Software & Web Security 2

Software & Web Security 2, NWI-IPC026, Spring 2014

This course is taught by Erik Poll, Peter Schwabe, Harald Vrancken, Willem Burgers, and Ko Stoffelen.
It is part of the Cyber Security Track of the Bachelor Informatica.
More information is in the study guide (studiegids).

This course gives an introduction to the way the web works (incl. HTTP(S), HTML, URLs, cookies, JavaScript, the DOM and the same-origin policy (SOP)), the security problems that come with this (incl. various injection attacks, XSS, CSRF, clickjacking/UI redressing, SSL stripping, ...), and the privacy threats and attacker (business) models on the web.

Parts of the course are inspired by or based on material from the SysSec Common Curriculum.

Lecture: Wednesday 15:30-17:30 in LIN5
Tutorial: Tuesday 8:30-10:30 in HG00.075
Required prior knowledge: Security (NWI-IPC021) and Databases and Security (NWI-IPC024).

Book: Introduction to Computer Security, by Michael Goodrich & Roberto Tamassia
Pearson New International Edition, ISBN 10: 1-292-02540-9, ISBN 13: 9781292025407, 2013.
We only use chapters 1, 5.1 and 7 for this course, but the book will also be used for courses in the second year of the Cyber Security Track (specifically, for Peter Schwabe's Network and OS Security courses in the autumn).

For this course there are obligatory weekly web hacking exercises, which have to be done in pairs. ALL these exercises must be done in order for you to take the exam. At the exam we assume familiarity with the material in these exercises. Exercises have to be handed in via Blackboard, except the exercises, which are handed in via that website.

Our apologies for the fact that this webpage does not pass the W3C Markup Validation Service.

Schedule & course material

There is a separate webpage with information on the WebGoat lab assignments.
The final exercises are at

Some of the examples discussed in the lectures are in the demo directory.

16 April lecture 1 Evolution of (attacks on) the internet & web; HTTP, URL, HTML [slides]
To read: Chapter 1 (Fundamental Concepts), Chapter 5.1 (Network Security Concepts), Chapter 7.1.1 (HTTP and HTML)
22 April lab session 1 Exercises 1,2,3
23 April lecture 2 Sessions (in URL or cookie), HTTPS, injection attacks [slides]
To read: Chapter 7.1.2 (HTTPS), 7.1.4 (sessions) and 7.3.3 (SQL injection)
6 May lab session 2 Exercises 4,8
7 May lecture 3 Injection attacks on servers: OS command injection, path traversal, PHP injection, (blind) SQL injection, ... [slides]
To read: Chapter 7.3
13 May lab session 3 Exercise 5
14 May lecture 4 JavaScript, DOM, XSS [slides]
To read: Chapter 7.1.3 (dynamic content), 7.2 (Attacks on clients)
20 May lab session 4 Exercises 5, 6
21 May lecture 5 More attacks on clients: clickjacking/UI redressing & CSRF [slides]
To read: Chapter 7.2.3 (Click-Jacking), 7.2.7 (CSRF), 7.2.8 (Countermeasures against Client-Side Attacks)
27 May lab session 5 Exercise 7
28 May lecture 6 More attacks on clients: online privacy [slides]. Also see the Big Brother Pizza movie
To read: 7.2.5 (Privacy attacks)
3 June lab session 6 Exercises 9,10
4 June lecture 7 Attacks on sessions: SSL stripping. No lecture, but watch Moxie Marlinspike's presentation at Black Hat 2009 [movie] [slides]
10 June lab session 7 Solve the challenges at
11 June lecture 8 MitM attacks on sessions [slides];
Security requirements and attacker (business) models [slides];
17 June lab session 8 Last chance to complete the challenges. Deadline: 9:00 in the morning on 18 June
18 June lecture 9 Explanation of the challenges by Willem and Ko.
19 June lecture 9 Q & A session for the exam (13:45 in HG00.304)
Thu 26 June 8:30-11:30 exam in HG00.304. Exam material and what to expect
Thu 7 August resit exam in HG01.028