Topics

This is a master list of topics relevant to this class. We definitely won’t get to all of them, and we definitely won’t cover them in order; this is mostly for my own mental collection of what topics can and should be covered in a class like this. XR is my shorthand for “cross reference”: it means a different element in the outline is also relevant to this topic.

  • The web platform

    • Browser-side

      High level goals are to teach enough to understand the web broadly, from an engineering and computer science based perspective - this will touch on a lot of networking topics as they relate to the web.

      • Components of a browser
        • DOM/CSSOM/JS
        • HTTP the protocol & Cookies for stateful requests
        • HTTPS the protocol
          • Aside: DNS
          • Symmetric & Asymmetric crypto
          • TLS, certificate authorities, HSTS, HPKP
        • Advanced topics
        • Misc
        • Features exposed through JavaScript
          • Local storage
          • Long polling, SSE, WS, WebRTC
          • Service Workers
          • PWAs, Electron Apps?
          • Laundry list of capabilities (XR web feature security): WebAudio, WebUSB, WebBluetooth, accelerometer & gyroscope…
          • PostMessage & iframes (XR clickjacking, XR SOP)
    • Server-side

      High level intention is that the first few assignments will progressively build up to a MEVN/MERN stack web app. What do students need to know to get to that level?

      • Request routing and middleware
        • Express middleware
        • Front end servers / tls termination / load balancers
        • CDNs
      • Templating (XR XSS)
      • Session management
      • Backing store: data models, ORM, options for deploying and connecting to a database
    • Deployment-side (software engineering stuff)

      Organized loosely on the 12-factor model

      • MVC
        • Both on the server side as well as client side, MVVM (react/angular/vue)
      • Deployment
        • VMs vs containers vs bare metal isolation
        • Serverless
        • Infrastructure as Code: Terraform, Ansible, etc.
        • Babel, WebPack, CDNs (XR CSP)
        • Where and how to keep secrets
      • APIs

        • REST, gRPC, SOAP-XML
        • Webhooks

          TL;DR: a webhook is an app that gets called by a 3rd party service rather than by a user’s web browser, so that its functionality can be included in that 3rd party service.

      • Distributed Systems
        • Chaos Monkey
        • Storing configuration / secrets in etcd
        • Kubernetes
      • Logging/Telemetry
      • Performance testing / tuning
        • Basics of whole stack performance
          • Serve static resources directly
          • Run it all through a CDN (XR cert delegation)
        • Monkey testing / Gremlins
        • Load testing
          • https://k6.io/docs/
        • Application profiling
        • In-browser tests like Google Lighthouse
      • Optimization/Monetization
        • XR Qualys test
        • Analytics / AB testing
        • SEO
        • How ads work
      • Back up: do you even need a webapp?
        • Static site generators
        • WordPress vs. webapp
        • Other frameworks and what they’re good for
  • Security

    Organized loosely around the OWASP top 10, with an emphasis on socio-technical aspects as well as research results

    • Fundamentals
      • Threat modeling
      • Adversarial mindset
      • Principle of least privilege
      • Isolation (SOP)
    • OWASP top 10
      • XSS
      • CSRF: CSRF tokens, SameSite cookies
      • SQLi: SQLi in NoSQL environments
      • Security Misconfiguration
        • TLS misconfiguration, Qualys test
        • Lock down information: least privilege
          • No version strings
          • No .maps on prod
          • No stack dumps
      • Low-tech broken access control
      • Attack hardening
        • What is DoS/DDoS
          • Resource exhaustion fundamentals
          • SYN flood
          • Full HTTP
          • SlowLoris
          • ReDoS
        • Fail2ban
        • Captchas, reCAPTCHA, reCAPTCHA v3 (XR privacy)
    • Privacy
      • Fingerprinting & Tracking
        • Panopticlick
        • Cookieless Monster
        • Safari ITP, 3rd party cookie blocking
    • Security
      • CSP
      • Least privilege WRT browser capabilities
        • Cost-benefit feature analysis
      • Clickjacking / framebusting
    • OAUTH / SSO / API security
      • JWT and why / why not
      • SSOff
    • Security at scale
      • Google Safe Browsing: how it scales, how it maintains (or doesn’t?) query privacy
      • Private telemetry, RAPPOR
      • Certificate Transparency (and HPKP)
      • Centralized App stores
    • Usable security
      • Perceptual attacks: clickjacking, phishing, typosquatting…
      • Passwords: requirements, strength, adherence
      • Two factor authentication
        • SMS/TOTP/U2F/WebAuthn: how TOTP works, vulnerabilities of SMS 2FA, how U2F works
      • APF green lock adherence
    • Developer usability
      • Certificate verification
      • Cipher suite selection (XR JWT)
    • Misc?
      • Blackhat SEO