Web Attack and Defense Techniques (FJU-CSIE-Fall10)

Class Time: Fri 1:40-4:30pm Location: SF638
Instructor: Dr. Hsing Mei Office: SF625 (or Second Life Dr'M's Office )
Email: mei@csie.fju.edu.tw Phone: 29053704
Office hours (office and SL): Tue/Fri Noon-1:30p, Web 1:30-2:30, Thur 1:40-4:30p, or by appointment
Second Life:
(1) Join WECO Group,
(2) Profile/1st Life/Info: ie9x5xyy, Course Name, Blog URL
(3) Second Life SIG meeting: Thur 12:30-1:30p, SF651
TA: 蔡忠潔 <jeffean@weco.net>: Wed 15:30-17:30, 鄭筱頻 <azrael@weco.net>: Thu 15:30-17:30 (SF638)

※ Grading:
Class Participation: 5 SLS Posts 15% (5 x 3%) + Collaborated Note + Bonus
Quiz: 15% (3 x 5%)
Midterm Exam: 30%
Term Project (Survey/Implementation): 25%

※ Course rules: unless there is a force majeure reason, in this course
1. If you are late for or absent from the first class: students not yet registered should not add the course; registered students are advised to drop it.
2. There are no make-up quizzes or exams.
3. Giving up any item in the grading breakdown results in a failing grade for the semester.
4. If you are late for or absent from a roll call, you may make it up by watching the class recording and posting a reflection on Facebook and SLS. If attendance is below 1/2 of the roll calls, you are barred from the final exam and receive a failing grade for the semester.
5. If you feel sleepy in class, leave the classroom to wake up; anyone sleeping with their head down is counted as absent at roll call.
6. Any behaviour that disrupts class order (e.g. talking, playing games, ...) results in being sent out of the classroom for 5 minutes; anyone who does not return is counted as absent at roll call.

PS: Please observe intellectual property regulations when posting content online. For everything else concerning this course's use of the Social Learning Space (SLS), course activities (Google Calendar), slide downloads, class recordings (YouTube), 3D virtual world systems (including Second Life), social networking applications (including Facebook) and the course-related groups/channels/communities on those web applications, the grading of class participation (including Collaborated Notes), and general course and classroom rules, please read HW0: Notes on using the 宅學習 Social Learning Space (SLS) for FJU CSIE Weco Lab elective courses (Fall-10).

Laboratory Assignment :

Lab1 : Browser Extensions
Lab2 : System Tools / Proxy
Lab3 : WebGoat

Team Report (Team of 3 or 4)
(1) Survey and/or implement one of the Collaborated Note topics.
(2) Working on Collaborated Notes.
(3) Written project proposal due 9/29 on SLS course group.
(4) The Team Leader is responsible for ALL posts on SLS.
(5) ALL members must participate in the final demo and presentation.
(6) Cross Grading:
 Intra-team effort: 70% Team grade, 30% Individual grade
 Inter-team grade: Due after each demo/oral presentation class
Collaborated Note 2.0 "Web Attack and Defense Techniques" Topics:
(After the first class, bidding for Topic Coordinator (版主) opens on the 宅學習 WebHack course board)
http://sls.weco.net/ColleciveNote20/Security

1. Google Hacking
2. Network Security
3. Web 2.0 Security Impact and Assessment
4. Footprinting, Discovery, Profiling, and Crawling
5. XSS and CSRF
6. RSS, Mashup, Widget Security, and Scanning Methods
7. SOA Security and Attack Vectors
8. Defense Methods
9. PHP Attack and Defense
10. Botnet
11. Web 2.0 Security Tools and References

E: Shreeraj Shah, Charles River Media, Dec 2007:
"Web 2.0 Security - Defending AJAX, RIA, AND SOA"

http://my.safaribooksonline.com/9781584505501

Jeff Heaton, Heaton Research, Inc., July 2007:
"Scripting Recipes for Second Life"

C: 柯志傑 (translator), 旗標出版社 (Flag Publishing), 2007:
"網頁程式駭客攻防實戰 -- 以 PHP 為例" (Web Application Hacking: Attack and Defense in Practice, with PHP Examples)
Translated from: Cyber Joe, PHP CyberTero no Giho - Kogeki to Bogyo no Jissai, Socym (Japan), 2005

A. Belapurkar et al., Distributed Systems Security: Issues, Processes, and Solutions, Wiley, 2009

W. Stallings, Cryptography and Network Security: Principles and Practice, 3rd edition, Prentice Hall, 2002

施威銘研究室, Latest PHP + MySQL + Ajax Web Programming (最新 PHP + MySQL + Ajax 網頁程式設計), 旗標出版社 (Flag Publishing), 2009

D. Stuttard and M. Pinto, The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, Wiley, 2007

John Erickson, Hacking: The Art of Exploitation, 2nd Edition, No Starch Press, 2008

Page: http://sls.weco.net/f10-webhack
Group: http://sls.weco.net/course/webhack
Bookmarking: http://del.icio.us/FJU_Security
Calendar: Online Game and Animation Technologies (FJU-CSIE)
Grade Enquiries: http://www.elearn.fju.edu.tw/icanxp/
Date  | Content                                                                                   | Video
9/17  | Syllabus, SLS                                                                             | Link
9/24  | Network Security Fundamentals (PKI)                                                       | Link
10/1  | Software Security Overview                                                                | Link
10/8  | Web2.0 and Web2.0 Security Fundamentals (E: Chap 1, 2), SLS Post #1 Due                   | Link
10/15 | (10a-1p) Security Impact and Assessment Methodologies (E: Chap 3, 4), Quiz 1              | Link
10/22 | Footprinting, Discovery, Profiling, and Crawling (E: Chap 5, 6), Lab1 Due                 | Link
10/29 | XSS and CSRF (E: Chap 7, 8)                                                               |
11/5  | PHP Review, SLS Post #2 Due, Quiz 2                                                       |
11/12 | Midterm Exam                                                                              |
11/19 | PHP Attack and Defense (C: Chap 1, 2, 3, 5), Lab2 Due                                     |
11/26 | RSS, Mashup, Widget Security, and Scanning Methods (E: Chap 9, 10), SLS Post #3 Due       |
12/10 | Defense Methods and Approaches (E: Chap 13, 14), Lab3 Due                                 |
12/17 | Project Presentation, SLS Post #4 (on Collaborated Note) Due, Quiz 3                      |
12/24 | Project Presentation                                                                      |
12/31 | Project Presentation                                                                      |
1/7   | Project Presentation, SLS Post #5 Due                                                     |
1/14  | Written Project Report Due                                                                |