The times when the web was a mere collection of “documents” are long gone. SGML and HTML frames are things of the past, and Flash may soon be too. Nowadays, the web developer 2.0 speaks dozens of domain-specific languages (ECMAScript, HTML5, CSS, SVG, XML, JSON, Perl, PHP, Python, SQL, …) and constantly preaches AJAX.
To succeed in this fast-paced domain, the IT professional must possess many diverse skills. She must fully understand how data is exchanged between the components of the application; she must know a large palette of languages and tools and constantly keep up to date; and finally she must understand what the critical entry points of her application are and how to secure them against external attackers.
This course aims at giving the basics of modern dynamic web programming, with a spin on attack techniques and security analysis.
This wiki is yours. Use it, peruse it, abuse it (but not too much, please… it is software in development and it is quite vulnerable to XSS attacks). Please read How to use the wiki.
5/28: The subject and solution of the exam are available.
4/30: Published page on using
4/25: Published instructions on the defence of the Final project.
3/27: A page on Hosting Node.js.
3/19: A page on Web graphics.
2/27: Published instructions for the Final project.
Instructor: Luca De Feo http://defeo.lu
Class: Wednesdays 1:30pm - 3pm, amphi B
Tutorial (Group 1): Tuesdays 9:45am - 1pm, salle D101
Tutorial (Group 2): Wednesdays 3:15pm - 6:30pm, salle G204
Exam: First session, Monday, May 13, 10am-12pm, amphi G. Subject and solution.
- Class 1 (01/30/2013)
- Class 2 (02/06/2013)
- HTML, the language of the web [no screencast this week, sorry!].
- Class 3 (02/13/2013)
- Cookies, persistence and permanent storage. [screencast]
- Class 4 (02/20/2013)
- The client side, CSS, DOM and JQuery. [screencast]
- Class 5 (02/27/2013)
- Asynchronous web applications. [screencast]
- Class 6 (03/06/2013)
- Large projects and Express, Code injections. [screencast]
- Class 7 (03/20/2013)
- Cross site scripting. [screencast]
- Class 8 (03/27/2013)
- AJAX security, Same Origin Policy and CSRF. [screencast]
- Class 9 (04/03/2013)
- Where is the Web going? [screencast]
- Tutorial 1 (02/05/2013)
- Tutorial 2 (02/12/2013)
- HTML generation and forms.
- Tutorial 3 (02/19/2013)
- HTML generation and forms, Persistence with Node.js.
- Tutorial 4 (02/26/2013)
- Persistence with Node.js.
- Tutorial 5 (03/05/2013)
- Eventful clients.
- Tutorial 6 (03/19/2013)
- Eventful clients, User management.
- Tutorial 7 (03/26/2013)
- User management, Project work.
- 2011-2012 course.
- Two courses at Polytechnique by my colleague and friend Dominique Rossin:
- The WWW Consortium http://www.w3.org/;
- The W3 Schools http://www.w3schools.com/ and their HTML5 tutorial http://www.w3schools.com/html5/;
- The HTML validator http://validator.w3.org/ and the CSS validator http://jigsaw.w3.org/css-validator/;
- The Node.js main site http://www.nodejs.org/, manual http://www.nodemanual.org/ and API reference http://www.nodejs.org/api;
- The Express framework for Node.js.
- JQuery’s documentation http://docs.jquery.com/;
- The Firefox and Chrome browsers;
- Firefox add-ons https://addons.mozilla.org/ and their Web Development section;
- The OWASP project http://www.owasp.org/ and their WebGoat training application.
The literature on web programming is bloated: the Science Library shelves crack under the weight of redundant and obsolescent books on the subject.
Here is a small selection of links and books that may be more useful than average.
- C. Porteneuve. Bien développer pour le Web 2.0.
- B. Catteau and N. Faugout. AJAX, Le Guide Complet. 4th edition. Micro Application Éditions, 2009. ISBN: 978-2-300-022029. Library call number: 005.71aja CAT. Introductory text on AJAX, with some advanced chapters treating design patterns and best practices.
- W3C. The Document Object Model. Level 2 (current) and Level 3 (upcoming): http://www.w3.org/DOM/DOMTR.
- Mozilla Foundation. Mozilla DOM resources. The reference for the part of the DOM API supported by Firefox, https://developer.mozilla.org/en/Gecko_DOM_Reference, and related documents, https://developer.mozilla.org/en/DOM.
- T. Stubbs and G. Allain. JQuery, Le guide complet.
- The Node.js manual.
- The Node.js API reference.
- M. Kiessling. The Node beginner guide.
- F. Geisendörfer. Node.js Guide. Understanding Connect and middleware.
- W3Schools. HTML5 Tutorial, http://www.w3schools.com/html5/. Very good tutorial for beginners, with plenty of examples that you can try online.
- W3Schools. CSS Tutorial, http://www.w3schools.com/CSS/. Very good tutorial for beginners, with plenty of examples that you can try online.
- Plenty of other tutorials are available on the W3Schools website, http://www.w3schools.com.
- L. van Lancker. HTML5 et CSS3. Eni Éditions, 2011. ISBN: 978-2-7460-6242-9. Library call number: 005.71htm VAN. Introductory manual, mainly dealing with the basics of HTML and CSS (it could have been written for HTML4 and CSS2, but better to keep pace, right?).
- B. Lawson and R. Sharp. Introduction à HTML5. Pearson Education France, 2011. ISBN: 978-2-7440-2476-4. Library call number: 005.71htm LAW. Intended for readers already familiar with HTML who wish to learn the most salient new features of HTML5 and its scripting API.
- M. Zalewski. Browser Security Handbook. Google Inc., 2009. http://code.google.com/p/browsersec/wiki/Main. Excellent review of browser security, the Same Origin Policy and other experimental mechanisms.
- D. Seguy and P. Gamache. Sécurité PHP5 et MySQL. 2nd edition. Eyrolles, 2009. ISBN: 978-2-212-12554-2. Library call number: 005.8 SEG. Introductory book on web security. Chapter 2 treats XSS and CSRF. The following chapters focus more on the practical than the theoretical side and give tips for securing PHP+MySQL applications. Useful for your project!
- OWASP. OWASP development guide, https://www.owasp.org/index.php/Category:OWASP_Guide_Project. Very complete guide from the OWASP foundation to securing web applications.
- OWASP. The OWASP wiki, https://www.owasp.org/. Wiki of the OWASP foundation, packed with excellent information on securing, testing and attacking web applications.
- R. Cannings, H. Dwivedi and Z. Lackey. Hacking sur le Web 2.0. Pearson Education France, 2008. ISBN: 978-2-7440-2306-4. Library call number: 005.8 CAN. Badly written, translated even worse, and essentially an advertising booklet for the authors’ company. Nevertheless, it is one of the few books on the security of web apps available at the library. It is divided into four parts, each ending with a case study. Part I is extremely interesting, so be sure to read it. Part II talks about CSRF, so read at least the first chapter and the case study.