CS590 Web App Security Principles

Detailed Course Description:

This course aims to fill a gap in the security courses offered by Purdue University. There are courses in information security (which touches upon web application security), network security, and software security, but no course focused on web application security. The textbook I propose to follow is The Web Application Hacker's Handbook (2nd Edition), Dafydd Stuttard and Marcus Pinto (ISBN: 978-1-118-02647-2). This book is widely respected and highly recommended within the security community. The chapters I would focus on include Chapter 1 (Web Application (In)security), Chapter 2 (Core Defense Mechanisms), and Chapters 6-21. Notable chapters in 6-21 include Automating Customized Attacks and Finding Vulnerabilities in Source Code, among others.
To supplement the textbook, there are exercises at https://overthewire.org/wargames/natas/, which “teaches the basics of serverside web-security”, as well as https://www.hackthebox.com, the Web Security Academy, and https://www.hackthissite.org/. These provide pre-made practice problems and labs for a rich learning experience in a safe and segmented environment. I chose these labs because each has a defined completion condition, which automatically tells me whether I have successfully completed the problem. Each weekly exercise would have an associated report detailing the vulnerability, the exploit, and a patch to remedy the underlying issue.
For a final project, I propose to create a vulnerable web application with multiple flaws, write automated exploits for those vulnerabilities, then patch the server and demonstrate that it is no longer vulnerable. Through this course, I will be able to explore recent and relevant web application security issues and market myself as a well-rounded security professional.