WEB APPLICATION SECURITY

SHE Level 4
SCQF Credit Points 20.00
ECTS Credit Points 10.00
Module Code MHI125244
Module Leader Kenneth Ovens
School School of Computing, Engineering and Built Environment
Subject Cyber Security and Networks
Trimester
  • B (January start)

Pre-Requisite Knowledge

Ethical Hacking or equivalent.

Summary of Content

Web application vulnerabilities can pose serious problems to the security of an organisation as well as the security of its clients. The aim of this module is to provide students with an understanding of the most prevalent web application vulnerabilities, their causes and consequences, as well as methodologies for testing for evidence of vulnerabilities within applications and for protecting against them. In this module students utilise techniques of ethical hacking to discover and exploit vulnerabilities in Web applications. Students use tools in this process and critically analyse the role of tools in the discovery of vulnerabilities. They critically evaluate security breaches that stem from vulnerabilities in web applications. This module has been designed to provide students with the structured knowledge needed to discover vulnerabilities and recommend solutions for improving web application security and protecting data from potential attackers. The percentage of Work Based Learning for this module, as represented by the proportion of the Activity Types which take place off campus, is 78%. The percentage of Work Based Assessment for this module is 50%.

Syllabus

Common website vulnerabilities. Browser security. HTTP & HTTPS basics. Web application penetration tester's methodology. Web application attacks, including injection attacks, cross-site scripting. Exploiting design, implementation and logic flaws.

Learning Outcomes

On successful completion of this module a student should be able to:
  • Critically appraise common Web application vulnerabilities.
  • Discuss the implications of common vulnerabilities and recommend ways to rectify or mitigate them.
  • Utilise appropriate penetration testing tools for a given scenario and understand their output.
  • Understand the approaches and methodologies used when performing a penetration test.
  • Implement a penetration testing strategy to identify and analyse Web application vulnerabilities.
  • Exploit common vulnerabilities in web applications.

Teaching / Learning Strategy

Work Based Education aims to maximise the direct and digitally mediated contact time with students by practicing teaching and learning strategies that use authentic work based scenarios and encourage action learning, enquiry based learning, problem based learning and peer learning. All these approaches aim to directly involve the students in the process of learning and to encourage sharing of learning between students. The module team will determine the level and accuracy of knowledge acquisition at key points in the delivery, inputting when necessary either directly or with the support of external experts who will add to the authenticity, the credibility and application of the education and learning in the workplace. The Learning and Teaching Strategy is informed by the University's Strategy for Learning. The course material will be introduced through online presentations as well as guided reading material made available on GCULearn. These are supported by practical exercises, and there will be seminars on campus which will allow students to discuss key concepts and issues with peers and tutors. Students will be expected to undertake a significant level of independent study within the workplace, including practical activities, and links will be provided to appropriate external material such as articles, podcasts and videos to supplement the module content. Students will be encouraged to reflect upon the theoretical learning within the workplace and the application of newly learned concepts to the work environment, and this will form part of the module assessment. Students will receive feedback on their performance throughout the module through undertaking the practical assignments and tutorial exercises and participating in the seminars.

Indicative Reading

  • Stuttard, D. and Pinto, M. (2011) The Web Application Hacker's Handbook, 2nd ed., John Wiley & Sons, Inc.
  • Zalewski, M. (2011) The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press.
  • Clarke, J. (2009) SQL Injection Attacks and Defense, Syngress.
  • EC-Council (2010) Ethical Hacking and Countermeasures Series, EC-Council.

Transferable Skills

Logical thinking and problem solving. Critical analysis. Communication skills (electronic, written, oral and listening) necessary to make effective presentation of a technical nature (information, ideas, problems and their solutions) to a range of audiences. Creativity, innovation and independent thinking. Ability to prioritise tasks and time management (organising and planning work).

Module Structure

Activity                     Total Hours
Lectures (FT)                      24.00
Independent Learning (FT)         108.00
Seminars (FT)                      24.00
Assessment (FT)                    20.00
Practicals (FT)                    24.00

Assessment Methods

Component             Duration (hours)   Weighting (%)   Threshold   Description
Coursework 1          2.00               50.00           35%         Lab exam
Exam (Exams Office)   2.00               50.00           35%         Unseen written exam