IERG4210, CUHK (2014-15 Term 2)

Information Engineering
Chinese University of Hong Kong

Lectures

Every Tuesday 15:30-18:15
NAH 213 (since Jan 27)
Instructor: Dr. Adonis Fung [phfung@ie]

Tutorials

Sections:
- Monday, 11:30 - 12:15, ERB 405
- Tuesday, 18:30 - 19:15, NAH 213
TAs:
- Wenrui Diao [dw013@ie]
- Benedict Mak [mlt014@ie]
- Shizhan Zhu [zs014@ie]

Course Contents & Tentative Schedule

  1. Jan 6 - Introductions
    - Course Matters
    - Overview of the Internet
    - Security Principles
    [Lecture Notes, Reading: Security Goals, Reading: Security Principles]
  2. Jan 13 - User Interface Design
    - HTML, CSS, Templating
    [Lecture Notes (PDF)]
    [Tutorial 1] [Assignment Marking Checklist for Phase 1 (v1.0)]
  3. Jan 20 - User Interface Programming
    - JavaScript, DOM, and Events
    [Lecture Notes (PDF), Reading: Object-Oriented JavaScript, Reading: Events]
    [Tutorial 2]
  4. Jan 27 - HTTP and Client-side Form Handling
    - HTTP Introduction
    - Form Controls, Validations (Controls, HTML5, JS), XHR/AJAX
    - Form Submissions: HTML, Programmatic, and AJAX
    [Lecture Notes (PDF), Reading: Asynchronous Model (Section 1 & 2 only)]
  5. Feb 3 - Server-side Form Handling (Using Node/PHP)
    - Web Server and Application: Features, Performance, Scalability
    - Validations, Sanitizations, Form Processing
    - Data Transfer Formatting: HTML, JSON, XML
    [Lecture Notes (PDF), Reading: Old Notes in PHP flavor]
    [Tutorial 4]
  6. Feb 10 - Fast and Scalable Web and Database Servers
    - Fast and Scalable Web Server Platform
    - Persistent Storage: DB with SQL language
    - Temporary/Fast Storage: Memcached, NoSQL
    - Concerns: Performance, Availability, Distributability, Tradeoffs
    [Lecture Notes]
    [Tutorial 5, Assignment Marking Checklist for Phase 3 (v3.0)]
  7. Feb 17 - Authentication and Authorization
    - Session Storage: Cookies, localStorage, Server-side Session
    - Attacks and Defenses: Broken Authentication and Session Management, Missing Function Level Access Control, etc.
    [Lecture Notes]
    [Tutorial 6]
  8. Feb 24 - Lunar New Year Vacation
    - No Lectures
  9. Mar 3 - Web Application Security I
    - Same Origin Policy (SOP)
    - Attacks and Defenses: Cross-Site Request Forgeries (CSRF), CAPTCHA
    - Attacks and Defenses: Cross-Site Scripting (XSS), Clickjacking
    - Cross-origin Communication and Security (XHR2, JSONP, postMessage(), etc.)
    [Lecture Notes, Reading: Context-sensitive Output Escaping, Reading: Daswani07 10.5 XSS, Reading: CSRF and Clickjacking]
    [Tutorial 7, Assignment Marking Checklist for Phase 4 (v4.0)]
  10. Mar 10 - Quiz
    [Tutorial 8, Assignment Marking Checklist for Phase 4 (v4.1)]
  11. Mar 17 - Web Application Security II
    - Attacks and Defenses: Injections, Insecure Direct Object References, Unvalidated Redirects and Forwards, etc.
    [Lecture Notes, Reading: Stuttard12 - SQL Injection, Reading: Stuttard12 - HTTP Response Splitting, Reading: Stuttard12 - Path Traversal]
    [Tutorial 9]
  12. Mar 24 - Transport Layer and Web Browser Security
    - TLS/SSL, PKI, Certificates, Digital Signatures, SSH
    - Attacks and Defenses: Man-in-the-middle, Side-channel, Wi-Fi, DNS, Phishing
    - Browser Security: Cert Pinning, 2FA, XSS Audits, Content Security Policy, Extensions, etc.
    [Lecture Notes]
    [Assignment Marking Checklist for Phase 5-7A (v5.0)]
  13. Mar 31 - Optimizing Web Applications
    - Settings and Code Tweaks, Search Engine Optimizations, Analytics
    [Lecture Notes, Reading: Optimizing Performance, Reading: Using Promises, Reading: Search Engine Optimizations]
    [Tutorial 10]
  14. Apr 7 - Easter Holiday
    - No Lectures
  15. Apr 14 - Scanning Web Applications for Vulnerabilities
    - Automated Web Application Vulnerability Scanning - Crawling: hyperlink extraction, event enumeration, etc.
    - Fuzzing: XSS, SQL, CSRF, etc.
    - Invited Talk: Penetration Testing, Security Tools
    - Course Reviews
    [Lecture Notes, Penetration Testing]
    [Assignment Marking Checklist (v6.0)]