Web Application Security
BASIC DATA
course listing
A - main register
course code
ICS0027
course title in Estonian
Veebirakenduste turvalisus
course title in English
Web Application Security
course volume CP
-
ECTS credits
6.00
to be declared
yes
assessment form
Pass/fail assessment
teaching semester
autumn
language of instruction
Estonian
English
Study programmes that contain the course
code of the study programme version | course compulsory
IVCM25/25 | no
IVSB17/25 | no
Structural units teaching the course
IC - IT College
Course description link
Timetable link
Version:
VERSION SPECIFIC DATA
course aims in Estonian
The aim of the course is an introductory, basic-level overview of web application security. The course gives an overview of the most common attacks against web applications, explains their attack mechanisms and methods, and the general principles of building defences.
course aims in English
This course is an introduction to web application security. It gives an overview of common attacks against web applications, explains the mechanisms and methods of those attacks, and shows how to build defences against them.
learning outcomes in the course in Est.
- The student is familiar with the most common attack methods against web applications and the basic concepts related to them
- The student is familiar with the most common defences available for web applications
- The student is able to apply the most common web application defences in practice to web services

learning outcomes in the course in Eng.
After finishing the course, a student:
- is able to explain common attack methods and the concepts behind them.
- can explain defences against common attacks on web applications and apply them in practice.
brief description of the course in Estonian
Introduction. Information sources, CVE. Client-server communication, the HTTP protocol. HTTP methods, GET versus POST. HTTP versus HTTPS. Input data. HTML and HTML injection attacks. JavaScript and JavaScript injection attacks. URL and URL manipulation attacks. Browser security policy. Cookies and cookie manipulation. Sessions, session hijacking and session fixation attacks. OSRF/CSRF attacks. UI redress attacks (including ClickJacking and CursorJacking). Password security in web applications. Authentication and authentication-related attacks. Authorization and attacks against authorization. Google hacking. Code and command injection attacks. Uploading attack code, configuration. File handling (file extensions, public folders, execution, enumeration, etc.). File-based attacks: LFI, RFI, RCE, null byte, etc. Log-file-based attacks. SQL injection attacks.
brief description of the course in English
Introduction. Information sources, responsible disclosure, CVE. Client-server communication, the HTTP protocol. HTTP methods, GET vs POST. HTTP vs HTTPS. Input data. HTML and HTML injection attacks. JavaScript and JavaScript injection attacks. URL and URL manipulation attacks. Browser security policies. Cookies and cookie manipulation. Sessions, session hijacking and session fixation attacks. OSRF/CSRF (On-Site and Cross-Site Request Forgery). UI redress attacks (including ClickJacking and CursorJacking). Password security in the web application context. Authentication and attacks against authentication. Authorization and attacks against authorization, insecure direct object reference (IDOR) mistakes. Business logic implementation errors. Google hacking. Code and command injection. Source code and structure defence. Attack code upload, configuration. File handling (file extensions, public folders, execution, enumeration and guessing). File inclusion (LFI, RFI, leading to RCE; null-byte truncation). File upload. Other file insertion vectors (log files). SQL injection.
type of assessment in Estonian
-
type of assessment in English
-
independent study in Estonian
-
independent study in English
-
study literature
- Dafydd Stuttard, Marcus Pinto. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws, 2nd Edition. Wiley, 2011
- Bryan Sullivan, Vincent Liu. Web Application Security, A Beginner's Guide, 1st Edition. McGraw-Hill, 2011
- Nitesh Dhanjani, Billy Rios, Brett Hardin. Hacking: The Next Generation. O'Reilly, 2009
study forms and load
daytime study: weekly hours
4.0
  lectures: 2.0
  practices: 2.0
  exercises: 0.0
session-based study work load (in a semester):
  lectures: -
  practices: -
  exercises: -
lecturer in charge
-
LECTURER SYLLABUS INFO
semester of studies | teaching lecturer / unit | language of instruction
2025/2026 autumn | Ali Ghasempour, IC - IT College | English
2024/2025 autumn | Ali Ghasempour, IC - IT College | English
2023/2024 autumn | Andres Käver, IC - IT College | English
2022/2023 autumn | Andres Käver, IC - IT College | English
2021/2022 autumn | Andres Käver, IC - IT College | English
2020/2021 autumn | Andres Käver, IC - IT College | English
2019/2020 autumn | Andres Käver, IC - IT College | English