T. Andrew Yang

Email: yang@uhcl.edu
Web page:  http://sce.uhcl.edu/yang/
Tel.: (281) 283-3835

Last updated: 1/04

CSCI 5931 Web Security

Spring 2004  (1/20 - 5/6 + final)

  • Lecture Notes & Schedule (print and bring the lecture notes to the class)
  • Individual Presentation Schedule
  • Assignments / Projects
  • Office Hours
  • Grading

Important!  To be accepted into the discussion group, make sure you use your full name as your Yahoo id.


Time (Classroom):  Wednesdays 1-3:50pm  (D242)

Prerequisite:   Computer Security (csci5233) and Internet Application Development (csci4230), or instructor's approval.
Note: If you lack either of the prerequisites, you MUST talk to the instructor.  It is assumed that students enrolled in this class are already familiar with fundamental topics such as cryptography (symmetric vs. asymmetric encryption/decryption), cryptographic algorithms and mechanisms (RSA, DES, Triple-DES, digital signatures, digital certificates, etc.), and n-tier web application development.

Course Objectives:    The primary objective of this course is to study and practice fundamental techniques for developing secure web-based applications, including the vulnerabilities of web-based applications and how to protect those applications from attacks. Students are encouraged to pursue research projects in the area of Internet security.

Class Format:  Lectures are combined with discussions and, if applicable, student presentations and discussions of advanced topics.  Students are expected to be active participants, by studying the relevant chapters and/or research papers and taking part in in-class discussions.  Programming projects employing the various security techniques and the n-tier web-based architecture are part of the course.  Students are expected to make an oral presentation on a topic related to Internet security.

Instructor:   Dr. T. A. Yang 

  • (office) Delta 106
  • office hours (NOTE: If the suite office is locked, you may use the phone outside the office to call me, by entering the extension 3835). You are highly encouraged to send your questions to me by e-mail or by posting the question at the discussion board. You, however, are responsible for describing the problem(s) you have encountered, the solution(s) you have tried, and the outcome you have got from these solution(s).
  • (phone#) (281) 283-3835 (Please leave a message if not available.)
  • (email address) yang@uhcl.edu (Note: Emails without a proper subject line and your full name will be discarded.  Here is a sample subject line: "CSCI5931 project #1, question 1".)
  • (web site)  http://sce.uhcl.edu/yan

Teaching Assistant:

Sudheer Boora

  • Email:  BooraS4963@uhcl.edu
  • Office Hours: Tue. 12pm to 4pm; Wed. 4pm to 8pm; Thur. 12pm to 6pm
  • Location:  PC lab \ TA office (D238) \ NTlab

Required Text:

  • MSS: McClure, Stuart, Saumil Shah, and Shreeraj Shah. Web Hacking: Attacks and Defense. Addison Wesley, 2003. (ISBN: 0201761769)
  • GS: Garms, Jess and Daniel Somerfield. Professional Java Security. Wrox, 2001. (ISBN: 1861004257)

Note: If you have difficulty finding a copy of this book, check out the Amazon.com used book sale.

  • Instructor's handouts in the class and/or on the Web


Supplemental Materials:
  • SSH:
    • SSH (or Secure SHell) is a protocol for creating a secure connection between two systems. In the SSH protocol, the client machine initiates a connection with a server machine ...
  • RFCs related to HTTP:
  • RFCs related to TLS:
  • Other Related RFCs:
  • Other Books:
    • Pistoia, Marco, Duane F. Reller, Deepak Gupta, Milind Nagnur, and Ashok Ramani, Java 2 Network Security, 2nd Edition, Prentice Hall, 2000.
    • Rescorla, Eric, SSL and TLS: Designing and Building Secure Systems, Addison Wesley Professional, 2001.
    • Schneier, Bruce, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Edition, Wiley, 1996.
  • Related Articles:
    • Andrews, Gregory R., "Partitions and principles for secure operating systems", Proceedings of the 1975 ACM annual conference, January 1975.
    • Viega, John, Tadayoshi Kohno, and Bruce Potter, "Trust (and mistrust) in secure applications", Communications of the ACM, Volume 44 Issue 2 , February 2001.
    • Bashir, Imran, Enrico Serafini, and Kevin Wall, "Securing network software applications: introduction", Communications of the ACM, Volume 44 Issue 2, February 2001.

Topics, Notes & Schedule

  • The due dates are fixed and will not be extended.  Start your work early!
  • The modules column is subject to change as the class moves on.  Check with the instructor if you have doubts.

Week 1 (1/21)
  • Syllabus, projects, presentations, etc.
  • module 1: A web security forensic lesson (MSS: Part 1 intro.)
  • module 2: Overview of N-tier web applications

Week 2 (1/28)
  • module 3: On-line Shopping (MSS: Ch. 3)
  • Discussion of projects (list of projects)
  • Form teams; sign up for presentations

Week 3 (2/4)
  • module 4: Web Hacking Basics (MSS: Ch. 4, 5, 6)
  • Due: Assignment 1

Week 4 (2/11)
  • module 5: HTML Source Sifting and Site Linkage Analysis (MSS: Ch. 7, 8)
  • module 7: The Core Java Security Model (GS: Ch. 7)

