שנה"ל תשע"ו

אבטחת מערכות וישומים ברשת
Web System and Application Security

0368-3250-01

מדעים מדויקים


סמ' ב'	0900-1200	'א	101	לימודי הסביבה	שיעור	ד"ר מובשוביץ דוד

D:\Inetpub\shared\yedion\syllabus\03\2015\0368\0368325001_desc.txt סילבוס מקוצר .Web based systems are facing unique threats from information security perspective, both on the network layer as well as in the application layer. In the course we will discuss the threats to the network and how to mitigate them using firewalls to control the access the web system network, and the SSL protocol to ensure secure communication over the internet. In addition, we will learn how to perform threat modeling and risk analysis to a web system, and how to prevent web infrastructure vulnerabilities by implementing best practices. In the application layer, we will discuss the unique aspects of authentication, authorization, and session management in web applications, as well as web application vulnerabilities and related attacks, focusing on browser base attacks. We will learn how to prevent them by implementing secure coding best practices, and will discuss the unique security aspects to Web 2.0 (or AJAX based) and to cloud computing (as time permit מדעים מדויקים 0368-3250-01 אבטחת מערכות וישומים ברשת Web System and Application Security שנה"ל תשע"ו \| סמ' ב' \| ד"ר מובשוביץ דוד סילבוס מפורט/דף מידע ב"ה שם הקורס: אבטחת ישומים ברשת (Web Application Security) מרצה הקורס: ד"ר דוד מובשוביץ שעות הקורס: יום א' בין השעות 9:00 ל 12:00 רקע לקורס: Web based systems are facing unique threats from information security perspective, both on the network layer as well as in the application layer. In the course we will discuss the threats to the network and how to mitigate them using firewalls to control the access the web system network, and the SSL protocol to ensure secure communication over the internet. In addition, we will learn how to perform threat modeling and risk analysis to a web system, and how to prevent web infrastructure vulnerabilities by implementing best practices. In the application layer, we will discuss the unique aspects of authentication, authorization, and session management in web applications, as well as web application vulnerabilities and related attacks, focusing on browser base attacks. We will learn how to prevent them by implementing secure coding best practices, and will discuss the unique security aspects to Web 2.0 (or AJAX based) and to cloud computing (as time permit). הנושאים שילמדו בקורס: In the course we will learn: The unique security aspects and challenges of web security Web network layer security and firewall technologies Stateless and statefull packet filtering Network Address Translation (NAT and PAT) DMZ and related best practices Web Authentication & Session Management Web application authentication mechanisms Web application session management Web application Single Sign-On (SSO) and SAML Web infrastructure vulnerabilities and countermeasures Web environment risk analysis and threat modeling overview Web infrastructure hardening Web Authorization & Access Control Input Validation related vulnerabilities The causes for input validation related vulnerabilities (and related attacks) Insecure direct object reference Unvalidated redirect and forward Input validation based on positive security logic Input validation based on negative security logic Evasion techniques Injection attacks SQL Injection and related evasion techniques, LDAP/XPath and other Injection attacks, Best practices to prevent injection based attacks Error handling Threats related to error that are not handled properly Best practices for error handling Auditing & Logging Auditing and log analysis Central logging Browser based attacks XSS attacks XSS Categories Countermeasures Input Validation and evasion techniques Output encoding CSP XSRF Attack description Countermeasures Reducing attack surface Anti-XSRF token Security considerations for AJAX and Mobile applications רשימת של נושאי ההרצאות: Introduction to the unique aspects of web security (1 meeting) Information security terminology and concepts with focus on web based system (1 meeting) Firewalls and network access control (2 meetings) Web application authentication mechanisms (1 meeting) Web application session management – mechanisms, risks and mitigation techniques (1 meeting) Web application Single Sign-On (SSO) (1 meeting) Web authorization and access control (0.5 meeting) Web infrastructure vulnerabilities and countermeasures (2 meeting) Input validation and related attacks (1 meeting) Injection attacks (1 meeting) Error handling, logging and auditing (0.5 meeting) XSS attacks and mitigations (1 meeting) XSRF attacks and mitigations (0.5 meeting) AJAX & Web 2.0 Security issues (1 meeting) הערה: הרשימה אינה סופית ויתכנו שינויים במהלך הקורס. דרישות קדם לקורס: ידע מוקדם באבטחת מידע ולכן הקורס "מבוא לאבטחת מידע" מהוה דרישת קדם. ידע בפיתוח ישומים ובכתיבת קוד. ולכן הקורסים מבוא למדעי המחשב ואלגוריתמים מהווים דרישת קדם. כמו כן ידע מוקדם ב HTTP, HTML ו JavaScript יועיל לסטודנט (אנו נחזור על נושאים אלו בקצרה במהלך הקורס) הציון בקורס: הציון בקורס מורכב מציון בחינה ומציון על העבודות הבית שתתבקשו להכין במהלך הקורס. השקלול של הציון הוא: ציון מבחן מסכם –80% ציון עבודות בית –20% על מנת לעבור את הקורס על הסטודנט לקבל ציון מינימום של 60 במבחן המסכם וציון 60 בקורס. שעת קבלה: בכל שאלה ונושא ניתן לפנות למרצה בשעת הקבלה, או לשלוח אליו דואל אלקטרוני לכתובת dmovshovitz@gmail.com Bibliography (Required Readings) Note: Since the course is covering many topics and there is no text book that cover all the topics discussed in the course, there is no mandatory text book and the presentation are very detailed and cover all the subjects discussed in the course in details. There is of course recommended list of books for reading. Recommended Readings 1. Developer's Guide to Web Application Security, by Michael Cross 2. Web Application Vulnerabilities: Detect, Exploit, Prevent, by Steven Palmer 3. Improving Web Application Security: Threats and Countermeasures by Microsoft Corporation 4. Developer's Guide to Web Application Security by Matt Fisher (Paperback - Jul 1, 2006) 5. Improving Web Application Security: Threats and Countermeasures by Microsoft Corporation 6. J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed) by Art Taylor, Brian Buege, and Randy Layman 7. Hacking Exposed Web Applications, 2nd Ed. (Hacking Exposed) by Joel Scambray, Mike Shema, Caleb Sima 8. Cross Site Scripting Attacks: XSS Exploits and Defense by Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, Petko D. Petkov

