Software & Web Security 2, NWI-IPC026, Spring 2015

This course is taught by Erik Poll, Harald Vranken, Ko Stoffelen, Aaron van Geffen, and Jakob Bleier.
It is part of the Cyber Security Track of the Bachelor Informatica.
More info in the studiegids (course guide).

This course gives an introduction to the way the web works (incl. HTTP(S), HTML, URLs, cookies, JavaScript, DOM, SOP) and the security problems that come with this, incl. various injection attacks, XSS, CSRF, clickjacking/UI redressing, SSL stripping, ... and the privacy threats and attacker (business) models on the web.

Parts of the course are inspired by or based on material from the SysSec Common Curriculum.

Lecture (hoorcollege): Thursday 10:30-12:30 in HG00.307
Lab session (werkcollege): Monday 15:30-17:30 in HG00.075
Required prior knowledge: Security (NWI-IPC021) and Databases and Security (NWI-IPC024).

Book: Introduction to Computer Security, by Michael Goodrich & Roberto Tamassia
Pearson New International Edition, ISBN 10: 1-292-025490-9, ISBN 13: 9781292025407, 2013.
We only use chapters 1, 5.1 and 7 for this course, but the book will also be used for courses in the second year of the Cyber Security Track (specifically, for Peter Schwabe's Network and OS Security courses in the autumn).

Our apologies for the fact that this webpage does not pass the W3C Markup Validation Service.

Schedule & course material

Slides will be made available as the course progresses. Some of the example webpages discussed in the lectures are in the demo directory.

For this course there are obligatory weekly web hacking exercises, which have to be done in pairs. There are two kinds of lab assignments:

Deadline for the assignments is Monday 12:00 noon, so you have a full week to do them. ALL these exercises must be done in order for you to take the exam. At the exam we assume familiarity with the material in these exercises, so if you have not actually done the exercises you will have a problem.

If you want to try out more exercises, try out the Natas challenges.

April 16: lecture 1 Evolution of (attacks on) the internet & web; HTTP, URL, HTML [slides]
To read: Chapter 1 (Fundamental Concepts), Chapter 5.1 (Network Security Concepts), Chapter 7.1.1 (HTTP and HTML )
To do: look at HTTP traffic that demo_get_post.html produces
April 20: lab session 1 WebGoat 1a,2a,3a,4a & hackme lvl0.
Deadline: have your answer to lvl0 submitted by Monday April 27 noon.
April 23: lecture 2 Sessions (in URL or cookie), HTTPS [slides]
To read: Chapter 7.1.3 (HTTPS), 7.1.4 (sessions)
April 27 No lab session because of Koningsdag
April 30: lecture 3 Injection attacks on servers: OS command injection, path traversal, PHP injection, (blind) SQL injection, ... [slides]
To read: Chapter 7.3
May 11: lab session 2 WebGoat 8abc (sessions) & 5abcdefg (Command & SQL injection) & hackme lvl1, lvl2.
Deadline: have your answer to lvl1 and lvl2 submitted by Monday May 18 noon.
May 14 No lecture because of Ascension Day
May 18: lab session 3 WebGoat 6abc & 7abc & hackme lvl3, lvl4
Deadline: have your answer to lvl3 and lvl4 submitted by Monday May 25 noon.
May 21: lecture 4 JavaScript, DOM, XSS [slides]
To read: Chapter 7.1.3 (dynamic content), 7.2 (Attacks on clients)
To watch: movie on XSS.
May 25 No lab session because of Pentecost
May 28: lecture 5 More attacks on clients: ClickJacking/UI redressing & CSRF [slides]
To read: Chapter 7.2.3 (Click-Jacking), 7.2.7 (CSRF), 7.2.8 (Countermeasures against Client-Side Attacks)
To watch: movies on Forceful browsing and CSRF.
Also interesting to watch, but not exam material: ad explaining the Auto Clicker Bot and how to clickjack Facebook likes.
June 1: lab session 4 WebGoat 7de & hackme lvl5, lvl6
Deadline (extended!): have your answer to lvl5 and lvl6 submitted by Wednesday June 10 noon.
June 4: lecture 6 More attacks on clients: online privacy [slides].
To read: Chapter 7.2.5 (Privacy attacks)
To watch: Big Brother Pizza movie and movie about data gathered by telecom operator
To try out: your settings for supercookies and a cookie blocker such as Ghostery or DoNotTrackMe
June 8: lab session 5 Continued work on lvl5-lvl6 & WebGoat 9a, 10a
June 11: lecture 7 Attacks on sessions (incl. SSL stripping) [slides]
(For revision you can also watch Moxie Marlinspike's presentation at Blackhat 2009 [movie])
June 15 No lab session, for some mysterious reason that only course schedulers know.
June 18: lecture 8 Security requirements and attacker (business) models [slides].
June 25 8:30-11:30 exam in HG00.307. Exam material and what to expect
Friday August 7 12:30-15:30 resit exam in HG01.028