About this course

Learning Outcomes

This course provides an overview on the problems and challenges related to software security in the context of Web applications, focusing on the main current solutions (namely, testing techniques). The student will familiarize with general cybersecurity principles (such as cryptography and security properties as confidentiality, integrity, and availability) and with the main cybersecurity issues in the Web (such as the OWASP top 10 web app security risks, and the main knowledge bases such as the CWE, CVE, NVD, CAPEC). The student will be asked to critically analyze the security of Web applications and ultimately to provide evidences of cyber-insecurities in Web applications (using learning platforms such as the OWASP Juice Shop). Alongside the “hacking her way to cybersecurity” approach, the student will be made aware of the current unfalsifiability of necessary security claims, and subsequent lack of clear understanding of what a cybersecure web application should look like.

No specific skill is required but the basic understanding of programming is presupposed. Within the course, an introduction to the basic concepts of HTML, JavaScript, SQL will be provided.

Course Material

Learning Platforms

Main Testing Tools Presented in the Course


L0. 02-December-2020 (Wednesday) [9.15-13.15]

  1. An introduction to Cybersecurity [theory 1h]
    • #whoami & course overview
    • Beliefs on Cybersecurity
    • Infosec and the CIA-triad evolution (1970-today)
    • Attacker vs Hacker, Blue and Red Teams, …
    • Hacker Ethics and Laws against Attackers
    • Cybersecurity Resources: CVE, CWE, CAPEC, WASC, NVD
    • Cybersecurity Resources: OWASP, DEFCON, PHRAK, IEEE S&P
  2. Brainstorming session - what is a cybersecure web app? [lab 1h]
    • Students
      • (if) working individually, propose up to 10 keywords related to cybersecurity [15m]
      • (elif) working in group, propose (duckduckgo is your friend) a definition of cybersecurity (in the context of web apps) [30m]
    • Proposals Review & Open Discussion [45/30m]
  3. Coffee break [10m]
  4. Hacking the HTTP [theory 30m + lab 1h30m]
    • The WebGoat platform [15m]
    • The HTTP protocol and the Client-Server architecture [15m]
    • Webgoat lesson (General->HTTPBasic) [1h30m]
      • ZAP HUD Tutorial

L1. 09-December-2020 (Wednesday) [9.15-13.15]

  1. Cybersecurity Topic #1 - SQL-injection [theory 30m + lab 2h]
    • Intro to Databases and DBMS [15m]
    • Introduction to SQLmap with examples [15m]
    • WebGoat lesson (A1 - Injection, path traversal excluded) [2h]
  2. Coffee break [10m]
  3. Open Discussion [30m]
  4. Cybersecurity Topic #2 - Path Traversal [lab 30m]
    • WebGoat lesson (A1 - Injection -> Path Traversal) [30m]

L2. 14-December-2020 (Monday) [9.15-13.15]

  1. Intro to JavaScript & HTML [30m]
  2. Cybersecurity Topic #3 - XSS
    • XSS short intro [15m]
    • WebGoat exercises (A7 - Cross-site Scripting) [1h]
  3. Cofee break [10m]
  4. XSS Game [1h30m]

L3. 16-December-2020 (Wednesday) [9.15-13.15]

  1. Crypto Overview & Integrity Deep Dive [1h30m]
    • Steganography, Encryption & Decryption
    • Symmetric and Asymmetric Encryption
    • Overview of Major Cryptographic Algorithms (RSA, AES, …)
    • Attacks on Protocol Logic (man-in-the-middle, reflection, …)
    • Authenticated Key Agreement
    • Trust, authentication, non-repudiation
    • Are quantum channels & protocols of any help?
  2. Coffee break [10m]
  3. Cybersecurity Topic #4 - CSRF
    • WebGoat lesson (A8:2013 Request Forgery) [1h]
  4. Cybersecurity Topic #5 - Broken Authentication
    • WebGoat exercises [1h]

L4. 21-December-2020 (Monday) [9.15-13.15]

  1. OWASP Juice Shop [2h50m]
  2. Coffee break [10m]
  3. Results Review & Discussion [1h]


  1. CTF & Bug Bounty Programs
  2. Hacker101 CTF [3h]
  3. Open Discussion [1h]