News
|
04.07.2022
|
Exam registration issuesSome students could not find the lecture for sign up for the exam (seemingly in particular MSc CySec). It seemed that "Foundations of Web Security" did not show up in the list of available courses, but instead "Web Security" (the lecture's old name) did without an... Read more Some students could not find the lecture for sign up for the exam (seemingly in particular MSc CySec). It seemed that "Foundations of Web Security" did not show up in the list of available courses, but instead "Web Security" (the lecture's old name) did without an option to sign up for an exam. If you have similar issues, please write an email to studium@cs.uni-saarland.de to ask for a manual registration (please use your student email address). If you take a course which does not support LSF in the first place, you can use the CMS to sign up. Note that the deadline for registering is July 20, 23:59. If you are not registered at that time, you will be unable to take the exam (no exceptions can be made). |
|
21.06.2022
|
EvaluationDear all, I have received the evaluation for the lecture. Could you please fill out https://qualis.uni-saarland.de/eva/?l=136465&p=540826. Since we do not really have a tutorial, please leave any feedback for both the lecture and the exercises in this one... Read more Dear all, I have received the evaluation for the lecture. Could you please fill out https://qualis.uni-saarland.de/eva/?l=136465&p=540826. Since we do not really have a tutorial, please leave any feedback for both the lecture and the exercises in this one link. Also as a reminder: the gameserver offers to store feedback for challenges you have solved. Leaving that feedback helps us to identify shortcomings in exercise descriptions for the next year, so we appreciate. Finally, we are always happy to receive anonymous feedback through the CMS or directly via email or Mattermost (many of you already noted certain typos and bugs, thanks for that!). |
|
09.06.2022
|
Distinguished Lecture Series: Nick Nikiforakis on Tuesday, June 14, 3pmAs part of CISPA's Distinguished Lecture Series, we will have a virtual visit from Nick Nikiforakis next week (Tuesday 3pm). Nick has been doing Web security research for a long time and is one of the most cited authors in this area. If you want to attend the talk,... Read more As part of CISPA's Distinguished Lecture Series, we will have a virtual visit from Nick Nikiforakis next week (Tuesday 3pm). Nick has been doing Web security research for a long time and is one of the most cited authors in this area. If you want to attend the talk, you can either join virtually (see https://cispa.de/en/news-and-events/distinguished-lecture-series/lectures/nikiforakis for the details and Zoom link) or physically in the lecture hall where we will stream the lecture. His talk will cover Web aspects in particular of mobile browsers, which we somewhat omit in the lecture. For more information, see the abstract below: Recent years have seen a steady increase in the sales of mobile devices as more and more users purchase smartphones and tablets to supplement their computing needs. The smartphones' cleaner UIs in combination with an ever increasing number of apps and constantly decreasing prices, are attracting more and more users who entrust their devices with sensitive data, such as personal photographs, work emails, and financial information. To browse the web from these devices, users can choose between hundreds of competing mobile browsers, each advertising its own unique set of features. In this talk, we will discuss the idiosyncrasies of these mobile web browsers and show that they are vulnerable to attacks that were never an issue on traditional desktop browsers. We will first present the results of analyzing over 2,000 versions of mobile browsers, spanning five years and 128 browser families, and show that mobile browsers are becoming more vulnerable to certain classes of attacks with each passing year. We will then focus on the ability of mobile browsers to enforce standard security mechanisms, such as, the HTTP Strict Transport Security mechanism and Content-Security Policy. We will show that mobile browsers lag behind desktop browsers in their support of these mechanisms, resulting in users being less secure when they browse a given website over a mobile browser, as opposed to a desktop browser. Lastly, we will explore the workings of data-savings mobile browsers and how their unique design can open up users to attacks. |
|
05.06.2022
|
Internet back up at CISPASeems like the Internet issues has been fixed. Since the issues were related to a power failure Saturday morning, all servers were restarted. Your VMs are being restarted at the moment, but that could still take an hour or so for all of them to come up. All... Read more Seems like the Internet issues has been fixed. Since the issues were related to a power failure Saturday morning, all servers were restarted. Your VMs are being restarted at the moment, but that could still take an hour or so for all of them to come up. All jeopardies, team0 and Gitlab are back up. Mattermost is still offline, since that is a different server. I'm guessing it will be back soon (tm) |
|
05.06.2022
|
