In addition to reviewing traditional web application security threats (such as XSS, XSRF, and SQL injection), this course provides depth in security issues that arise specifically in Web 2.0 applications that take advantage of AJAX, XmlHttpRequest, mash-ups and frameworks that help automate the development of Web 2.0 applications such as GWT and Dojo. The course also builds on knowledge of traditional cross-domain threats and covers same-origin-policy (SOP) violations that can occur due to DNS rebinding, timing, and user tracking attacks. A hands-on, 1 day lab in which students conduct advanced SQL injection attacks against a Facebook application, and then use a web application firewall (WAF) is included with the course.
XHR and Web frameworks (GWT, Dojo, etc)
Security threats: CSS, XSRF, frames, SQL injection
SOP violations: user tracking, timing, DNS rebinding
Hands-on, 1 day lab:
Lab #1: SQL Injection against a Facebook application
Lab #2: Using a web application firewall