Week 5 (2/18)
  • Demonstration of project one
  • Due: Project 1

Week 6 (2/25)
  • module 8: SSL (GS: Ch. 9)
    • a case study of SSL and the Man-in-the-Middle attack
    • Man-in-the-middle attack as explained on Wikipedia
    • Internet Explorer SSL Vulnerability (08/05/02)
  • Due: Email the topic and an abstract of your presentation

Week 7 (3/3)
  • Discussion of VeriSign's Technical Brief: "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services", with questions and sample answers
  • Due: Assignment 2

Week 8 (3/10)
  • Midterm exam

Week 9 (3/17)
  • Spring break; no class meetings

Week 10 (3/24)
  • 5-minute presentation of your Internet security topics
    NOTE: Your PowerPoint slides must be sent to me 24 hours before the presentation (i.e., by 1pm 3/23), in order to be posted in time for your presentation.
  • Due: oral presentation

Week 11 (3/31)
  • module 9: Applet Security (GS: Ch. 7)
  • Secure JDBC connection for Java applets behind the firewall
  • Due: Project 2 part A (SSL sessions) design

Week 12 (4/7)
  • module 10: Securing a Database (GS: Ch. 10) + supplemental notes: TunnelServer.doc
  • Oracle Roadmap: JDBC
  • Two sample applications using Oracle JDBC drivers: a) secure thin JDBC; b) secure OCI JDBC (thick client)

Week 13 (4/14)
  • module 11: Servlets Security (GS: Ch. 8)
  • module 12: EJB Security (GS: Ch. 8)
  • Due: Project 2 part A

Week 14 (4/21)
  • module 13: JAAS (GS: Ch. 8)
  • module 14: Securing Large Applications (GS: Ch. 11)
  • Due: Project 2 part B (secure JDBC connection) design

Week 15 (4/28)
  • module 15: Cyber Graffiti (MSS: Ch. 9)
  • module 16: E-Shoplifting (MSS: Ch. 10)
  • Due: Assignment 3

Week 16 (5/5)
  • Project 2 demo
  • Due: Project 2 part B

Week 17 (final)
  • Cumulative final exam: Wed. 5/12, 1-3:50pm

Computer Labs & Hours

Check http://sce.uhcl.edu/computing.asp for lab information, open hours, FAQs, etc.
Evaluation:

  • assignments: 15%
  • projects: 25%
  • presentations: 10%
  • tests: 20%
  • final exam: 30%

NOTE:  The accumulated points from all the categories determine a person's final grade. There will be no extra-credit projects.
Grading Scale:

  • 93% or above: A
  • 90% - 92%: A-
  • 87% - 89%: B+
  • 84% - 86%: B
  • 80% - 83%: B-
  • 77% - 79%: C+
  • 74% - 76%: C
  • 70% - 73%: C-
  • 60% - 69%: D
  • 59% or below: F
Tests:
Both analytic and synthetic abilities are emphasized. Being able to apply the learned knowledge toward problem solving is also highly emphasized in the tests.
Assignments/Projects and Late Penalty:
Assignments and projects will be posted at the class web site. Assignments & projects are due before the beginning of the class on the due day.  See Topics and Notes for the due dates. 

Points will be deducted from late assignments: 20% for the first 24 hours after the due time, 40% for the next 24 hours, 70% for the third 24 hours, and 100% after that. No extension will be granted except for documented emergency.  
Starting to work on the assignments as early as possible is always the best strategy.

NOTE: Unless otherwise specified, all assignments and projects are individual work.  Students should take caution not to violate the academic honesty policies.  See http://b3308-adm.uhcl.edu/PolicyProcedures/Policy.html for details of the University policies.
Assignments/Projects Guidelines:
  • Identification page: All assignments must have your name, and course name/number/section number (e.g., CSCI5931-02 or CSCI5333-03) at the top of the first page.
  • Proper stapling:  Staple all the pages together at the top-left corner. NOTE: Do not use paper clips.
  • Order! Order!  Arrange the solutions following the sequence of the questions. Write the question number at the top-right corner of each page.
  • Word processing:  It is required that you type your reports (e.g., print them using a printer). Use a word processor and appropriate typesetting and drawing tools to do the assignments.
  • Check the spelling and the grammar of the whole document before handing it in. You may lose points due to spelling or grammatical errors.
  • Use proper commenting and structure in your programs.

Projects:

The projects will involve the design and implementation of a secure N-tier web-based application, demonstrating the development of a secure Java online application using various technologies.  Students are expected to employ the theories and techniques learned in the class to design and implement the system.

Attendance Policy:

You are expected to attend all classes. If you ever miss a class, it is your responsibility to get hold of whatever may have been discussed in that class.
Instructor's Notes:
  • Unless due to unexpected, documented emergency, no make-up exams will be given.  No make-up exams will be granted once the exams have been corrected and returned to the class. 
  • Important:   If you think you have lost some points due to grading errors, make sure you approach the instructor within a week after the assignment, project, or test is returned to you.  
  • To get the most out of this class, you need to read the textbooks and spend time using computers regularly.  Be prepared for a class by previewing the material to be covered in that class, and participate in discussions and problem-solving exercises, if applicable, in the class.
  • Due to the intensive nature of graduate classes, 15-20 hours per week are expected of students in studying the textbook/notes and working on the assignments, in addition to class attendance.   Expect to spend more hours during summer sessions.