Downtime of CISPA servicesAs one of you already noticed, currently gameserver, mattermost, and all challenges are offline. This is because of an unknown issue with the network uplink between UdS and CISPA. This failed on Friday to Saturday night and I have no idea when it will be online... Read more As one of you already noticed, currently gameserver, mattermost, and all challenges are offline. This is because of an unknown issue with the network uplink between UdS and CISPA. This failed on Friday to Saturday night and I have no idea when it will be online again. Sorry for the inconvenience, I hope to have this fixed sooner rather than later. |
|
01.06.2022
|
Unintended / copied solutionsHi all, unfortunately, we found that some students copied in solutions from one challenge to others. Further, some people also used test accounts (test/test) to solve a challenge, which others then also used and found the readily available flags. Since we give... Read more Hi all, unfortunately, we found that some students copied in solutions from one challenge to others. Further, some people also used test accounts (test/test) to solve a challenge, which others then also used and found the readily available flags. Since we give points for solving challenges instead of merely finding flags, I have updated the database for a number of students who had quite obviously not done the exercises themselves. This also involves students that had solutions which were surprising similar to those of fellow participants or are copies of prior years' solutions. Should you be affected by this (your solution is flagged as solved after the deadline) and disagree with my above assumption, let me know. I would like to note again that each student must individually solve the exercises. Failing to do so may be grounds for not being admitted to the exam. Please see this as the final warning to anyone. If you found a flag which was (accidentally?) left there by others, please inform us right away so we can reset the challenge. If you only noticed it after submitting, we can reset the solved challenge for you and you can properly solve it. |
|
31.05.2022
|
Tomorrow: Solution ExplanationHi, As a reminder: Tomorrow, the lecture will not be a content lecture but a solutions explanation, where I will present you our solutions for the first nine jeopardy challenges. If time permits, we will also discuss some screecher challenges. Given that I... Read more Hi, As a reminder: Tomorrow, the lecture will not be a content lecture but a solutions explanation, where I will present you our solutions for the first nine jeopardy challenges. If time permits, we will also discuss some screecher challenges. Given that I just came back from a business trip on a fully booked flight, we will make this session fully virtual such that everybody stays safe. See you in Zoom tomorrow, |
|
20.05.2022
|
Online-Only Q/A Session next weekNext week, I will be traveling and Jannis will do the live meeting. Since he is also not in Saarbrücken, the lecture will be fully remote through Zoom. We'll be back live on June 1st with the solutions to the first batch of exercises. Note that all Jeopardies which... Read more Next week, I will be traveling and Jannis will do the live meeting. Since he is also not in Saarbrücken, the lecture will be fully remote through Zoom. We'll be back live on June 1st with the solutions to the first batch of exercises. Note that all Jeopardies which have been released to date are due by June 1. |
|
16.05.2022
|
Talk by Stefano Calzavara from University of Venice on Web SecurityHi all, I have a colleague from Italy visiting us this week. He'll give a talk on improving the science of Web Security on Thursday, May 19, 14:30. This will be a hybrid event, split between the CISPA lecture hall and Zoom. Please see below for details. Hi all, I have a colleague from Italy visiting us this week. He'll give a talk on improving the science of Web Security on Thursday, May 19, 14:30. This will be a hybrid event, split between the CISPA lecture hall and Zoom. Please see below for details. https://cispa-de.zoom.us/j/94023681911?pwd=bUgrTlJaR0tFSDlnTi9IMDZzVXNWdz09 Title: Towards improving the science of web security Abstract: Though useful, many web security papers (including mine!) do not satisfy traditional criteria of the scientific method. In this talk, I will provide a personal perspective on how the science of web security could be improved, by discussing recent work which (partially) tackled this issue. The talk will focus in particular on reproducibility and the importance of definitions for web security research. Bio: Stefano Calzavara is an associate professor in Computer Science at Università Ca’ Foscari Venezia, Italy. Stefano’s research focuses on formal methods, computer security and their intersection, with a strong emphasis on web security. He has published ~50 papers on these topics at widely recognized international conferences and journals. He is pleased to regularly serve in the PC of a number of scientific events, including flagship conferences like ACM CCS, USENIX Security and TheWebConf (WWW). Stefano chaired the first three editions of the SecWeb workshop and is serving as the program chair of CSF 2022 and 2023.
