Certificate Verification


Following are the details
Authentic: True
Event: Web Security
Name: Anupam Banerjee
Department: IITB Trust Lab, Department of Computer Science and Engineering
Credit: 6
Grade: AB
Date: February 24-May 10, 2025
Coordinator: Prof. Kameswari Chebrolu
Dean: Prof. Usha Ananthakumar

Course Content


  • Web Background: Motivation, brief history, what constitutes a web page, browser internals, web protocols, session management, server internals. Practical sessions will cover Firefox/Chrome browser developer tools to inspect/edit web pages and network requests, and OWASP ZAP for web application security testing.
  • Server Side Attacks and Defense: SQL (Structured Query Language) Injection, Server Side Request Forgery (SSRF), Information Disclosure, Command Injection, File Upload Vulnerabilities, Authentication and Authorization, OAuth, Path Traversal, Vulnerabilities in APIs, DoS Attacks, JWT Attacks. Practical sessions will explore a subset of these server-side attacks and defenses hands-on.
  • Client Side Attacks and Defense: Cross Site Request Forgery (CSRF), Cross Origin Resource Sharing (CORS), Cross Site Scripting (XSS), Web Sockets, Clickjacking. Practical sessions will explore a subset of these client-side attacks and defenses hands-on.
  • Web Security Landscape: Anatomy of web attacks, OWASP Top 10, CVE database and CVSS scores, Overall Defense, Web Application Firewalls and Best Practices.


System of Evaluation


A participant is awarded a grade based on his/her performance in examinations/assignments in every course registered by him/her. These grades are denoted by the letters AA, AB, BB, etc., and each has a numerical equivalent called grade points, as given below:

Letter Grade    Grade Points
AA              10
AB              9
BB              8
BC              7
CC              6
CD              5
DD              4