We will study some typical vulnerabilities in web applications and how to prevent them when you write your application.
Protecting data privacy and integrity is fundamental in every application, but specially challenging in web applications that are publically accesible, since a lot of people is dedicated to exploit vulnerabilities and since every day there are discovered new vulnerabilities, new exploits, and there are new tools and practices. The organizers have some experience with secure web applications (see for example SIVeL
We will use material of several sources, but specially from OWASP, a well known organization, that produces, among others, a good Open Standard to verify the security of Web Applications
. OWASP also developed an application to learn about web application security: WebGoat. We will use it during this course, some lessons require to change the sources in Java of that application, those lessons are not mandatory.
Each one of the 10 weeks of this course will comprise of a lesson with a topic, a hands-on lab, and then a brief discussion about the topic. At the end of the semester, we will tackle a project that will use much of what you learned in previous lessons.
4. Lesson Plan
The following is the draft lesson plan for the semester. Unfortunately, we don't have enough time to cover all vulnerabilities but we'll cover some of the big ones though.
9/19 Week 1: Introduction, Installation of tools, and HTTP Basics
9/26 Week 2: Access Control Flaws
10/3 Week 3: AJAX Security
10/10 Week 4: Authentication Flaws
10/17 Week 5: Cross-Site Scripting (XSS)
10/24 Week 6: Injection Flaws
10/31 Week 7: Parameter Tampering
11/7 Week 8: Session Management Flaws
11/14 Week 9: Final Project
11/21 Week 10: End of Course Survey
5. Native Language
There are versions of this study group in english and in spanish