News
15.05.2023
|
Clarification: lecture datesDue to a small bug, the course's main page noted that there would be no lecture on May 17 (it technically specified May 17 would be both a lecture and no lecture). Just to avoid misunderstandings: we will have a regular meeting on May 17, but no meeting on May 24. |
13.05.2023
|
Small bug in CSP PlaygroundDue to a small bug in our logic, the base.html requires a change also for playground to work. Please make sure you update that accordingly (as we did in the live demo) before asking our crawler to check your instance. |
02.05.2023
|
Lecture on May 3 - Start timeHi all, due to an important meeting within CISPA, the lecture hall will be inaccessible until approx 10:10am tomorrow. Please make sure that you do not arrive too early, since you will be unable to enter. See you tomorrow! |
17.04.2023
|
PyCharm and Reminder for GitlabFor our course, we will exclusively support PyCharm for the tasks. History has shown that random deployments of Linux subsystems, zsh, and the latest version of Arch Linux lead to situations where students are stuck for all the wrong reasons :-) Therefore, our... Read more For our course, we will exclusively support PyCharm for the tasks. History has shown that random deployments of Linux subsystems, zsh, and the latest version of Arch Linux lead to situations where students are stuck for all the wrong reasons :-) Therefore, our infrastructure introduction will explain the next steps of your development life as part of the Screecher team within PyCharm. For this to work, we ask two things if possible: install PyCharm Professional. You can get a free license from JetBrains as long as you are a student (i.e., have an email address from a recognized university, see https://www.jetbrains.com/community/education/#students). Also, while I usually appreciate your undivided attention during the Q/A sessions, feel free to bring your laptop and follow along with what we'll be showing you. Also note that you must login to the Gitlab once until Wednesday's lecture. Otherwise, you might not get a VM set up for you and will therefore be unable to participate in the exercises (and, thus, the exam). We will be removing students who do not actively participate in the exercises from the course. All other relevant information about the exercises will be shared on Wednesday (including the release of the first task). As a reminder: the lecture recording might take some time to become available, please attend live if you can. |
12.04.2023
|
Mattermost Sign Up BugHi all, unfortunately, there was a small bug in copy/pasting the link for the Mattermost invite. If you already joined, you are now in the 2022 edition of FoWS. Please use https://cms-mattermost.cispa.de/signup_user_complete/?id=ropxbfnzzb8atp7bcaiybdtbae instead... Read more Hi all, unfortunately, there was a small bug in copy/pasting the link for the Mattermost invite. If you already joined, you are now in the 2022 edition of FoWS. Please use https://cms-mattermost.cispa.de/signup_user_complete/?id=ropxbfnzzb8atp7bcaiybdtbae instead to join the 2023 edition. Also, the recording is now available. Thanks :) |
11.04.2023
|
First lecture and registration snafuHi all, we meet tomorrow at 10:15 in CISPA's lecture hall for the first lecture. Note that the lecture will not be streamed live and uploads of the videos may be delayed. Also, I realized only today that there was a misconfiguration in the self-assessment... Read more Hi all, we meet tomorrow at 10:15 in CISPA's lecture hall for the first lecture. Note that the lecture will not be streamed live and uploads of the videos may be delayed. Also, I realized only today that there was a misconfiguration in the self-assessment tool, which incorrectly told students that the lecture was full. If you know anyone who is still interested in attending the lecture, feel free to let them know that there are still slots available and that the self-assessment tool has been fixed. See you tomorrow! |
Foundations of Web Security
Note that this lecture will not be offered as a hybrid course at Saarland University.
Please read the entire course description carefully before using the self-assessment tool to register for the course.
Requirements, expectations, and registration
While the name might be giving away a different idea, this lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you. To self-assess whether this is the right course for you, please visit https://self-assessment.websec.saarland/ to guide you through the process. Note that you can only register through a token handed out in that tool (which you'll get irrespective of the amount of points you score on the self-assessment test).
Due to hardware limitations, this course can only accommodate up to 80 students. Students will be admitted on a first-come first-served basis. You should not take this course for easy credit points as it will be a significant effort. Previous students have liked the course, but noted the workload above an average course. See also the evaluation results for SS2018, SS2019, WS2019, WS2020, SS2021, and SS2022 about this.
Teaching plan for summer 2023
After positive feedback from students, the lecture will be taught as an inverted classroom. We will release videos of the lectures each week and have a meeting one week after that. These session will be a combination of quizzes, a chance for you to ask questions, and live coding tasks to help deepen your understanding of the topics and prepare you for the exercises. Further, we will use a Mattermost instance to allow for easy communication between students and teaching staff.
Schedule (Lecture slot: Wednesday 10-12)
- 12.4.2023: Organizational matters and History of the Web (live lecture)
- 19.4.2023: Introduction to Django&PyCharm / Release of Video 2 (Basic Client-Side Technology)
- 26.4.2023: Q/A session for Basic Client-Side Technology / Release of Video 3 (Cross-Site Scripting)
- 3.5.2023 Q/A session for Cross-Site Scripting / Release of Video 4 (Content Security Policy)
- 10.5.2023: Q/A session for Content Security Policy / Release of Video 5 (Cross-Origin Communication)
- 17.5.2023: Q/A session for Cross-Origin Communication / Release of Video 6 (Cross-Origin Attacks)
- 24.5.2023: No Lecture
- 31.5.2023: Q/A session for Cross-Origin Attacks / Release of Video 7 (Database Insecurity)
- 7.6.2023: Q/A session for Database Insecurity / Release of Video 8 (Code Execution)
- 14.6.2023: Q/A session for Code Execution / Release of Video 9 (Assorted Server-Side Issues)
- 21.6.2023: Q/A session for Assorted Server-Side Issues / Release of Video 10 (Infrastructure Security)
- 28.6.2023: Q/A session for Infrastructure Security
- 5.7.2023: Current research & Beyond the classical models (live lecture)
- 12.7.2023: Presentation of jeopardy challenge solutions
- 19.7.2023: Exam preparation
Exams
- Main exam: 24.7. 9:30 - 11:30 (GHH)
- Backup exam: 17.10. 10:00 - 12:00 (HS 002)
Exercises
In this term, in order to qualify for the exam, you have to mandatorily do exercises. In particular, there are two types of exercises.
- Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge. In total, this roughly sums up to 15 offensive points and 17 defensive points.
- Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate to other programming languages exclusively (like PHP), we also have challenges which are attack-only. For those, you have exploit to bugs in our services. In total, we plan to have around 20-22 jeopardy challenges.
Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. In total, each of the three categories gives you the same amount of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx. 60% of all points. More details on how to work on the exercises and submit flags will be provided in the introductory session about our infrastructure.