Syllabus
Course Info
Course Number: CSE 591 (27169)
Instructor: Prof. Adam Doupé
Email: [email protected]
Office: BYENG 472
Office Hours: Thursday, 3pm–4pm and by appointment
Meeting Times: Tuesday and Thursday, 1:30pm–2:45pm (BYAC 150)
Course Mailing List: [email protected]
Course TA: Raymond Tu
TA Email: [email protected]
TA Office: BYENG 469CC
TA Office Hours: Friday, 9:15am–10:15am and by appointment
Course Description
This course is about hacking web applications manually and automatically. Students will study web applications and how they operate; learn, study, and exploit the latest in web application vulnerabilities; understand automated vulnerability analysis tools; learn the state-of-the-art in web application automated vulnerability analysis tools; and develop a novel automated vulnerability analysis tool. We will also cover how to use these techniques legally and ethically.
The first half of the course will focus on understanding web applications and how to exploit web applications, and these topics will be reinforced with practical, hands-on homework assignments. The second half of the course will focus on the state-of-the-art in automated vulnerability analysis of web applications via reading and presenting research papers.[1]
Prerequisites
This course will be challenging, and students are expected to learn the necessary technologies. Students are expected to already understand networking and the TCP/IP stack. Students with strong skills in at least one scripting language (Python, Ruby, PHP, etc.) and web development experience will be at an advantage.
Recommended Textbook
The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
Dafydd Stuttard & Marcus Pinto
ISBN: 1118026470 / 978-1118026472
Course Communication
All announcements and communications for the class will take place through the class mailing list. Students are required to subscribe to the class mailing list:
https://groups.google.com/d/forum/cse591-security-s15
Students may use the class mailing list to ask questions or request clarifications, and the TA, Instructor, or other students can answer. Note that sharing solutions or answers on the list is expressly prohibited.
Course Topics
Topics may include:
- The Web
- Web application construction
- Web application security
- Bypassing client-side protection
- Attacking web application authentication
- Attacking web application sessions
- Attacking web application access control
- Attacking the data store
- Attacking application logic flaws
- Advanced cross-site scripting vulnerabilities
- Automated vulnerability analysis tools
- Client-side web application security
- Mobile web application security
Technologies covered:
- HTTP
- HTML
- CSS
- JavaScript
- AJAX
- SQL
- Scripting languages
Assessment
Students will be evaluated on their performance on homework, exams, paper presentation, and final project.
Homework Assignments
There will be three or four homework assignments in the first half of the course, covering the material presented in the lectures, with the goal to have the students become familiar with web applications and web application exploitation.
Midterm Exam
There will be a midterm exam. The exam will cover the material discussed from the lectures and the assignments. No notes or outside material/devices will be allowed.
Paper Presentation
Students will be required to present a state-of-the-art research paper in vulnerability analysis to the class, and all students will be required to read all papers. Schedules and paper assignments will be decided at a later date. Paper presentation may be done in groups depending on the number of students in the class.
Final Project
There will be a final project for the second half of the course. Students will be required to propose a new/interesting project in the area of automated vulnerability analysis. Students are expected to present their project to the class. Final projects may be done in groups depending on the number of students in the class.
Final Exam
There will be a final exam that will cover all material presented throughout the course, with an emphasis on material from the second half of the class. No notes or outside material/devices will be allowed.
Discretionary
Discretionary points are given at the end of the course. These depend on a variety of things, including attendance, class participation, effort, etc.
Grading Options
Students will have the option of choosing Grading Option A or B. Students will select their grading option when submitting the first homework assignment, and it cannot be changed after that point.
Note that only students in Grading Option B are eligible to include this class as an MSC Portfolio class.
Grading Option A
| Area | Weight % |
|---|---|
| Homework | 25 |
| Midterm Exam | 20 |
| Paper Presentation | 10 |
| Final Project | 20 |
| Final Exam | 20 |
| Discretionary | 5 |
Grading Option B
| Area | Weight % |
|---|---|
| Homework | 25 |
| Midterm Exam | 15 |
| Paper Presentation | 10 |
| Final Project | 30 |
| Final Exam | 15 |
| Discretionary | 5 |
Homework Due Dates and Exam Dates
Homework due dates and exam dates will be posted well in advance on the class website and announced in class.
Homework assignments must be submitted at the beginning of class on the date they are due. For each day an assignment is late, a 20% deduction will be assessed. Exams will be given in class and are closed book and closed note unless otherwise stated. Makeup exams are typically not given except under extenuating circumstances. Laptops, phones, and other smart devices are not allowed during exams, but approved devices such as calculators are acceptable.
Plagiarism and Cheating
Plagiarism or any form of cheating in assignments, projects, or exams is subject to serious academic penalty. To understand your responsibilities as a student read: ASU Student Code of Conduct and ASU Student Academic Integrity Policy
Syllabus Update
Information in the syllabus may be subject to change with reasonable advance notice.
[1] © Copyright 2014 Adam Doupé as to this syllabus, all lectures, and course-related written materials. During this course students are prohibited from making audio, video, digital, or other recordings during class, or selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the faculty member teaching this course.