Identifying security flaws and then securing a web application. The student is expected to deliver a report of the identified security flaws, the process followed to identify them, and a proposal for fixing the problems/issues found.
50%
Exams:
Closed book unseen examination (2 hours)
50%
Qualifying Condition(s)
A weighted aggregate mark of 50% is required to pass the module.
Module Overview
Today almost no business can survive without using the Internet as a means of providing services or products to customers or other businesses. Web applications have become robust and easy to use; therefore most people are now more inclined to use the Web as a means of purchasing, banking or even communicating with other people. As a result, such applications have become an attractive target for hackers, who will try to exploit every vulnerable point that becomes available to them. Due to the continuously increasing need for more robust and faster Web applications, technologies need to change and adapt, introducing new security flaws and therefore requiring continuous measures to discover and fix security holes. Exposing the weaknesses of such Web applications and discovering how attacks are carried out should provide the basis for securing a Web application.
Prerequisites/Co-requisites
Familiarity with Web application principles, protocols and implementation, and also with basic security principles. The students should have attended either Enterprise Systems Development (COMM030) or Agile Web Development (COMM013). Security-related modules such as Computer Security (COMM024) or Network Security (COMM026) are also desirable but not essential.
Module Aims
The aim of this module is to make the students aware of the need for and importance of security in Web applications, and to investigate ways of thinking about and solving such security problems. The students will explore in practice the vulnerable points of weak Web applications and the different attack methods that hackers use against them, and then learn how to prevent such attacks.
Learning Outcomes
By the end of the module the students should be able to:
understand the vulnerability of web applications and the need for securing them
categorise the different attack methods and learn how each can affect the application’s security
examine and secure a web application to protect it from attacks
put theory into practice through the use of comprehensive tools in order to discover vulnerable points in a web application and then secure the application to prevent attacks.
Module Content
Introduction to Web Application Security
What is Web hacking and why is it important
Tools and automation
Attacking methods and countermeasures
Web Platforms: detecting evasion techniques and countermeasures for popular web platforms
Web Authentication: password based, multifactor (e.g. SecurID, Passmark, etc.), and online authentication services (e.g. Microsoft Passport)
Web Authorisation: session analysis, hijacking, and fixation techniques
Web Datastores: SQL injection (e.g. blind method or platform specific)
XML Web Services: SOAP vulnerability, WSDL disclosure, input injection, external entity injection, XPath injection
Web Application Management: vulnerabilities in remote server management, web content management/authoring, admin misconfigurations, and developer-driven mistakes
Web Clients: IE and Firefox exploits
Denial of Service (DoS): click fraud, infrastructure DoS, application layer Distributed DoS (DDoS)
Humans: phishing
Web 2.0 Vulnerabilities:
HTML and JavaScript Injection
Thick Clients: Cookies; Flash; Ajax
Testing and securing the Web application
Testing tools; Scanners
Prevention
Methods of Teaching/Learning
The module will consist of approximately 25 hours of lectures and 5 hours of lab sessions.
Selected Texts/Journals
Recommended books are:
Scambray, J., Shema, M. and Sima, C., Hacking Exposed Web Applications, Second Edition: Web Application Security Secrets and Solutions, McGraw-Hill Osborne, 2nd edition, 2006, ISBN 0072262990
Stuttard, D. and Pinto, M., The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, John Wiley & Sons, 2007, ISBN 0470170778
Cannings, R., Dwivedi, H. and Lackey, Z., Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions, McGraw-Hill Osborne, 2008, ISBN 0071494618