CSE 361, Web Security, Spring 2021

Lecturer: Nick Nikiforakis
Teaching Assistants: Md Mehedi Hasan (mdmehedi.hasan [at sign] stonybrook.edu)
Time: Tuesdays and Thursdays, 4:45PM - 6:00PM
Place: Zoom (announced over Blackboard)
Office Hours: Mondays and Wednesdays, 5:00PM - 6:00PM, Zoom link available on Piazza
Contact: nick[email squiggly thingy] cs.stonybrook.edu
Important: When sending me an email about the course, make sure your title starts with "[CSE 361]" (without the quotes). Mislabeled or unlabeled emails will, most likely, not be read.

News

Class Description

In this class, we will together explore the concepts behind web security. We will look at the core principles behind secure (and insecure) web applications, how to discover vulnerabilities, and how to correct them.

The course will consist of lectures, individual assignments, and group assignments.

Some of the topics that we will cover are the following:

Textbook

Following a long-standing tradition in security courses, there is no official textbook for this course. If you like having a book as a reference, you can get a free copy of the Web Application Security book by Andrew Hoffman from NGINX here.

Requirements and Grading

Subject to minor tweaks throughout the semester.

Schedule and Reading Assignments

The list available below includes all topics and slides discussed during this course. Announcements regarding assignments, projects, and exams are only available via Piazza and Blackboard.

Date   Topic
2/02   Class cancelled (Snow day)
2/04   Introduction and History of the Web
2/09   Introduction and History of the Web (continued from last time)
2/11   Client-side Technologies and Security
2/16   Cross-domain Communications
2/18   Cross-domain Communications (continued from last time)
2/23   Attacking the Same-Origin Policy
2/25   Attacking the Same-Origin Policy (continued from last time)
3/02   Attacking the Same-Origin Policy (continued from last time)
3/04   Invited talk from Matt Nappi, SBU's Chief Information Security Officer
3/09   Content Security Policy and Framing Attacks
3/11   Content Security Policy and Framing Attacks (continued from last time)
3/15   Content Security Policy and Framing Attacks (continued from last time)
3/17   CSRF, XSSI, SRI, and Sandboxing
3/23   Midterm Recap
3/25   Midterm (in class)
3/30   Invited talk by Philippe De Ryck: Getting API security right
4/01   No Class (Spring Staycation)
4/06   CSRF, XSSI, SRI, and Sandboxing (continued from last time)
4/08   Database (in)security
4/13   Database (in)security (continued from last time)
4/15   Code execution flaws
4/20   Code execution flaws (continued from last time)
4/22   Assorted Server-side Issues
4/27   Assorted Server-side Issues (continued from last time)
4/29   Infrastructure Security

Misc

Remote/Online learning: Students are expected to attend every class, report for examinations and submit major graded coursework as scheduled. If a student is unable to attend lecture(s), report for any exams or complete major graded coursework as scheduled due to extenuating circumstances, the student must contact the instructor as soon as possible. Students may be requested to provide documentation to support their absence and/or may be referred to the Student Support Team for assistance. Students will be provided reasonable accommodations for missed exams, assignments, or projects due to significant illness, tragedy or other personal emergencies. In the instance of missed lectures or labs, the student is responsible for studying all missed content and completing make-up assignments, in consultation with the instructor. Please note, all students must follow Stony Brook, local, state and Centers for Disease Control and Prevention (CDC) guidelines to reduce the risk of transmission of COVID. For questions or more information click here.

Note: If you have a physical, psychological, medical or learning disability that may impact your ability to carry out assigned course work, please contact the staff in the Student Accessibility Support Center, Room 128, Educational Communications Center (ECC), 631-632-6748. The center will review your concerns and determine with you what accommodations are necessary and appropriate. All information and documentation of disability are confidential. For more information, please visit their website: https://www.stonybrook.edu/commcms/studentaffairs/sasc/

Note: Each student must pursue his or her academic goals honestly and be personally accountable for all submitted work. Representing another person's work as your own is always wrong. Any suspected instance of academic dishonesty will be reported to the Academic Judiciary. For more comprehensive information on academic integrity, including categories of academic dishonesty, please refer to the academic judiciary website at http://www.stonybrook.edu/uaa/academicjudiciary/.