Instructor: Michael L. Nelson mln@cs.odu.edu
Office Hours: Mondays 6-7 and by appointment
Time: Mondays 7:10pm - 9:50pm
Place: online to start the semester -- contact mln@cs.odu.edu for the Zoom URL. We'll consider moving to a hybrid format (in room ECSB 2120) as the pandemic allows.
Class Email list: https://groups.google.com/group/cs595-s22
CRNs: 31657 (495) and 31659 (595)
The goal of this course is to review common web security vulnerabilities and exploits, as well as their corresponding defenses. There is an inherent tension between "web as simple document reader" and "web as application environment", and as the functionality of the web ecosystem increases, so do the vulnerabilities.
General concepts that students will learn: principles of web security, attacks and countermeasures, the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross site scripting, authentication, JavaScript security, emerging threats, defense-in-depth, techniques for writing secure code, web archiving, rehosting.
Specific technologies that students will learn: Git/GitHub, DOM/Javascript, CLI, Node.js, Twitter, Youtube.
This course is based on CS 253 Web Security, Stanford, Fall 2019. Special thanks to Feross Aboukhadijeh for generously sharing his course materials (although any errors are mine).
-
Week 01 - January 10 - Introduction and Administrivia, Document Object Model, Javascript, HTTP, Security fundamentals
- Git/GitHub 1, 2, 3
- Markdown 1, 2
- Node.js
- Document Object Model: Introduction to the DOM, Easy Way to Understand How the DOM Works
- JavaScript Crash Course, JavaScript DOM Crash Course Parts 1--4
- A Re-Introduction to JavaScript
- The Missing Semester of Your CS Education
- Inside look at modern web browser: 1, 2, 3
- Architecture of the World Wide Web, Volume One
- Class slides
-
Week -- - January 17 - MLK Jr. -- No Classes
-
Week 02 - January 24 - Cookies, Sessions
-
Week 03 - January 31 - Cross-Site Request Forgery, Same Origin Policy
-
Week 04 - February 7 - Exceptions to the Same Origin Policy
-
Week 05 - February 14 - Cross-Site Scripting (XSS)
-
Week 06 - February 21 - XSS and Content Security Policy (CSP)
-
Week 07 - February 28 - Fingerprinting and Privacy
-
Week -- - March 7 - Spring Break -- No Classes
-
Week 08 - March 14 - Transport Layer Security
-
Week 09 - March 21 - HSTS, Certificate Transparency
-
Week 10 - March 28 - Authentication
-
Week 11 - April 4 - Local HTTP Server Security
-
Week 12 - April 11 - DNS rebinding attacks
-
Week 13 - April 18 - UI Denial-of-service, Phishing, Side Channels
-
Week 14 - April 25 - Rehosting, Web Archiving
-
Week 15 - May 2 - Exam
-
Weekly review of current events: #cs595s22
-
Assignment 1: Basics of HTML, Javascript, and Node
-
Assignment 2: Getting Started with Node.js, Express, and Cookies
-
Assignment 3: Cookie Report
-
Assignment 4: Frames
-
Assignment 5: Same-origin Policy, CORS, CSP
-
Assignment 6: Fingerprinting
- Due: April 18
-
Assignment 7: Phishing
- Due: May 2