T. Andrew Yang

Email: yang@uhcl.edu

Web page: http://sce.uhcl.edu/yang/

Tel.: (281) 283-3835

Last updated:

2/27/2013： schedule revised (midterm, etc.)

2/19/2013： schedule corrections

2/14/2013: lecture notes updated

1/17/2013: first published

CSCI 5234-01 Web Security

Spring 2013 (1/14 – 4/29 + final week)

Lecture Notes & Schedule
- Print and bring the lecture notes to the class.

Assignments / Projects

Office Hours

Join the discussing group for announcements and discussions: http://groups.google.com/group/csci5234spring2013.

Note: Everyone should be able to click the link above and request to join the group. If you’ve got problems sending the request or joining the group, contact the instructor right away (by, for example, sending an email request with your full name and id).

Installation of JCE security provider for unlimited strength security
Java source programs from the Professional Java Security book

Time (Classroom):

Thursday, 4-6:50pm (Delta 202)

Prerequisite: Web Applications Development (csci/cinf4230) and Computer Security (csci/cinf4233 or csci5233), or instructor's approval.

Note: If you do not have either of the prerequisites, you MUST talk to the instructor. It is assumed that students enrolled in this class are familiar with fundamental topics such as cryptography (symmetric vs asymmetric encryptions/decryptions), security protocols (RSA, DES, Triple-DES, digital signatures, digital certificates, etc.), and n-tier web applications development.

Course Description: Fundamental coverage of issues and techniques in developing secure web-based applications; related topics such as network security, web server security, application-level security and web database security, etc.

Course Objectives: The primary objective of this course is to study and practice fundamental techniques in developing secure web based applications, including vulnerability of web based applications and how to protect those applications from attacks. In addition, advanced topics related to Web, such as E-commerce security, Web 2.0, collaborative Web-based applications, etc., will also be studied. Students are encouraged to complete a publishable research paper on one of the related topics.

Learning Outcome:

1. Understand security-related issues in Web-based systems and applications.

2. Understand the fundamental security components of a computer system.

3. Be able to evaluate a Web-based system with respect to its security requirements.

4. Understand the process of developing secure networked systems.

5. Understand the fundamental mechanisms of securing a Web-based system.

6. Be able to implement security mechanisms to secure a Web-based application.

7. Understand security issues and common controls in electronic commerce systems.

Class Format: Lectures are combined with discussions and, if applicable, student presentations of advanced topics. Students are expected to be active participants in this class, by studying the relevant chapters and/or research papers, and actively participating at in-class and online discussions.

Programming projects employing the various security techniques and n-tier web based architecture are part of the course. Students are expected to engage in a research project of topics related to Internet security, and make both written and oral presentations of the project.

A few words about notes-taking: It is critical that a student takes proper notes while listening to the lecture. Pay attention to the line of reasoning presented by the instructor. Try to form a conceptual map out of the concepts discussed in class. After a class, review the notes to facilitate effective learning.

An active learner is more than just a passive listener; he or she always examines what is taught and tries to find any inconsistency in the conceptual map that is being formed out of the learning process.

Quality statement: It is expected that each student gives its best effort to aim for high quality of his/her work.

"The quality of a person's life is in direct proportion to their commitment to excellence, regardless of their chosen field of endeavor." -- Vince Lombardi

"It is easier to do a job right than to explain why you didn't." -- Martin Van Buren

"Be a yardstick of quality. Some people aren't used to an environment where excellence is expected." -- Steve Jobs

"Learning is a type of problem solving."

"The ultimate goal of learning is to learn how to learn effectively."

Instructor: Dr. T. A. Yang

(office) Delta 106
Office hours (NOTE: If the suite office is locked, you may use the phone outside the office to call me, by entering the extension 3835).

You are highly encouraged to send your questions to me by e-mails or by posting the question at the discussion board. You, however, are responsible for describing the problem(s) you have encountered, the solution(s) you have tried, and the outcome you have got from these solution(s).

(phone#) (281) 283-3835 (Please leave a message if not available.)
(Email address) yang@uhcl.edu (Note: Emails without a proper subject line and your full name will be discarded. Here is a sample subject line: "CSCI 5234 project #1, question 1".
(web site) http://sce.uhcl.edu/yang/

Teaching assistant info and office hours:

TA – Kiran Chamarthi (Kiran.chamarthi99@gmail.com)

TA Office Hours –

Tues 9:00AM to 1:00PM

Wedn 9:00AM to 1:00PM

Thur 10:00AM to 4:00PM

Note: Contact the instructor immediately if you’ve got any problem with the TA or the office hours.