Hope to see you there (in person or remote) |
|
11.05.2022
|
Clarification for exercisesHi all, If you plan to use a Middleware for the CSP task, this middleware *must* be screecher.middleware.CSPMiddleware. This means you have to add a class to the middleware file already in place (which also contains the MigrationsMiddleware as an example).... Read more Hi all, If you plan to use a Middleware for the CSP task, this middleware *must* be screecher.middleware.CSPMiddleware. This means you have to add a class to the middleware file already in place (which also contains the MigrationsMiddleware as an example). Otherwise our checkers will not like you :-) |
|
08.05.2022
|
Timing change for exam preparation lectureDue to travel constraints, I have to move up the final lecture into the slot before. That is, the exam preparation lecture will happen on July 20, 10:15 - 11:45. As usual, everything will be streamed and recorded. |
|
20.04.2022
|
Technical Issues Solved!Hi, First of all, sorry for the technical issues during today's lecture. In order to lower the number of disconnects during the lecture, we asked the CISPA IT to provide a more stable connection in the lecture hall such that we do not rely on eduroam anymore. Hi, First of all, sorry for the technical issues during today's lecture. In order to lower the number of disconnects during the lecture, we asked the CISPA IT to provide a more stable connection in the lecture hall such that we do not rely on eduroam anymore. Regarding the technical issues of the Gameserver and the Infrastructure: We have already uploaded the InfrastructureHowTo slides to the CMS. However, the recording(s) need to be put together due to the disconnects and will be online soon (latest tomorrow). In case you still face technical issues, do not hesitate to write me on Mattermost (or via Email). |
|
05.04.2022
|
Lecture format for week 1Welcome to the Foundations of Web Security lecture for summer 2022! Our first lecture will happen on Wednesday, April 13, starting at 12 c.t.. Note that while we plan to have as much in-person experience as possible, the first lecture will only be held... Read more Welcome to the Foundations of Web Security lecture for summer 2022! Our first lecture will happen on Wednesday, April 13, starting at 12 c.t.. Note that while we plan to have as much in-person experience as possible, the first lecture will only be held online. Further, all lectures, even if in-person, will be offered in a hybrid format, i.e., will be streamed through Zoom as well. For the details of how to access the Zoom call, see the respective section in the information section. We will provide more updates regarding in-person lectures. Note that for the foreseeable future, CISPA will mandate masks be worn in our building. Hence, even if UdS does not require masks, they will be required when you attend the in-person lecture in the CISPA building. |
Foundations of Web Security (formerly known as Web Security)
(meaning: you cannot take it if you already passed Web Security)
Please read the entire course description carefully before using the self-assessment tool to register for the course.
This lecture covers the fundamental security problems that are prevalent on the Web as well as security mechanisms to mitigate them. A particular focus lies on the offensive side of Web security, whereas defense mechanisms merely need to be added to stop the attacks. In contrast, the Secure Web Development course is more focussed on architectural and engineering aspects of secure Web applications, including code review techniques and full message processing pipelines. You can take both courses, but neither requires the other to follow the course material.
Requirements, expectations, and registration
While the name might be giving away a different idea, this lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you. To self-assess whether this is the right course for you, please visit https://self-assessment.websec.saarland/ to guide you through the process. Note that you can only register through a token handed out in that tool (which you'll get irrespective of the amount of points you score on the self-assessment test).
Due to hardware limitations, this course can only accommodate up to 80 students. Students will be admitted on a first-come first-served basis. You should not take this course for easy credit points as it will be a significant effort. Previous students have liked the course, but noted the workload above an average course. See also the evaluation results for SS2018, SS2019, WS2019, WS2020, and SS2021 about this.
Teaching plan for summer 2022
After positive feedback from students, the lecture will be taught as an inverted classroom. We will release videos of the lectures each week and have a meeting one week after that. These session will be a combination of quizzes, a chance for you to ask questions, and live coding tasks to help deepen your understanding of the topics and prepare you for the exercises. Further, we will use a Mattermost instance to allow for easy communication between students and teaching staff.
Schedule (Lecture slot: Wednesday 12-14)
- 13.4.2022: Organizational matters and History of the Web (live lecture)
- 20.4.2022: Introduction to Django&PyCharm / Release of Video 2 (Basic Client-Side Technology)
- 27.4.2022: Q/A session for Basic Client-Side Technology / Release of Video 3 (Cross-Site Scripting)
- 4.5.2022 Q/A session for Cross-Site Scripting / Release of Video 4 (Content Security Policy)
- 11.5.2022: Q/A session for Content Security Policy / Release of Video 5 (Cross-Origin Communication)
- 18.5.2022: Q/A session for Cross-Origin Communication / Release of Video 6 (Cross-Origin Attacks)
- 25.5.2022: Q/A session for Cross-Origin Attacks / Release of Video 7 (Database Insecurity)
- 1.6.2022: Presentation of first batch of jeopardy challenge solutions
- 8.6.2022: Q/A session for Database Insecurity / Release of Video 8 (Code Execution)
- 15.6.2022: Q/A session for Code Execution / Release of Video 9 (Assorted Server-Side Issues)
- 22.6.2022: Q/A session for Assorted Server-Side Issues / Release of Video 10 (Infrastructure Security)
- 29.6.2022: Q/A session for Infrastructure Security
- 6.7.2022: Presentation of second batch of jeopardy challenge solutions
- 13.7.2022: Current research & Beyond the classical models (live lecture)
- 20.7.2022: Exam preparation
Exams
- Main exam: 27.7.2022 9:30 - 11:30 (GHH)
- Backup exam: 21.10.2022 9:30 - 11:30 (E1 3, HS 002)
Exercises
In this term, in order to qualify for the exam, you have to mandatorily do exercises. In particular, there are two types of exercises.
- Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge. In total, this roughly sums up to 15 offensive points and 17 defensive points.
- Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate to other programming languages exclusively (like PHP), we also have challenges which are attack-only. For those, you have exploit to bugs in our services. In total, we plan to have around 20-22 jeopardy challenges.
Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. In total, each of the three categories gives you the same amount of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx. 60% of all points. More details on how to work on the exercises and submit flags will be provided in the introductory session about our infrastructure.
Teaser video