
Explain why cookies are needed in a stateless web, how session and tracking cookies work, how cookies are set and attached to requests, and mention CSRF risks.
Explore cross-site request forgery (CSRF), how browsers attach cookies to requests, and how session cookies enable hijacking. Examine an inside home scenario with private IP devices vulnerable to such attacks.
Explain CSRF attacks on GET requests using URL parameters and image tricks, contrast the GET and POST methods, and demonstrate defenses in a social network lab.
Examine how a self-propagating XSS worm spreads across social networks by copying its payload into profiles, propagating to others through the DOM and getElementById techniques.
Set up a MySQL database in a container, initialize it with a root password and seed data, and perform create, insert, and select queries with where conditions.
Demonstrate SQL injection against a login form's SELECT statement, showing how crafted input, comments, and logical operators can bypass passwords and access accounts.
Learn how prepared statements separate code and data to prevent injection attacks, and how parameter binding with placeholders improves security and performance.
Explore the clickjacking attack, how iframes work, and how the content security policy defends against it, in a hands-on lab setting up three web servers for experiments.
Learn how iframes embed pages from other sites using the source attribute, explore sizing, overlapping, borders, and transparency, and understand how the clickjacking attack influences their use.
Explore iframe security features that enforce the same-origin policy, control parent-child and sibling access, and leverage sandbox options to isolate content, block scripts, and manage top navigation.
As the web has become more and more ubiquitous, the number of attacks on web applications has increased substantially. In this course, we systematically study the security problems on the web, including the security mechanisms implemented on the browser and server sides. We study several well-known attacks against web applications, such as cross-site request forgery, cross-site scripting, SQL injection, and clickjacking attacks. We also study how we can defend against these attacks when developing web applications.
The attacks are covered in this course in great technical detail. The course won't just teach students the high-level concepts and theories. It dives into the low-level technical details and fundamentals, so students can fully understand how exactly things work and gain in-depth knowledge.
The course emphasizes hands-on learning. For each attack covered, students not only learn how the attack works in theory, they also learn how to actually conduct the attack, in a contained virtual machine and container environment. The hands-on exercises developed by the instructor are called SEED labs, and they are being used by over 1000 institutes worldwide. The course is based on the textbook written by the instructor. The book, titled "Computer & Internet Security: A Hands-on Approach, 2nd Edition", has been adopted by over 210 universities and colleges worldwide.