IT 662  WEB AND INTERNET SECURITY - FALL 2009

PROFESSOR
Dr. Constantine Coutras
Office: 163 William Street, 2nd Floor, Office 216
Phone number: (212) 346-1006
e-mail: ccoutras@pace.edu
Office Hours: Mondays 3:45 - 6:00 and Wednesdays 2:45 - 5:30

DESCRIPTION
This course examines various threats faced by Web applications and Web sites, and solutions to keep them secure. Topics include: HTTP and Web application technologies, core defense mechanisms, mapping web applications, bypassing client-side controls, attacking authentication, attacking session management, attacking access controls, injecting code, exploiting path traversal, attacking application logic, attacking other users, automating bespoke attacks, exploiting information disclosure, attacking compiled applications, attacking application architecture, attacking Web servers, and finding vulnerabilities in source code.

PREREQUISITE
Graduate status.

REQUIRED TEXT
The Web Application Hacker's Handbook, by Dafydd Stuttard and Marcus Pinto, published by Wiley Publishing, Inc.

GRADING
Homework Lab Assignments 40%
Group Project and Presentation 60%

TENTATIVE SCHEDULE
09/22 Web Application (In)security, Core Defense Mechanisms, Web Application Technologies
09/29 Mapping the Application, Bypassing Client-Side Controls
10/06 Attacking Authentication, Attacking Session Management
10/13 Attacking Access Controls, Injecting Code
10/20 Injecting Code
10/27 Exploiting Path Traversal, Attacking Application Logic
11/03 Attacking Other Users
11/10 Automating Bespoke Attacks, Exploiting Information Disclosure, Attacking Compiled Applications
11/17 Attacking Application Architecture, Attacking the Web Server
11/24 Finding Vulnerabilities in Source Code
12/01 A Web Application Hacker's Toolkit, A Web Application Hacker's Methodology
12/08 Group Presentations