About this course

Learning Outcomes

This course provides an overview of the problems and challenges of software security in the context of Web applications, focusing on the main current solutions (namely, testing techniques). Students will become familiar with general cybersecurity principles (such as cryptography and the security properties of confidentiality, integrity, and availability) and with the main cybersecurity issues on the Web (such as the OWASP Top 10 web application security risks and the main knowledge bases: CWE, CVE, NVD, CAPEC). Students will be asked to critically analyze the security of Web applications and ultimately to provide evidence of cyber-insecurities in Web applications (using learning platforms such as the OWASP Juice Shop). Alongside this “hacking her way to cybersecurity” approach, students will be made aware that the security claims one would need to make about an application are currently unfalsifiable, and that there is consequently no clear understanding of what a cybersecure web application should look like.

No specific skills are required, but a basic understanding of programming is presupposed. The course includes an introduction to the basic concepts of HTML, JavaScript and SQL.

Course Resources

Learning Platforms and Software

L0. 19-January-2021 (Tuesday) [14.00-18.00]

  1. An introduction to Cybersecurity [theory 1h]
    • #whoami & course overview
    • Beliefs on Cybersecurity
    • Infosec and the CIA-triad evolution (1970-today)
    • Attacker vs Hacker, Blue and Red Teams, …
    • Hacker Ethics and Laws against Attackers
    • Cybersecurity Resources: CVE, CWE, CAPEC, WASC, NVD
    • Cybersecurity Resources: OWASP, DEFCON, Phrack, IEEE S&P
  2. Coffee break [10m]
  3. Lab Configuration [lab 1h]
  4. Hacking the HTTP [theory 30m + lab 1h30m]
    • The WebGoat platform [15m]
    • The HTTP protocol and the Client-Server architecture [15m]
    • WebGoat lesson (General->HTTPBasic) [1h30m]
      • ZAP HUD Tutorial [OPTIONAL]
Lesson 0 - Resources

L1. 26-January-2021 (Tuesday) [14.00-18.00]

  1. Cybersecurity Topic #1 - SQL-injection [theory 30m + lab 2h]
    • Intro to Databases and DBMS [15m]
    • WebGoat lesson (A1 - Injection, path traversal excluded) [2h]
  2. Coffee break [10m]
  3. Open Discussion [30m]
Lesson 1 - Resources

L2. 1-February-2021 (Monday) [14.00-18.00]

  1. Intro to JavaScript & HTML [30m]
  2. Cybersecurity Topic #3 - XSS
    • XSS short intro [15m]
    • WebGoat exercises (A7 - Cross-site Scripting) [1h]
  3. Coffee break [10m]
  4. XSS Game [1h30m]
Lesson 2 - Resources

L3. 9-February-2021 (Tuesday) [14.00-18.00]

  1. Crypto Overview & Integrity Deep Dive [1h30m]
    • Steganography, Encryption & Decryption
    • Symmetric and Asymmetric Encryption
    • Overview of Cryptographic Algorithms (One-Time Pad and RSA)
    • Attacks on Protocol Logic (man-in-the-middle, reflection, …)
    • Trust and Authentication (PKI)
  2. Coffee break [10m]
  3. Cybersecurity Topic #4 - CSRF
    • WebGoat lesson (A8:2013 Request Forgery) [1h]
Lesson 3 - Resources

L4. 16-February-2021 (Tuesday) [14.00-18.00]

  1. OWASP Juice Shop [2h50m]
  2. Coffee break [10m]
  3. Results Review & Discussion [1h]