News
Reminder: Backup exam registrationWritten on 01.10.24 by Ben Stock As a reminder, our backup exam is next Wednesday, therefore the deadline to register (through LSF or CMS, if you cannot register on LSF) is tomorrow, 23:59. Anyone not registered in time will be unable to take the exam. |
Extended exam inspectionWritten on 01.08.24 by Ben Stock Given the overlap with data networks (which should not be an overlap if the exam is just two hours), we have extended the inspection time. I will be around until 12:45 (probably moving to 0.02 at 12). You may still come and take a look if you arrive by 12:15. After that, the alternative will be to… Read more Given the overlap with data networks (which should not be an overlap if the exam is just two hours), we have extended the inspection time. I will be around until 12:45 (probably moving to 0.02 at 12). You may still come and take a look if you arrive by 12:15. After that, the alternative will be to inspect it no earlier than August 26 (exact date TBD). |
Exam and inspectionWritten on 29.07.24 by Ben Stock Dear all, a reminder for those students at UdS that we will have the exam on Wednesday at GHH. Please arrive by 9:50 at the latest. The inspection will take place on Friday, August 2, 10-12 in CISPA's meeting room 0.07 (right opposite to the main entrance). We will only allow you to enter until… Read more Dear all, a reminder for those students at UdS that we will have the exam on Wednesday at GHH. Please arrive by 9:50 at the latest. The inspection will take place on Friday, August 2, 10-12 in CISPA's meeting room 0.07 (right opposite to the main entrance). We will only allow you to enter until 11:30, such that we can surely finish on time. |
Exam prep lecture - topicsWritten on 16.07.24 by Ben Stock Please state which topics you would like to see discuss through https://cms.cispa.saarland/askbot/fows24/question/2/topics-for-the-exam-preparation-lecture/ until Tuesday, July 23, 9am. |
Exam prep lecture (24.7.) - moved in time and roomWritten on 15.07.24 by Ben Stock Dear all, due to a summer school at CISPA, we cannot hold our lecture in the regular room on July 24. To add insult to injury, no rooms were available in our slot either on campus. Therefore, our final lecture will be starting at 8:30 in HS001 in E1 3.
|
ENOWARS CTF on July 20Written on 11.07.24 by Ben Stock Dear all, if you enjoyed the challenges thus far, you have been inadvertently exposed to playing CTFs (both Jeopardy and Attack/Defence!). If you want to see how much you have learned already, you are invited to join the CTF team saarsec for playing ENOWARS (https://8.enowars.com/) on July 20th. We… Read more Dear all, if you enjoyed the challenges thus far, you have been inadvertently exposed to playing CTFs (both Jeopardy and Attack/Defence!). If you want to see how much you have learned already, you are invited to join the CTF team saarsec for playing ENOWARS (https://8.enowars.com/) on July 20th. We will meet in Kaiserstraße 21 in St. Ingbert (CISPA's D1 location). The CTF starts at 2pm, but please make sure to be there around 1pm at the latest. Bring your laptop, as you will have much more fun if you get your hands dirty there. If you want to join or have questions, please reach out to me on Mattermost (so I know how many of you to expect). Cheers Ben |
*TWO* Topics to be covered this weekWritten on 24.06.24 by Ben Stock Hi folks, apologies for not letting you know earlier (it admittedly slipped my mind): this week we will be talking about code execution and assorted server-side issues. Both sets of slides were already available, I just forgot to mention this last week. Since I will be travelling in the week of… Read more Hi folks, apologies for not letting you know earlier (it admittedly slipped my mind): this week we will be talking about code execution and assorted server-side issues. Both sets of slides were already available, I just forgot to mention this last week. Since I will be travelling in the week of July 10, we will have to skip that lecture. See you Wednesday :-) |
EvaluationWritten on 14.06.24 (last change on 14.06.24) by Ben Stock Hi all, please take a few minutes to evaluate the lecture through https://qualis.uni-saarland.de/eva/?l=150329&p=ryve1d If you have additional comments which we can still address this year, feel free to reach out to us through Mattermost or the anonymous feedback feature on CMS.
Hi all, please take a few minutes to evaluate the lecture through https://qualis.uni-saarland.de/eva/?l=150329&p=ryve1d If you have additional comments which we can still address this year, feel free to reach out to us through Mattermost or the anonymous feedback feature on CMS.
