Web Security
Learn the principles and techniques of securing web applications
Samer Aoudi
Available Feb 2023 English 0
Course Description
This course covers the principles and techniques of securing web applications and servers, including topics such as cross-site scripting, SQL injection, and web application firewalls.
Learning Outcomes
Course Access
Read
Full access to digital learning materials
Watch
Dedicated YouTube Playlist for web application security
Apply
Apply your knowledge in a controlled lab environment
Course Outline
Target Audience
This course is suitable for students with a background in computer science or web development who are interested in learning about the principles and techniques of securing web applications and servers.
Edition
This is the first edition of the book, published on January 7, 2023.
Course Modules
Module 1 - Introduction to Web Security:
This module covers the basic concepts and principles of web security, including types of threats and vulnerabilities, and common technologies and tools. It introduces students to the key issues and challenges related to protecting web applications, web servers, and networks from attack and exploitation.
Module 2 - Identification, Authentication, and Access Control:
This module introduces digital identity along with its associated processes, such as determining the validity of an identity claim (Authentication) and dictating who is authorized to access information resources (Access Control). The module explains security flaws associated with Identification, Authentication, and Access Control. Different attack vectors are presented, and prevention measures and techniques are outlined.
Module 3 - Cryptographic Failures:
This module explains the root cause of sensitive data exposure; namely, Cryptographic Failures. Different attack vectors are presented, and prevention measures and techniques are outlined.
Module 4 - Injection:
This module covers the types of injection attacks, including SQL injection, command injection, and script injection. The module also covers the methods that attackers use to carry out injection attacks and the countermeasures that can be taken to prevent or mitigate these attacks.
Module 5 - Insecure Design:
This module covers the common web application design and architecture vulnerabilities that can be exploited by attackers and the best practices for avoiding these vulnerabilities. The module also covers the importance of following secure design principles throughout the development life cycle and the role of secure design in mitigating the risks of web security threats and vulnerabilities.
Module 6 - Security Misconfiguration:
This module covers the common web application security misconfigurations that can be exploited by attackers and the best practices for avoiding these misconfigurations.
Module 7 - Vulnerable and Outdated Components:
This module covers the principles and practices of identifying and managing the risks of using vulnerable and outdated software components in web applications, with a focus on the common vulnerabilities that can be introduced by using vulnerable and outdated components, and the best practices for avoiding these vulnerabilities.
Module 8 - Software and Data Integrity Failures:
This module covers the principles and practices of protecting the integrity of software and data in web applications, with a focus on the common integrity failures that can be exploited by attackers, and the best practices for avoiding these failures.
Module 9 - Security Logging and Monitoring Failures:
This module covers the principles and practices of security logging and monitoring in web applications, with a focus on the common logging and monitoring failures that can be exploited by attackers, and the best practices for avoiding these failures. The module also covers topics such as log management, event logging, and incident response.
Module 10 - Server-Side Request Forgery:
This module covers the principles and practices of protecting web applications and servers from Server-Side Request Forgery (SSRF) attacks. SSRF is a type of attack in which an attacker is able to make a vulnerable web application send arbitrary requests on the attacker's behalf, in order to access protected resources or perform unauthorized actions.
Legal
Some of the product names and company names used in this course have been used for identification purposes only and may be trademarks or registered trademarks of their respective organizations. The software tools and applications in this course are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author does not offer any warranties or representations, nor does he accept any liabilities with respect to the programs.
© 2022-2023 Samer Aoudi
#cybersecurity #etextbook #websecurity #pentesting #onlinelessons