Carnegie Mellon University

Web Application Security


Benoit Morel

Number of Lectures


Course Description

This course is intended as an introduction to the vast and confusing world of web application security. We are still in the process of discovering this world, which is growing fast. In this course we will take several complementary perspectives. We will first use the framework of the Open Web Application Security Project (OWASP), which is the gold standard in web application security, to classify the major kinds of attacks and discuss how they are addressed. We will try to make sense of the fact that the threat represented by those attacks is increasing, not decreasing.

We will analyze some attacks in detail (Cross-Site Scripting, SQL injection, and Cross-Site Request Forgery). These attacks are possible because of the properties of languages such as HTML and JavaScript, the same properties that make those languages so powerful. Browsers play a central role in web application security. Browsers are the interface between the users and the web. They must support the new functionalities introduced regularly on the web. They must be able to run large real-time applications. In order to do that, they have to use technologies such as just-in-time (JIT) compilation. Those technologies create entry points for attacks.

Browsers are targets for attack in a variety of ways. They are a conduit for attacks against the computer they run on, and they can be hijacked and manipulated by attackers to abuse users in a variety of ways. Browsers play an important role in protecting users. But they do not provide adequate protection against many attacks, despite the fact that those attacks take place through them. How to improve the security of browsers is work in progress, with a lot of progress still to be made.

The properties of the languages HTML, JavaScript and SQL, and of the protocol HTTP, which underlie web technology, offer attackers a wealth of opportunities for malicious activities. In this course, we also look at web security from the point of view of those technologies, which happen to be regularly modified and improved. The logic of their improvement leans toward more functionality rather than more security. There seems to be almost a tradeoff between security and functionality.

We examine the process of innovation to see what prevents a culture of security from being developed.



Recommended Textbook



  • Lecture 1:   Introduction
  • Lecture 2:   OWASP Top Ten
  • Lecture 3:   XSS (1):  Introduction to Cross Site Scripting
  • Lecture 4:   XSS (2):  How to Avoid XSS?
  • Lecture 5:   Cross Site Request Forgery (CSRF)
  • Lecture 6:   SQL Injection (1):  Intro
  • Lecture 7:   SQL Injection (2):  More Advanced
  • Lecture 8:   Browser Security (1):  How Do Browsers Enter the Security Equation?
  • Lecture 9:   Browser Security (2):  Why Are Attacks Like Man in the Browser Possible?
  • Lecture 10: Browser Security (3):  What Difference Do Browsers Make, and What Can They Do?
  • Lecture 11: OWASP Top Ten Other Than Injection, XSS and CSRF
  • Lecture 12: AJAX, Web 2.0, and Web Application Security
  • Lecture 13: Defense:  Security Tools for Web Applications
  • Lecture 14: Mobile Devices and the Cloud
  • Lecture 15: Looking for the Origins of Web Application Security Problems
  • Lecture 16: Web Application Innovation