Textbooks:

Required

WEB APPLICATION HACKER'S HANDBOOK

Stuttard and Pinto. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, Second Edition. Wiley. 2011. (ISBN: 9781118026472).

+ Instructor's handout in the class and/or on the Web

If you know your enemies and know yourself, you can win a hundred battles without a single loss.

If you only know yourself, but not your opponent, you may win or may lose.

If you know neither yourself nor your enemy, you will always endanger yourself.

— Sun Tzu (http://en.wikipedia.org/wiki/The_Art_of_War)

Supplemental Materials

JDBC Security:

o Oracle's secure JDBC

Oracle related links:

o Architecture of Oracle Net Services

o Listener Architecture

o Oracle's Listener Control Utility (lsnrctl)

o Transparent Network Substrate (TNS)

o Complimentary Oracle Database Security Resource Kit

Useful information about Java mail:

o To implement the JavaMail in program, you need to go to Sun's website to download the APIs: http://java.sun.com/products/javamail/

o Sample code fragment of using JavaMail: sendMail.java

Servlet Security & certificates:

o SSL Configuration HOW-TO, the Apache Tomcat 5.5 Servlet/JSP Container: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Glossaries, RFCs, Related Websites, etc.

Internet Glossaries

o RFC2828: Internet Security Glossary. R. Shirey. May 2000.

o http://www.rsa.com/glossary/: RSA’s Information Security Glossary

o http://www.netlingo.com: searchable online dictionary

o http://www.sharpened.net/glossary/index.php: Definitions of Computer and Internet Terms

HTTP & History of the WWW:

o [HTTP 1991] The Original HTTP as defined in 1991.

o [HTTP 1992] Basic HTTP as defined in 1992.

o [HTTP 1996] RFC1945 : Hypertext Transfer Protocol -- HTTP/1.0. T. Berners-Lee, R. Fielding, H. Frystyk. May 1996. Informational. (Note: This document also defines HTTP/0.9.) local copy

o [HTTP 1999] RFC2616 : Hypertext Transfer Protocol -- HTTP/1.1. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee. June 1999. DRAFT STANDARD. local copy

o [irt.org 1998] WWW – How It All Began.

o [isoc.org 2000] The Internet Society. A Brief History of the Internet. August 4, 2000.

RFCs related to HTTP:

o   Searching the RFC database: http://www.rfc-editor.org/cgi-bin/rfcsearch.pl

o   The Internet Engineering Task Force (IETF): http://www.ietf.org/

o   RFC2616: Hypertext Transfer Protocol -- HTTP/1.1. R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee June. June 1999. DRAFT STANDARD. local copy of rfc2616

o   RFC2617: HTTP Authentication: Basic and Digest Access Authentication. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart. June 1999. DRAFT STANDARD. local copy of rfc2617

o   RFC2965: HTTP State Management Mechanism. D. Kristol, L. Montulli. October 2000. PROPOSED STANDARD. local copy of rfc2965

o   RFC2585: Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP. R. Housley, P. Hoffman. May 1999. PROPOSED STANDARD. local copy of rfc2585 “This document specifies the conventions for using the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP) to obtain certificates and CRLs from PKI repositories. Additional mechanisms addressing PKI repository access are specified in separate documents.”

RFCs related to TLS:

o   RFC2246: The TLS Protocol Version 1.0. T. Dierks, C. Allen. January 1999. PROPOSED STANDARD. local copy of rfc2246

o   RFC2712: Addition of Kerberos Cipher Suites to Transport Layer Security (TLS). A. Medvinsky, M. Hur. October 1999. PROPOSED STANDARD. local copy of rfc2712

o   RFC2817: Upgrading to TLS within HTTP/1.1. R. Khare, S. Lawrence. May 2000. PROPOSED STANDARD (Updates RFC2616). local copy of rfc2817

o   RFC2818: HTTP over TLS. E. Rescorla. May 2000. INFORMATIONAL. local copy of rfc2818

o   RFC2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security. J. Hodges, R. Morgan, M. Wahl. May 2000. PROPOSED STANDARD (Updated by RFC3377). local copy of rfc2830

o   RFC3268: Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS). P. Chown. June 2002. PROPOSED STANDARD. local copy

