CS361, Web Security, Fall 2017

Lecturer: Nick Nikiforakis
Teaching Assistant: Harpreet Singh Chawla (office hours)
Time: MW 5:30 PM - 6:50 PM
Office Hours: Thursday 4:00 PM - 5:00 PM, Friday 4:00 PM - 5:00 PM, and by appointment
Contact: nick[email squiggly thingy] cs.stonybrook.edu

  • Most of your requests (clarifications, questions about upcoming deadlines, projects, etc.) should be publicly asked on Piazza, so that other students can benefit from Q&As.
  • If you need to ask me something personal (that does not apply to the entire class), then you can send me an email. If you need to reach me through email, make sure your title starts with "[CSE 361]" (without the quotes). Mislabeled or unlabeled emails will, most likely, not be read.


Class Description

In this class, we will together explore the concepts behind web security. We will look at the core principles behind secure (and insecure) systems and how these principles apply to web applications. We will learn how the web works, how to find vulnerabilities, how attackers compromise web applications, and how to avoid these vulnerabilities when implementing and deploying your own web applications.

The course will consist of lectures, hands-on labs (likely done on the laptops of the students in class), a few select paper presentations by teams of students, and one (or two) small projects.

Some of the topics that we will cover are the following:


Following a long-standing tradition in security courses, there is no official textbook for this course. I am drawing inspiration mostly from the following books:

Requirements and Grading

Subject to minor tweaks throughout the semester.

Schedule and Reading Assignments

Date        Topic                                                              Reading Assignment(s)
8/28/2017   Introduction, Motivation and Definitions                           Reflections on Trusting Trust
9/04/2017   Labor Day, no class
9/06/2017   Authentication (continued)
9/11/2017   Authentication (continued)
9/13/2017   How the web works
9/18/2017   Lab 1 (in class)
9/20/2017   How the web works (continued)
9/25/2017   How the web works (continued)
9/27/2017   Access Control
10/02/2017  Access Control (continued)
10/04/2017  Crash course on cryptography
10/09/2017  SSL and TLS
10/11/2017  SSL and TLS (continued)
10/16/2017  Lab 2 (in class)
10/18/2017  Midterm (in class)
10/23/2017  No class (instructor away on research travel)
10/25/2017  SSL and TLS (continued)
10/30/2017  Attacks against the client-side of web applications
11/01/2017  No class (instructor away on research travel)
11/06/2017  Attacks against the client-side of web applications (continued)
11/08/2017  Attacks against the client-side of web applications (continued)   The Security Impact of HTTPS Interception
11/13/2017  Attacks against the server-side of web applications
11/15/2017  Attacks against the server-side of web applications (continued)
11/20/2017  Attacks against the user of web applications
11/22/2017  No class (Thanksgiving break)
11/27/2017  Firewalls, IDSs, Honeypots, and DoS attacks
11/29/2017  A brief introduction to online tracking
12/04/2017  Project presentations
12/06/2017  Project presentations


Note: If you have a physical, psychological, medical or learning disability that may impact on your ability to carry out assigned course work, please contact the staff in the Disabled Student Services office (DSS), Room 133, Humanities, 632-6748v/TDD. DSS will review your concerns and determine with you what accommodations are necessary and appropriate. All information and documentation of disability are confidential.

Note: Each student must pursue his or her academic goals honestly and be personally accountable for all submitted work. Representing another person's work as your own is always wrong. Any suspected instance of academic dishonesty will be reported to the Academic Judiciary. For more comprehensive information on academic integrity, including categories of academic dishonesty, please refer to the academic judiciary website at http://www.stonybrook.edu/commcms/academic_integrity/.