Web Hacking/Security

Short Course

If you know the enemy and know yourself, you need not fear the result of hundred battles” – Sun Tzu, Art of War

Course Title: Web Hacking/Security

Who can attend: This course’s primary audience is anyone who has a personal or professional interest in attacking and securing web applications. It is also aimed at anyone responsible for developing and administering web applications. Whether you are a business leader attempting to understand the threat space for your business, an engineer tasked with writing the code for those sites, or a security engineer attempting to identify and mitigate the threats to your applications, this course is an invaluable source of understanding cutting-edge cyber-weapons technology.

Requirements: We assume that you are familiar with core security concepts such as logins and access controls and that you have a basic grasp of core web technologies such as browsers, web servers, and HTTP. However, any gaps in your current knowledge of these areas will be easy to remedy, through either the explanations in the course or references elsewhere.

Duration: 4 days (Weekend)

Dates*: February 11-14, 2015

Location: Information and Computer Science Department, KFUPM, Al-Dhahran, Saudi Arabia.

Instructor: Dr. Sami Zhioua

Course Fees: 3000 SAR (Special fees available for KFUPM students and staff)

Registration: Department of Continuing Education, Building 54, Room 107.

For Course Information: zhioua@kfupm.edu.sa 

Course Poster [PDF]

Web Hacking and Security Course Overview:

The time is fast approaching when the only client software that most computer users will need is a web browser. The reason is simple: businesses live on the Web today. Along with this growth has come the uncomfortable realization that the security of web applications is not keeping pace.

Firewalls, Antiviruses, operating system security, and the latest patches are all powerless to stop a new generation of attacks that are increasing in frequency and sophistication: Web Attacks.
The Web has become the primary vector for infecting computers. The web developers themselves, are barely aware of the extent of the threats to their sites and the fragility of the code they write.
This intensive course is centered around Web Attacks. As a participant, you will be exposed to two main aspects. First, we catalog the greatest attacks that web applications can face and explain in detail how they work. These include Online Password Cracking, advanced SQL Injection, exotic Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), UI Redress, etc. Second, we illustrate how web developers and users can protect against these attacks.
 

Interesting Facts about Web Technology and Security

  • There is no escaping the reality that businesses live on the Web today.
  • For consumers, the Web has become the place where they do the majority of their business as well.
  • By any estimation, business on the Web is an enormous part of the economy and growing rapidly. But along with this growth has come the uncomfortable realization that the security of this segment of commerce is not keeping pace.
  • Indeed, Security researchers have observed a trend away from direct attacks toward more stealthy attacks that wait for victims to visit malicious Web sites. The Web has become the primary vector for infecting computers.
  • The web developers themselves, are barely aware of the extent of the threats to their sites, the fragility of the code they write, or the lengths to which online attackers will go to gain access to their systems.
  • Web-based attacks have significant advantages for attackers. First, they are stealthier and not as “noisy” as active attacks, making it easier to continue undetected for a longer time.
  • Gartner Group says 75 percent of hacks are at the web app level and, that out of 300 audited sites, 97 percent are vulnerable to attack.
  • WhiteHat Website Security Statistics Report, Fall 2009, says 83 percent of web sites have had at least one serious vulnerability
Course Content     

1. Introduction to Web Technology:

HTTP Protocol, HTML, Cookies, Dynamic websites
Client-Side Technology
Server-Side Technology
Encoding Schemes

2. Web Spidering

Mapping Websites
Discovering Hidden Content

3. Attacking Authentication

Bypassing Brute-Forcing Protection
Exploiting Password Change Functionality
Exploiting Forgotten Password Functionality

4. Attacking Session Management

Exploiting Poor Cookie Generation
Exploiting Poorly Protected Cookies

5. Attacking Databases: SQL Injection

Bypassing Login
Blind SQL Injection
Time-Delay SQL Injection

6. Attacking the Server

OS Command Injection
Path Traversal
HTTP Parameter Pollution

7. Cross-Site Scripting (XSS)

Reflected Vs Stored XSS
Bypassing Defensive Filters
Beating Sanitization

8. Cross-Site Request Forgery (CSRF)

Cross-Site Vs On-Site Request Forgery
Defeating Anti-CSRF Tokens
Attacking the Browser

     

 

1.     About the Course Instructor: Dr. Sami Zhioua

Dr. Sami Zhioua is assistant professor at the Information and Computer Science department of KFUPM. Before, he was a post-doctoral research and teaching fellow at McGill University, Canada. He graduated from Laval University, Canada (Ph.D. 2008 and M.Sc. 2003). His research interests include information security, ethical hacking and anonymity protocols. He is the author of three books, several journal and conference papers and one patent. He already taught several security and Hacking related courses including:

·         ICS 444 – Computer and Network Security

·         ICS 343 – Fundamentals of Computer Networks

·         Short Courses:

  • Ethical Hacking

  • Malware Development and Analysis

He also gave several public seminars about security and hacking related topics including:

·         Know your Enemy: Hacking Exposed

·         Know your Enemy: Hacking with Malwares

Web page: http://faculty.kfupm.edu.sa/ICS/zhioua/

A Seminar on Hacking by Dr. Sami Zhioua (November 2011):

 

 

 

Sami Zhioua, May 2013