Web Hacking and Defending: Web Attack and Defense Techniques (FJU-CSIE-Fall 2015)

Class Time: Tue 9:10a - Noon Location: SF648
Instructor: Dr. Hsing Mei Office: SF625
Email: mei@csie.fju.edu.tw Phone: 29053704
Office Hour: Mon/Thur 1:30-4:30pm, or by appointment
TA: 陳皓瀚 kk12ll55@weco.net (SF638)
Office Hour of TA: Fri 9a-Noon

Course Objective:
The objective of this course is to introduce the security issues associated with Web 2.0, including both hacking and defending methodologies. Students are expected to apply coding and management techniques to protect web applications.

Prerequisites: Web Fundamentals.

Post-studies: Distributed System, Web Computing.

※ Grading:
Class Participation (2 SLS Post x 5%): 10% + Bonus
Labs: 45% + Bonus
Collaborated Note: 20%
Term Project (Survey/Implementation): 25%

※ Text Book:
http://sls.weco.net/CollectiveNote20/Security
W: H. Wu and L. Zhao, Web Security: A WhiteHat Perspective, Auerbach Publications, April 2015, ISBN-13: 978-1466592612
E: Shreeraj Shah, Web 2.0 Security: Defending AJAX, RIA, and SOA, Charles River Media, Dec 2007, ISBN-13: 978-1584505501
http://my.safaribooksonline.com/9781584505501
http://shreeraj.blogspot.com
Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition, Wiley, September 2011, ISBN-13: 978-1118026472
C: 柯志杰 (trans.), 網頁程式駭客攻防實戰--以 PHP 為例 (Web Application Hacking: Attack and Defense in Practice, with PHP Examples), 旗標出版社 (Flag Publishing), 2007, ISBN: 9789574424603. Japanese original: Cyber Joe, PHP CyberTero no Giho – Kogeki to Bogyo no Jissai, Socym (Japan), 2005

※ Reference Books:
A. Belapurkar et al., Distributed Systems Security: Issues, Processes, and Solutions, Wiley, 2009
W. Stallings, Cryptography and Network Security: Principles and Practice, 3rd Edition, Prentice Hall, 2002
施威銘研究室 (Shih Wei-Ming Studio), 最新 PHP + MySQL + Ajax 網頁程式設計 (Latest PHP + MySQL + Ajax Web Programming), 旗標出版社 (Flag Publishing), 2009
D. Stuttard and M. Pinto, The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, Wiley, 2007
John Erickson, Hacking: The Art of Exploitation, 2nd Edition, No Starch Press, 2008
Page: http://sls.weco.net/f15-webhack
SLS Group: http://sls.weco.net/course/webhack
Bookmarking: http://del.icio.us/FJU_Security
Grade Enquiries: http://www.elearn.fju.edu.tw/icanxp/

Team Report (Team of 3-4):
(1) Survey and/or implement one of the Collaborated Note topics.
(2) Work on the Collaborated Notes.
(3) Written project proposal due 9/29 on the SLS course group.
(4) The Team Leader is responsible for ALL posts on SLS.
(5) ALL members should participate in the final demo and presentation.
(6) Cross Grading:
Intra-team effort: 70% Team grade, 30% Individual grade
Inter-team grade: Due after each demo/oral presentation class

Collaborated Note 2.0 "Web Attack and Defense Techniques" Topics (11 Topics): after the first class, bidding for Topic Coordinator (board moderator) opens on the home-learning WebHack course board:
http://sls.weco.net/ColleciveNote/Security
0. Google Hacking
1. Network Security
2. Web 2.0 Security Impact and Assessment
3. Footprinting, Discovery, Profiling, and Crawling
4. XSS and CSRF
5. RSS, Mashup, Widget Security, Scanning Methods
6. SOA Security and Attack Vectors
7. Defense Methods
8. PHP Hacking Attack and Defense
9. Botnet
A. Web 2.0 Security Tools and References

PS:
Please observe intellectual property regulations when publishing content online. For everything else concerning the course's use of the Social Learning Space (SLS), course activities (Google Calendar), slide downloads, lecture recordings (YouTube), 3D virtual world systems (including Second Life), social networking applications (including Facebook) and the course-related groups/channels/communities on these web applications, the scoring of course participation (including Collaborated Notes), and general course and classroom rules, please read HW0 carefully.

Date | Course Content | Video
9/15 | Syllabus, SLS, Web Technology Overview | Link
9/22 | Security Overview | Link
     | (7-9p) NISRA: Web Application Security-1 (Allen SF234) |
9/29 | Web Application Security-2 (Allen SF648) | Link
     | (7-9p) NISRA: Information Leakage and Google Hacking-1 (Shaolin SF234) |
10/6 | Information Leakage and Google Hacking-2 (Shaolin) | Link
     | (7-9p) NISRA: Taiwan Information Security Incidents, Attack and Defense-1 (Bowen SF234) |
10/13 | Taiwan Information Security Incidents, Attack and Defense-2 (Bowen) | Link
      | SLS Post #1 Due |
10/20 | WarGame and OWASP Top 10 (Sky) | Link
10/27 | Web Vulnerability (Steve) | Link
11/3 | SQL Injection Attack and Defense-1 | Link
11/10 | SQL Injection Attack and Defense-2 | Link
11/17 | XSS Attack and Defense-1 | Link
11/24 | XSS Attack and Defense-2 | Link
      | SLS Post #2 Due |
12/1 | CSRF Attack and Defense | Link
12/8 | PHP Security | Link
     | (7-9p) NISRA: WebView and APP Security (Anfa SF234) |
12/15 | WebView and APP Security (Anfa); SLS Post #3 (on Collaborated Note) Due |
12/22 | Attacking and Blocking with IBM Security Network Protection (Will) |
12/29 | HTML Security |
1/5 | IoT/Wearable Security |
1/12 | Term Project Presentation Workshop |