Instructor: Kritika Garg
Email: kgarg001@odu.edu
Syllabus: Syllabus.pdf
Class Canvas: https://canvas.odu.edu/courses/187687
Class Announcements: https://canvas.odu.edu/courses/187687/announcements
Office Hours: Fridays, 12-2pm via Zoom or In-person (ECSB 3102) or email for an appointment.
Class Timings: This is an asynchronous course offered online through Canvas. This course does not have any required lecture times.
The goal of this course is to review common web security vulnerabilities and exploits, along with the defenses designed to counter them. We will explore the ongoing tension between the web as a "simple document reader" and the web as an "application environment". As the web ecosystem grows in functionality, so too do its vulnerabilities.
By the end of this course, you’ll understand the core principles of web security and how different attacks and defenses work. Topics include the browser security model, web application vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, the same-origin policy, cross-site scripting, authentication, JavaScript security, emerging threats, defense-in-depth, writing secure code, web archiving, and rehosting.
You’ll also get hands-on experience with key technologies such as Git and GitHub, DOM and JavaScript, the command line interface (CLI), Node.js, and utilize platforms like X (Twitter) and YouTube.
Prerequisites: Unix/Linux, Web, HTML
This course builds upon the foundation established by Dr. Michael L. Nelson, who originally designed and previously taught the course. We will continue to benefit from his contributions by using the recorded video lectures and slides he developed as part of the weekly learning materials.
The design and inspiration for this course also draw from CS 253: Web Security, Stanford, Fall 2019. A special thanks to Feross Aboukhadijeh for generously sharing his course resources (though any mistakes remain my own).
(subject to change; slides will be updated prior to class)
Week 01 - Introduction and Administrivia, Document Object Model, Javascript, HTTP, Security fundamentals
- Git/GitHub 1, 2, 3
- Markdown 1, 2
- Node.js
- Document Object Model: Introduction to the DOM, Easy Way to Understand How the DOM Works
- JavaScript Crash Course, JavaScript DOM Crash Course Parts 1--4
- A Re-Introduction to JavaScript
- The Missing Semester of Your CS Education
- Inside look at modern web browser: 1, 2, 3
- Architecture of the World Wide Web, Volume One
- Class slides
- SameSite Cookies Explained
- Incrementally Better Cookies
- CSRF Is Dead
- Same Origin policy
- Cross-Site Request Forgery Prevention
- Origin
- Class slides
- Content Security Policy (CSP)
- CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy
- Defence in Depth: The medieval castle approach to internet security
- Class slides
- Browser Fingerprinting: An Introduction and the Challenges Ahead
- Class slides (2019), (2021 version)
- Strict-Transport-Security
- Protecting Against HSTS Abuse
- HTTP Public Key Pinning (HPKP) (now redirects to Certificate Transparency; archived version; Wikipedia HPKP)
- Certificate Transparency
- Class slides
- Millions of Streaming Devices Are Vulnerable to a Retro Web Attack
- Protecting Browsers from DNS Rebinding Attacks
- Class slides
- The Annoying Site
- Phishing with Unicode Domains
- The inception bar: a new phishing method
- Class slides
- Rewriting History: Changing the Archived Web from the Present (slides, video, DSHR blog post)
- Thinking like a hacker: Security Considerations for High-Fidelity Web Archives (DSHR blog post)
- Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites (slides, video)
- Weekly review of current events related to web security on social media (use #cs533f25):
  - Canvas Discussion Forum
- Assignment 1: Basics of HTML, Javascript, and Node
- Assignment 2: Getting Started with Node.js, Express, and Cookies
(subject to change)
| Week | Date | Topic | Homework Assigned | Homework Due |
|---|---|---|---|---|
| 1 | August 26, 2025 | Introduction and Administrivia, Document Object Model, Javascript, HTTP, Security fundamentals | Assignment 1: Basics of HTML, Javascript, and Node | Due: September 7, 2025 |
| 2 | September 2, 2025 | Cookies, Sessions | | |
| 3 | September 9, 2025 | Cross-Site Request Forgery, Same Origin Policy | Assignment 2: Getting Started with Node.js, Express, and Cookies | Due: September 21, 2025 |
| 4 | September 16, 2025 | Exceptions to the Same Origin Policy | | |
| 5 | September 23, 2025 | Cross-Site Scripting (XSS) | Assignment 3: Cookie Report | Due: October 5, 2025 |
| 6 | September 30, 2025 | XSS and Content Security Policy (CSP) | | |
| 7 | October 7, 2025 | Fingerprinting and Privacy | Assignment 4: Frames | Due: October 19, 2025 |
| 8 | October 14, 2025 | Transport Layer Security | | |
| 9 | October 21, 2025 | HSTS, Certificate Transparency | Assignment 5: Same-origin Policy, CORS, CSP | Due: November 2, 2025 |
| 10 | October 28, 2025 | Authentication | | |
| 11 | November 4, 2025 | Local HTTP Server Security | Assignment 6: Fingerprinting | Due: November 16, 2025 |
| 12 | November 11, 2025 | DNS rebinding attacks | | |
| 13 | November 18, 2025 | UI Denial-of-service, Phishing, Side Channels | Assignment 7: Phishing | Due: December 2, 2025 |
| 14 | November 25, 2025 | Thanksgiving Break | | |
| 15 | December 2, 2025 | Rehosting, Web Archiving | | |