Now with the correct link, see above |
Reminder: turn off protection mechanisms when doing the exercisesWritten on 10.06.24 by Ben Stock Since this has come up specifically for the statistics task: you have to turn off protections for all our tasks (i.e., no intelligent tracking prevention, Brave Shields, adblockers, etc.). If you want to be on the safe side, use a current Chrome in a separate profile - this is precisely what our crawlers use. |
AskbotWritten on 10.05.24 by Ben Stock We received some feedback which suggested activating the Askbot for more structured questions. We have now enabled it, but will not allow anonymous postings as it is then often hard to impossible for us to debug issues. Please also do not expect immediate answers or interactive discussions there, as… Read more We received some feedback which suggested activating the Askbot for more structured questions. We have now enabled it, but will not allow anonymous postings as it is then often hard to impossible for us to debug issues. Please also do not expect immediate answers or interactive discussions there, as we will keep those on Mattermost. Beyond that, please feel free to reach out to the team through a direct message if you have exercise-specific questions that you do not want to share with everyone in Town Square. |
Slight delay in lecture start on May 8Written on 07.05.24 by Ben Stock Due to some technicians coming in the morning, we will start 15 minutes later than usual (i.e. 10:30) in the Bernd Therre lecture hall. |
Slight adjustment of lecture scheduleWritten on 06.05.24 by Ben Stock Due to my attendance of EuroS&P in July, we will have to skip the slot on July 10. Since last year, the Q/A for §8 and §9 was rather short, I have decided to merge the two meetings and move up the schedule a bit for infrastructure. Please find the updated version in the CMS. We will also adjust the… Read more Due to my attendance of EuroS&P in July, we will have to skip the slot on July 10. Since last year, the Q/A for §8 and §9 was rather short, I have decided to merge the two meetings and move up the schedule a bit for infrastructure. Please find the updated version in the CMS. We will also adjust the schedule for exercises because of this, but will inform you early enough about the changes (note: you will have strictly more time than before). |
Video 2 online - meeting on May 8Written on 25.04.24 by Ben Stock Hi folks, thanks to a quick reminder on Mattermost (if you are not there, you should join soon ;)), I made the video for Lecture 2 available. The accompanying slides + Q/A slides are available in the Materials section. Please check into the questions we pose there as we want to discuss these in the… Read more Hi folks, thanks to a quick reminder on Mattermost (if you are not there, you should join soon ;)), I made the video for Lecture 2 available. The accompanying slides + Q/A slides are available in the Materials section. Please check into the questions we pose there as we want to discuss these in the next lecture slot. Note that due to the public holiday next week, the next lecture will be on May 8 10:15 in the Bernd Therre lecture hall in CISPA. |
Bring your laptopWritten on 24.04.24 by Ben Stock For today, feel free to bring and use your laptop to follow along the howto of our infrastructure. We will of course record everything, so don’t worry if you cannot follow along live. |
First lecture / unregistrationWritten on 15.04.24 by Ben Stock Dear all, we start our lectures this week on Wednesday at 10 am (c.t.) in CISPA's 0.05 lecture hall (when you enter the building, it's on your left behind the counter). Note that with the currently signed up students, it will be crowded, so please don't leave any spaces between each other. Also,… Read more Dear all, we start our lectures this week on Wednesday at 10 am (c.t.) in CISPA's 0.05 lecture hall (when you enter the building, it's on your left behind the counter). Note that with the currently signed up students, it will be crowded, so please don't leave any spaces between each other. Also, given that we have reached our capacity a while back, I closed the ability for other to register. I have received a number of requests to join, so should want to not attend the lecture after all, please use the option to unregister from the course. This may allow others to take the course. And while I have your attention here, let me remind you that this is not your average 6CP course and you will have to invest significant time and effort (but I promise, you will learn a lot). Note that we will be recording the Q/A sessions we do weekly, but uploading of those may be delayed. Therefore, I strongly encourage you to attend the weekly meetings. |
Foundations of Web Security
Note that this lecture will not be offered as a hybrid course at Saarland University.
Please read the entire course description carefully before using the self-assessment tool to register for the course.
Requirements, expectations, and registration
While the name might be giving away a different idea, this lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you. To self-assess whether this is the right course for you, please visit https://self-assessment.websec.saarland/ to guide you through the process. Note that you can only register through a token handed out in that tool (which you'll get irrespective of the amount of points you score on the self-assessment test).
Due to hardware limitations, this course can only accommodate up to 80 students. Students will be admitted on a first-come first-served basis. You should not take this course for easy credit points as it will be a significant effort. Previous students have liked the course, but noted the workload above an average course. See also the evaluation results for SS2018, SS2019, WS2019, WS2020, SS2021, SS2022 and SS2023 about this.
Teaching plan for summer 2024
After positive feedback from students, the lecture will be taught as an inverted classroom. We will release videos of the lectures each week and have a meeting one week after that. These session will be a combination of quizzes, a chance for you to ask questions, and live coding tasks to help deepen your understanding of the topics and prepare you for the exercises. Further, we will use a Mattermost instance to allow for easy communication between students and teaching staff.
Schedule (Lecture slot: Wednesday 10-12)
- 17.4.2024: Organizational matters and History of the Web (live lecture)
- 24.4.2024: Introduction to Django&PyCharm / Release of Video 2 (Basic Client-Side Technology)
- 1.5.2024: No lecture (public holiday)
- 8.5.2024: Q/A session for Basic Client-Side Technology / Release of Video 3 (Cross-Site Scripting)
- 15.5.2024 Q/A session for Cross-Site Scripting / Release of Video 4 (Content Security Policy)
- 22.5.2024: No lecture
- 29.5.2024: Q/A session for Content Security Policy / Release of Video 5 (Cross-Origin Communication)
- 5.6.2024: Q/A session for Cross-Origin Communication / Release of Video 6 (Cross-Origin Attacks)
- 12.6.2024: Q/A session for Cross-Origin Attacks / Release of Video 7 (Database Insecurity)
- 19.6.2024: Q/A session for Database Insecurity / Release of Video 8 (Code Execution) and Video 9 (Assorted Server-Side Issues)
- 26.6.2024: Q/A session for Code Execution and Assorted Server-Side Issues / Release of Video 10 (Infrastructure Security)
- 3.7.2024: Q/A session for Infrastructure Security
- 10.7.2024: No lecture
- 17.7.2024: Current research & Beyond the classical models (live lecture)
- 24.7.2024: Exam preparation (8-10am; HS001)
Exams
- Main exam: 31.7. 10-12 (GHH)
- Backup exam: 9.10. 10-12 (HS002)
Exercises
In this term, in order to qualify for the exam, you have to mandatorily do exercises. In particular, there are two types of exercises.
- Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge. In total, this roughly sums up to 15 offensive points and 17 defensive points.
- Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate to other programming languages exclusively (like PHP), we also have challenges which are attack-only. For those, you have exploit to bugs in our services. In total, we plan to have around 20-22 jeopardy challenges.
Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. In total, each of the three categories gives you the same amount of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx. 60% of all points. More details on how to work on the exercises and submit flags will be provided in the introductory session about our infrastructure.