Security and Vulnerability Analysis - S15

CSE 591


Course Info

Course Number: CSE 591 (27169)
Instructor: Prof. Adam Doupé
Office: BYENG 472
Office Hours: Thursday, 3pm–4pm and by appointment
Meeting Times: Tuesday and Thursday, 1:30pm–2:45pm (BYAC 150)
Course Mailing List:

Course TA: Raymond Tu
TA Email:
TA Office: BYENG 469CC
TA Office Hours: Friday, 9:15am–10:15am and by appointment

Course Description

This course is about hacking web applications manually and automatically. Students will study web applications and how they operate; learn, study, and exploit the latest in web application vulnerabilities; understand automated vulnerability analysis tools; learn the state-of-the-art in web application automated vulnerability analysis tools; and develop a novel automated vulnerability analysis tool. We will also cover how to use these techniques legally and ethically.

The first half of the course will focus on understanding web applications and how to exploit web applications, and these topics will be reinforced with practical, hands-on, homework assignments. The second half of the course will focus on the state-of-the-art in automated vulnerability analysis of web applications via reading and presenting research papers.[1]


This course will be challenging, and students are expected to learn the necessary technologies. Students will be expected to already understand networking and the TCP/IP stack. Students with strong skills in at least one scripting language (Python, Ruby, PHP, etc.) and web development experience will be at an advantage.

Recommended Textbook

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
Dafydd Stuttard & Marcus Pinto
ISBN: 1118026470 / 978-1118026472

Course Communication

All announcements and communications for the class will take place through the class mailing list. Students are required to subscribe to the class mailing list:

Students may use the class mailing list to ask questions or request clarifications, and the TA, Instructor, or other students can answer. Note that sharing solutions or answers is expressly prohibited.

Course Topics

Topics may include:

  • The Web
  • Web application construction
  • Web application security
  • Bypassing client-side protection
  • Attacking web application authentication
  • Attacking web application sessions
  • Attacking web application access control
  • Attacking the data store
  • Attacking application logic flaws
  • Advanced cross-site scripting vulnerabilities
  • Automated vulnerability analysis tools
  • Client-side web application security
  • Mobile web application security

Technologies covered:

  • HTTP
  • HTML
  • CSS
  • JavaScript
  • AJAX
  • SQL
  • Scripting languages


Students will be evaluated on their performance on homework, exams, paper presentation, and final project.

Homework Assignments

There will be three or four homework assignments in the first half of the course, covering the material presented in the lectures, with the goal to have the students become familiar with web applications and web application exploitation.

Midterm Exam

There will be a midterm exam. The exam will cover the material discussed from the lectures and the assignments. No notes or outside material/devices will be allowed.

Paper Presentation

Students will be required to present a state-of-the-art research paper in vulnerability analysis to the class, and all students will be required to read all papers. Schedules and paper assignments will be decided at a later date. Paper presentation may be done in groups depending on the number of students in the class.

Final Project

There will be a final project for the second half of the course. Students will be required to propose a new/interesting project in the area of automated vulnerability analysis. Students are expected to present their project to the class. Final projects may be done in groups depending on the number of students in the class.

Final Exam

There will be a final exam that will cover all material presented throughout the course, with an emphasis on material from the second half of the class. No notes or outside material/devices will be allowed.


Discretionary points are given at the end of the course. These depend on a variety of things, including attendance, class participation, effort, etc.

Grading Options

Students will have the option of choosing Grading Option A or B. Students will select their grading option when submitting the first homework assignment, and it cannot be changed after that point.

Note that only students in Grading Option B are eligible to include this class as an MSC Portfolio class.

Grading Option A

Area                 Weight %
Homework             25
Midterm Exam         20
Paper Presentation   10
Final Project        20
Final Exam           20
Discretionary        5

Grading Option B

Area                 Weight %
Homework             25
Midterm Exam         15
Paper Presentation   10
Final Project        30
Final Exam           15
Discretionary        5

Homework Due Dates and Exam Dates

Homework due dates and exam dates will be posted well in advance on the class website and announced in class.

Homework assignments must be submitted at the beginning of the class on the date that they are due. For each day an assignment is late, a 20% deduction will be assessed. Exams will be given in class and are closed book, closed note, unless otherwise stated. Makeup exams are typically not given unless under extenuating circumstances. Laptops, phones, and other smart devices are not allowed during exams, but approved devices like calculators are acceptable.

Plagiarism and Cheating

Plagiarism or any form of cheating in assignments, projects, or exams is subject to serious academic penalty. To understand your responsibilities as a student, read the ASU Student Code of Conduct and the ASU Student Academic Integrity Policy.

Syllabus Update

Information in the syllabus may be subject to change with reasonable advance notice.

[1] © Copyright 2014 Adam Doupé as to this syllabus, all lectures, and course-related written materials. During this course students are prohibited from making audio, video, digital, or other recordings during class, or selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the faculty member teaching this course.