Alex's Notes

Web Security - Stanford CS 253

Provides an overview of web security. Topics include Principles of web security, attacks and countermeasures, browser security model, and much more.

Website is at https://web.stanford.edu/class/cs253/

Notes are from 2019 lectures and 2021 materials.

Lecture Summaries

Client Side Security and Attacks

CS253 Lecture Summaries: Part I: Basics

CS253 Lecture Summaries: Part II: DNS, HTTP, Cookies

CS253 Lecture Summaries: Part III: Cookies

CS253 Lecture Summaries: Part IV: CSRF, Same Origin Policy

CS253 Lecture Summaries: Part V: Exceptions to Same Origin

CS253 Lecture Summaries: Part VI: XSS

CS253 Lecture Summaries: Part VII: XSS Defences

CS253 Lecture Summaries: Part VIII: Fingerprinting

CS253 Lecture Summaries: Part IX: DoS, Phishing, Side Channels

Server Side Security and Attacks

CS253 Lecture Summaries: Part X: Code Injection

CS253 Lecture Summaries: Part XI: TLS

CS253 Lecture Summaries: Part XII: Real World HTTPS

CS253 Lecture Summaries: Part XIII: Authentication

CS253 Lecture Summaries: Part XIV: WebAuthn

Readings

Basics

HTTP

Cookies

CSRF

Same Origin Policy

Cross-Site Scripting XSS

XSS Defences

Online Tracking

Online Tracking: A 1-million-site measurement and analysis

Most Websites don’t need to vibrate

Browser Fingerprinting

WebKit Ad Click Attribution

Protecting Browser State from Web Privacy Attacks

WebKit Tracking Prevention Policy

Denial of Service, Phishing

Alice in Warningland

Clickjacking

Cross-Origin JS Capability Leaks

XS-Leaks

Code Injection

[Command Injection](https://owasp.org/www-community/attacks/Command%5FInjection#:~:text=Command%20injection%20is%20an%20attack,system%20via%20a%20vulnerable%20application.&text=In%20this%20attack%2C%20the%20attacker,privileges%20of%20the%20vulnerable%20application.)

SQL Injection

Authentication

NIST Digital Identity Guidelines