Security for the Web: Introduction

Loading...

來自 University of Maryland, College Park 的課程

Software Security

684 個評分

University of Maryland, College Park

Software Security

684 個評分

課程 2（共 5 門，Specialization Cybersecurity）

This course we will explore the foundations of software security. We will consider important software vulnerabilities and attacks that exploit them -- such as buffer overflows, SQL injection, and session hijacking -- and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, we take a "build security in" mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. Successful learners in this course typically have completed sophomore/junior-level undergraduate work in a technical field, have some familiarity with programming, ideally in C/C++ and one other "managed" program language (like ML or Java), and have prior exposure to algorithms. Students not familiar with these languages but with others can improve their skills through online web tutorials.

從本節課中

WEB SECURITY

Web security: Attacks and defenses

Security for the Web: Introduction3:33

Web Basics10:31

SQL Injection10:35

SQL Injection Countermeasures9:17

Web-based State Using Hidden Fields and Cookies13:51

Session Hijacking6:55

Cross-site Request Forgery - CSRF6:36

Cross-site Scripting13:39

Interview with Kevin Haley21:13

與講師見面

Michael Hicks
Professor
Department of Computer Science

[SOUND] So

far, we have focused on programs written in C and C++.

We've examined how vulnerabilities in programs written in these languages

can lead to attacks that violate memory safety.

Resulting in code injection or lack of sensitive data.

We've also looked at various defenses against these attacks,

one effective defense is to use a memory safe programming language.

In this unit, we turn our attention to internet security

focusing on applications that are part of the World-Wide Web.

While many web applications are implemented in type-safe languages, and

thus avoid memory safety issues, they have their own sets of problems.

These problems go by names like SQL injection, Cross-site Scripting,

Cross-site Request Forgery, and Session Hijacking.

Interestingly, the issue's underlying web vulnerabilities are sometimes very similar

to memory vulnerabilities.

For example, sequel injection, SQL injection and

cross side scripting arise because like buffer overflows the applications failure

to properly validate it's input results in it treating data as if it were code.

Modern web, sometimes called web 2.0,

brings in the additional complication of mobile code.

In particular when you visit a website,

code from that site will be silently downloaded to your machine, and then run.

Well how do you ensure that this code does not violate the security of other programs

running in your browser or on your machine the outline for this unit is as follows.

First, we will look into the technical details of the basic world wide web.

We will see how typical web applications are structured at the client and

at the server.

We'll examine HTTP, the hypertext transfer protocol which client and

servers use to communicate.

We'll see how improper interaction with the database on the server

can enable an attack called sequel injection.

Next we'll look at how web applications implement a femoral,

that is short lived, non persistent state.

Such state is useful during a long lived session.

Typically a femoral state is implemented using hidden form fields and cookies.

Unfortunately, sloppy use of these features can lead to attacks such as

session hijacking and cross-site request forgery or CSRF.

With these attacks, an adversary can take over a user's account or

manipulate an application to act for that user.

But in the adversaries interests.

Finally we'll look at so called web 2.0 which characterizes the modern web.

The modern web makes heavy use of mobile code,

often written in the language JavaScript.

JavaScript programs originate at a server but run at the client.

Running code at the client creates new possibilities for attack.

One of which is called Cross-site Scripting of XSS.

With XSS, a user's tricked into running code he thinks is from a trusted website.

But in fact it's from a malicious source.

Throughout the unit, we will look at various defenses to these attacks.

One common theme of all of the defenses should be familiar, validate your input.

So let's begin by looking at the basics of the web 1.0.

探索我們的目錄

免費加入並獲得個性化推薦、更新和優惠。

Coursera 致力於普及全世界最好的教育，它與全球一流大學和機構合作提供在線課程。

© 2018 Coursera Inc. 保留所有權利。

通過 App Store 下載

通過 Google Play 獲取