Recent Topics in Web Security Ben Stock

News

19.08.2022

Grades and notes visible

Hi all,

I have added the grades and explanations for them into the CMS. You can see both in the "Personal Status" page. Note that I did not include all my notes, but mostly left info about the length of the presentation and if questions were handled well. 

I'll upload the grades also to the LSF now.

04.08.2022

Room change

Hi all,

tomorrow we will meet in the lecture hall (0.05). This means only HDMI and DP (or USB-C) works.

See you there!

15.07.2022

Final meeting

For our final meeting, I wanted to clarify some aspects.

  • There is no mandatory practice talk. If you want to do it, please let me know by the end of next week so I can find a slot in my schedule.
  • You are required to submit questions for the paper if you are assigned to the topic. I added the submission accordingly (Deadline August 4, 23:59)
  • The plan is to start at 13:30 and finish by 18:00. The order will be the same as the original talks. For the exact timeline (2h + 30 min break + 2h or 1.5h + 15 min break + 1.5h + 15 min break + 1h), we can discuss on the day.

Looking forward to the final presentations!

04.07.2022

LSF registration - urgent

I noted that only three students had signed up for the proseminar in the LSF. I have asked the Studienbüro to re-open it. Please register for the proseminar *RIGHT AWAY*, otherwise you will not be able to get credits.

25.06.2022

Feedback for the talks

I have only received five submissions for the presentation about deployment of CSP and four for Service Workers and Inconsistencies. Note that you have to submit feedback for all talks except your own (i.e., even if you present in the meeting, you still have to provide feedback for the other talks!). I have re-opened the submissions until Monday 23:59. Make sure to submit the feedback by that time.

03.06.2022

Feedback for today's talk

Thanks all for attending today's session. Please upload your feedback for the talk through the CMS, I just opened the submission for it.

30.05.2022

Uploading questions

I have added submission items for the meetings. You only need to upload questions for the topics you are assigned to. If you have two topics for one meeting, just upload a ZIP file. I prefer if you can put your questions into a .txt file (possibly two inside the zipped archive), since that allows me to easily copy them together.

16.05.2022

Talk by Stefano Calzavara from University of Venice on Web Security

Hi all,

I have a colleague from Italy visiting us this week. He'll give a talk on improving the science of Web Security on Thursday, May 19, 14:30. This will be a hybrid event, split between the CISPA lecture hall and Zoom. Please see below for details.

https://cispa-de.zoom.us/j/94023681911?pwd=bUgrTlJaR0tFSDlnTi9IMDZzVXNWdz09

Title: Towards improving the science of web security

Abstract: Though useful, many web security papers (including mine!) do not satisfy traditional criteria of the scientific method. In this talk, I will provide a personal perspective on how the science of web security could be improved, by discussing recent work which (partially) tackled this issue. The talk will focus in particular on reproducibility and the importance of definitions for web security research.

Bio: Stefano Calzavara is an associate professor in Computer Science at Università Ca’ Foscari Venezia, Italy. Stefano’s research focuses on formal methods, computer security and their intersection, with a strong emphasis on web security. He has published ~50 papers on these topics at widely recognized international conferences and journals. He is pleased to regularly serve in the PC of a number of scientific events, including flagship conferences like ACM CCS, USENIX Security and TheWebConf (WWW). Stefano chaired the first three editions of the SecWeb workshop and is serving as the program chair of CSF 2022 and 2023.

Hope to see you there (in person or remote)

08.05.2022

Final presentation slot

I was made aware that Nebenläufige Programmierung added the exam slot on August 8 after I had checked for collisions. Given travel constraints on my end, I cannot do it on any other day of that week. Hence, the only alternative is to move it to Friday, August 5. 

Could you please let me know if any of you still need to attend the MfI 2 exam? I would then schedule the final session after that (13 - 17:30). If there is no constraint about that exam, I'd prefer we start at 10:00, take one hour break between 12:00 and 13:00, and finish at 15:00.

07.05.2022

Topics assigned / slot on May 20 skipped

Hi all,

since I received yet another last-minute drop request, we will skip the first meeting on May 20 to give more time to the first presenters. Given the preferences, this also means we skip the first two topics and stick to the remaining original timeline. Given these constraints added after the fact, I had to assign two topics for Q/A without the explicit bid from the respective students. I tried to pick areas that are close to the ones those students selected, though.

