CS 253 Web Security
This course is a comprehensive overview of web security. The goal is to build an understanding of the most common web attacks and their countermeasures. Given the pervasive insecurity of the modern web landscape, there is a pressing need for programmers and system designers improve their understanding of web security issues.
We'll be covering the fundamentals as well as the state-of-the-art in web security.
Meeting time and place
Tuesdays and Thursdays, 1:30 PM - 2:50 PM in classroom 380-380Y
Feross Aboukhadijeh (email@example.com)
Esther Goldstein (firstname.lastname@example.org)
- Feross: Thursday 3-5pm, Gates 323
- Esther: Monday 3-5pm, Wednesday 3-5pm, Huang Basement
Sep 26: HTTP, Cookies, Sessions
Oct 01: Session Attacks
Oct 03: Cross-Site Request Forgery, Same Origin Policy
Oct 08: Exceptions to the Same Origin Policy, Cross-Site Script Inclusion
Oct 10: Cross-Site Scripting (XSS)
Oct 15: Cross-Site Scripting Defenses
Oct 17: Fingerprinting and Privacy on the Web
- Guest Lecture by Pete Snyder (Brave Software)
- Online tracking: A 1-million-site measurement and analysis
- Most websites don't need to vibrate: A cost-benefit approach to improving browser security
- Browser Fingerprinting: An Introduction and the Challenges Ahead
- WebKit Ad Click Attribution
- Protecting Browser State from Web Privacy Attacks
- Skim: WebKit Tracking Prevention Policy
Oct 22: Denial-of-service, Phishing, Side Channels
Oct 24: Code Injection
Oct 29: Transport Layer Security
Oct 31: HTTPS in the Real World: A Spooky Tale
- Guest Lecture by Emily Stark & Chris Palmer (Google Chrome)
Nov 05: Authentication
Nov 07: WebAuthn - The future of user authentication on the web 🤞
Nov 12: No class
Nov 14: Managing security concerns in a large Open Source project
- Guest Lecture by Myles Borins (Node.js technical steering committee, Google)
Nov 19: Server security, Safe coding practices
Nov 21: Local HTTP server security
Dec 03: DNS rebinding attacks
Dec 05: Browser architecture, Writing secure code
- The Security Architecture of the Chromium Browser
- Cross-Origin Read Blocking (CORB) primer
- Skim: Cross-Origin Read Blocking (CORB) explainer
- I’m harvesting credit card numbers and passwords from your site. Here’s how.
- Assigned: Tuesday, September 24
- Due: Friday, October 4 at 5:00pm
- Assigned: Tuesday, October 8
- Due: Friday, October 18 at 5:00pm
- Assigned: Saturday, October 26
- Due: Thursday, November 7 at 11:59pm
Assignment 3 – TBD
- Assigned: Approx. Tuesday, November 12
- Due: Friday, November 22 at 5:00pm
Assignment 4 – TBD
- Assigned: Approx. Mon, November 25
- Due: Friday, December 6 at 5:00pm
We use Gradescope for assignment submissions. Enroll with the code
To submit anonymous feedback to us at any point during the quarter, you may use this form.
CS 142, or an equivalent amount of web development experience, is a prerequisite. You should also be curious about web security and excited to learn clever attacks, defenses, and techniques for writing secure code.
An introductory security course, such as CS 155, is not a formal prerequisite. The material in this course is focused specifically on the web, while CS 155 covers security more broadly.
Attendance at lectures is mandatory. Do not enroll in this course if you are taking another course that meets at the same time.
- Assignments (75%)
- Final Exam (25%)
Each assignment is worth 15%. There is no midterm.
- Tuesday, December 10, 3:30pm - 6:30pm in 200-305
- Closed laptop/notes. Cheat sheet comprised of two pieces of paper, double-sided is permitted.
You may discuss the assignments with other students and you may work together to come up with solutions to the problems. If you do so, you must list the name of your collaborators in the submission. Each student must write up their solutions independently.
You get three “late days” in total during the quarter. You may use a late day to submit an assignment after the deadline. You can use at most three late days for any single assignment, and you may only use late days in one-day increments (no partial late days).
If you submit an assignment more than 72 hours after the deadline, or if you submit an assignment late after running out of late days, you will receive no credit for the submission. Please submit your assignments on time and save your late days for extraordinary situations.
If you have questions about these policies, please ask us.