Web Attack and Defense Techniques (FJU-CSIE-Fall09)

Web Hacking and Defending
Web Attack and Defense Techniques

Class Time: Wed 9:10-Noon Location: SF648
Instructor: Dr. Hsing Mei Office: SF625 (or Second Life / Lively Dr'M's Office )
Email: mei@csie.fju.edu.tw Phone: 29053704
Office Hours (Office and SL): Tue 9a-Noon, Wed, Fri 1:40-4:30p, or by appointment
Second Life:
(1) Join WECO Group,
(2) Profile/1st Life/Info: ie9x5xyy, Course Name, Blog URL
(3) Second Life SIG meeting: Fri 12:30-1:30p, SF651
TA: 岑志豪 anfa@weco.net, 蔡忠潔 jeffean@weco.net (SF638)
Objective:
The objective of this course is to introduce the security issues associated with Web 2.0, including hacking and defending methodologies. Students are expected to apply coding techniques to protect web applications.

Prerequisites:
Web Fundamentals.

Post-studies:
Distributed Systems, Web Computing.

Grading:
Class Participation (4 SLS Posts x 3%): 12% + Bonus
Quiz: 15% (3 x 5%)
Midterm Exam: 23%
Team Collaborated Notes Report: 20%
Term Project (Survey/Implementation): 30%

(1) Survey and/or implement one of the Collaborated Note topics.
(2) Work on the Collaborated Notes.
(3) Written project proposal due 9/29 on the SLS course group.
(4) The Team Leader is responsible for ALL posts on SLS.
(5) ALL members should participate in the final demo and presentation.
(6) Cross Grading:
    Intra-team effort: 70% Team grade, 30% Individual grade
    Inter-team grade: Due after each demo/oral presentation class
Collaborative Notes 2.0 "Web Attack and Defense Techniques" Topics (11 Topics):
http://sls.weco.net/CollectiveNote20/Security
0. Google Hacking
1. Network Security
2. Web 2.0 Security Impact and Assessment
3. Footprinting, Discovery, Profiling, and Crawling
4. XSS and CSRF
5. RSS, Mashup, Widget Security, and Scanning Methods
6. SOA Security and Attack Vectors
7. Defense Methods
8. PHP Hacking Attack and Defense
9. Botnet
A. Web 2.0 Security Tools and References
PS: When publishing content online, students must observe the relevant intellectual property regulations. For everything else concerning this course's use of the Social Learning Space (SLS), course activities (Google Calendar), slide downloads, lecture recordings (YouTube), 3D virtual world systems (including Second Life), social networking applications (including Facebook) and the course-related groups/channels/communities on those services, the grading of course participation (including the collaborative notes), and general course and classroom guidelines, please read HW0 carefully.
Textbooks:
E: Shreeraj Shah, Web 2.0 Security - Defending Ajax, RIA, and SOA, Charles River Media, Dec 2007.
http://my.safaribooksonline.com/9781584505501
http://shreeraj.blogspot.com
C: Web Application Hacking Attack and Defense in Practice: PHP Examples, by GIJOE, translated by 柯志傑, Flag Publishing (旗標).
http://www.flag.com.tw/book/5105.asp?bokno=FS274
Schedule:
Date | Course Content | Video
9/16 | Syllabus, SLS, Intellectual Property slides | Link
9/23 | Network Security Fundamentals (PKI) | Link
9/30 | Web 2.0 and Web 2.0 Security Fundamentals (E: Chap 1, 2); SLS Post #1 Due | Link
10/7 (10a-1p) | Security Impact and Assessment Methodologies (E: Chap 3, 4); Quiz 1 | Link
10/14 | Footprinting, Discovery, Profiling, and Crawling (E: Chap 5, 6) | Link
10/21 | XSS and CSRF (E: Chap 7, 8) | Link
10/28 | PHP Review; Quiz 2 | Link
11/4 | PHP Attack and Defense (C: Chap 1, 2, 3, 5); SLS Post #2 Due | Link
11/11 | Midterm |
11/18 | RSS, Mashup, Widget Security, and Scanning Methods (E: Chap 9, 10) | Link
11/25 | SOA Security and Attack Vectors (E: Chap 11, 12) | Link
12/2 | Defense Methods and Approaches (E: Chap 13, 14) | Link
12/9 | Team Collaborated Note Report (Oral); Quiz 3 |
12/16 | Project Presentation | Link
12/23 | Project Presentation; SLS Post #3 Due | Link
12/30 | Project Presentation | Link
1/6 | Project Presentation; SLS Post #4 Due | Link
1/13 | Written Project Report Due |