Programme: M. Tech; Semester: Second; Course: ELECTIVE-III WEB APPLICATION SECURITY

Instruction: 3 Periods/week; Time: 3 Hours; Credits: 3; Internal: 30 Marks; External: 70 Marks; Total: 100 Marks


Unit 1: Web Application Security and Core Defense Mechanisms. Evolution of Web Applications, Web Application Security, Core Defense Mechanisms: Handling User Access, Handling User Input, Handling Attackers


Unit 2: Web Application Technologies and Mapping Applications. HTTP Protocol, Web Functionality, Encoding Schemes, Mapping the Application: Enumerating Content and Functionality, Analyzing the Application


Unit 3: Client-side and Authentication Attacks. Bypassing Client-side Controls: Transmitting Data via the Client, Capturing User Data (HTML Forms and Browser Extensions), Handling Client-side Data Securely. Attacking Authentication: Authentication Technologies, Design Flaws in Authentication, Implementation Flaws in Authentication, Securing Authentication.


Unit 4: Session Management Attacks and Access Controls. Session States, Weaknesses in Token Generation and Session Token Handling, Securing Session Management. Common Vulnerabilities and Attacking Access Controls, Securing Access Controls.


Unit 5: Attacking Data Stores and Back-end Components. Bypassing Logging, Injecting into SQL: Exploiting a Basic Vulnerability, Injecting into Different Statement Types, Finding SQL Injection Bugs, Fingerprinting the Database, The UNION Operator, Extracting Data, Bypassing Filters, Second-order SQL Injection, Attack Escalation, SQL Exploitation Tools, Preventing SQL Injection. Injecting OS Commands, Manipulating File Paths, Injecting into Back-end HTTP Requests


Unit 6: Attacking Users. XSS (Reflected, Stored and DOM), XSS Attack Payloads and Delivery Mechanisms, Finding, Exploiting and Preventing XSS Vulnerabilities. CSRF Basic Examples. Client-side Injection Attacks such as HTTP Header Injection and Cookie Injection Attacks. Attacking Browsers: Logging Keystrokes, Stealing Browser History and Search Queries, Enumerating Currently Used Applications, Port Scanning, Exploiting Browser Bugs, DNS Rebinding, Browser Exploitation and Man-in-the-Middle Attacks.


Unit 7: Attacking the Application Server and Architecture. Attacking Application Architecture, Attacking the Application Server, Approaches to Code Review, Signatures of Common Vulnerabilities


Text Book: Dafydd Stuttard and Marcus Pinto, "The Web Application Hacker's Handbook", 2nd Edition


Reference:

1. Bryan and Vincent, "Web Application Security, A Beginner's Guide", McGraw-Hill, 2011

2. Shweta Bhasin, "Web Security Basics", Prima Tech