Aug 25: Course Overview

Aug 26: SQL Injection

Readings:

• SQL Tutorial (if you don't know basic SQL)
• SQL Injection Attacks by Example. Steve Friedl

Aug 29: Cross-Site Scripting

Readings:

• HTTP Overview. (if you don't know how HTTP works)
• DOM Reference. (if you don't know what the DOM is)
• An XSS Attack Archive.
• Another XSS Attack Archive.
• OWASP's XSS Prevention Cheat Sheet

Aug 30: Request Forgery

Readings:

• CSRF Overview. Jesse Burns

Sept 1: Clickjacking

Readings:

• Overview by Robert Hansen (SecTheory) & Jeremiah Grossman (WhiteHat Security)
• Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites. Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson.

Sept 2: Session Management

Readings:

• Secure Session Management With Cookies for Web Applications. Chris Palmer
• Protecting Browser State from Web Privacy Attacks. Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell

Sept 6, 8: Introduction to Cryptography

Readings:

• Wikipedia on Cryptography. .
• New Directions in Cryptography. Whitfield Diffie and Martin Hellman.

Sept 9, 12: Authentication and Identity

Readings:

• The Laws of Identity. Kim Cameron
• Who Goes There? Authentication through the lens of privacy (chapter 5). National Academy of Sciences

Sept 13: Threat Modelling

Readings:

• Larry Osterman Blog--follow the first-sentence links.
• Uncover Security Design Flaws Using the STRIDE Approach. Shawn Herman and Scott Lambert and Tomasz Ostwald and Adam Shostack. (This is the tutorial we followed for lecture today)
• Software [In]security: Software Security Top 10 Surprises. Gary McGraw, Brian Chess, Sammy Migues

Sept 15: Access Control

Readings:

• XML Security: Control information access with XACML. Manish Verma

Sept 16: Capabilities

Readings:

• What is a capability, anyway?. Jonathan Shapiro
• ACLs Don't. Tyler Close.
• Google Caja

Sept 19-20: Attacking C Code

Readings:

• Smashing the Stack for Fun and Profit. Aleph One
• Shellcoding for Linux and Windows Tutorial. Steve Hanna
• Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. Crispin Cowan, et al.
• Exploiting Format String Vulnerabilities.
• Hacking: The Art of Exploitation (code link on page). Jon Erickson
• GDB quick reference

Sept 22-23: Robust C Programming

Readings:

• Robust Programming. Matt Bishop

Sept 26, 27, 30: Case Study Presentations

October 3, 7, 10: Case Study Presentations