ש"ס: 3.0

סילבוס מקוצר

.Web based systems are facing unique threats from information security perspective, both on the network layer as well as in the application layer. In the course we will discuss the threats to the network and how to mitigate them using firewalls to control the access the web system network, and the SSL protocol to ensure secure communication over the internet. In addition, we will learn how to perform threat modeling and risk analysis to a web system, and how to prevent web infrastructure vulnerabilities by implementing best practices. In the application layer, we will discuss the unique aspects of authentication, authorization, and session management in web applications, as well as web application vulnerabilities and related attacks, focusing on browser base attacks. We will learn how to prevent them by implementing secure coding best practices, and will discuss the unique security aspects to Web 2.0 (or AJAX based) and to cloud computing (as time permit

מדעים מדויקים
0368-3250-01 אבטחת מערכות וישומים ברשת
Web System and Application Security
שנה"ל תשע"ו | סמ' ב' | ד"ר מובשוביץ דוד

666סילבוס מפורט/דף מידע

ב"ה

שם הקורס: אבטחת ישומים ברשת (Web Application Security)

מרצה הקורס: ד"ר דוד מובשוביץ

שעות הקורס: יום א' בין השעות 9:00 ל 12:00

רקע לקורס:

Web based systems are facing unique threats from information security perspective, both on the network layer as well as in the application layer. In the course we will discuss the threats to the network and how to mitigate them using firewalls to control the access the web system network, and the SSL protocol to ensure secure communication over the internet. In addition, we will learn how to perform threat modeling and risk analysis to a web system, and how to prevent web infrastructure vulnerabilities by implementing best practices. In the application layer, we will discuss the unique aspects of authentication, authorization, and session management in web applications, as well as web application vulnerabilities and related attacks, focusing on browser base attacks. We will learn how to prevent them by implementing secure coding best practices, and will discuss the unique security aspects to Web 2.0 (or AJAX based) and to cloud computing (as time permit).

