Dan Boneh, Hristo Bojinov, Elie Bursztein & John Mitchell
|// july 24 - 27|
USA 2010 Weekday Training Session //July 26-27
The Web Security course gives a 360-degree overview of web application security, with in-depth treatment of several significant topics such as user authentication, browser security, business logic, data handling, and distributed threats. For every area presented we cover motivating attacks, defense mechanisms, and security tools and techniques. Throughout the course, we balance cutting-edge research results with practical skill development.
Key Learning Objectives:
Introduction (Day 1, 1.5 hrs)
- Web stack (Application, HTTP, SSL, TCP/IP, DNS)
- Browser architecture (rendering, storage, browser comparison)
- Threat models, types of attacks/attackers
Browser security (Day 1, 2 hrs)
- Same origin policy
- Cookies security
- Secure content policy
- Extension security
- Client side abuse
HTTP and network security (Day 1, 1.5 hrs)
- SSL and mixed content
- Session Hijhacking and sidejacking
- HTTP splitting
Web Application security
- Authentication (Day 1, 2 hrs)
- Passwords & phishing, APIs (OpenID, fbConnect), PKI & SSL
- Multi-factor authentication
- Humans vs. bots (Captchas, geolocation)
- Business logic, and data handling (Day 2, 1.5 hrs)
- CSRF and mixed content
- SQL injection
- Motivation for abuse. Detection and prevention (Day 2, 1.5 hrs)
- Content analysis
- Types of malware
Class project (Day 2, 3.5 hrs)
- Manually identify vulnerabilities in a small website
- Create and demonstrate exploits for the website
- Use tools to scan a website for vulnerabilities
- Evaluate and augment password security policy for an intranet web application (both client and server-side components)
DAY TWO: Wrap-up (0.5 hrs)
- Course overview
- Techniques and tools
- Big picture on web security
Please look at the syllabus for durations of different components. Roughly, we will spend the first day on introduction material, network security and browser security. The second day focus on web application security and a class project. As a result we have greater emphasis on security higher up in the stack, and the teaching is split logically around the breaks. The lecture time includes demonstrations and small exercises at the end which flow into the subsequent break time.
The course is a mixture of lecture+demonstration time, and hands-on lab exercises. Students use their own laptops (running a VM supplied by us), and connect to our web server to experiment with attack and defense techniques.
What to bring:
Students must bring a laptop with VMware Player installed. The laptop should be powerful enough to run a basic VM with a web browser running inside. The laptop will also need to have WiFi and wired LAN capabilities.
What you get:
- Course notes for use in class and future reference
- VM image for lab exercises in class
Hristo Bojinov is a PhD candidate in Computer Science at Stanford University. His areas of research are web security and mobile security. He is currently working on extending the Android platform with security mechanisms such as ASLR. Prior to Stanford, Hristo spent several years designing and implementing storage security products in various engineering and management capacities at Decru, Inc. and Decru, A NetApp Company. Prior to that he developed Oracle's application server technology for mobile devices. Hristo holds a S.B. in Computer Science and Engineering from MIT.
Dan Boneh heads the applied crypto group at the Computer Science department at Stanford University. Dr. Boneh's research focuses on applications of cryptography to computer security. His work includes cryptosystems with novel properties, security for handheld devices, web security, digital copyright protection, and cryptanalysis. He is a recipient of the Packard Award, the Alfred P. Sloan Award, and the Terman Award.
Elie Bursztein is a post-doctoral researcher at the Stanford Computer Security Lab. He holds a PhD in computer science and an Engineering degree in computer systems, networks and security. His research focus is network security, web security, and offensive technologies. He is currently working on using machine learning techniques to break and build better CAPTCHA, and reversing Windows API to build forensic tools. He has been teaching computer and network security since 2002. He started teaching web security at Stanford in 2009.
John Mitchell is the Mary and Gordon Crary Family Professor in the Stanford Computer Science Department. His research in computer security focuses on web security, network security, privacy, and distributed authorization management. He has also worked on programming language analysis and design, formal methods, and applications of mathematical logic to computer science. Prof. Mitchell currently leads research projects funded by the US Air Force, the Office of Naval Research, private companies and foundations, and he is the Stanford Principal Investigator of the multidisciplinary TRUST NSF Science and Technology Center. He is a consultant and advisor to a number of companies and is the author of over 140 research articles and two books.