management.
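To make the Unit III topics concrete (meaningful and predictable tokens, token disclosure in logs, client exposure, session termination), here is an added Python example written for this page; it is not code from the course texts. The weak generator is constructed on purpose to show the attack, the session store is an assumed in-memory design, and the cookie attributes and 15-minute timeout are choices made for the example.

```python
import base64
import hashlib
import secrets
import time


def weak_token(user_id: int, issued_at: int) -> str:
    """Deliberately weak (constructed): the token is just the user id and the
    login time, base64-encoded. It is 'meaningful' (it names the user) and
    'predictable' (anyone who knows roughly when the victim logged in can
    enumerate the candidates)."""
    return base64.urlsafe_b64encode(f"{user_id}:{issued_at}".encode()).decode()


def guess_weak_tokens(user_id: int, approx_time: int, window: int = 30) -> set:
    """Attacker's view: regenerate every candidate within +/- window seconds
    of the observed login time and try each one."""
    return {weak_token(user_id, t)
            for t in range(approx_time - window, approx_time + window + 1)}


def strong_token() -> str:
    """256 bits from the OS CSPRNG; carries no meaning and cannot be guessed."""
    return secrets.token_urlsafe(32)


def session_cookie(token: str) -> str:
    """Set-Cookie value that limits client-side exposure: Secure keeps it off
    plaintext HTTP, HttpOnly keeps it away from script, SameSite=Lax blocks
    most cross-site sends."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


class SessionStore:
    """In-memory store keyed by SHA-256 of the token, so a dump or log line
    from the store does not disclose a usable token. An absolute timeout and
    explicit termination are enforced on every lookup."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: int, now=None) -> str:
        now = time.time() if now is None else now
        token = strong_token()
        self._sessions[self._key(token)] = (user_id, now + self.ttl)
        return token

    def lookup(self, token: str, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(token))
        if entry is None:
            return None
        user_id, expires_at = entry
        if now >= expires_at:
            self.terminate(token)   # expired: purge, do not keep honouring it
            return None
        return user_id

    def terminate(self, token: str) -> None:
        """Logout must invalidate server-side, not merely delete the cookie."""
        self._sessions.pop(self._key(token), None)

    def rotate(self, old_token: str, now=None):
        """Issue a fresh token after login or privilege change so a token an
        attacker fixed before authentication is never upgraded (session fixation)."""
        user_id = self.lookup(old_token, now)
        if user_id is None:
            return None
        self.terminate(old_token)
        return self.create(user_id, now)
```

Hashing the token before using it as a key is the cheap fix for the "disclosure of tokens in logs" case: the application can log or dump the store's keys for debugging without handing out anything a client could present.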
Attacking Authentication: Design Flaws in Authentication Mechanisms: Bad Passwords, Brute-Forcible
Login, Vulnerable Transmission of Credentials. Securing Authentication: Use Strong Credentials, Handle
Credentials Secretively, Prevent Brute-Force Attacks, Prevent Information Leakage.

UNIT – IV
Threats & Defence in Web Security: Cross-Site Scripting Attacks: XSS Discovery and
Exploitation, Stored XSS, Reflected XSS, DOM-Based XSS, Defending against XSS Attacks.
Cross-Site Request Forgery: CSRF Query Parameter Tampering, Alternate GET Payloads, CSRF Against
POST Endpoints, Defending against CSRF Attacks. XML External Entity (XXE): Direct XXE, Indirect
XXE, Defending against XXE Attacks.
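The XSS and CSRF defences listed for Unit IV are small enough to show side by side. The Python below is an added example for this page, not code from the course texts. It assumes a hypothetical server-side template that renders user comments and links, and a hypothetical funds-transfer endpoint; the session is modelled as a plain dict. The vulnerable renderer is constructed deliberately so the contrast is visible.

```python
import hmac
import html
import secrets


def render_comment_vulnerable(comment: str) -> str:
    """Deliberately vulnerable (constructed): user text is placed straight into
    the page, so stored and reflected XSS both succeed."""
    return f"<p>{comment}</p>"


def render_comment(comment: str) -> str:
    """XSS defence for an HTML element context: entity-encode the characters
    that can change the markup (&, <, >, and both quote characters)."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


def render_link(href: str, label: str) -> str:
    """An attribute context needs more than encoding: 'javascript:alert(1)' is
    perfectly valid attribute text, so the URL scheme is allow-listed as well."""
    if not href.strip().lower().startswith(("http://", "https://")):
        href = "#"
    return (f'<a href="{html.escape(href, quote=True)}">'
            f'{html.escape(label, quote=True)}</a>')


def issue_csrf_token(session: dict) -> str:
    """Synchronizer-token pattern: one unguessable token per session, kept
    server-side and embedded in every state-changing form."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def verify_csrf(session: dict, submitted) -> bool:
    expected = session.get("csrf")
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_transfer(method: str, session: dict, form: dict):
    """State-changing endpoint: refuses GET (so a forged <img src=...> or link
    does nothing) and refuses any POST whose token does not match the session."""
    if method != "POST":
        return 405, "method not allowed"
    if not verify_csrf(session, form.get("csrf")):
        return 403, "bad csrf token"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"
```

Note the two independent decisions in handle_transfer: rejecting GET closes the "alternate GET payload" route on its own, and the token check is what protects the POST route, since a cross-site form post is trivial to forge but the attacker cannot read the victim's token.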

UNIT - V
Threats & Defence in Web Security: Injection: SQL Injection, Code Injection, Command Injection,
Defending Against Injection.
Denial of Service (DoS): Regex DoS (ReDoS), Logical DoS Vulnerabilities, Distributed DoS, Defending
Against DoS. Session Hijacking: How Sessions Work, How Attackers Hijack Sessions.
Securing Modern Web Applications: Defensive Software Architecture, Comprehensive Code Reviews,
Vulnerability Discovery, Vulnerability Analysis, Vulnerability Management, Regression Testing, Mitigation
Strategies.
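For the SQL injection and "Defending Against Injection" topics of Unit V, the following Python is an added example written for this page, not code from the course texts. It builds a one-row SQLite database in memory (a constructed fixture; the password-hash column holds a placeholder string, where a real system would store a slow hash such as argon2 or bcrypt) and runs the same two attacker inputs through a string-built query and a parameterized one.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture: a single user row in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'argon2-hash-placeholder')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, pw_hash: str):
    """Deliberately vulnerable (constructed): untrusted strings are spliced into
    the SQL text, so a quote or a comment marker rewrites the query's logic."""
    query = ("SELECT username FROM users "
             f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'")
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, pw_hash: str):
    """Parameterized query: the driver passes the values separately from the
    SQL text, so the same payloads are compared as literal strings and match
    nothing."""
    query = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(query, (username, pw_hash)).fetchone()


def demo() -> dict:
    """Run both attacker inputs against both implementations."""
    conn = make_db()
    # Comment-out attack: closes the username literal and discards the rest.
    bypass = ("alice' --", "wrong")
    # Tautology attack: AND binds tighter than OR, so "... OR '1'='1'" is always true.
    tautology = ("nobody", "' OR '1'='1")
    return {
        "vulnerable_comment":   login_vulnerable(conn, *bypass),
        "safe_comment":         login_safe(conn, *bypass),
        "vulnerable_tautology": login_vulnerable(conn, *tautology),
        "safe_tautology":       login_safe(conn, *tautology),
    }
```

Both attacks succeed against login_vulnerable and return the row for alice; both fail against login_safe. Parameterization is the primary defence because it removes the attacker's ability to change the query structure at all, which is why input escaping alone is not listed as sufficient.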

Suggested Readings:
1. Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting
Security Flaws, Second Edition, Wiley, 2011.
2. Andrew Hoffman, Web Application Security, First Edition, O'Reilly Media, Inc., 2020.
