Parts of the course are inspired by or based on material from the SysSec Common Curriculum.
Lecture (hoorcollege): Thursday 10:30-12:30 in HG00.307
Lab session (werkcollege): Monday 15:30-17:30 in HG00.075
Required prior knowledge: Security (NWI-IPC021) and Databases and Security (NWI-IPC024).
Book: Introduction to Computer Security, by Michael Goodrich & Roberto Tamassia
Pearson New International Edition, ISBN-10: 1-292-02540-9, ISBN-13: 9781292025407, 2013.
We only use chapters 1, 5.1 and 7 for this course, but the book will also be used for courses in the second year of the Cyber Security programme (specifically, for Peter Schwabe's Network and OS Security courses in the autumn).
Our apologies for the fact that this webpage does not pass the W3C Markup Validation Service.
For this course there are obligatory weekly web hacking exercises, which have to be done in pairs. There are two kinds of lab assignments:
If you want to try out more exercises, try out the Natas challenges.
April 16, lecture 1: Evolution of (attacks on) the internet & web; HTTP, URL, HTML
  To read: Chapter 1 (Fundamental Concepts), Chapter 5.1 (Network Security Concepts), Chapter 7.1.1 (HTTP and HTML)
  To do: look at the HTTP traffic that demo_get_post.html produces

April 20, lab session 1: WebGoat 1a, 2a, 3a, 4a & hackme lvl0.
  Deadline: have your answer to lvl0 submitted by Monday April 27, noon.

April 23, lecture 2: Sessions (in URL or cookie), HTTPS
  To read: Chapter 7.1.3 (HTTPS), 7.1.4 (sessions)

April 27: no lab session because of King's Day (Koningsdag)

April 30, lecture 3: Injection attacks on servers: OS command injection, path traversal, PHP injection, (blind) SQL injection, ...
  To read: Chapter 7.3

May 11, lab session 2: WebGoat 8abc (sessions) & 5abcdefg (command & SQL injection) & hackme lvl1, lvl2.
  Deadline: have your answers to lvl1 and lvl2 submitted by Monday May 18, noon.

May 14: no lecture because of Ascension Day

May 18, lab session 3: WebGoat 6abc & 7abc & hackme lvl3, lvl4
  Deadline: have your answers to lvl3 and lvl4 submitted by Monday May 25, noon.
  To read: Chapter 7.1.3 (dynamic content), 7.2 (Attacks on clients)
  To watch: movie on XSS.

May 25: no lab session because of Pentecost

May 28, lecture 5: More attacks on clients: ClickJacking/UI redressing & CSRF [slides]
  To read: Chapter 7.2.3 (Click-Jacking), 7.2.7 (CSRF), 7.2.8 (Countermeasures against Client-Side Attacks)
  To watch: movies on forceful browsing and CSRF.
  Also interesting to watch, but not exam material: ad explaining the Auto Clicker Bot and how to clickjack Facebook likes.

June 1, lab session 4: WebGoat 7de & hackme lvl5, lvl6
  Deadline (extended!): have your answers to lvl5 and lvl6 submitted by Wednesday June 10, noon.

June 4, lecture 6: More attacks on clients: online privacy
  To read: 7.2.5 (Privacy attacks)
  To watch: Big Brother Pizza movie and movie about data gathered by a telecom operator
  To try out: your settings for supercookies and a cookie blocker such as Ghostery or DoNotTrackMe

June 8, lab session 5: Continued work on lvl5-lvl6 & WebGoat 9a, 10a

June 11, lecture 7: Attacks on sessions (incl. SSL stripping)
  (For revision you can also watch Moxie Marlinspike's presentation at Black Hat 2009 [movie])

June 15: no lab session, for some mysterious reason that only course schedulers know.

June 18, lecture 8: Security requirements and attacker (business) models [slides]

June 25: 8:30-11:30 exam (tentamen) in HG00.307. Exam material and what to expect

Friday August 7: 12:30-15:30 resit exam (hertentamen) in HG01.028