Web Application Security

Christoph von Praun und Ralf Reinhardt

Summer 2011

Entry of this class in the course catalog.
This lecture has been evaluated on June 17. Here are the results.

Date and Place

Friday, 9:45-13:00, Room W209; recitation class in Q413

Saturday 9:30-17:30 (block), Room W209; recitation class in Q413

Topics and Schedule (tentative)

Date, Topic, Assignment / Literature

Friday 25.03.: Overview, Introduction to Web Applications, Legislation [cvp]
  Exercise: Simple Webpage Analysis
  [Slides pdf] [Assignment 1: pdf] [HttpFox] [1]

Friday 08.04.: JavaScript Concepts [cvp]
  Exercise: Simple JavaScript development, debugging JavaScript with FireBug
  [Slides pdf (updated on April 21)] [Assignment 2: pdf] [2, 3]

Friday 15.04.: Advanced JavaScript: Hiding and Obfuscating Code in Webpages [cvp]
  Exercise: Reading and writing simple snippets of obfuscated code
  [Slides pdf] [Assignment 3: pdf]

Saturday 30.04.: OWASP Top-10 [rr]
  Exercise: Hands-on security vulnerabilities and exploits

Friday 06.05.: Engineering Malware [cvp]
  Exercise: Deconstructing JavaScript worms
  [Slides pdf] [Assignment 4: pdf] [4, 5]

Friday 13.05.: Exercise: Deconstructing JavaScript worms (continued)

Friday 20.05.: Malware Protection [cvp]
  Exercise: Content Security Policy (CSP)
  [Slides pdf] [Assignment 5: pdf] [graph_example.html] [10]

Saturday 21.05.: OWASP Top-10 [rr]
  Exercise: Hands-on security vulnerabilities and exploits

Saturday 04.06.: OWASP Top-10 [rr]
  Exercise: Hands-on security vulnerabilities and exploits

Friday 17.06.: Client-Side State [cvp]
  Exercise: HTTP Cookies
  [Slides pdf (updated on June 17)] [Assignment 6: pdf]
  Privacy Leaks [cvp]
  [Slides pdf] [11, 12]

Saturday 02.07.: OWASP Top-10 [rr]
  Exercise: Hands-on security vulnerabilities and exploits



Web Applications

  1. Mario Heiderich, Christian Matthies, Johannes Dahse, fukami: Sichere Webanwendungen: Das Praxisbuch - Kapitel 2: Rechtslage, Galileo Computing, 2008.


  2. JavaScript: Principles, Object Model, Security Model. Several references, e.g. Doug Crockford's Google Tech Talk: JavaScript: The Good Parts. [youtube]
  3. Douglas Crockford: JavaScript: The Good Parts, O'Reilly, 2008.


  4. Samy Kamkar: Technical explanation of The MySpace Worm, last visited on 18-03-2011. [html]
  5. George Ledin, Jr.: The growing harm of not teaching malware, Communications of the ACM, Volume 54, Issue 2, February 2011. [pdf]

Client-Side State and Browser Security

  6. Billy Hoffman, Bryan Sullivan: Ajax Security - Chapter 8: Attacking Client-Side Storage, Addison Wesley, 2008. [online-book]
  7. Artur Janc, Lukasz Olejnik: Feasibility and Real-World Implications of Web Browser History Detection. [paper-pdf]
  8. Collin Jackson, Andrew Bortz, Dan Boneh, John C. Mitchell: Protecting Browser State from Web Privacy Attacks, WWW Conference, 2006. [paper-pdf]
  9. Peter Eckersley: How Unique Is Your Web Browser? [paper-pdf]
  10. Brandon Sterne: Content Security Policy. [www] [CSP bookmarklet] [CSP bookmarklet source]


  11. Arnold Roosendaal: Facebook Tracks and Traces Everyone: Like This!, SSRN Report, 2010. [paper-pdf]
  12. Balachander Krishnamurthy, Craig E. Wills: Privacy Diffusion on the Web: A Longitudinal Perspective, WWW Conference, 2009. [paper-pdf]

Firefox / Plugins

  13. Mozilla Foundation: Plug-In Development Overview, last visited on 18-03-2011. [html]

Security Vulnerabilities

  14. The Open Web Application Security Project (OWASP): Top 10, last visited on 18-03-2011. [pdf]

Last Change: June 17, 2011.