Parts of the course are inspired by or based on material from the SysSec Common Curriculum.
Lecture: Wednesday 15:30-17:30 in LIN5
Tutorial: Tuesday 8:30-10:30 in HG00.075
Required prior knowledge: Security (NWI-IPC021) and Databases and Security (NWI-IPC024).
Book: Introduction to Computer Security, by Michael Goodrich & Roberto Tamassia
Pearson New International Edition, ISBN 10: 1-292-025490-9, ISBN 13: 9781292025407, 2013.
We only use chapters 1, 5.1 and 7 for this course, but the book will also be used for courses in the second year of the Cyber Security (specifically, for Peter Schwabe's Network and OS Security courses in the autumn).
For this course there are obligatory weekly web hacking exercises, which have to be done in pairs. ALL these exercises must be done in order for you to take the exam. At the exam we assume familiarity with the material in these exercises. Exercises have to be handed in via Blackboard, except the hackme.cs.ru.nl exercises, which are handed in via that website.
Our apologies for the fact that this webpage does not pass the W3C Markup Validation Service.
Some of the examples discussed in the lectures are in the demo directory.
| Date | Session | Topic and reading |
|---|---|---|
| 16 April | Lecture 1 | Evolution of (attacks on) the internet & web; HTTP, URL, HTML. To read: Chapter 1 (Fundamental Concepts), Chapter 5.1 (Network Security Concepts), Chapter 7.1.1 (HTTP and HTML) |
| 22 April | Lab session 1 | Exercises 1, 2, 3 |
| 23 April | Lecture 2 | Sessions (in URL or cookie), HTTPS, injection attacks. To read: Chapter 7.1.3 (HTTPS), 7.1.4 (sessions) and 7.3.3 (SQL injection) |
| 6 May | Lab session 2 | Exercises 4, 8 |
| 7 May | Lecture 3 | Injection attacks on servers: OS command injection, path traversal, PHP injection, (blind) SQL injection, ... To read: Chapter 7.3 |
| 13 May | Lab session 3 | Exercise 5 |
| | | To read: Chapter 7.1.3 (dynamic content), 7.2 (Attacks on clients) |
| 20 May | Lab session 4 | Exercises 5, 6 |
| 21 May | Lecture 5 | More attacks on clients: ClickJacking/UI redressing & CSRF [slides]. To read: Chapter 7.2.3 (Click-Jacking), 7.2.7 (CSRF), 7.2.8 (Countermeasures against Client-Side Attacks) |
| 27 May | Lab session 5 | Exercise 7 |
| 28 May | Lecture 6 | More attacks on clients: online privacy. Also see the Big Brother Pizza movie. To read: 7.2.5 (Privacy attacks) |
| 3 June | Lab session 6 | Exercises 9, 10 |
| 4 June | Lecture 7 | Attacks on sessions: SSL stripping. No lecture, but watch Moxie Marlinspike's presentation at Blackhat 2009 [movie] [slides] |
| 10 June | Lab session 7 | Solve the challenges at hackme.cs.ru.nl |
| 11 June | Lecture 8 | MitM attacks on sessions [slides]; Security requirements and attacker (business) models [slides] |
| 17 June | Lab session 8 | Last chance to complete the hackme.cs.ru.nl challenges. Deadline: 9:00 in the morning, 18 June |
| 18 June | Lecture 9 | Explanation of the hackme.cs.ru.nl challenges by Willem and Ko. |
| 19 June | Lecture 9 | Q & A session for the exam (13:45 in HG00.304) |
| Thu 26 June | | 8:30-11:30 exam in HG00.304. Exam material and what to expect |
| Thu 7 Aug | | Resit exam in HG01.028 |