Web Applications and Security

The times when the web was a mere collection of “documents” are long gone. SGML and HTML frames are things of the past, and Flash may soon join them. Nowadays, the web developer 2.0 speaks dozens of domain-specific languages (ECMAScript, HTML5, CSS, SVG, XML, JSON, Perl, PHP, Python, SQL, …) and constantly preaches AJAX.

To succeed in this fast-paced domain, the IT professional must possess many diverse skills. She must fully understand the way data are exchanged between the components of the application, she must know a large palette of languages and tools and constantly keep up to date, and finally she must understand what the critical entry points of her application are and how to secure them from external attackers.

This course aims at giving the basics of modern dynamic web programming, with a spin on attack techniques and security analysis.

This wiki is yours. Use it, peruse it, abuse it (but not too much, please… it is software in development and it is quite vulnerable to XSS attacks). Please read How to use the wiki.


We’ve moved! Starting from 2013-2014, this course moves its home page at http://defeo.lu/aws.

5/28: The subject and solution of the exam are available.

4/30: Published a page on using socket.io and was_framework.

4/25: Published instructions on the defense of the Final project.

3/27: A page on Hosting Node.js.

3/19: A page on Web graphics.

2/27: Say what you think of the course and give ideas for next year.

2/27: Published instructions for the Final project.

Practical information

Instructor: Luca De Feo http://defeo.lu

Class: Wednesdays 1:30pm - 3pm, amphi B
Tutorial (Group 1): Tuesdays 9:45am - 1pm, salle D101
Tutorial (Group 2): Wednesdays 3:15pm - 6:30pm, salle G204

Exam: First session, Monday, May 13, 10am-12pm, amphi G. Subject and solution.


Class 1 (01/30/2013)
The World Wide Web, introduction to JavaScript. [screencast]
Class 2 (02/06/2013)
HTML, the language of the web [no screencast this week, sorry!].
Class 3 (02/13/2013)
Cookies, persistence and permanent storage. [screencast]
Class 4 (02/20/2013)
The client side, CSS, DOM and JQuery. [screencast]
Class 5 (02/27/2013)
Asynchronous web applications. [screencast]
Class 6 (03/06/2013)
Large projects and Express, Code injections. [screencast]
Class 7 (03/20/2013)
Cross site scripting. [screencast]
Class 8 (03/27/2013)
AJAX security, Same Origin Policy and CSRF. [screencast]
Class 9 (04/03/2013)
Where is the Web going? [screencast]


Tutorial 1 (02/05/2013)
First steps in JavaScript.
Tutorial 2 (02/12/2013)
HTML generation and forms.
Tutorial 3 (02/19/2013)
HTML generation and forms, Persistence with Node.js.
Tutorial 4 (02/26/2013)
Persistence with Node.js.
Tutorial 5 (03/05/2013)
Eventful clients.
Tutorial 6 (03/19/2013)
Eventful clients, User management.
Tutorial 7 (03/26/2013)
User management, Project work.

Help topics

Useful links


The bibliography on web programming is overblown. The Science Library shelves crack under the weight of redundant and obsolescent literature on the subject.

To deepen your understanding of HTML, JavaScript, etc., you can basically take any book from the library and quickly read through it. Avoid old books, though: check that the first edition (not the last) wasn’t written more than, say, five years ago.

Here is a small selection of links and books that may be more useful than the average one.

