CSCI 5931 Web Security
Spring 2004 (1/20 - 5/6 + final)
Wednesdays 1-3:50pm (D242)
Prerequisite: Computer Security (csci5233)
and Internet Application Development (csci4230), or
Note: If you do not have
either of the prerequisites, you MUST talk to the instructor. It is
assumed that students enrolled in this class are already familiar with fundamental topics such as cryptography (symmetric vs.
asymmetric encryption/decryption), cryptographic algorithms and mechanisms (RSA, DES,
Triple-DES, digital signatures, digital certificates, etc.), and n-tier
web application development.
The primary objective of this course is to study and practice fundamental techniques in
developing secure web-based applications, including the vulnerabilities of
web-based applications and how to protect those applications from
attacks. Students are encouraged to pursue research projects in the
area of Internet security.
Format: Lectures are combined with
discussions and, if applicable, student presentations and
discussions of advanced topics. Students are expected to be
active participants, by studying the relevant chapters and/or research
papers and participating in in-class discussions. Programming
projects employing the various security techniques and n-tier web-based
architecture are part of the course. Students are
expected to make an oral presentation of topics related to
Instructor: Dr. T. A.
- (office) Delta 106
- office hours (NOTE: If the suite office is locked, you may use the phone outside the office to
call me, by entering the extension 3835).
You are highly encouraged to send your questions to me by
e-mail or by posting the question at the discussion board.
You, however, are responsible for describing the problem(s) you have
encountered, the solution(s) you have tried, and the outcome you have
got from these solution(s).
- (phone#) (281) 283-3835 (Please leave a message if not
- (email address) firstname.lastname@example.org (Note: Emails without a proper subject
line and your full name will be discarded. Here is a sample subject line:
"CSCI5931 project #1, question 1".)
- (web site) http://sce.uhcl.edu/yan
TA:
- Email: BooraS4963@uhcl.edu
- Office Hours: Tue. 12pm to 4pm; Wed. 4pm to 8pm; Thur. 12pm to 6pm
- Location: PC lab
- SSH (or Secure SHell) is a protocol for creating a secure
connection between two systems. In the SSH protocol, the client machine
initiates a connection with a server machine ...
- Useful information about Java mail:
- HTTP & History of the Internet:
- Internet X.509 Public Key Infrastructure Operational
Protocols: FTP and HTTP. R. Housley, P. Hoffman. May 1999.
PROPOSED STANDARD. local copy of rfc2585
- Hypertext Transfer Protocol -- HTTP/1.1. R. Fielding, J.
Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, T. Berners-Lee.
June 1999. DRAFT STANDARD. local copy of rfc2616
- HTTP Authentication: Basic and Digest Access
Authentication. J. Franks, P. Hallam-Baker, J. Hostetler,
S. Lawrence, P. Leach, A. Luotonen, L. Stewart. June 1999. DRAFT
STANDARD. local copy of
- HTTP State Management Mechanism. D. Kristol, L.
Montulli. October 2000. PROPOSED STANDARD.
local copy of rfc2965
- Other Books:
- Pistoia, Marco, Duane F. Reller, Deepak Gupta,
Milind Nagnur, Ashok Ramani, Java 2
Network Security, 2nd Edition, Prentice Hall, 2000.
- Rescorla, Eric, SSL and TLS: Designing and Building Secure Systems, Addison Wesley Professional, 2001.
- Schneier, Bruce,
Applied Cryptography: Protocols, Algorithms, and Source Code in C,
2nd Edition.
- Related Articles:
- Andrews, Gregory R., "Partitions and principles for
secure operating systems", Proceedings of the 1975 ACM annual
conference, January 1975.
- Viega, John, Tadayoshi Kohno, and Bruce Potter, "Trust
(and mistrust) in secure applications", Communications of the ACM,
Volume 44 Issue 2, February 2001.
- Bashir, Imran, Enrico Serafini, and Kevin Wall, "Securing
network software applications: introduction", Communications of
the ACM, Volume 44 Issue 2, February 2001.
- News articles:
- Aug. 1, 2002. "HP Wimps Cower Behind DMCA", by
Brett Glass. ExtremeTech Security.
- July 31, 2002. "Clarke Lambastes Software
Industry", by Dennis Fisher. eWeek .
- March 20, 2002. "What's a Chief Security Officer Make?
Depends on Where You Look", by Jeff Moad. eWeek .
- July 1, 2002. "What It Takes to Be a CSO (Chief
Security Officer)?". eWeek .
- July 19, 2002. "Microsoft Shelled Out Millions on
Security", by Dennis Fisher. eWeek .
- July 19, 2002. "Army Research Web Site Hacked",
by Dennis Fisher. eWeek .
Topics, Notes & Schedule
- The due dates are fixed and will not be extended.
Start your work early!
- The modules column is subject to change when the
class moves on. Check with the instructor if you have doubt.
wk (dates): topics and modules. Due Dates.
- wk 1 (1/21): Syllabus, projects, presentations, etc.;
module 1: A web security forensic lesson (MSS: Part 1 intro.);
module 2: Overview of N-tier web
- wk 2 (1/28): module 3: On-line Shopping (MSS: Ch. 3);
Discussion of projects (list of projects).
