ODU CS 433/533 Web Security, Fall 2023

Instructor: Michael L. Nelson mln@cs.odu.edu

Office Hours: Wednesdays 2-4 and by appointment

Time: Wednesdays 4:20pm - 7:00pm

Place: online to start the semester -- contact mln@cs.odu.edu for the Zoom URL.

Syllabus

Class Email list: https://groups.google.com/group/cs533-f23

CRNs: 23043, 23044, 23045 (433) and 23046, 23047, 23048 (533)

Course Objectives

The goal of this course is to review common web security vulnerabilities and exploits, as well as their corresponding defenses. There is an inherent tension between "web as simple document reader" and "web as application environment", and as the functionality of the web ecosystem increases, so do the vulnerabilities.

General concepts that students will learn: principles of web security, attacks and countermeasures, the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross site scripting, authentication, JavaScript security, emerging threats, defense-in-depth, techniques for writing secure code, web archiving, rehosting.

Specific technologies that students will learn: Git/GitHub, DOM/Javascript, CLI, Node.js, Twitter, Youtube.

Course Inspiration

This course is based on CS 253 Web Security, Stanford, Fall 2019. Special thanks to Feross Aboukhadijeh for generously sharing his course materials (although any errors are mine).

Class Schedule (subject to change; slides will be updated prior to class)

• Week 01 - August 30 - Introduction and Administrivia, Document Object Model, Javascript, HTTP, Security fundamentals

  • Git/GitHub 1, 2, 3
  • Markdown 1, 2
  • Node.js
  • Document Object Model: Introduction to the DOM, Easy Way to Understand How the DOM Works
  • JavaScript Crash Course, JavaScript DOM Crash Course Parts 1--4
  • A Re-Introduction to JavaScript
  • The Missing Semester of Your CS Education
  • Inside look at modern web browser: 1, 2, 3
  • Architecture of the World Wide Web, Volume One
  • Class slides

• Week 02 - September 6 - Cookies, Sessions

  • An overview of HTTP
  • HTTP Cookies
  • HTTP Headers
  • Class slides

• Week 03 - September 13 - Cross-Site Request Forgery, Same Origin Policy

  • SameSite Cookies Explained
  • Incrementally Better Cookies
  • CSRF Is Dead
  • Same Origin policy
  • Cross-Site Request Forgery Prevention
  • Origin
  • Class slides

• Week 04 - September 20 - Exceptions to the Same Origin Policy

  • X-Frame-Options, RFC 7034
  • Frame Hijacking
  • Busting Frame Busting
  • Class slides

• Week 05 - September 27 - Cross-Site Scripting (XSS)

  • Cross Site Scripting Prevention Cheat Sheet
  • XSS Filter Evasion Cheat Sheet
  • Class slides

• Week 06 - October 4 - XSS and Content Security Policy (CSP)

  • Content Security Policy (CSP)
  • CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy
  • Defence in Depth: The medieval castle approach to internet security
  • Class slides

• Week 07 - October 11 - Fingerprinting and Privacy

  • Browser Fingerprinting: An Introduction and the Challenges Ahead
  • Class slides (2019), (2021 version)

• Week 08 - October 18 - Transport Layer Security

  • Looking back at the Snowden revelations
  • HTTPS encryption on the web
  • Class slides

• Week 09 - October 25 - HSTS, Certificate Transparency

  • Strict-Transport-Security
  • Protecting Against HSTS Abuse
  • HTTP Public Key Pinning (HPKP) (now redirects to Certificate Transparency; archived version; Wikipedia HPKP)
  • Certificate Transparency
  • Class slides

• Week 10 - November 1 - Authentication

  • Authentication Cheat Sheet
  • Class slides

• Week 11 - November 8 - Local HTTP Server Security

  • Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
  • Class slides

• Week 12 - November 15 - DNS rebinding attacks

  • Millions of Streaming Devices Are Vulnerable to a Retro Web Attack
  • Protecting Browsers from DNS Rebinding Attacks
  • Class slides

• Week - November 22 - Thanksgiving -- no classes

• Week 13 - November 29 - UI Denial-of-service, Phishing, Side Channels

  • The Annoying Site
  • Phishing with Unicode Domains
  • The inception bar: a new phishing method
  • Class slides

• Week 14 - December 6 - Rehosting, Web Archiving

  • Rewriting History: Changing the Archived Web from the Present (slides, video, DSHR blog post)
  • Thinking like a hacker: Security Considerations for High-Fidelity Web Archives (DSHR blog post)
  • Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites (slides, video)

• Week 15 - December 13 - Exam

Assignments (subject to change)

• Weekly review of current events: #cs533f23

• Assignment 1: Basics of HTML, Javascript, and Node

  • Due: September 13

• Assignment 2: Getting Started with Node.js, Express, and Cookies

  • Due: September 27

• Assignment 3: Cookie Report

  • Due: October 18

• Assignment 4: Frames

  • Due: November 1

• Assignment 5: Same-origin Policy, CORS, CSP

  • Due: November 15

• Assignment 6: Fingerprinting

  • Due: November 29

• Assignment 7: Phishing

  • Due: December 13