Web Security

Elie Bursztein

USA 2011 Weekday Training Session //Aug 1 - 2


The Web Security course gives a 360-degree overview of web application security, with in-depth treatment of several significant topics such as user authentication, browser security, business logic, data handling, and distributed threats. For every area presented we cover motivating attacks, defense mechanisms, and security tools and techniques. Throughout the course, we balance cutting-edge research results with practical skill development.

The goal of the course is to teach modern web application security to IT professionals who have some prior understanding of web technologies (e.g. HTML, CSS, JavaScript), and to give IT decision-makers the tools necessary to evaluate and navigate this complex landscape.

Key Learning Objectives:

Introduction (Day 1, 1.5 hrs)

  • Web stack (Application, HTTP, SSL, TCP/IP, DNS)
  • Browser architecture (rendering, storage, browser comparison)
  • Threat models, types of attacks/attackers

Browser security (Day 1, 2 hrs)

  • Same origin policy
  • Cookies security
  • Secure content policy
  • Extension security
  • Client side abuse

HTTP and network security (Day 1, 1.5 hrs)

  • SSL and mixed content
  • Session hijacking and sidejacking
  • HTTP splitting

Web Application security

Authentication (Day 1, 2 hrs)

  • Passwords & phishing, APIs (OpenID, fbConnect), PKI & SSL
  • Multi-factor authentication
  • Humans vs. bots (Captchas, geolocation)

Business logic and data handling (Day 2, 1.5 hrs)

  • CSRF and mixed content
  • XSS
  • SQL injection

Motivation for abuse; detection and prevention (Day 2, 1.5 hrs)

  • Redirection
  • Content analysis
  • Types of malware

Class project (Day 2, 3.5 hrs)

  • Manually identify vulnerabilities in a small website
  • Create and demonstrate exploits for the website
  • Use tools to scan a website for vulnerabilities
  • Evaluate and augment password security policy for an intranet web application (both client and server-side components)

Wrap-up (Day 2, 0.5 hrs)

  • Course overview
  • Techniques and tools
  • Big picture on web security

Course Timeline:

Please look at the syllabus for the duration of each component. Roughly, the first day covers the introductory material, network security and browser security; the second day focuses on web application security and the class project. As a result, the emphasis is on security higher up in the stack, and the teaching is split logically around the breaks. Lecture time includes demonstrations and small exercises at the end that flow into the subsequent break.

Teaching Methods:

The course is a mixture of lecture+demonstration time, and hands-on lab exercises. Students use their own laptops (running a VM supplied by us), and connect to our web server to experiment with attack and defense techniques.

Prerequisites:

Basic understanding of web technologies such as HTML, CSS and JavaScript. Basic understanding of networking, such as client-server interactions and DNS. An understanding of cryptography is not necessary. Basic programming skills are required.

What to bring:

Students must bring a laptop with VMware Player installed. The laptop should be powerful enough to run a basic VM with a web browser running inside. The laptop will also need to have WiFi and wired LAN capabilities.

What you get:

  • Course notes for use in class and future reference
  • VM image for lab exercises in class


Elie Bursztein is a post-doctoral researcher at the Stanford Computer Security Lab. He holds a PhD in computer science and an Engineering degree in computer systems, networks and security. His research focuses on network security, web security, and offensive technologies. He is currently working on using machine learning techniques to break and build better CAPTCHAs, and on reverse-engineering Windows APIs to build forensic tools. He has been teaching computer and network security since 2002, and started teaching web security at Stanford in 2009.