The University of Arizona

CSc 397b -- Secure Web Application Development with PHP and MySQL

Fall 2008

Contact Information
Please see the syllabus to know who to direct your specific questions to.
Instructor: Justin Samuel (email: jsamuel)
Instructor of Record: Rick Mercer (email: mercer)
Week 1:
Aug 25
The plan
  • Course Introduction
  • Go through syllabus
  • Walk through download and usage of a userspace WAMP system: Uniform Server.
  • Walk through download and usage of Eclipse+PDT all-in-one package
  • High level discussion of how web applications work.
  • Security demonstration: Cross-Site Scripting (XSS). Just a quick demo to give an initial idea of how web applications can be insecure. We will go into more detail throughout the rest of the course.
Assignment
Before 2nd class (two weeks after 1st class, due to holiday), please:
  • Make sure you have Uniform Server and Eclipse+PDT working in the lab - email Justin if you have difficulties with either of these.
  • Read Bruce Schneier's article Debating Full Disclosure
  • Read The Chilling Effect from CSOOnline.com.
Week 2:
Sep 1
No class

I can has Labor day?

Week 3:
Sep 8
The plan
  • Students will be encouraged to sign up for the ua-cs397b-fall08 Google Group. This will be a place for students to ask questions, for announcements to be made, etc.
  • Make sure everyone has Uniform Server up and running.
  • For those who didn't get Eclipse+PDT working, that's fine, Textpad can be used and is already installed in the lab.
  • Discuss the articles everyone read (see above) and strongly emphasize caution with respect to pen testing: test only applications installed on your own machine, never live sites you do not own or have permission to test.
  • Go through lesson 2 [Zip file]
    • Intro to HTML
    • Intro to CSS
    • Intro to PHP
    • Intro to forms and form data processing
  • Discuss non-persistent Cross Site Scripting (XSS) attacks
    • Show that htmlspecialchars (even with ENT_QUOTES) is not enough on its own to prevent XSS: it only protects the HTML body and quoted attribute values, not unquoted attributes, URL attributes, or JavaScript contexts.
    • Discuss and demonstrate filter evasion.
    • Useful resource for learning and testing: XSS Cheat Sheet
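The following PHP is an added example, not part of the lesson 2 zip file or the XSS Cheat Sheet. It shows three output contexts in which htmlspecialchars() with ENT_QUOTES is applied and a payload still executes, each next to the fix. The helper names esc(), safe_href() and js_string_in_attr() are invented for this example, and the three payloads are constructed attacker inputs; the json_encode() JSON_HEX_* flags need PHP 5.3 or later.

```php
<?php
// Added example (not course code): where htmlspecialchars(..., ENT_QUOTES)
// is applied and XSS still works, and what to do instead.

function esc($s) {
    // Encodes only < > & " and ' (with ENT_QUOTES). Nothing else is touched.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 1. Unquoted attribute value. The space and '=' in the payload survive
//    escaping, so the browser reads "onmouseover=alert(1)" as a second
//    attribute of the <input>. Fix: always put attribute values in quotes;
//    then the only way out is a quote, and esc() encodes those.
$payload = 'x onmouseover=alert(1)';
$broken  = '<input name="q" value=' . esc($payload) . '>';
$fixed   = '<input name="q" value="' . esc($payload) . '">';
echo "1 broken: $broken\n1 fixed:  $fixed\n\n";

// 2. URL attribute. "javascript:alert(1)" contains none of the five
//    characters esc() encodes, so it comes back unchanged and runs on click.
//    Fix: allow-list the scheme before escaping (relative URLs have none).
function safe_href($url) {
    $parts  = parse_url($url);
    $scheme = ($parts !== false && isset($parts['scheme'])) ? strtolower($parts['scheme']) : '';
    if ($scheme !== '' && $scheme !== 'http' && $scheme !== 'https') {
        return '#';
    }
    return esc($url);
}
$payload = 'javascript:alert(1)';
$broken  = '<a href="' . esc($payload) . '">profile</a>';
$fixed   = '<a href="' . safe_href($payload) . '">profile</a>';
echo "2 broken: $broken\n2 fixed:  $fixed\n\n";

// 3. Inline event handler. The browser HTML-decodes an attribute value
//    before handing it to the JavaScript engine, so the &#039; that esc()
//    produced becomes a real quote again and the payload ends the JS string.
//    Fix: encode for JavaScript first (json_encode with the JSON_HEX_* flags
//    makes every quote, <, > and & a \uXXXX escape), then for HTML.
function js_string_in_attr($s) {
    $js = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return esc($js);
}
$payload = "');alert(1);//";
$broken  = '<button onclick="show(\'' . esc($payload) . '\')">show</button>';
$fixed   = '<button onclick="show(' . js_string_in_attr($payload) . ')">show</button>';
echo "3 broken: $broken\n3 fixed:  $fixed\n";
```

The general rule is that the encoder has to match the context the data lands in: HTML body, quoted attribute, URL, and JavaScript each have their own rules, and a single htmlspecialchars() call only covers the first two. For case 3 the cleanest fix is to avoid inline handlers entirely and attach them from a script that reads the value out of a data- attribute.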
Week 4:
Sep 15
The plan
  • Lesson 3 [Zip file]
    • Further discussion of Non-persistent XSS
    • Intro to JavaScript
    • OOP in PHP
    • PHP Sessions
    • Session hijacking
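As an added example (not from the lesson 3 zip file), here is the session handling a PHP application needs to blunt the two usual hijacking routes: a session id stolen in transit or via XSS, and a session id fixated on the victim before login. The function names login_user(), current_user() and logout_user() are invented for the example; it assumes PHP 5.2 or later for the httponly cookie flag and that the site is served over HTTPS, otherwise the secure flag would lock everyone out.

```php
<?php
// Added example (not course code): session settings and login/logout logic
// that resist session hijacking and session fixation.

// Cookie hardening has to be set before session_start() sends the cookie.
//   secure   - the browser sends the id only over HTTPS, so it cannot be
//              sniffed on an open network
//   httponly - document.cookie cannot read it, so an XSS bug cannot mail it
//              to the attacker
session_set_cookie_params(0, '/', '', true, true);
// Never accept a session id from the URL (?PHPSESSID=...); that is exactly
// how an attacker plants a session id on a victim.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_start();

function login_user($user_id) {
    // Fixation defence: whatever id the client arrived with, possibly one
    // the attacker chose, is discarded and a fresh one issued at the moment
    // the user becomes authenticated. The attacker's copy of the old id is
    // now worthless. The "true" deletes the old session data on the server.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user_id;
    $_SESSION['last_seen'] = time();
}

// Returns the logged-in user id, or null. The idle timeout limits how long
// a stolen id stays usable after the victim walks away.
function current_user($idle_limit = 900) {
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > $idle_limit) {
        logout_user();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}

function logout_user() {
    $_SESSION = array();
    // Expire the cookie on the client as well as destroying the server copy.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Two things deliberately not done here: binding the session to the client IP address (it breaks users behind proxies and on mobile networks and does not stop an attacker on the same network), and regenerating the id on every request (concurrent Ajax requests then race each other and randomly log the user out). Regenerate on login and on any other privilege change, and keep the id in an httponly, secure cookie.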
Week 5:
Sep 22
The plan
  • Lesson 4 [Zip file]
    • Intro to Databases! (that is, MySQL)
      • Using phpMyAdmin
      • Creating a database
      • Talking to MySQL through PHP
      • INSERTing and SELECTing
      • Sanitizing user input and SQL injection
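An added example (not from the lesson 4 zip file) of the same lookup written vulnerably and with prepared statements. It uses PDO against an in-memory SQLite database so that it runs on its own without a MySQL server; the table, its two rows, and the two attacker inputs are constructed for the example, and the function names are invented. Changing the DSN to 'mysql:host=localhost;dbname=shop' and adding a username and password runs the identical code against MySQL.

```php
<?php
// Added example (not course code): SQL injection through string splicing,
// and the prepared-statement fix, for a text column and a numeric column.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");
$db->exec("INSERT INTO users (username) VALUES ('bob')");

// VULNERABLE: the input is pasted into the SQL text. A quote in it ends the
// string literal and everything after is parsed as SQL.
function find_user_vulnerable(PDO $db, $username) {
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// VULNERABLE: numeric columns are normally compared without quotes, so
// escaping quote characters would not even help here; "1 OR 1=1" goes in
// as-is and the WHERE clause matches every row.
function find_by_id_vulnerable(PDO $db, $id) {
    $sql = 'SELECT id, username FROM users WHERE id = ' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: a prepared statement sends the statement and the value separately.
// The value is never parsed as SQL, whatever characters it contains.
function find_user(PDO $db, $username) {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute(array($username));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: cast to int first and bind with an explicit integer type, so the
// value is a number before the driver ever sees it.
function find_by_id(PDO $db, $id) {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker inputs: a classic tautology for the text column and
// a bare boolean for the numeric one.
$tautology = "' OR '1'='1";
$numeric   = '1 OR 1=1';
printf("username lookup: vulnerable=%d rows, prepared=%d rows\n",
    count(find_user_vulnerable($db, $tautology)), count(find_user($db, $tautology)));
printf("id lookup:       vulnerable=%d rows, prepared=%d rows\n",
    count(find_by_id_vulnerable($db, $numeric)), count(find_by_id($db, $numeric)));
```

Run it and the two vulnerable lookups return the whole table while the prepared ones return nothing for the tautology and only the row with id 1 for the numeric payload. The point of the numeric case is that "sanitizing" by escaping quotes is the wrong mental model: the fix is to keep data out of the statement text altogether, and where that is impossible (table names, ORDER BY columns) to allow-list the value against a fixed set.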
Week 6:
Sep 29
The plan
  • Lesson 5 [Zip file]
    • The rest of the fundamental SQL
      • WHERE clause power
      • UPDATE statement
      • DELETE statement
    • And we'll write some PHP and MySQL code from scratch in class!
Week 7:
Oct 6
The plan
  • Lesson 6 [Zip file]
    • More with SQL/databases
      • Database abstraction layers
      • More practice!
    • And we'll talk about a new type of attack: Cross-Site Request Forgery (CSRF)
Week 8:
Oct 13
The plan
  • Lesson 7 [Zip file]
    • Ajax
    • Sending emails from PHP
    • Exploiting and protecting against Cross-Site Request Forgery (CSRF)
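The following is an added example, not code from the lesson 6 or lesson 7 zip files, of the synchronizer-token defence against the CSRF attack introduced in week 7 and exploited in week 8. The page name change_email.php, the field names, and the function names csrf_token(), csrf_field() and csrf_check() are invented for the example; it assumes PHP 7 or later for random_bytes() and 5.6 or later for hash_equals().

```php
<?php
// Added example (not course code): CSRF protection for a state-changing form.
//
// What this stops. A page on attacker.example containing
//   <form action="https://shop.example/change_email.php" method="post">
//     <input type="hidden" name="email" value="attacker@attacker.example">
//   </form><script>document.forms[0].submit()</script>
// makes the victim's browser POST to shop.example with the victim's session
// cookie attached. Without a token the server cannot tell this forged
// request from a real one. The token is stored in the session and echoed
// into the form; the attacker's page cannot read it (same-origin policy), so
// a forged request cannot carry it.
session_start();

// One random token per session, created on first use.
function csrf_token() {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to include in every form that changes state.
function csrf_field() {
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// True only for a POST that carries this session's token.
function csrf_check() {
    $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
    if ($method !== 'POST') {
        // State changes over GET are forgeable with a bare <img src=...>,
        // so they are refused outright rather than token-checked.
        return false;
    }
    if (empty($_SESSION['csrf_token']) || !isset($_POST['csrf_token']) || !is_string($_POST['csrf_token'])) {
        return false;
    }
    // Constant-time comparison so the token cannot be guessed byte by byte.
    return hash_equals($_SESSION['csrf_token'], $_POST['csrf_token']);
}

$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
if ($method === 'POST') {
    if (!csrf_check()) {
        header('HTTP/1.1 403 Forbidden');
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Token is good: apply the change for the logged-in user here.
}
?>
<form method="post" action="change_email.php">
  <?php echo csrf_field(); ?>
  <label>New email <input type="email" name="email"></label>
  <button type="submit">Change</button>
</form>
```

Note the dependency on the earlier material: the token only stays secret if the page has no XSS, since script running on shop.example can read the form and submit it with the token included. CSRF protection assumes output encoding is already right.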
Week 9:
Oct 20
The plan
Week 10:
Oct 27
The plan
Week 11:
Nov 3
The plan
  • Lesson 10 [Zip file]
    • SSL
    • Storing sensitive data
    • Examples of storing hashed passwords
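An added example, not from the lesson 10 zip file, of storing and checking password hashes. It uses password_hash() and password_verify(), which PHP has provided since 5.5 and which handle salting and a tunable work factor; the unsalted md5() or sha1() of the password that many tutorials of the period used has neither property and is cracked offline at billions of guesses per second. The user table is a constructed array standing in for the MySQL rows, and the function names and BCRYPT_COST constant are invented for the example.

```php
<?php
// Added example (not course code): password storage with bcrypt via
// password_hash()/password_verify(), plus the two login-time details that
// are easy to get wrong.

const BCRYPT_COST = 12;   // tune so that one hash takes roughly 100 ms on the server

function hash_password($plain) {
    // The returned string carries algorithm, cost and a random salt, so it
    // is the only thing that needs storing. Caveat: bcrypt ignores input
    // beyond 72 bytes.
    return password_hash($plain, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
}

function check_password($plain, $stored_hash) {
    return password_verify($plain, $stored_hash);
}

// Constructed storage in place of a users table.
$users = array(
    'alice' => hash_password('correct horse battery staple'),
);

// A hash of a throwaway value, verified when the username is unknown, so a
// failed login takes the same time whether or not the account exists. Without
// this, response time reveals which usernames are valid.
$dummy_hash = hash_password('not-a-real-password');

function login(array &$users, $dummy_hash, $username, $plain) {
    $known  = isset($users[$username]);
    $stored = $known ? $users[$username] : $dummy_hash;
    $ok     = check_password($plain, $stored);
    if (!$ok || !$known) {
        return false;
    }
    // Opportunistic upgrade: if the stored hash was made with a lower cost or
    // an older algorithm than the current policy, rehash now while the
    // plaintext is in hand, and write the new hash back to the database.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        $users[$username] = hash_password($plain);
    }
    return true;
}

var_dump(login($users, $dummy_hash, 'alice', 'correct horse battery staple'));
var_dump(login($users, $dummy_hash, 'alice', 'wrong password'));
var_dump(login($users, $dummy_hash, 'nobody', 'anything'));
```

The first call succeeds and the other two fail; the third fails after the same amount of work as the second. Because the cost is embedded in each hash, raising BCRYPT_COST later needs no migration script: users are upgraded one at a time as they log in.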
Week 12:
Nov 10
Announcement
  • Tonight: Lockheed Martin Computer Challenge, 6:45 in the atrium and then GS 906. [pdf]
The plan
  • Lesson 11 [Zip file]
    • Error handling (it's important for security, too!)
    • Credit card processing
    • Webserver power and flexibility
    • Web design
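An added example (not from the lesson 11 zip file) of the error-handling point: details belong in the log, never on the page. The log path and the error messages are invented for the example; the closures need PHP 5.3 or later.

```php
<?php
// Added example (not course code): production error handling that keeps
// file paths, SQL fragments and stack traces away from the client.

// These can equally go in php.ini or a per-directory .htaccess.
error_reporting(E_ALL);
ini_set('display_errors', '0');   // never render warnings or traces into the HTML
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');

// Turn PHP warnings and notices into exceptions so they cannot be ignored
// and so they reach the single handler below.
set_error_handler(function ($severity, $message, $file, $line) {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// One handler for anything uncaught: full detail to the log, a generic
// message and a 500 status to the client.
set_exception_handler(function ($e) {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
    }
    echo 'Sorry, something went wrong. The problem has been logged.';
    exit;
});

// The pattern to avoid, common in PHP tutorials of the period:
//     $result = mysql_query($sql) or die(mysql_error());
// mysql_error() hands an attacker the table and column names, the piece of
// SQL that failed to parse, and confirmation that injected input is reaching
// the database. Throw instead and let the handler decide what is shown.
function connect_db($dsn, $user, $password) {
    try {
        return new PDO($dsn, $user, $password, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
    } catch (PDOException $e) {
        // The DSN, user name and driver message stay in the log entry.
        error_log('database connection failed: ' . $e->getMessage());
        throw new RuntimeException('database unavailable');
    }
}

// Demonstration: an unreachable host produces a log line with the real
// reason and a bland 500 page for the browser.
connect_db('mysql:host=db-does-not-exist.example;dbname=shop', 'app', 'secret');
```

The same rule applies to the application's own messages: "login failed" rather than "no such user" or "wrong password", and a generic page for a failed payment rather than the gateway's raw response, which belongs in the credit card processing discussion above.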
Week 13:
Nov 17
The plan
Week 14:
Nov 24
The plan
  • Talk about vulnerability analysis tools.
Week 15:
Dec 1
The plan
  • Lesson 13 [Zip file]
    • JavaScript in more detail and fun with the DOM