JavaScript and AJAX

Mozilla Developer Network. JavaScript Guide.
In English https://developer.mozilla.org/en-US/docs/JavaScript/Guide and French https://developer.mozilla.org/fr/docs/JavaScript/Guide. The first place to look for help on JavaScript.
Marijn Haverbeke. Eloquent Javascript.
In English http://eloquentjavascript.net/ and French http://fr.eloquentjavascript.net/. Very nice introductory book on JavaScript.
D. Crockford. JavaScript. Gardez le meilleur !.
Pearson 2008. ISBN: 978-2-7440-2328-6. Côte BU: 005.13jaS CRO. Reference book on JavaScript syntax.
I. Wetzel and Z. Yi Jiang. JavaScript Garden.
http://bonsaiden.github.com/JavaScript-Garden/. A guide to the more obscure features of JavaScript.
C. Porteneuve. Bien développer pour le Web 2.0.
2nd edition. Eyrolles, 2009. ISBN: 978-2-212-12391-3. Côte BU: 005.71aja POR. Excellent book to learn how to write modern and compliant JavaScript and AJAX, with an emphasis on best practices. Online examples are available from the Eyrolles website. The first edition is very good too, although slightly outdated (2006).
N. C. Zakas. Professional JavaScript for Web Developers.
3rd edition. John Wiley & Sons, 2012. ISBN: 978-1-118-02669-4. Côte BU: 005.71jas ZAK. Very complete book, treating only client-side JavaScript. It contains a complete reference to JavaScript and the DOM, plus extra material on modern features such as Canvases and Web Sockets.
B. Catteau and N. Faugout. AJAX, Le Guide Complet
4th edition. Micro Application Éditions, 2009. ISBN: 978-2-300-022029. Côte BU: 005.71aja CAT. Introductory text on AJAX, with some advanced chapters treating design patterns and best practices.
W3C. The Document Object Model.
Level 2 (current) and Level 3 (upcoming) http://www.w3.org/DOM/DOMTR.
Mozilla foundation. Mozilla DOM resources.
The reference for the part of the DOM API supported by Firefox https://developer.mozilla.org/en/Gecko_DOM_Reference, and related documents https://developer.mozilla.org/en/DOM.
T. Stubbs and G. Allain. JQuery, Le guide complet
Micro Application Éditions, 2011. ISBN: 978-2-300-036194. Côte BU: 005.71jsp ALL. For the programmer who already knows JavaScript and wishes to get the best out of the advanced features of JQuery.


The Node.js manual.
The Node.js API reference.
M. Kiessling. The Node beginner guide.
In English http://www.nodebeginner.org/ and French http://nodejs.developpez.com/tutoriels/javascript/node-js-livre-debutant/.
F. Geisendörfer. Node.js Guide
Understanding Connect and middleware.
A. MacCaw. JavaScript Web Applications.
O’Reilly 2011. ISBN: 978-1-449-30351-8. Côte BU: 005.71jsp MAC. Advanced book discussing both client-side and server-side JavaScript. It focuses on development patterns (mostly MVC), control delegation and JavaScript frameworks.


W3Schools. HTML5 Tutorial
http://www.w3schools.com/html5/. Very good tutorial for beginners, with plenty of examples that you can try online.
W3Schools. CSS Tutorial
http://www.w3schools.com/CSS/. Very good tutorial for beginners, with plenty of examples that you can try online.
http://www.w3schools.com. Plenty of other tutorials are available on the W3Schools website.
L. van Lancker. HTML5 et CSS3
Eni Éditions, 2011. ISBN: 978-2-7460-6242-9. Côte BU: 005.71htm VAN. Introductory manual, mainly dealing with the basics of HTML and CSS (it could have been written for HTML4 and CSS2, but better to keep the pace, right?)
B. Lawson and R. Sharp. Introduction à HTML5
Pearson Education France, 2011. ISBN: 978-2-7440-2476-4. Côte BU: 005.71htm LAW. Intended for readers already familiar with HTML, who wish to learn the most salient new features in HTML5 and its scripting API.


M. Zalewski. Browser Security Handbook.
Google Inc 2009. http://code.google.com/p/browsersec/wiki/Main. Excellent review on browser security, Same Origin Policy and other experimental mechanisms.
D. Seguy and P. Gamache. Sécurité PHP5 et MySQL.
2nd edition. Eyrolles 2009. ISBN: 978-2-212-12554-2. Côte BU: 005.8 SEG. Introductory book on web security. Chapter 2 treats XSS and CSRF. The following chapters focus more on the practical than the theoretical side and give tips to secure PHP+MySQL applications. Useful for your project!
OWASP. OWASP development guide
https://www.owasp.org/index.php/Category:OWASP_Guide_Project. Very complete guide from the OWASP foundation to securing web applications.
OWASP. OWASP wiki
https://www.owasp.org/. Wiki of the OWASP foundation, packed with excellent information on securing, testing and attacking web applications.
R. Cannings, H. Dwivedi and Z. Lackey. Hacking sur le Web 2.0
Pearson Education France, 2008. ISBN: 978-2-7440-2306-4. Côte BU: 005.8 CAN. Badly written, translated even worse, and essentially an advertisement booklet for the authors’ company. Nevertheless, it is one of the few books on the security of web apps available at the library. It is divided into four parts, each ending with a case study. Part I is extremely interesting, so be sure to read it. Part II talks about CSRF, so read at least the first chapter and the case study.