Web applications are vulnerable to many types of attacks to which traditional client-server applications are not as susceptible. These vulnerabilities, over the past several years, have resulted in attacks that have exposed companies to monetary losses and reputation damage. This course covers these vulnerabilities, how attacks are constructed based on them, and techniques that can be used to mitigate such vulnerabilities. Example web vulnerabilities covered in this course include client-state manipulation, cookie-based attacks, SQL injection, cross domain attacks (XSS / XSRF / XSSI), and HTTP header injection.
We use a running example of a web-based, person-to-person payment service to illustrate the attacks discussed in this course, and we demonstrate how to fix the vulnerabilities upon which the attacks are based.
Hands-on, 1-day lab:
Steal a user’s cookies by mounting a cross-site scripting (XSS) attack.
Transfer money from a victim to an attacker's account using a cross-site request forgery (XSRF) attack.
Write code to prevent XSS and XSRF attacks.
View sensitive user data using a SQL injection attack.
Steal and counterfeit money using a SQL injection attack.
Write code to prevent SQL injection attacks.
Overview of Web Technologies
Browser Security Model
Secure Web Site Design – Dan Boneh (25 sec)