Web Security, NWI-IPC026, Spring 2017

This course is taught by Erik Poll and Harald Vranken, with Manuela Bergau, Jos Craaijo, Wouter Kuhnen and Thomas van der Burgt as student assistants.
More info in the course guide (studiegids).

Lecture (hoorcollege): Mondays 13:45-15:30 in HG00.304
Lab session (werkcollege): Wednesdays 10:45-12:30 in HG00.029 and HG00.625
Required prior knowledge: Security (NWI-IPC021) and Databases and Security (NWI-IPC024).

This course gives an introduction to the way the web works (incl. HTTP(S), HTML, URLs, JavaScript, DOM, cookies, SOP, HSTS, CSP) and the security problems that come with this, incl. various injection attacks such as command and SQL injection, XSS, CSRF, clickjacking/UI redressing, SSL stripping, ... and the privacy threats and attacker business models on the web.

In Blackboard the annotated copy of the article 'Surviving the Web: A Journey into Web Session Security' by Stefano Calzavara et al. (ACM Computing Surveys, Volume 50 Issue 1, April 2017, doi.org/10.1145/3038923) highlights relevant material for this course.

As background reading you can also use chapters 1, 5.1, and 7 of Introduction to Computer Security, by Michael Goodrich & Roberto Tamassia, ISBN 13: 9781292025407. There is a copy of this book in the study area (studielandschap) of the library. Below we list, for each of the lectures, the relevant sections in this book.

Schedule & course material

Slides will be made available as the course progresses. Examples of webpages discussed in the lectures are in the demo directory.

For this course there are obligatory exercises. You can do these in pairs. ALL these exercises must be done in order for you to take the exam. Cheating is completely trivial for some assignments, as answers are easy to copy, and for WebGoat the answers are in the tool. But be aware that at the exam we assume familiarity with the material in these exercises, so if you have not actually done the exercises you will have a problem.

More info about lab sessions.

April 10: lecture 1 Evolution of attacks on the internet & web; HTTP, URL, HTML [slides];
To try out: use WebScarab to look at the HTTP traffic generated by using the 4 forms on demo/demo_get_post.html
Optional reading: Chapter 1 (Fundamental Concepts), Chapter 5.1 (Network Security Concepts), Chapter 7.1.1 (HTTP and HTML)
April 12: lab session 1 Assignment 1
April 17 No lecture - Easter
April 19 No lab session this week, but watch Moxie Marlinspike's talk on SSL stripping at Black Hat 2009
April 24 and 26 May holiday: no lecture and no lab session
May 1: lecture 2 Sessions and HTTPS [slides]
To try out:
  • Check if your browser is vulnerable to the latest Unicode homograph attack (April 2017): if it displays the URL as apple.com, it is.
  • Check out this demo page via http and via https to understand how your browser copes with mixed HTTP/HTTPS content. Modern browsers may warn about mixed content, or block parts of the page altogether.
  • Browsers may also warn about pages with 'active content' served via HTTP, such as this insecure login page of Radboudnet, with a crossed-out lock rather than an absent lock (in Firefox), or the text 'Niet veilig' ('Not secure', in Chrome).
Optional reading: Chapter 7.1.2 (HTTPS), 7.1.4 (sessions)
May 3: lab session 2 Assignment 2
May 8: lecture 3 Attacks on servers: command injection, path traversal, PHP injection, (blind) SQL injection [slides]
Optional reading: Chapter 7.1.3 (dynamic content), 7.3 (Attacks on servers)
May 10: lab session 3 Assignment 3
May 15: lecture 4 Attacks on clients: JavaScript, DOM, XSS [slides]
To watch: animation about XSS. A nice explanation of XSS, incl. DOM-based XSS, is this XSS tutorial page.
To try out: the webpages that demo JavaScript, demo the DOM, demo JavaScript and the DOM some more, test the Same-Origin Policy (SOP), test SOP a bit more, and try XSS via the DOM
Optional reading: Chapter 7.1.3 (dynamic content), 7.2 (Attacks on clients)
News article about the mind-boggling JavaScript security vulnerability discovered in Windows Defender last week
May 17: lab session 4 Assignment 4
May 22: lecture 5 More attacks on clients: ClickJacking/UI redressing & CSRF [slides]
To watch: animations about Forced (aka forceful) browsing and CSRF.
To try out: the webpages that demo ClickJacking (1, 2, 3). Last year's demos of UI redressing with Blackboard and Radboudnet no longer work, as these sites now use X-Frame-Options, as you can see here.
Also interesting to watch, but not exam material: ad explaining the Auto Clicker Bot.
Optional reading: Chapter 7.2.3, 7.2.7, 7.2.8
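Why last year's UI-redressing demos stopped working can be checked in code. The following is an added example, not the course's demo code: it models the decision a browser makes before rendering a response inside an iframe, based on X-Frame-Options and, where present, a CSP frame-ancestors directive, which takes precedence over X-Frame-Options. The response headers and origins (app.example.com, evil.example.net) are constructed for illustration; default-port equivalence in host sources is not modelled.

```javascript
// Added example, not the course's demo code: the check a browser makes before
// rendering a response inside a frame, modelled on X-Frame-Options and the
// CSP frame-ancestors directive. Headers and origins below are constructed.

// Extract the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestorsOf(csp) {
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression allow framerOrigin?
function sourceMatches(source, framerOrigin, resourceOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === resourceOrigin;
  if (s === "*") return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s; // scheme source, e.g. https:
  // host source: [scheme://][*.]host[:port]; explicit ports must match literally
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && framer.protocol !== scheme + ":") return false;
  if (port && framer.port !== port) return false;
  return wildcard ? framer.hostname.endsWith("." + host) : framer.hostname === host;
}

// headers: response headers of the page to be framed; framerOrigin: origin of
// the page containing the <iframe>; resourceOrigin: origin of the framed page.
function mayBeFramed(headers, framerOrigin, resourceOrigin) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const sources = h["content-security-policy"]
    ? frameAncestorsOf(h["content-security-policy"]) : null;
  // Per CSP level 2, a frame-ancestors directive makes the browser ignore X-Frame-Options.
  if (sources) return sources.some(src => sourceMatches(src, framerOrigin, resourceOrigin));
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === resourceOrigin;
  // No header (or the obsolete ALLOW-FROM, which current browsers ignore): anyone may frame it.
  return true;
}

// Constructed scenarios: a clickjacking page on evil.example.net tries to frame app.example.com.
const VICTIM = "https://app.example.com";
const ATTACKER = "https://evil.example.net";
const scenarios = {
  "no headers":             {},
  "X-Frame-Options DENY":   { "X-Frame-Options": "DENY" },
  "X-Frame-Options SAMEORIGIN": { "X-Frame-Options": "SAMEORIGIN" },
  "CSP frame-ancestors":    { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.com" },
};
for (const [name, headers] of Object.entries(scenarios)) {
  console.log(`${name.padEnd(28)} framed by attacker: ${mayBeFramed(headers, ATTACKER, VICTIM)}`);
}
```

To see what a real site sends, fetch its response headers (for example with curl -I) and look for X-Frame-Options or a Content-Security-Policy header containing frame-ancestors; if either is present with a restrictive value, a page on another origin cannot redress its UI.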
May 24: lab session 5 Assignment 5
May 29: lecture 6 More attacks on clients: online privacy [slides]
To watch: the Big Brother Pizza movie, and what is gathered by a telecom operator
To do: check your settings for Flash cookies (Local Shared Objects, aka supercookies) and try out a privacy plugin such as Privacy Badger or Ghostery
Interesting uses of web beacons
Optional reading: 7.2.5 (Privacy attacks)
May 31: lab session 6 Finishing work on assignment 5
June 5: no lecture because of Pentecost
June 7: lab session 7 back-up session - not sure if we'll need it
Friday June 16 8:30-11:30 exam in HAL 2
Exam material and what to expect
Mock exam
The annotated copy of the Calzavara et al. survey in Blackboard (see above) highlights the material relevant for the exam.
Friday July 14 8:30 - 11:30 resit exam in HG01.028

Does this webpage pass the W3C Markup Validation Service? It should, really, but a few errors have been deliberately left in to illustrate the complexity of HTML as a language.
