Course Level: Bachelor
Learning effort: min. of 150 hours of study (30 hrs. e-learning directed study, 15 hrs. collaborative online lab, 15 hrs. collaborative project, 60 hrs. preparation/follow up of labs/project, 30 hrs. follow up independent study and individual preparation for exam).
Credits: 6 ECTS
Teaching method: Blended Learning
The instructor answers students’ questions (Q&A), presents demos and moderates the presentation of case studies conducted by industry experts, moderates discussions using interactive systems e.g. webinar or video conference. These weekly supportive sessions are announced a priori to the participants.
Upon completing the course, the student is able to:
- Be aware of the most severe WEB application attacks occurring daily world-wide (OWASP TOP-10)
- Evaluate the impact of organizational risks associated with different WEB application threats
- Use the Penetration Testing Execution Standard as a guideline to create organized and well documented WEB application testing procedures
- Apply techniques and tools to test practical WEB application security level
- Repair practical WEB application security vulnerabilities revealed by penetration testing
- Apply in practice the principles recommended for designing, developing and implementing secure Web applications
Chapter 1: Introduction to WEB Application Security
- The role of web applications in modern society
- The new security threats introduced by web applications
Chapter 2: WEB Application Technologies and Frameworks
- Basics of the underlying technologies
- Diverse range of web applications
Chapter 3: WEB Application Defense Mechanisms
- Basic concepts of web application security
Chapter 4: Mapping the Application
- Reconnaissance activities of penetration testing process
- Information gathering
Chapter 5: By-passing Client Side Controls
- Commonly used techniques to limit functionality on the client side
- Bypass methods for Client Side Controls
Chapter 6: Attacking Authentication
- Introduction to authentication methods and functionalities
- Common authentication failures and exploits
Chapter 7: Attacking Session Management
- Introduction to session management
- Session management weaknesses
- Securing session management
Chapter 8: Attacking Access Controls
- Access control concept
- Common access control vulnerabilities
Chapter 9: Injecting code
- Code injection vulnerabilities and types of injections
- SQL-injection in detail
Chapter 10: Attacking Other Users
- Client side exploits
- The XSS and CSRF exploitation methods
Chapter 11: Other Exploitation Methods
- Commonly used exploitations
Chapter 12: Web Application Security Tools
- The function of automated penetration testing
- Automated testing tools
Chapter 13: Penetration Testing Standards
- Penetration testing standards overview
- Penetration testing legislation
- Lab performance = 30% of the final grade.
- Project performance = 20% of the final grade.
- Discussions performance = 10% of the final grade.
- Written presence exam (60 min.) = 40% of the final grade (conducted at the home university with the help of a trusted teacher)
The course focuses on threats to WEB applications and to the clients of WEB applications. The most important attack vectors, as described by the OWASP TOP-10, are considered. Attack vector combinations are considered and their combined impact on security is exposed. Special emphasis will be placed on practical security protection methods on multiple implementation platforms. Platform-specific weaknesses are exposed and tested. WEB application stress testing will be conducted using a set of penetration testing tools. This will be applied to reveal application vulnerabilities and security misconfigurations. The process of WEB application penetration testing will be based on relevant standards, e.g. the Penetration Testing Execution Standard.
Lab experiments using a virtual lab will be assigned to the students. The labs are correlated with the multimedia interactive reading materials of each unit and make use of students' creativity and analysis capabilities. This requires them to prove their understanding of the materials and reflects their personal view on the topics. The lab results will be evaluated by the instructor of the course.
Collaborative and cumulative project:
A project will be assigned to the students. The project will be carried out in a collaborative manner by international teams of 2-3 students. It will be presented in a form of a wiki, a presentation or a portfolio. The project will be cumulative, i.e. each project step is based on the framework provided by the prior steps. The i-project results will be evaluated by the instructor of the course.
Throughout the course, students will be involved in e-discussions related to the course content through means specific to e-learning, such as forums, wikis, e-portfolios, etc. As part of the virtual community, each student will give feedback to at least two colleagues in the forums.
- Dafydd Stuttard, Marcus Pinto, "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws", 2nd Edition. Indianapolis. John Wiley & Sons, Inc., 2011.
- Bryan Sullivan, Vincent Liu, "Web Application Security, A Beginner's Guide", 1st Edition, McGraw-Hill, 2012.
- The Penetration Testing Execution Standard: http://www.pentest-standard.org/index.php/Main_Page
- Open Web Application Security Project: https://www.owasp.org
- OWASP Top 10 Web Application Security Risks: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Kimmo Sauren
Professor, Department of Information Technology, Metropolia University of Applied Sciences, Helsinki, Finland
Research interests: Web Application security, Embedded systems.
"In IT we constantly have to learn new skills. Especially in the field of security it is essential to have detailed know-how in applied technologies. I find learning new ways of protecting systems challenging but extremely rewarding. And I like sports. During the summer you are likely to find me playing golf and during the winter on the shooting ranges. Welcome to our course!"