CS142 Web Programming and Security

Course Syllabus

Winter 2009

 
Lecture 1:
1/ 7/09
(JO)
HTML   [ppt]
Reading:
None
 
Lecture 2:
1/ 9/09
(JO)
Reading:
See lecture notes
 
Week # 2
 
Lecture 3:
1/12/09
(JO)
Finish CSS; URLs and links   [ppt]
Reading:
None
 
Lecture 4:
1/14/09
(JO)
Reading:
JavaScript: The Definitive Guide, pages 1-146
 
Lecture 5:
1/16/09
(JCM)
Malicious Javascript; Phishing attacks   [ppt]
Reading:
See slides for required pages of each of the following readings.
 
Week # 3
 
Holiday:   
1/19/09
MLK: no classes
 
Lecture 6:
1/21/09
(JO)
Reading:
None
 
Lecture 7:
1/23/09
(CJ)
Frame isolation and basic same origin principle   [ppt]
Reading:
Securing Browser Frame Communication. Adam Barth, Collin Jackson, and John C. Mitchell
 
Week # 4
 
Lecture 8:
1/26/09
(JO)
Reading:
None
 
Lecture 9:
1/28/09
(JO)
Reading:
None
 
Lecture 10:
1/30/09
(DB)
Cookie same origin policy; Basic cross site scripting attacks (XSS)   [pdf] [ppt]
Reading:
Same origin policy for cookies
Beware of Finer-Grained Origins. Collin Jackson and Adam Barth
 
Week # 5
 
Lecture 11:
2/ 2/09
(DB)
Secure session management   [pdf] [ppt]
Reading:
Secure Session Management With Cookies for Web Applications. Chris Palmer
 
Lecture 12:
2/ 4/09
(CJ)
Cross site request forgery   [pdf] [ppt]
Reading:
Robust Defenses for Cross-Site Request Forgery. Adam Barth, Collin Jackson, and John C. Mitchell
 
Lecture 13:
2/ 6/09
(JCM)
More on cross site scripting defenses   [ppt]
Reading:
  • OWASP Cross-site Scripting (XSS) page.
  • Microsoft Anti-Cross Site Scripting Library. Kevin Lam
  • The Web Application Hacker's Handbook, pages 375-390 on basic XSS attacks and pages 423-428 on preventing XSS attacks.
Week # 6

Lecture 14:
2/ 9/09
(JO)
Reading:
Read Chapter 1, skim Chapters 2-7 in "The Ruby Programming Language"

Lecture 15:
2/11/09
(JO)
Reading:
Rails book Chapters 1-8, Chapters 20-22

Lecture 16:
2/13/09
(DB)
SQL injection attacks   [pdf] [ppt]
Reading:
SQL Injection Attacks. Chris Anley

Week # 7

Holiday:
2/16/09
Presidents' Day: no classes

Lecture 17:
2/18/09
(JO)
Reading:
"Agile Web Development with Rails", Chapters 17, 18

Lecture 18:
2/20/09
(JCM)
Language based isolation: ADsafe, FBJS   [ppt]
Reading:
Sections 1-3 of Language-based Isolation of Malicious JavaScript by S. Maffeis, J. Mitchell, and A. Taly.

Week # 8

Lecture 19:
2/23/09
(JO)
Finish ActiveRecord, start Forms   [ppt]
Reading:
"Agile Web Development with Rails", Chapter 16

Lecture 20:
2/25/09
(JO)
Reading:
"Agile Web Development with Rails", Sections 22.4-22.8, Section 19.1

Lecture 21:
2/27/09
(JCM)
User authentication and password management   [ppt]
Reading:
  • Sections 1-4 and 8 of Stronger Password Authentication Using Browser Extensions, Blake Ross, Collin Jackson, Nicholas Miyake, Dan Boneh and John C. Mitchell.
  • Sections 1, 2 and 4 of An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks, Collin Jackson, Dan Simon, Desney Tan, and Adam Barth.
Week # 9

Lecture 22:
3/ 2/09
(JO)
Events   [ppt]
Reading:
None

Lecture 23:
3/ 4/09
(JO)
Finish events; AJAX   [ppt]
Reading:
"Agile Web Development with Rails", pp. 521-538

Lecture 24:
3/ 6/09
(DB)
HTTPS: certificates, the lock icon, mixed content   [pdf] [ppt]
Reading:
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks. Collin Jackson and Adam Barth

Week # 10

Lecture 25:
3/ 9/09
(CJ)
Mitigating malware   [pdf] [ppt]
Reading:
The Security Architecture of the Chromium Browser. Adam Barth, Collin Jackson, Charles Reis, and the Google Chrome Team

Lecture 26:
3/11/09
(PK)
Guest Lecture: Pedram Keyani from Facebook
Reading:
See www.facebook.com

Lecture 27:
3/13/09
(DB)
Browser plugins and the Flash player security model
Reading:
TBA