Other Related RFCs:

o RFC2827/BCP0038: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. P. Ferguson, D. Senie. May 2000. BEST CURRENT PRACTICE. local copy

o RFC3377: Lightweight Directory Access Protocol (v3): Technical Specification. J. Hodges, R. Morgan. September 2002. PROPOSED STANDARD. local copy of rfc3377

Related Web Sites & Documents:

o Man in the middle attack as explained on Wikipedia

o Bejtlick, Richard. "Implementing Network Security Monitoring with Open Source Tools": Interesting discussions of net monitoring issues, including open source tools such as tcpdump, argus, snort, trafd/trafshow, sguil, etc.

o VeriSign Technical Brief. "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services"

o www.cybercrime.gov: Computer Crime and Intellectual Property Section (CCIPS) of the Criminal Division of the US Dept. of Justice
** Computer crime

o Value of Authentication: Authentication is critical to online security - free Thawte guide (user registration required), local copy

o The archived World Wide Web Security FAQ: http://www.w3.org/Security/faq/

o Cryptography FAQ Index: http://www.faqs.org/faqs/cryptography-faq/

o Cryptography.org: http://www.cryptography.org/

o The Open SSL Project (SDKs for free download): http://www.openssl.org/

o Discussion about Windows Security: http://www.windowsitpro.com/categories/category/security

Answers to chapter-end questions

Topics, Notes & Schedule

The due dates are fixed and will not be extended, unless specifically announced. Start your work early!
The topics column is subject to change when the class moves on. Check with the instructor if you have doubt concerning the teaching schedule.

wk (dates)	Topics (Chapter)	Due Dates
1 (1/17)	- Syllabus, projects, presentations, etc. A. Overview and Security Mechanisms - Overview: security components and mechanisms - Discussion/selection of projects	Form your project team for the hacking projects.
2 (1/24)	- Why Web applications are insecure? (Ch. 1) - Core defense mechanisms (Ch. 2)
3 (1/31)	- HTTP (in)security (Ch. 3) - SSL + SSL and Man-in-the-Middle attack (local copy) + Man in the middle attack + Internet Explorer SSL Vulnerability (08/05/02)
4 (2/7)	- IP security	Team project title and team membership due - Publish them in the discussion group.
5 (2/14)	B. Hacker's Techniques - Mapping the application (Ch. 4) - Reconnaissance attacks
6 (2/21)	- SSL Intercept whitepaper - Hacker's Toolkit (Ch. 20)	Abstract and literature survey of the research project - Publish it the topic in the class discussion board ~~and give a 5-minute presentation in class~~.
7 (2/28)	~~Midterm Exam~~ <no class meeting> Extra-credit exercise (see the discussion board)	~~Midterm exam~~
8 (3/7)	Midterm Exam	Midterm exam
~~9 (3/14)~~	~~Spring break. No class meetings.~~
10 (3/21)	Presentation and/or Prototyping (5~10 minutes per team) - Bypassing client-side controls (Ch. 5) - Attacking authentication (Ch. 6)	Hacking project design (system setup, testing method, etc.) - Publish it in the class discussion board before the class.
11 (3/28)	Research project presentation - Attacking session management (Ch. 7) - Attacking access controls (Ch. 8)	Abstract and literature survey of the research project - Publish the abstract in the class discussion board, and give a 5-minute presentation in class.
12 (4/4)	Project demonstration (20~30 minutes per team) NOTE: Each team's Power Point slides must be published 24 hours before the presentation.	Hacking project demonstration and final report - Publish it in the discussion board.
13 (4/11)	- Attacking data stores (Ch. 9)
14 (4/18)	- Attacking back-end components (Ch. 10)	Research Project DRAFT report - Publish it in the class discussion board to collect comments.
15 (4/25)	- Attacking application logic (Ch. 11)	Research Project final report - Send it to yang@uhcl.edu.
16 (5/2)	Final exam (open-book, comprehensive)	Final exam

Computer Labs & Hours

The Windows Lab (Delta 119) is equipped with computers that have been properly configured to run Java applications requiring JCE and JDK. Check http://sce.uhcl.edu/computing.asp for lab information, open hours, FAQs, etc.

