CS361, Web Security, Fall 2017
Lecturer: Nick Nikiforakis
Teaching Assistant: Harpreet Singh Chawla (office hours)
Time: MW 5:30 PM - 6:50 PM
Office Hours: Thursday 4:00 PM - 5:00 PM, Friday 4:00 PM - 5:00 PM, and by appointment
Contact: nick[email squiggly thingy] cs.stonybrook.edu
- Most of your requests (clarifications, questions about upcoming deadlines, projects, etc.) should be asked publicly on Piazza, so that other students can benefit from the Q&As.
- If you need to ask me something personal (that does not apply to the entire class), then you can send me an email. If you need to reach me through email, make sure your subject line starts with "[CSE 361]" (without the quotes). Mislabeled or unlabeled emails will, most likely, not be read.
- Project descriptions are out: 1, 2, 3 (cap: 7 teams per project)
- Please subscribe to Piazza
In this class, we will together explore the concepts behind web security. We will look at the core principles behind secure (and insecure) systems and how these principles apply to web applications. We will learn how the web works, how to find vulnerabilities, how attackers compromise web applications, and how to avoid these vulnerabilities when implementing and deploying your own web applications.
The course will consist of lectures, hands-on labs (likely done on the laptops of the students in class), a few select paper presentations by teams of students, and one (or two) small projects.
Some of the topics that we will cover are the following:
- Security properties (Confidentiality, Integrity, Availability)
- Passwords, Biometrics, Hardware Tokens
- Workings of browsers (Same-Origin Policy, Cookies, Session Management, Isolation of documents from different origins)
- Workings of the Domain Name System and how it applies to web security
- Attacks against web applications (XSS, CSRF, Session Fixation, HTTP Parameter Pollution...) and defenses
- Attacks against web servers (SQL Injection, LFI, RFI, Command injections) and defenses
- Attacks against the user (Clickjacking, Malvertising, Cybersquatting, Fake AVs, Scareware, Drive-by downloads) and defenses
- Secure Design Principles
- SSL and TLS
- Mapping web applications
- Penetration testing for the web
- Web privacy (stateful and stateless tracking)
Following a long-standing tradition in security courses, there is no official textbook for this course. I am drawing inspiration mostly from the following books:
- The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition, by Dafydd Stuttard and Marcus Pinto
- The Tangled Web: A Guide to Securing Modern Web Applications, by Michal Zalewski
Requirements and Grading
Subject to minor tweaks throughout the semester.
- Lab Participation and Lab Assignments: 10% Show up at the labs, actively pursue the task given (continuing to work from home if required), and write reports as requested.
- Article/Research Paper Summaries and In-class Presentations: 10% Read and summarize web articles on attacks and defenses as well as research papers. Each student team will give at least one in-class presentation of a research paper (~15 minutes).
- Class Project: 30% The class project will involve coding a system/mechanism for defense or attack purposes. More details will come soon. Apart from the projects that I will provide, you are welcome (maybe even encouraged) to come up with novel ideas and discuss them with me.
- Midterm: 15% Brief, in class exam, covering about half of the lectures and studied papers
- Final: 35% Final Exam on everything covered in this class
Schedule and Reading Assignments
Note: If you have a physical, psychological, medical or learning disability that may impact on your ability to carry out assigned course work, please contact the staff in the Disabled Student Services office (DSS), Room 133, Humanities, 632-6748v/TDD. DSS will review your concerns and determine with you what accommodations are necessary and appropriate. All information and documentation of disability are confidential.
Note: Each student must pursue his or her academic goals honestly and be personally accountable for all submitted work. Representing another person's work as your own is always wrong. Any suspected instance of academic dishonesty will be reported to the Academic Judiciary. For more comprehensive information on academic integrity, including categories of academic dishonesty, please refer to the academic judiciary website at http://www.stonybrook.edu/commcms/academic_integrity/.