Fall 2019

This course is a comprehensive overview of web security. The goal is to build an understanding of the most common web attacks and their countermeasures. Given the pervasive insecurity of the modern web landscape, there is a pressing need for programmers and system designers improve their understanding of web security issues.

We'll be covering the fundamentals as well as the state-of-the-art in web security.

Topics include: Principles of web security, attacks and countermeasures, the browser security model, web app vulnerabilities, injection, denial-of-service, TLS attacks, privacy, fingerprinting, same-origin policy, cross site scripting, authentication, JavaScript security, emerging threats, defense-in-depth, and techniques for writing secure code. Course projects include writing security exploits, defending insecure web apps, and implementing emerging web standards.

Meeting time and place

Tuesdays and Thursdays, 1:30 PM - 2:50 PM in classroom 380-380Y

Course Staff

Instructor

Feross Aboukhadijeh (feross@cs.stanford.edu)

Teaching Assistant

Esther Goldstein (egolds@stanford.edu)

Office Hours

Schedule

Sep 24: What is Web Security? HTML & JavaScript Review

Sep 26: HTTP, Cookies, Sessions

Oct 01: Session Attacks

Oct 03: Cross-Site Request Forgery, Same Origin Policy

Oct 08: Exceptions to the Same Origin Policy, Cross-Site Script Inclusion

Oct 10: Cross-Site Scripting (XSS)

Oct 15: Cross-Site Scripting Defenses

Oct 17: Fingerprinting and Privacy on the Web

Oct 22: Denial-of-service, Phishing, Side Channels

Oct 24: Code Injection

Oct 29: Transport Layer Security

Oct 31: HTTPS in the Real World: A Spooky Tale

Nov 05: Authentication

Nov 07: WebAuthn - The future of user authentication on the web 🤞

Nov 12: No class

Nov 14: Managing security concerns in a large Open Source project

Nov 19: Server security: Safe coding practices

Nov 21: Server security: Side Channels, Local HTTP servers

Dec 03: Browser Architecture, Plugins

Dec 05: Ecosystem Issues

Assignments

Assignment 0 – Web Programming Adventure ✈️

Assignment 1 – Journey to the Dark Side 🌘

Assignment 2 – Oh What a Tangled Web We Weave 🕸

Assignment 3 – TBD

Assignment 4 – TBD

Course Policies

Communication

We will primarily use Piazza for sending out course announcements and answering questions. Please make sure to sign up.

We use Gradescope for assignment submissions. Enroll with the code 97BGZB.

To submit anonymous feedback to us at any point during the quarter, you may use this form.

Prerequisites

CS 142, or an equivalent amount of web development experience, is a prerequisite. You should also be curious about web security and excited to learn clever attacks, defenses, and techniques for writing secure code.

An introductory security course, such as CS 155, is not a formal prerequisite. The material in this course is focused specifically on the web, while CS 155 covers security more broadly.

Attendence

Attendance at lectures is mandatory. Do not enroll in this course if you are taking another course that meets at the same time.

Grading

Each assignment is worth 15%. There is no midterm.

Final exam

Collaboration Policy

You may discuss the assignments with other students and you may work together to come up with solutions to the problems. If you do so, you must list the name of your collaborators in the submission. Each student must write up their solutions independently.

Late Submissions

You get three “late days” in total during the quarter. You may use a late day to submit an assignment after the deadline. You can use at most three late days for any single assignment, and you may only use late days in one-day increments (no partial late days).

If you submit an assignment more than 72 hours after the deadline, or if you submit an assignment late after running out of late days, you will receive no credit for the submission. Please submit your assignments on time and save your late days for extraordinary situations.

If you have questions about these policies, please ask us.