In addition to reviewing traditional web application security threats (such as XSS, XSRF, and SQL injection), this course provides depth in security issues that arise specifically in Web 2.0 applications: those that take advantage of AJAX, XMLHttpRequest, mash-ups, and frameworks such as GWT and Dojo that help automate Web 2.0 development. The course also builds on knowledge of traditional cross-domain threats and covers same-origin policy (SOP) violations that can occur through DNS rebinding, timing, and user tracking attacks. The course includes a hands-on, one-day lab in which students conduct advanced SQL injection attacks against a Facebook application and then use a web application firewall (WAF).
Topics Include:
Web 1.0 Refresher / Overview of web technologies (cookies, JavaScript, caching, session management)
XHR (XMLHttpRequest) and web frameworks (GWT, Dojo, etc.)
Security threats: XSS (cross-site scripting), XSRF, frames, SQL injection
SOP violations: user tracking, timing, DNS rebinding
Hands-on, one-day lab:
Lab #1: SQL Injection against a Facebook application
Lab #2: Using a web application firewall