PTCCS374 Web Application Security Syllabus – Anna University Part-time Regulation 2023
COURSE OBJECTIVES:
To understand the fundamentals of web application security
To cover the wide range of aspects involved in the secure development and deployment of web applications
To learn how to build secure APIs
To learn the basics of vulnerability assessment and penetration testing
To gain an insight into hacking techniques and tools
UNIT I FUNDAMENTALS OF WEB APPLICATION SECURITY
The history of software security – Recognizing web application security threats, Web application security, Authentication and authorization, Secure Sockets Layer (SSL), Transport Layer Security (TLS), Session management – Input validation
UNIT II SECURE DEVELOPMENT AND DEPLOYMENT
Web application security – Security testing, Security incident response planning, The Microsoft Security Development Lifecycle (SDL), OWASP Comprehensive Lightweight Application Security Process (CLASP), The Software Assurance Maturity Model (SAMM)
UNIT III SECURE API DEVELOPMENT
API security – Session cookies, Token-based authentication, Securing Natter APIs: Addressing threats with security controls, Rate limiting for availability, Encryption, Audit logging, Securing service-to-service APIs: API keys, OAuth2, Securing microservice APIs: Service mesh, Locking down network connections, Securing incoming requests.
UNIT IV VULNERABILITY ASSESSMENT AND PENETRATION TESTING
Vulnerability assessment lifecycle, Vulnerability assessment tools: Cloud-based vulnerability scanners, Host-based vulnerability scanners, Network-based vulnerability scanners, Database-based vulnerability scanners, Types of penetration tests: External testing, Web application testing, Internal penetration testing, SSID or wireless testing, Mobile application testing.
UNIT V HACKING TECHNIQUES AND TOOLS
Social engineering, Injection, Cross-Site Scripting (XSS), Broken authentication and session management, Cross-Site Request Forgery (CSRF), Security misconfiguration, Insecure cryptographic storage, Failure to restrict URL access, Tools: Comodo, OpenVAS, Nexpose, Nikto, Burp Suite, etc.
30 PERIODS
PRACTICAL EXERCISES: 30 PERIODS
1. Install Wireshark and explore the various protocols
a. Analyze the difference between HTTP and HTTPS
b. Analyze the various security mechanisms embedded in different protocols.
2. Identify vulnerabilities using the OWASP ZAP tool
3. Create a simple REST API using Python supporting the following operations
a. GET
b. PUT
c. POST
d. DELETE
4. Install Burp Suite and use it to identify the following vulnerabilities:
a. SQL injection
b. Cross-site scripting (XSS)
5. Attack the website using a social engineering method
COURSE OUTCOMES:
CO1: Understand the basic concepts of web application security and the need for it
CO2: Be acquainted with the process for secure development and deployment of web applications
CO3: Acquire the skill to design and develop secure web applications that use secure APIs
CO4: Understand the importance of carrying out vulnerability assessment and penetration testing
CO5: Acquire the skill to think like a hacker and to use a hacker's tool sets
TOTAL: 60 PERIODS
TEXT BOOKS
1. Andrew Hoffman, Web Application Security: Exploitation and Countermeasures for Modern Web Applications, First Edition, 2020, O'Reilly Media, Inc.
2. Bryan Sullivan and Vincent Liu, Web Application Security: A Beginner's Guide, 2012, The McGraw-Hill Companies.
3. Neil Madden, API Security in Action, 2020, Manning Publications Co., NY, USA.
REFERENCES
1. Michael Cross, Developer's Guide to Web Application Security, 2007, Syngress Publishing, Inc.
2. Ravi Das and Greg Johnson, Testing and Securing Web Applications, 2021, Taylor & Francis Group, LLC.
3. Prabath Siriwardena, Advanced API Security, 2020, Apress Media LLC, USA.
4. Malcolm McDonald, Web Security for Developers, 2020, No Starch Press, Inc.
5. Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams, Gray Hat Hacking: The Ethical Hacker's Handbook, Third Edition, 2011, The McGraw-Hill Companies.
