University of Surrey - Guildford

2010/1 Module Catalogue
Module Provider: Computing Short Name: COMM036
Level: M Module Co-ordinator: VRUSIAS BL Dr (Computing)
Number of credits: 15 Number of ECTS credits: 7.5
Module Availability
Spring Semester
Assessment Pattern
Unit(s) of Assessment
Weighting Towards Module Mark (%)

Coursework: identifying security flaws in, and then securing, a web application. The student is expected to deliver a report of the identified security flaws, the process followed to identify them, and a proposal for fixing the problems/issues found.

Closed book unseen examination (2 hours)

Qualifying Condition(s)

A weighted aggregate mark of 50% is required to pass the module.

Module Overview

Today almost no business can survive without using the Internet as a means of providing services or products to customers or other businesses. Web applications have become robust and easy to use; as a result, a large part of the population is now willing to use the Web for purchasing, banking or even communicating with other people. Such applications have therefore become an attractive target for attackers, who will try to exploit every vulnerable point that becomes available to them. Because of the continuously increasing demand for more robust and faster Web applications, technologies must change and adapt, which introduces new security flaws and requires continuous measures to discover and fix security holes. Exposing the weaknesses of such Web applications and understanding how attacks are carried out provides the basis for securing a Web application.


Familiarity with Web application principles, protocols and implementation, and also with basic security principles. Students should have attended either Enterprise Systems Development (COMM030) or Agile Web Development (COMM013). Security-related modules such as Computer Security (COMM024) or Network Security (COMM026) are also desirable but not essential.

Module Aims

The aim of this module is to make students aware of the need for, and importance of, security in Web applications and to investigate ways of thinking about and solving such security problems. Students will explore in practice the vulnerable points of weak Web applications and the different attack methods that hackers use against them, and then learn how to prevent such attacks.

Learning Outcomes

By the end of the module the students should be able to:

  1. understand the vulnerability of web applications and the need for securing them
  2. categorise the different attack methods and learn how each can affect the application’s security
  3. examine and secure a web application to prevent it from attacks
  4. put theory into practice by using comprehensive tools to discover vulnerable points in a web application and then securing the application to prevent attacks.

Module Content

Introduction to Web Application security

  • What is Web hacking and why is it important
  • Tools and automation

Attacking methods and countermeasures

  • Web Platforms: detecting evasion techniques and countermeasures for popular web platforms
  • Web Authentication: password based, multifactor (e.g. SecurID, Passmark, etc.), and online authentication services (e.g. Microsoft Passport)
  • Web Authorisation: session analysis, hijacking, and fixation techniques
  • Input Validation: cross-site scripting, HTTP response splitting, buffer overflows, dot-dot-slash, metacharacters, encoding techniques
  • Web Datastores: SQL injection (e.g. blind method or platform specific)
  • XML Web Services: SOAP vulnerability, WSDL disclosure, input injection, external entity injection, XPath injection
  • Web Application Management: vulnerabilities in remote server management, web content management/authoring, admin misconfigurations, and developer-driven mistakes
  • Web Clients: IE and Firefox exploits
  • Denial of Service (DoS): click fraud, infrastructure DoS, application layer Distributed DoS (DDoS)
  • Humans: phishing

Web 2.0 Vulnerability:

  • HTML and JavaScript Injection
  • Thick Clients: Cookies; Flash; Ajax

Testing and securing the Web application

  • Testing tools; Scanners
  • Prevention

Methods of Teaching/Learning

The module will consist of approximately 25 hours of lectures and 5 hours of lab sessions.

Selected Texts/Journals
Recommended books are:

  • Scambray, J., Shema, M. and Sima, C., Hacking Exposed Web Applications, Second Edition: Web Application Security Secrets and Solutions, McGraw-Hill Osborne, 2nd edition, 2006, ISBN: 0072262990
  • Stuttard, D. and Pinto, M., The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, John Wiley & Sons, 2007, ISBN: 0470170778
  • Cannings, R., Dwivedi, H. and Lackey, Z., Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions, McGraw-Hill Osborne, 2008, ISBN: 0071494618

Last Updated
16 September 2009