This course is a comprehensive overview of web security. The goal is to build an understanding of the most common web attacks and their countermeasures. Given the pervasive insecurity of the modern web landscape, there is a pressing need for programmers and system designers to improve their understanding of web security issues. Fundamentals as well as the state of the art in web security will be covered. Topics include: principles of web security, attacks and countermeasures, the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross-site scripting, authentication, JavaScript security, emerging threats, defense-in-depth, and techniques for writing secure code. Course projects include writing security exploits, defending insecure web apps, and implementing emerging web standards.

Part 1: Basics

#1 What is Web Security?
Slides
Reading:
- Inside look at modern web browser (part 1)
- Inside look at modern web browser (part 2)
- Inside look at modern web browser (part 3)
- A Re-Introduction to JavaScript

#2 DNS, HTTP
Slides
Reading:
- An overview of HTTP
- A typical HTTP session
- Skim: HTTP headers

#3 Same Origin Policy
Slides
Reading:
- Same Origin policy

Part 2: Client-side attacks and defenses

#1 Cookies and Sessions
Slides
Reading:
- HTTP Cookies

#2 Session attacks, Cross-Site Request Forgery
Slides
Reading:
- SameSite Cookies Explained
- Incrementally Better Cookies
- CSRF Is Dead
- Cross-Site Request Forgery Prevention

#3 Cross-Site Scripting (XSS)
Slides
Reading:
- Cross Site Scripting Prevention Cheat Sheet
- XSS Filter Evasion Cheat Sheet

#4 Cross-Site Scripting Defenses
Slides
Reading:
- Reining in the Web with Content Security Policy
- CSP is Dead: Long Live CSP
- Trusted Types
- Sanitising HTML: the DOM clobbering issue

#5 Denial-of-service, Phishing
Slides
Reading:
- Alice in Warningland: A Large-Scale Field Study of Browser Security
- Clickjacking
- Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense
- XS-Leaks

#6 Online Tracking, What Can Be Done About it, and Who’s Doing it
Guest Lecture by Pete Snyder (Brave)
Slides
Reading:
- Online tracking: A 1-million-site measurement and analysis
- Most websites don’t need to vibrate: A cost-benefit approach to improving browser security
- Browser Fingerprinting: An Introduction and the Challenges Ahead
- WebKit Ad Click Attribution
- Protecting Browser State from Web Privacy Attacks
- Skim: WebKit Tracking Prevention Policy

Part 3: Server-side attacks and defenses

#1 Code Injection
Slides
Reading:
- Command injection
- SQL injection

#2 Server security, Safe coding practices
Slides
Reading:
- Exploiting Buffer

#3 HTTPS and the Lock Icon
Guest Lecture by Dan Boneh (Stanford)
Slides
Reading:
- Looking back at the Snowden revelations
- HTTPS encryption on the web

#4 HTTPS in the Real World
Guest Lecture by Joe DeBlasio (Google Chrome)
Slides
Reading:
- DigiNotar on Wikipedia
- About Public Key Pinning
- What Is HPKP For?
- Rolling out Public Key Pinning with HPKP Reporting

#5 Authentication
Slides
Reading:
- Authentication Cheat Sheet

#6 WebAuthn - The future of user authentication on the web
Guest Lecture by Lucas Garron (GitHub)
Slides
Reading:
- Guide to Web Authentication

Part 4: Web security in the real world

#1 Local HTTP server security
Slides
Reading: None

#2 Web Security in the Real World
Guest Lecture by Yan Zhu (Brave)
Slides
Reading:
- The Security Architecture of the Chromium Browser
- Cross-Origin Read Blocking (CORB) primer
- Skim: Cross-Origin Read Blocking (CORB) explainer
- Backdooring Your JavaScript Using Minifier Bugs
- I’m harvesting credit card numbers and passwords from your site. Here’s how.
- Major sites running unauthenticated JavaScript on their payment pages

#3 DNS rebinding attacks
Slides
Reading:
- Millions of Streaming Devices Are Vulnerable to a Retro Web Attack
- Protecting Browsers from DNS Rebinding Attacks
- Private Network Access

#4 Browser architecture, Writing secure code
Slides
Reading:
- Google Chrome Exploitation – A Case Study
- The Rule of 2
- Statement on event-stream compromise
- Browse: Socket: open source supply chain security SCA analysis tool

Assignments

- Assignment 0 – Web Programming Adventure ✈️
- Assignment 1 – Journey to the Dark Side 🌘
- Assignment 2 – Oh What a Tangled Web We Weave 🕸
- Assignment 3 – Somebody’s Always Watching 👁️
- Assignment 4 – Swiss Cheese Security 🧀

Visit Stanford Course Web Page