הנושאים שילמדו בקורס:

In the course we will learn:

The unique security aspects and challenges of web security
Web network layer security and firewall technologies
- Stateless and statefull packet filtering
- Network Address Translation (NAT and PAT)
- DMZ and related best practices
Web Authentication & Session Management
- Web application authentication mechanisms
- Web application session management
- Web application Single Sign-On (SSO) and SAML
Web infrastructure vulnerabilities and countermeasures
- Web environment risk analysis and threat modeling overview
- Web infrastructure hardening
- Web Authorization & Access Control
Input Validation related vulnerabilities
- The causes for input validation related vulnerabilities (and related attacks)
  - Insecure direct object reference
  - Unvalidated redirect and forward
- Input validation based on positive security logic
- Input validation based on negative security logic
  - Evasion techniques
Injection attacks
- SQL Injection and related evasion techniques,
- LDAP/XPath and other Injection attacks,
- Best practices to prevent injection based attacks
Error handling
- Threats related to error that are not handled properly
- Best practices for error handling
Auditing & Logging
- Auditing and log analysis
- Central logging
Browser based attacks
- XSS attacks
  - XSS Categories
  - Countermeasures
    - Input Validation and evasion techniques
    - Output encoding
    - CSP
- XSRF
  - Attack description
  - Countermeasures
    - Reducing attack surface
    - Anti-XSRF token
Security considerations for AJAX and Mobile applications

רשימת של נושאי ההרצאות:

Introduction to the unique aspects of web security (1 meeting)
Information security terminology and concepts with focus on web based system (1 meeting)
Firewalls and network access control (2 meetings)
Web application authentication mechanisms (1 meeting)
Web application session management – mechanisms, risks and mitigation techniques (1 meeting)
Web application Single Sign-On (SSO) (1 meeting)
Web authorization and access control (0.5 meeting)
Web infrastructure vulnerabilities and countermeasures (2 meeting)
Input validation and related attacks (1 meeting)
Injection attacks (1 meeting)
Error handling, logging and auditing (0.5 meeting)
XSS attacks and mitigations (1 meeting)
XSRF attacks and mitigations (0.5 meeting)
AJAX & Web 2.0 Security issues (1 meeting)

הערה: הרשימה אינה סופית ויתכנו שינויים במהלך הקורס.

דרישות קדם לקורס:

ידע מוקדם באבטחת מידע ולכן הקורס "מבוא לאבטחת מידע" מהוה דרישת קדם.

ידע בפיתוח ישומים ובכתיבת קוד. ולכן הקורסים מבוא למדעי המחשב ואלגוריתמים מהווים דרישת קדם.

כמו כן ידע מוקדם ב HTTP, HTML ו JavaScript יועיל לסטודנט (אנו נחזור על נושאים אלו בקצרה במהלך הקורס)

הציון בקורס:

הציון בקורס מורכב מציון בחינה ומציון על העבודות הבית שתתבקשו להכין במהלך הקורס. השקלול של הציון הוא:

ציון מבחן מסכם –80%
ציון עבודות בית –20%

על מנת לעבור את הקורס על הסטודנט לקבל ציון מינימום של 60 במבחן המסכם וציון 60 בקורס.

שעת קבלה:

בכל שאלה ונושא ניתן לפנות למרצה בשעת הקבלה, או לשלוח אליו דואל אלקטרוני לכתובת dmovshovitz@gmail.com

Bibliography (Required Readings)

Note: Since the course is covering many topics and there is no text book that cover all the topics discussed in the course, there is no mandatory text book and the presentation are very detailed and cover all the subjects discussed in the course in details. There is of course recommended list of books for reading.

Recommended Readings

1. Developer's Guide to Web Application Security, by Michael Cross

2. Web Application Vulnerabilities: Detect, Exploit, Prevent, by Steven Palmer

3. Improving Web Application Security: Threats and Countermeasures by Microsoft Corporation

4. Developer's Guide to Web Application Security by Matt Fisher (Paperback - Jul 1, 2006)

5. Improving Web Application Security: Threats and Countermeasures by Microsoft Corporation

6. J2EE & Java: Developing Secure Web Applications with Java Technology (Hacking Exposed) by Art Taylor, Brian Buege, and Randy Layman

7. Hacking Exposed Web Applications, 2nd Ed. (Hacking Exposed) by Joel Scambray, Mike Shema, Caleb Sima

8. Cross Site Scripting Attacks: XSS Exploits and Defense by Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, Petko D. Petkov

להצהרת הנגישות