News
20.05.2022 | Online-Only Q/A Session next week
Next week, I will be traveling and Jannis will do the live meeting. Since he is also not in Saarbrücken, the lecture will be fully remote through Zoom. We'll be back live on June 1st with the solutions to the first batch of exercises. Note that all Jeopardies which have been released to date are due by June 1.
16.05.2022 | Talk by Stefano Calzavara from University of Venice on Web Security
Hi all, I have a colleague from Italy visiting us this week. He'll give a talk on improving the science of Web Security on Thursday, May 19, 14:30. This will be a hybrid event, split between the CISPA lecture hall and Zoom. Please see below for details.
Zoom: https://cispa-de.zoom.us/j/94023681911?pwd=bUgrTlJaR0tFSDlnTi9IMDZzVXNWdz09
Title: Towards improving the science of web security
Abstract: Though useful, many web security papers (including mine!) do not satisfy traditional criteria of the scientific method. In this talk, I will provide a personal perspective on how the science of web security could be improved, by discussing recent work which (partially) tackled this issue. The talk will focus in particular on reproducibility and the importance of definitions for web security research.
Bio: Stefano Calzavara is an associate professor in Computer Science at Università Ca’ Foscari Venezia, Italy. Stefano’s research focuses on formal methods, computer security and their intersection, with a strong emphasis on web security. He has published ~50 papers on these topics at widely recognized international conferences and journals. He is pleased to regularly serve in the PC of a number of scientific events, including flagship conferences like ACM CCS, USENIX Security and TheWebConf (WWW). Stefano chaired the first three editions of the SecWeb workshop and is serving as the program chair of CSF 2022 and 2023.
Hope to see you there (in person or remote)
11.05.2022 | Clarification for exercises
Hi all, if you plan to use a middleware for the CSP task, this middleware *must* be screecher.middleware.CSPMiddleware. This means you have to add a class to the middleware file already in place (which also contains the MigrationsMiddleware as an example). Otherwise our checkers will not like you :-)
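A middleware class of the kind the announcement asks for, as an added example that is not the course's Screecher code: it assumes the screecher/middleware.py layout named above, a policy chosen purely for illustration, and a hypothetical `csp_nonce` request attribute that templates would read.

```python
import secrets


class CSPMiddleware:
    """Callable-style Django middleware that sets Content-Security-Policy.

    Django instantiates it with get_response and invokes it once per request.
    No Django import is needed: only this protocol and HttpResponse's support
    for `in` and item assignment on headers are used, so a plain dict can
    stand in for the response when exercising the class outside Django.
    """

    # Assumed base policy, chosen for illustration (not the course's required
    # policy): same-origin by default, no plugins, no framing, no base hijack.
    BASE_DIRECTIVES = {
        "default-src": ["'self'"],
        "script-src": ["'self'"],
        "object-src": ["'none'"],
        "frame-ancestors": ["'none'"],
        "base-uri": ["'self'"],
    }

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        # A fresh nonce per response lets templates allow individual inline
        # scripts via <script nonce="..."> without permitting all of them.
        nonce = secrets.token_urlsafe(16)
        request.csp_nonce = nonce  # hypothetical attribute read by templates
        response = self.get_response(request)
        # Leave the header alone if a view already set a policy deliberately.
        if "Content-Security-Policy" not in response:
            response["Content-Security-Policy"] = build_policy(
                self.BASE_DIRECTIVES, nonce
            )
        return response


def build_policy(directives, nonce=None):
    """Join directives with "; " and sources with spaces; add nonce to script-src."""
    parts = []
    for name, sources in directives.items():
        values = list(sources)
        if name == "script-src" and nonce:
            values.append(f"'nonce-{nonce}'")
        parts.append(f"{name} {' '.join(values)}")
    return "; ".join(parts)
```

Register it in settings.py as "screecher.middleware.CSPMiddleware" so Django wraps every view with it.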
08.05.2022 | Timing change for exam preparation lecture
Due to travel constraints, I have to move the final lecture up into the slot before. That is, the exam preparation lecture will happen on July 20, 10:15 - 11:45. As usual, everything will be streamed and recorded.
20.04.2022 | Technical Issues Solved!
Hi, first of all, sorry for the technical issues during today's lecture. In order to lower the number of disconnects during the lecture, we asked the CISPA IT to provide a more stable connection in the lecture hall such that we do not rely on eduroam anymore. Regarding the technical issues of the Gameserver and the Infrastructure: we have already uploaded the InfrastructureHowTo slides to the CMS. However, the recording(s) need to be put together due to the disconnects and will be online soon (tomorrow at the latest). In case you still face technical issues, do not hesitate to write me on Mattermost (or via email).
05.04.2022 | Lecture format for week 1
Welcome to the Foundations of Web Security lecture for summer 2022! Our first lecture will happen on Wednesday, April 13, starting at 12 c.t. Note that while we plan to have as much in-person experience as possible, the first lecture will only be held online. Further, all lectures, even if in-person, will be offered in a hybrid format, i.e., will be streamed through Zoom as well. For the details of how to access the Zoom call, see the respective part of the information section. We will provide more updates regarding in-person lectures. Note that for the foreseeable future, CISPA will mandate that masks be worn in our building. Hence, even if UdS does not require masks, they will be required when you attend the in-person lecture in the CISPA building.
Foundations of Web Security (formerly known as Web Security)
(meaning: you cannot take it if you already passed Web Security)
Please read the entire course description carefully before using the self-assessment tool to register for the course.
This lecture covers the fundamental security problems that are prevalent on the Web as well as the security mechanisms to mitigate them. A particular focus lies on the offensive side of Web security; defense mechanisms are covered as the means needed to stop those attacks. In contrast, the Secure Web Development course is more focused on architectural and engineering aspects of secure Web applications, including code review techniques and full message processing pipelines. You can take both courses, but neither requires the other.
Requirements, expectations, and registration
While the name might suggest otherwise, this lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security, understand how flaws can be exploited and fixed, and are willing to commit significant effort to a course, this is the right course for you. To self-assess whether this is the right course for you, please visit https://self-assessment.websec.saarland/ to guide you through the process. Note that you can only register through a token handed out in that tool (which you'll get irrespective of the number of points you score on the self-assessment test).
Due to hardware limitations, this course can only accommodate up to 80 students. Students will be admitted on a first-come, first-served basis. You should not take this course for easy credit points, as it will be a significant effort. Previous students have liked the course, but noted that the workload is above that of an average course. See also the evaluation results for SS2018, SS2019, WS2019, WS2020, and SS2021 about this.
Teaching plan for summer 2022
After positive feedback from students, the lecture will be taught as an inverted classroom. We will release videos of the lectures each week and have a meeting one week after that. These sessions will be a combination of quizzes, a chance for you to ask questions, and live coding tasks to help deepen your understanding of the topics and prepare you for the exercises. Further, we will use a Mattermost instance to allow for easy communication between students and teaching staff.
Schedule (Lecture slot: Wednesday 12-14)
- 13.4.2022: Organizational matters and History of the Web (live lecture)
- 20.4.2022: Introduction to Django&PyCharm / Release of Video 2 (Basic Client-Side Technology)
- 27.4.2022: Q/A session for Basic Client-Side Technology / Release of Video 3 (Cross-Site Scripting)
- 4.5.2022: Q/A session for Cross-Site Scripting / Release of Video 4 (Content Security Policy)
- 11.5.2022: Q/A session for Content Security Policy / Release of Video 5 (Cross-Origin Communication)
- 18.5.2022: Q/A session for Cross-Origin Communication / Release of Video 6 (Cross-Origin Attacks)
- 25.5.2022: Q/A session for Cross-Origin Attacks / Release of Video 7 (Database Insecurity)
- 1.6.2022: Presentation of first batch of jeopardy challenge solutions
- 8.6.2022: Q/A session for Database Insecurity / Release of Video 8 (Code Execution)
- 15.6.2022: Q/A session for Code Execution / Release of Video 9 (Assorted Server-Side Issues)
- 22.6.2022: Q/A session for Assorted Server-Side Issues / Release of Video 10 (Infrastructure Security)
- 29.6.2022: Q/A session for Infrastructure Security
- 6.7.2022: Presentation of second batch of jeopardy challenge solutions
- 13.7.2022: Current research & Beyond the classical models (live lecture)
- 20.7.2022: Exam preparation
Exams
- Main exam: 27.7.2022 9:30 - 11:30 (GHH)
- Backup exam: 21.10.2022 9:30 - 11:30 (E1 3, HS 002)
Exercises
In this term, doing the exercises is mandatory in order to qualify for the exam. In particular, there are two types of exercises.
- Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge. In total, this roughly sums up to 15 offensive points and 17 defensive points.
- Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate exclusively to other programming languages (like PHP), we also have challenges which are attack-only. For those, you have to exploit bugs in our services. In total, we plan to have around 20-22 jeopardy challenges.
Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. Each of the three categories is worth the same number of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx. 60% of all points. More details on how to work on the exercises and submit flags will be provided in the introductory session about our infrastructure.
Teaser video