- Windows Lab account information at: http://sce.uhcl.edu/accountSearch.html

UNIX Lab (Delta 158B) information: http://sce.uhcl.edu/UnixLabFAQ/
Computer & Network Security Lab (Delta 158A)

Evaluation:

category	percentage
In-class exercises	10%
Team projects	20%

research paper

20%

Midterm exam	20%
Final exam	20%

participation (in class and in the discussion board)

10%

NOTE: The accumulated points from all the categories determine a person's final grade. There will be no extra-credit projects.

Grading Scale:

Percentile	Grade
93% or above	A
90% - 92%	A-
87% - 89%	B+
84% - 86%	B
80% - 83%	B-
77% - 79%	C+
74% - 76%	C
70% - 73%	C-
60%-69%	D
59% or below	F

Tests:

Both analytic and synthetic abilities are emphasized. Being able to apply the learned knowledge toward problem solving is also highly emphasized in the tests.

Assignments/Projects and Late Penalty:

Assignments and projects will be posted at the class web site. Assignments & projects are due before the beginning of the class on the due day. See Topics and Notes for the due dates.

Points will be deducted from late assignments: 20% for the first 24 hours after the due time, 40% for the next 24 hours, 70% for the third 24 hours, and 100% after that. No extension will be granted except for documented emergency. Starting to work on the assignments as early as possible is always the best strategy.

NOTE: Unless otherwise specified, all assignments and projects are individual work. Students should take caution not to violate the academic honesty policies. See http://b3308-adm.uhcl.edu/PolicyProcedures/Policy.html for details of the University policies.

"The supreme quality for leadership is unquestionably integrity. Without it, no real success is possible, no matter whether it is on a section gang, a football field, in an army, or in an office." -- Dwight D. Eisenhower

Assignments/Projects Guidelines:

·       Identification page: All assignments must have your name, and course name/number/section number (e.g., CSCI234-01 or CSCI5333-03) at the top of the first page.

·       Proper stapling: Staple all the pages together at the top-left corner. NOTE: Do not use paper clips.

·       Order! Order! Arrange the solutions following the sequence of the questions. Write the question number at the top-right corner of each page.

·       Word processing: It is required that you type your reports (e.g., print them using a printer). Use a word processor and appropriate typesetting and drawing tools to do the assignments.

·       Check the spelling and the grammar for the whole document before handing it in. You may lose points due to spelling or grammatical errors.

·       Use proper commenting and structure in your programs.

Projects:

The projects will involve the design and implementation of a secure N-tier web based application demonstrating the development of a secure Java online application using various technology. Students are expected to employ the theories and techniques learned in the class to design and implement the system.

Attendance Policy:

You are expected to attend all classes. If you ever miss a class, it is your responsibility to get hold of whatever may have been discussed in that class.

Instructor's Notes:

Unless due to unexpected, documented emergency, no make-up exams will be given. No make-up exams will be granted once the exams have been corrected and returned to the class.

Important: If you think you have lost some points due to grading errors, make sure you approach the instructor within a week after the assignment, project, or test is returned to you.

To get the most out of this class, you need to read the textbooks and spend time using computers regularly. Be prepared for a class by preview the material to be covered in that class and participate in discussions and problem-solving exercises, if applicable, in the class.

Due to the intensive nature of graduate classes, 15-20 hours per week are expected of students in studying the textbook/notes and working on the assignments, in addition to class attendance. Expect to spend more hours during summer sessions.

Related Links:

· UHCL General Program Requirements: http://www.uhcl.edu/XDR/Render/catalog/archives/125/06/

· Withdrawals, Appeals, GPA, Repeated Courses, and the 6 Drop Rule: http://www.uhcl.edu/XDR/Render/catalog/archives/125/06/%23A0110#A0110

· ASSESSMENT FOR ACCREDITATION: The School of Science and Computer Engineering may use assessment tools in this course and other courses for curriculum evaluation. Educational assessment is defined as the systematic collection, interpretation, and use of information about student characteristics, educational environments, learning outcomes, and client satisfaction to improve program effectiveness, student performance, and professional success. This assessment will be related to the learning objectives for each course and individual student performance will be disaggregated relative to these objectives. This disaggregated analysis will not impact student grades, but will provide faculty with detailed information that will be used to improve courses, curriculum, and student performance.

Go to the Index