BC4018 Web Security Syllabus – Anna University PG Syllabus Regulation 2021

COURSE OBJECTIVES:

• To convey the importance of web security
• To discuss the fundamentals of web application authentication and session management
• To study and practise fundamental techniques for developing secure web-based applications
• To identify the vulnerabilities of web-based applications and to protect those applications from attacks
• To examine the exploitation and prevention of path traversal vulnerabilities

UNIT I WEB APPLICATION TECHNOLOGIES

Introduction – Evolution of web applications – Web application security – Core defense mechanisms – Handling user access – Handling user input – Handling attackers – Managing the application – The OWASP Top Ten list. Web Application Technologies: Web functionality – Encoding schemes – Mapping the application – Enumerating the content and functionality – Analysing the application. Bypassing client-side controls: Transmitting data via the client – Capturing user data – Handling client-side data securely. Input validation: Blacklist validation – Whitelist validation – The defence-in-depth approach – Attack surface reduction rules of thumb.

UNIT II WEB APPLICATION AUTHENTICATION AND SESSION MANAGEMENT

Web Application Authentication: Authentication fundamentals – Two-factor and three-factor authentication – Password-based, built-in HTTP, single sign-on and custom authentication – Secured password-based authentication: attacks against passwords, importance of password complexity – Design flaws in authentication mechanisms – Implementation flaws in authentication mechanisms – Securing authentication. Session Management: Need – Weaknesses in session token generation – Weaknesses in session token handling – Securing session management. Access Control: Access control overview – Common vulnerabilities – Attacking access controls – Securing access controls.

UNIT III WEB SECURITY PRINCIPLES

Web Security Principles: Origin policy and its exceptions – Cross-site scripting – Cross-site forgery scripting. File Security Principles: Source code security – Forceful browsing – Directory traversals. Classifying and prioritizing threats – Origin policy.

UNIT IV WEB APPLICATION VULNERABILITY

Web Application Vulnerability: Understanding vulnerabilities in traditional client-server applications and web applications – Client state manipulation – Cookie-based attacks – SQL injection – Cross-domain attacks (XSS/XSRF/XSSI) – HTTP header injection – SSL vulnerabilities and testing – Proper encryption use in web applications – Session vulnerabilities and testing – Cross-site request forgery.

UNIT V EXPLOITING SYSTEMS

Exploiting Systems: Path traversal – Finding and exploiting path traversal vulnerabilities – Preventing path traversal vulnerabilities – Information disclosure – Exploiting error messages – Securing compiled applications – Buffer overflow vulnerabilities – Integer vulnerabilities – Format string vulnerabilities.

TOTAL: 45 PERIODS

PRACTICALS:

1. Exploration of web security in popular websites
2. Experimentation on crawling a website
3. Implement vulnerability scanning
4. Implement cookie stealing with cross-site scripting
5. Demonstrate identity theft
6. Implement website security hardening – Apache hardening, MySQL hardening, PHP hardening
7. Implement XSS and SQL injections
8. Experimentation on password security
9. Experimentation on browser security
10. Experimentation on web application security assessment
11. Sample projects that can be given to students:
12. Experimentation on broken authentication and session management
13. Experimentation on cross-site scripting
14. Experimentation on insecure direct object references
15. Experimentation on security misconfiguration
16. Experimentation on missing function-level access control
17. Experimentation on cross-site request forgery
18. Experimentation on using components with known vulnerabilities

TOTAL: 30 PERIODS

COURSE OUTCOMES:

CO1: To understand common vulnerabilities plaguing today's web applications.
CO2: To understand security-related issues in web-based systems and applications.
CO3: To understand the fundamental security mechanisms of a web-based system.
CO4: To be able to develop and deploy customized exploits that can bypass common defenses.
CO5: To be able to evaluate a web-based system with respect to its security requirements.

TOTAL: 45 + 30 = 75 PERIODS

REFERENCES

1. B. Sullivan, V. Liu, and M. Howard, Web Application Security, A Beginner's Guide. New York: McGraw-Hill Education, 2011.
2. D. Stuttard and M. Pinto, The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, 2nd ed. Indianapolis, IN: John Wiley & Sons, 2011.
3. W. Hanqing and L. Zhao, Web Security: A Whitehat Perspective. United Kingdom: Auerbach Publishers, 2015.
4. M. Shema and J. B. Alcover, Hacking Web Apps: Detecting and Preventing Web Application Security Problems. Washington, DC, United States: Syngress Publishing, 2014.