Due: Form teams; Sign-up for
- wk 3 (2/4): module 4: Web Hacking Basics (MSS: Ch. 4, 5, 6).
Due: Assignment 1
- wk 4 (2/11): module 5: HTML Source Sifting and Site Linkage
Analysis (MSS: Ch. 7, 8);
module 7: The Core Java Security Model (GS: Ch. 7)
- wk 5 (2/18): Demonstration of project one
- wk 6 (2/25): module 8: SSL (GS: Ch. 9)
+ a case study of SSL and Man-in-the-Middle attack (or local copy)
+ Man in the middle attack as explained on Wikipedia, the free encyclopedia
+ Internet Explorer SSL Vulnerability (08/05/02).
Due: Email the topic and an abstract of your presentation
- wk 7 (3/3): discussion of VeriSign's Technical Brief: "Building an E-Commerce Trust
Infrastructure: SSL Server Certificates and Online Payment
+ questions and sample answers
- break; no class meetings
- 5-minute presentation of your Internet security topics.
NOTE: Your PowerPoint slides must be sent to me 24 hours
before the presentation (i.e., by 1pm 3/23), in order to be
posted in time for your presentation.
- wk 11 (3/31): module 9: Applet Security (GS: Ch. 7) + Secure JDBC
connection for Java applets behind the firewall.
Due: Project 2 part A
- wk 12 (4/7): module 10: Securing a Database (GS: Ch. 10) + supplemental notes:
+ Two sample applications using Oracle JDBC drivers: a) secure
thin JDBC; b) secure OCI JDBC (thick client)
- wk 13 (4/14): module 11: Servlets Security (GS: Ch. 8);
module 12: EJB Security (GS:
Due: Project 2 part A
- wk 14 (4/21): module 13: JAAS (GS: Ch. 8);
module 14: Securing Large Applications (GS: Ch. 11).
Due: Project 2 Part B (secure JDBC connection) design
- wk 15 (4/28): module 15: Cyber Graffiti (MSS: Ch. 9);
module 16: E-Shoplifting (MSS: Ch. 10).
Due: Assignment 3
- wk 16 (5/5): Project 2 demo.
Due: Project 2 Part B
- Cumulative final exam: Wed. 5/12, 1-3:50pm
- final exam
http://sce.uhcl.edu/computing.asp for lab information, open hours,
NOTE: The accumulated points from all the categories determine a
person's final grade. There will be no extra-credit projects.
Grade scale:
- 93% or above
- 90% - 92%
- 87% - 89%
- 84% - 86%
- 80% - 83%
- 77% - 79%
- 74% - 76%
- 70% - 73%
- 59% or below
Both analytic and
synthetic abilities are emphasized. Being able to apply the learned
knowledge toward problem solving is also highly emphasized in the
Assignments/Projects and Late Penalty:
Assignments and projects will be posted at the class web site. Assignments &
projects are due before the beginning of the class on the due day.
See Topics and Notes for the due dates.
Points will be deducted from late assignments:
20% for the first 24 hours after the due time, 40% for the next 24
hours, 70% for the third 24 hours, and
100% after that. No extension will be granted except for a
documented emergency. Starting to work on the assignments as early
as possible is always the best strategy.
Unless otherwise specified, all assignments and projects are individual
work. Students should take caution not to violate the academic
honesty policies. See
http://b3308-adm.uhcl.edu/PolicyProcedures/Policy.html for details of the
- Identification page: All assignments must have your name,
and course name/number/section number (e.g., CSCI5931-02 or
CSCI5333-03) at the top of the first page.
- Proper stapling: Staple all the pages together at
the top-left corner. NOTE:
Do not use paper clips.
- Order! Order! Arrange the solutions following the
sequence of the questions. Write the question number at the top-right
corner of each page.
- Word processing: It is required that you type
your reports (i.e., print them using a printer). Use a word processor
and appropriate typesetting and drawing tools to do the assignments.
- Check the spelling and the grammar of the whole document
before handing it in. You may lose points due to spelling or
- Use proper commenting and structure in your programs.
will involve the design and implementation of a secure N-tier web based
the development of a secure Java online application using various
technologies. Students are expected to employ the theories and
techniques learned in the class to design
and implement the system.
You are expected to
attend all classes. If you ever miss a class, it is your responsibility
to get hold of whatever may have been discussed in that class.
- Unless due to unexpected,
documented emergency, no make-up exams will be given. No
make-up exams will be granted once the exams have been
corrected and returned to the class.
- Important: If you think you have lost some
points due to grading errors, make sure you approach the instructor
within a week after the assignment, project, or test is returned to you.
- To get the most out of this class, you
need to read the textbooks and spend time using computers regularly.
Be prepared for a class by previewing the material to be covered in
and participate in discussions and problem-solving exercises, if
applicable, in the class.
- Due to the intensive nature
of graduate classes, 15-20 hours per week are expected of students in
studying the textbook/notes and working on the assignments, in addition
to class attendance. Expect to spend more hours
during summer sessions.