News

Call for Web Developers!

Written on 22.03.23 by Sebastian Roth

Have you ever developed a Web site? If so, we want to hear from you! We're looking for developers that are interested in Web security concepts and techniques.

If this sounds like you, if you want to learn something new, and if you want to earn 50€: Take a look at tt-study.cispa.de and participate in our study to help us understand the challenges of deploying a mechanism to defend against client-side XSS.

Exam results

Written on 21.10.22 by Ben Stock

The results of the backup exam are in. You should have received an email if you participated in the exam already. 

The exam inspection is set for November 4, 9-11 in CISPA, room 0.02. 

Exam inspection Wednesday 10-12

Written on 30.07.22 by Ben Stock

The exam inspection will happen next Wednesday, August 3, from 10-12 at CISPA's 0.07 meeting room (straight across from the main entrance). To ensure we finish on time, make sure to arrive by 11:30 at the latest.

Exam details

Written on 23.07.22 by Ben Stock

All students participating in the exam should now have a seat assigned and visible on the "Personal Status" page. Please make sure to arrive at Günter Hotz Hörsaal by 9:20. Put your bags to the sides and only take pens, drinks & snacks, your student ID, and if needed a dictionary to your seat. You may not bring anything else (e.g., a cheat sheet).

Exam prep lecture

Written on 14.07.22 by Ben Stock

Next week (July 20), we will have the exam prep lecture. You can already take a look at the Sample Exam I uploaded to the materials section.

If you have any specific questions, please post them into the Exam Prep channel in Mattermost. You can also react to other people's posts with a thumbs up to "upvote" the topic. Cut-off for this is Tuesday 16:00, after that I'll prepare the slides.

Note that the lecture is earlier than usual. It will start at 10:15!

Also, this is your regular reminder to register for the exam until July 20, 23:59.

Next lectures, exam registration, and evaluation

Written on 12.07.22 by Ben Stock

Hi folks,

while we have finished the exam-relevant content of the lecture, we still have two meetings to go. There will be a lecture this week on some of our group's recent research to give you an idea of what it is like to work in the area. Next week, we will do the Q/A lecture including the prize giving ceremony (in the hopes of many people attending in person and giving the top three a round of applause).

Also, don't forget to register for the exam through LSF or CMS (deadline for both is July 20, 23:59). And if you haven't done so yet, please make sure to evaluate the lecture through https://qualis.uni-saarland.de/eva/?l=136465&p=540826

Exam registration issues

Written on 04.07.22 by Ben Stock

Some students could not find the lecture to sign up for the exam (seemingly in particular MSc CySec). It seemed that "Foundations of Web Security" did not show up in the list of available courses, but instead "Web Security" (the lecture's old name) did, without an option to sign up for an exam. If you have similar issues, please write an email to studium@cs.uni-saarland.de to ask for a manual registration (please use your student email address). If you take a course which does not support LSF in the first place, you can use the CMS to sign up.

Note that the deadline for registering is July 20, 23:59. If you are not registered at that time, you will be unable to take the exam (no exceptions can be made).

Evaluation

Written on 21.06.22 by Ben Stock

Dear all,

I have received the evaluation for the lecture. Could you please fill out https://qualis.uni-saarland.de/eva/?l=136465&p=540826. Since we do not really have a tutorial, please leave any feedback for both the lecture and the exercises in this one link.

Also as a reminder: the gameserver offers to store feedback for challenges you have solved. Leaving that feedback helps us to identify shortcomings in exercise descriptions for the next year, so we appreciate it. Finally, we are always happy to receive anonymous feedback through the CMS or directly via email or Mattermost (many of you already noted certain typos and bugs, thanks for that!).

Distinguished Lecture Series: Nick Nikiforakis on Tuesday, June 14, 3pm

Written on 09.06.22 by Ben Stock

As part of CISPA's Distinguished Lecture Series, we will have a virtual visit from Nick Nikiforakis next week (Tuesday 3pm). Nick has been doing Web security research for a long time and is one of the most cited authors in this area. If you want to attend the talk, you can either join virtually (see https://cispa.de/en/news-and-events/distinguished-lecture-series/lectures/nikiforakis for the details and Zoom link) or physically in the lecture hall where we will stream the lecture.

His talk will cover Web aspects in particular of mobile browsers, which we somewhat omit in the lecture. For more information, see the abstract below:

Recent years have seen a steady increase in the sales of mobile devices as more and more users purchase smartphones and tablets to supplement their computing needs. The smartphones' cleaner UIs, in combination with an ever increasing number of apps and constantly decreasing prices, are attracting more and more users who entrust their devices with sensitive data, such as personal photographs, work emails, and financial information. To browse the web from these devices, users can choose between hundreds of competing mobile browsers, each advertising its own unique set of features. In this talk, we will discuss the idiosyncrasies of these mobile web browsers and show that they are vulnerable to attacks that were never an issue on traditional desktop browsers. We will first present the results of analyzing over 2,000 versions of mobile browsers, spanning five years and 128 browser families, and show that mobile browsers are becoming more vulnerable to certain classes of attacks with each passing year. We will then focus on the ability of mobile browsers to enforce standard security mechanisms, such as the HTTP Strict Transport Security mechanism and Content-Security Policy. We will show that mobile browsers lag behind desktop browsers in their support of these mechanisms, resulting in users being less secure when they browse a given website over a mobile browser, as opposed to a desktop browser. Lastly, we will explore the workings of data-savings mobile browsers and how their unique design can open up users to attacks.

Internet back up at CISPA

Written on 05.06.22 by Ben Stock

Seems like the Internet issues have been fixed. Since the issues were related to a power failure Saturday morning, all servers were restarted. Your VMs are being restarted at the moment, but that could still take an hour or so for all of them to come up. All jeopardies, team0 and Gitlab are back up. Mattermost is still offline, since that is a different server. I'm guessing it will be back soon (tm).

Downtime of CISPA services

Written on 05.06.22 by Ben Stock

As one of you already noticed, currently gameserver, mattermost, and all challenges are offline. This is because of an unknown issue with the network uplink between UdS and CISPA. This failed on Friday to Saturday night and I have no idea when it will be online again. Sorry for the inconvenience, I hope to have this fixed sooner rather than later.

Unintended / copied solutions

Written on 01.06.22 by Ben Stock

Hi all,

unfortunately, we found that some students copied in solutions from one challenge to others. Further, some people also used test accounts (test/test) to solve a challenge, which others then also used and found the readily available flags. Since we give points for solving challenges instead of merely finding flags, I have updated the database for a number of students who had quite obviously not done the exercises themselves. This also involves students that had solutions which were surprisingly similar to those of fellow participants or are copies of prior years' solutions. Should you be affected by this (your solution is flagged as solved after the deadline) and disagree with my above assumption, let me know.

I would like to note again that each student must individually solve the exercises. Failing to do so may be grounds for not being admitted to the exam. Please see this as the final warning to anyone. If you found a flag which was (accidentally?) left there by others, please inform us right away so we can reset the challenge. If you only noticed it after submitting, we can reset the solved challenge for you and you can properly solve it. 

Tomorrow: Solution Explanation

Written on 31.05.22 by Sebastian Roth

Hi,

As a reminder: Tomorrow, the lecture will not be a content lecture but a solutions explanation, where I will present you our solutions for the first nine jeopardy challenges. If time permits, we will also discuss some screecher challenges.

Given that I just came back from a business trip on a fully booked flight, we will make this session fully virtual such that everybody stays safe.

See you in Zoom tomorrow,
Sebastian

Online-Only Q/A Session next week

Written on 20.05.22 by Ben Stock

Next week, I will be traveling and Jannis will do the live meeting. Since he is also not in Saarbrücken, the lecture will be fully remote through Zoom. We'll be back live on June 1st with the solutions to the first batch of exercises. Note that all Jeopardies which have been released to date are due by June 1.

Talk by Stefano Calzavara from University of Venice on Web Security

Written on 16.05.22 (last change on 16.05.22) by Ben Stock

Hi all,

I have a colleague from Italy visiting us this week. He'll give a talk on improving the science of Web Security on Thursday, May 19, 14:30. This will be a hybrid event, split between the CISPA lecture hall and Zoom. Please see below for details.

https://cispa-de.zoom.us/j/94023681911?pwd=bUgrTlJaR0tFSDlnTi9IMDZzVXNWdz09

Title: Towards improving the science of web security

Abstract: Though useful, many web security papers (including mine!) do not satisfy traditional criteria of the scientific method. In this talk, I will provide a personal perspective on how the science of web security could be improved, by discussing recent work which (partially) tackled this issue. The talk will focus in particular on reproducibility and the importance of definitions for web security research.

Bio: Stefano Calzavara is an associate professor in Computer Science at Università Ca’ Foscari Venezia, Italy. Stefano’s research focuses on formal methods, computer security and their intersection, with a strong emphasis on web security. He has published ~50 papers on these topics at widely recognized international conferences and journals. He is pleased to regularly serve in the PC of a number of scientific events, including flagship conferences like ACM CCS, USENIX Security and TheWebConf (WWW). Stefano chaired the first three editions of the SecWeb workshop and is serving as the program chair of CSF 2022 and 2023.

Hope to see you there (in person or remote).

Clarification for exercises

Written on 11.05.22 by Ben Stock

Hi all,

If you plan to use a Middleware for the CSP task, this middleware *must* be screecher.middleware.CSPMiddleware. This means you have to add a class to the middleware file already in place (which also contains the MigrationsMiddleware as an example). Otherwise our checkers will not like you :-)
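As an added illustration (not the course's or the screecher project's own code) of what a middleware class with that name can look like: it follows Django's new-style middleware contract (a class constructed with `get_response` and called per request), generates a per-request nonce, and sets a nonce-based Content-Security-Policy header. The `FakeRequest`/`FakeResponse` stand-ins and the `demo` function are constructed for the example so it runs without Django installed.

```python
import secrets


class CSPMiddleware:
    """Attach a nonce-based Content-Security-Policy header to every response.

    Assumption: in a real deployment this class lives in screecher/middleware.py
    so that settings.MIDDLEWARE can list "screecher.middleware.CSPMiddleware".
    """

    def __init__(self, get_response):
        self.get_response = get_response

    @staticmethod
    def build_policy(nonce):
        # Only scripts carrying this request's nonce may run; inline scripts
        # injected by an attacker have no nonce and are blocked. 'strict-dynamic'
        # lets a nonced script load further scripts it trusts; object-src 'none'
        # and base-uri 'self' close the plugin and <base>-hijacking bypasses.
        return (
            f"default-src 'self'; "
            f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'self'"
        )

    def __call__(self, request):
        # Fresh, unpredictable nonce per request; templates read
        # request.csp_nonce to emit <script nonce="..."> tags.
        request.csp_nonce = secrets.token_urlsafe(16)
        response = self.get_response(request)
        # Django responses support header assignment by item access.
        response["Content-Security-Policy"] = self.build_policy(request.csp_nonce)
        return response


# Constructed stand-ins for Django's HttpRequest/HttpResponse (not Django's classes).
class FakeRequest:
    pass


class FakeResponse(dict):
    def __init__(self, body):
        super().__init__()
        self.body = body


def demo():
    """Run one request through the middleware; return (nonce, CSP header, body)."""
    def view(request):
        # A view/template that emits a script tagged with the request's nonce.
        return FakeResponse(f'<script nonce="{request.csp_nonce}">init()</script>')

    request = FakeRequest()
    response = CSPMiddleware(view)(request)
    return request.csp_nonce, response["Content-Security-Policy"], response.body
```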

Timing change for exam preparation lecture

Written on 08.05.22 by Ben Stock

Due to travel constraints, I have to move up the final lecture into the slot before. That is, the exam preparation lecture will happen on July 20, 10:15 - 11:45. As usual, everything will be streamed and recorded. 

Technical Issues Solved!

Written on 20.04.22 by Sebastian Roth

Hi, 

First of all, sorry for the technical issues during today's lecture.

In order to lower the number of disconnects during the lecture, we asked the CISPA IT to provide a more stable connection in the lecture hall such that we do not rely on eduroam anymore.
So hopefully, we will not face any disconnects in the next lecture.

Regarding the technical issues of the Gameserver and the Infrastructure: 
We have found (and fixed) the issues. So everything should work now.
Notably, we needed to generate new Basic Auth credentials, Leak secrets, as well as new SSH keys. 
Thus, you need to re-download those because the old keys are not working anymore. Sorry for that inconvenience.

We have already uploaded the InfrastructureHowTo slides to the CMS. However, the recording(s) need to be put together due to the disconnects and will be online soon (latest tomorrow).

In case you still face technical issues, do not hesitate to write me on Mattermost (or via Email). 

Sorry again for the issues, kind regards,
Sebastian

Lecture format for week 1

Written on 05.04.22 by Ben Stock

Welcome to the Foundations of Web Security lecture for summer 2022! Our first lecture will happen on Wednesday, April 13, starting at 12 c.t.. Note that while we plan to have as much in-person experience as possible, the first lecture will only be held online. Further, all lectures, even if in-person,… Read more

Welcome to the Foundations of Web Security lecture for summer 2022! Our first lecture will happen on Wednesday, April 13, starting at 12 c.t. Note that while we plan to have as much in-person experience as possible, the first lecture will only be held online. Further, all lectures, even if in-person, will be offered in a hybrid format, i.e., will be streamed through Zoom as well. For the details of how to access the Zoom call, see the respective section in the information section.

We will provide more updates regarding in-person lectures. Note that for the foreseeable future, CISPA will mandate masks be worn in our building. Hence, even if UdS does not require masks, they will be required when you attend the in-person lecture in the CISPA building.
