DFCS H3021: Web Application Security
Short Title: Web Application Security APPROVED
Full Title: Web Application Security
Module Code: DFCS H3021
ECTS credits: 5
NFQ Level: 7
Module Delivered in no programmes
Module Contributor: Mark Cummins
Module Description: Modern cyber defense requires a realistic and thorough understanding of web application security issues. This module will enable students to capably assess a web application's security posture and convincingly demonstrate the impact of inadequate security that plagues most organisations. Students will come to understand major web application flaws and their exploitation and, most importantly, learn a field-tested and repeatable process to consistently find these flaws and convey what they have learned to their organisations.
Learning Outcomes:
On successful completion of this module the learner will be able to
1. Apply a detailed methodology to web application penetration tests.
2. Analyse the results from automated web testing tools to remove false positives and validate findings. Manually discover key web application flaws.
3. Analyse traffic between the client and the server application using proxy tools to find security issues within the client-side application code.
4. Create configurations and test payloads for other web attacks.
Page 1 of 3
Module Content & Assessment
Indicative Content
Overview of the web from a penetration tester's perspective
Exploring the various servers and clients. Discussion of the various web architectures. Discovering how session state works. Discussion of the different types of vulnerabilities. Defining a web application test scope and process. Defining types of penetration testing.
Reconnaissance and mapping
Discovering the infrastructure within the application. Identifying the machines and operating systems. Secure Sockets Layer (SSL) configurations and weaknesses. Exploring virtual hosting and its impact on testing. Learning methods to identify load balancers. Software configuration discovery. Exploring external information sources. Google hacking. Learning tools to spider a website. Scripting to automate web requests and spidering. Application flow charting. Relationship analysis within an application. JavaScript for the attacker.
Vulnerability discovery
Web app vulnerabilities and manual verification techniques. Interception proxies. Information leakage and directory browsing. Username harvesting. Command injection. Directory traversal. SQL injection. Blind SQL injection. Cross-Site Scripting (XSS). Cross-Site Request Forgery (CSRF). Session flaws. Logic attacks. API attacks. Data binding attacks. Automated web application scanners.
Exploitation
Exploring methods to zombify browsers. Discussing using zombies to port scan or attack internal networks. Exploring attack frameworks. Exploiting the various vulnerabilities discovered. Leveraging attacks to gain access to the system. How to pivot our attacks through a web application. Exploiting applications to steal cookies. Executing commands through web application vulnerabilities.
Indicative Assessment Breakdown %
Course Work Assessment %: 100.00%

Course Work Assessment %
Assessment Type             | Assessment Description                                                   | Outcome addressed | % of total | Assessment Date
Project                     | Perform reconnaissance and mapping stage of a web penetration test.      | 1,2               | 25.00      | Week 5
Project                     | Perform discovery and exploitation stage of a web penetration test.      | 3,4               | 25.00      | Week 10
Practical/Skills Evaluation | Perform a complete web penetration test.                                 | 1,2,3,4           | 50.00      | Week 12
No Final Exam Assessment %
Indicative Reassessment Requirement
Coursework Only
This module is reassessed solely on the basis of re-submitted coursework. There is no repeat written examination.
ITB reserves the right to alter the nature and timings of assessment
Indicative Module Workload & Resources
Indicative Workload: Full Time
Frequency Indicative Average Weekly Learner Workload
Every Week 2.00
Every Week 2.00
Every Week 3.00
Indicative Workload: Part Time
Frequency Indicative Average Weekly Learner Workload
Every Week 2.00
Every Week 2.00
Every Week 3.00
Resources
Recommended Book Resources
Dafydd Stuttard, Marcus Pinto, The Web Application Hacker's Handbook, Wiley [ISBN: 1118026470]
Michal Zalewski, The Tangled Web, No Starch Press [ISBN: 1593273886]
Supplementary Book Resources
Bryan Sullivan, Vincent Liu, Web Application Security, A Beginner's Guide, McGraw-Hill Osborne Media [ISBN: 0071776168]
This module does not have any article/paper resources
Other Resources
Website: The Open Web Application Security Project (OWASP), https://www.owasp.org/