BC4018 Web Security Syllabus:
BC4018 Web Security Syllabus – Anna University PG Syllabus Regulation 2021
COURSE OBJECTIVES:
To provide the importance of Web Security
To discuss the fundamentals of web application authentication and session management
To study and practice fundamental techniques in developing secure web based applications
To identify and find the vulnerabilities of web based applications and to protect those applications from attacks
To examine the exploiting and preventing of path traversal vulnerability
UNIT I WEB APPLICATION TECHNOLOGIES
Introduction – Evolution of web applications – Web application security – Core defense mechanisms – Handling user access – Handling user input – Handling attackers – Managing the application – The OWASP top ten list Web Application Technologies : Web functionality – Encoding schemes – Mapping the Application – Enumerating the content and functionality – Analysing the application – Bypassing client side controls : Transmitting data via the client – Capturing user data – Handling client side data securely – Input Validation, Blacklist Validation – Whitelist Validation – The Defence-in-Depth Approach – Attack Surface Reduction Rules of Thumb
UNIT II WEB APPLICATION AUTHENTICATION AND SESSION MANAGEMENT
Web Application Authentication : Authentication Fundamentals- Two factor and Three Factor authentication – Password Based, Built in HTTP, single sign-on Custom Authentication- Secured Password based authentication: Attacks against password, Importance of password complexity – Design flaws in authentication mechanisms – Implementation flaws in authentication mechanisms – Securing authentication Session Management: Need – Weaknesses in Session Token Generation – Weaknesses in Session Token Handling – Securing Session Management; Access Control : Access Control overview, Common vulnerabilities – attacking access controls – Securing Access Controls
UNIT III WEB SECURITY PRINCIPLES
Web Security Principles: Origin Policy, Exceptions Cross Site Scripting, Cross site Forgery Scripting; File Security Principles: Source code Security, Forceful Browsing, Directory Traversals Classifying and Prioritizing Threats Origin Policy
UNIT IV WEB APPLICATION VULNERABILITY
Web Application Vulnerability: Understanding vulnerabilities in traditional client server application and web applications, client state manipulation, Cookie based attacks, SQL injection, cross domain attack (XSS/XSRF/XSSI) http header injection. SSL vulnerabilities and testing – Proper encryption use in web application – Session vulnerabilities and testing – Cross-site request forgery
UNIT V EXPLOITING SYSTEMS
Exploiting Systems: Path traversal – Finding and exploiting path traversal vulnerability – Preventing path traversal vulnerability – Information disclosure – Exploiting error messages – Securing compiled applications – Buffer overflow vulnerability – Integer vulnerability – Format string vulnerability
TOTAL: 45 PERIODS
PRACTICALS:
1. Exploration of web security in popular websites
2. Experimentation on Crawling a website
3. Implement the Vulnerability scanning
4. Implement the Cookie Stealing with cross site scripting
5. Implement the Commit identity theft
6. Implement the Website Security implementation – Apache hardening, MySQL hardening, PHP hardening
7. Implement the XSS and SQL injections
8. Experimentation on Password security
9. Experimentation on Browser security
10. Experimentation on Web application security assessment
11. Sample projects that can be given to students :
12. Experimentation on Broken Authentication and Session Management
13. Experimentation on Cross-site scripting
14. Experimentation on Insecure direct object references
15. Experimentation on Security misconfiguration
16. Experimentation on Missing function level access control
17. Experimentation on Cross-site request forgery
18. Implement using components with known vulnerabilities
COURSE OUTCOMES:
CO1: To understand common vulnerabilities plaguing today’s web applications
CO2: To understand security-related issues in web based systems and applications.
CO3: To understand the fundamental security mechanisms of a Web-based system.
CO4: To be able to develop and deploy customized exploits that can bypass common defenses
CO5: To be able to evaluate a web based system with respect to its security requirements.
TOTAL: 30 PERIODS
TOTAL:45+30=75 PERIODS
REFERENCES
1. B. Sullivan, V. Liu, and M. Howard, Web Application Security, A Beginner’s Guide. New York: McGraw-Hill Education, 2011.
2. D. Stuttard and M. Pinto, The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws, 2nd ed. Indianapolis, IN: Wiley, John & Sons, 2011.
3. W. Hanqing and L. Zhao, Web Security: A Whitehat Perspective. United Kingdom: Auerbach Publishers, 2015.
4. M. Shema and J. B. Alcover, Hacking Web Apps: Detecting and Preventing Web
Application Security Problems. Washington, DC, United States: Syngress Publishing, 2014.