Please find your topic assignments here: https://cms.cispa.saarland/retows/2/Topic_assignment. Note that Q/A 1 and Q/A 2 do not mean that you have to only ask questions for the first or second iteration of presentations ;-)

06.05.2022

Kickoff slides and next steps

I have uploaded the slides from today's meeting. Looking forward to your topic preferences until 23:59 today.

04.05.2022

Kickoff on Friday

Hi folks,

Hi folks,

I'm looking forward to the kickoff on Friday. Since the timeline is quite tight around the first talks, please go ahead and get a feeling for the papers listed on the main page and try to identify four areas you'd be interested in either presenting or stating questions for. I'll try to do the assignment of topics as early as possible then. 

We will meet in CISPA's 0.02 (when you enter the building, just turn right). In the building, there is a mask mandate, but the room itself offers sufficient distance to take it off when seated.

See you Friday at 10:15!

Registration for the proseminar is not possible directly. Please use the CS department assignment system to register your interest.

Recent Topics in Web Security

Unless absolutely necessary due to Covid, this proseminar will be held in person and you must attend in person. There is no option for a hybrid course. Our seminar room at the CISPA building enables us to host 10 students with proper distancing of 1.5m. 

This course is about the discussion and presentation of recent topics in Web Security. Each student will be assigned one topic to present and two additional topics for discussion. For the presentation topic, each student will have two presentations: one during the semester and one in a full-day session in the semester break. For each topic, there will be two papers (one to be presented during the semester, the other in the break). Each student will also be assigned two topics for discussion: this implies that the student reads the paper to be presented and needs to prepare three questions to be discussed with the presenter. Furthermore, after each presentation, all students provide feedback to the presenter on what to improve in the presentation. Attendance during the presentations and feedback after is mandatory. Failing to join the proseminar without a sick note may be grounds for flunking the course. 

Due to personal constraints, the timeline starts somewhat later than other proseminars. The planned agenda is as follows (see below for the order of topics):

  • Friday, May 6, 10-12, Kickoff&Topic Assignment
  • Friday, May 20, 10-12, Presentations 1&2
  • Friday, June 3, 10-12, Presentations 3&4
  • Friday, June 24, 10-12, Presentations 5&6 (one week delay because of "Brückentag" the week before)
  • Friday, July 1, 10-12, Presentations 7&8
  • Friday, July 15, 10-12, Presentations 9&10
  • Monday, August 8, 10-12; 13-15; 15:30-16:30, Final presentations

Each student must make an appointment for a practice talk at least one week before their presentation. Each presentation is meant to last 20 minutes with 10 minutes of Q/A after. 

Presentation topics

  1. Client-Side Cross-Site Scripting: 25 Million Flows Later - Large-scale Detection of DOM-based XSS; Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites
  2. Cross-Origin Attacks: PMForce: Systematically Analyzing postMessage Handlers at Scale; Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web
  3. Technical Challenges of Content Security Policy: CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy; Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI
  4. Deployment Struggles of Content Security Policy: Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies; 12 Angry Developers - A Qualitative Study of Developers' Struggles with CSP
  5. Security Inconsistencies: Uncovering HTTP Header Inconsistencies and the Impact on Desktop/Mobile Websites; The Security Lottery: Measuring Client-Side Web Security Inconsistencies
  6. Security of Service Workers: Pride and Prejudice in Progressive Web Apps: Abusing Native App-like Features in Web Applications; Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage
  7. Fingerprinting through Browser Extensions: Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets; Unleash the Simulacrum: Shifting Browser Realities for Robust Extension-Fingerprinting Prevention
  8. Server-Side (In)security: FUSE: Finding File Upload Bugs via Penetration Testing; Saphire: Sandboxing PHP Applications with Tailored System Call Allowlists
  9. (Un)usability of HTTPS: "I have no idea what I'm doing" - On the Usability of Deploying HTTPS; The web's identity crisis: understanding the effectiveness of website identity indicators
  10. Web Cache Deception: Cached and Confused: Web Cache Deception in the Wild; Web Cache Deception Escalates!

Grading

Grading for this course is based on the presentations and quality of the questions. The final grade is decided by the grade for the first presentation (30%), the grade for the final presentation (50%) and the questions (20%). Note that failing to present or to submit questions (without a doctor's note) implies flunking the proseminar.