MODULE DESCRIPTOR
Module Title
Web Security
Reference: CM3105
Version: 5
Created: June 2022
Approved: July 2016
Amended: July 2022
SCQF Level: SCQF 9
SCQF Points: 15
ECTS Points: 7.5

Aims of Module
To provide students with an understanding of the main security threats to web-based systems, and to develop their skills in identifying weaknesses in web-based systems and in preventing attacks or hardening those systems against them.

Learning Outcomes for Module
On completion of this module, students are expected to be able to:
1 Identify and analyse web systems for possible security weaknesses.
2 Understand and explain how web system weaknesses can be exploited.
3 Critically appraise security techniques for the design of web based systems.
4 Implement security features to harden web based systems against attack.
5 Exploit known vulnerabilities to test the security of web based systems.

Indicative Module Content
Key concepts of identifying, exploiting and defending against attacks on web applications and web systems. This includes aspects that are the responsibility of the developer or system administrator, such as server configuration, authentication mechanisms and application language configuration. The module will demonstrate a number of exploits and attacks that can be performed on web systems, and methods to protect against them, including defacement, shell scripting, privilege escalation, cache poisoning, XPath and XQuery injection, cross-site request forgery, and application coding errors such as SQL injection and cross-site scripting. The module will also look at vulnerabilities in the execution environment, including web and mobile browser vulnerabilities and exploits. Standards and Best Practice Guides: ISO 27001, ISO 27014, ISO 27034.
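As an added illustration of the "application coding error" category above (this is example code written for this page, not material from the module or the university), the block below places a login check built by string concatenation beside its parameterised form and runs the same injection payloads against both. The table, the user record and the payloads are constructed for the example; only Python's standard sqlite3 module is used.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (sample data, not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Coding error: user input is spliced into the SQL text, so quotes and
    keywords in the input are parsed as SQL syntax rather than as data."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Hardened form: the query text is fixed and the inputs are bound as
    parameters, so the database never interprets them as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed payloads. The first turns the WHERE clause into
# "... AND password = '' OR '1'='1'", which is always true; the second closes
# the username literal and comments out the password check entirely.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_COMMENT = "alice'--"


def demo():
    """Run both implementations against valid and malicious input and return
    the outcomes so they can be inspected or asserted on."""
    conn = make_db()
    try:
        return {
            "vulnerable_valid": login_vulnerable(conn, "alice", "s3cret"),
            "vulnerable_tautology_bypass": login_vulnerable(conn, "alice", PAYLOAD_TAUTOLOGY),
            "vulnerable_comment_bypass": login_vulnerable(conn, PAYLOAD_COMMENT, "wrong"),
            "hardened_valid": login_hardened(conn, "alice", "s3cret"),
            "hardened_tautology_bypass": login_hardened(conn, "alice", PAYLOAD_TAUTOLOGY),
            "hardened_comment_bypass": login_hardened(conn, PAYLOAD_COMMENT, "wrong"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point students should take from running it is that the hardened version is not "the same query with escaping added": the query text is constant and the payload simply becomes a username or password value that matches nothing. The same separation of code from data is the defence against the XPath and XQuery injection listed above, where a parameterised or pre-compiled expression replaces string-built queries.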

Module Delivery
Key concepts of design and development practice are introduced through the one-hour lectures. The main emphasis of the module is on the lab sessions, where students are given practical demonstrations of the exploits and defences being studied. The module gives students access to custom-configured web systems and applications with known vulnerabilities. Although these systems are hosted in safe, sandboxed environments, they provide a realistic platform on which to carry out simulated attack and defence exercises. In the final week of the module, students are pitted against each other in a capture-the-flag exercise in which teams take turns to attack and defend a provided system.

Indicative Student Workload                                   Full Time   Part Time
Contact Hours                                                 30          N/A
Non-Contact Hours                                             120         N/A
Placement/Work-Based Learning Experience [Notional] Hours     N/A         N/A
TOTAL                                                         150         N/A
Actual Placement hours for professional, statutory or regulatory body

ASSESSMENT PLAN
If a major/minor model is used and box is ticked, % weightings below are indicative only.
Component 1
Type: Coursework Weighting: 100% Outcomes Assessed: 1, 2, 3, 4, 5
Description: Short-term release-and-submit coursework covering all learning outcomes.

MODULE PERFORMANCE DESCRIPTOR
Explanatory Text
The calculation of the overall grade for this module is based on 100% weighting of C1. An overall minimum grade of D is required to pass this module.
Module Grade Minimum Requirements to achieve Module Grade:
A The student needs to achieve an A in C1.
B The student needs to achieve a B in C1.
C The student needs to achieve a C in C1.
D The student needs to achieve a D in C1.
E The student needs to achieve an E in C1.
F The student needs to achieve an F in C1.
NS Non-submission of work by published deadline or non-attendance for examination

Module Requirements
Prerequisites for Module None.
Corequisites for module None.
Precluded Modules None.

INDICATIVE BIBLIOGRAPHY
1 SPASOJEVIC, B., 2015. Gray Hat Hacking: The Ethical Hacker's Handbook. 4th ed. McGraw-Hill Education.
2 SHEMA, M., 2012. Hacking Web Apps: Detecting and Preventing Web Application Security Problems. Syngress.
3 LONG, J., 2016. Google Hacking for Penetration Testers. Elsevier.
4 Computer Security Student - Web hacking tutorials https://computersecuritystudent.com [Accessed: July 2016].


Robert Gordon University, Garthdee House, Aberdeen, AB10 7QB, Scotland, UK: a Scottish charity, registration No. SC013781