News

Wrap up

Written on 02.08.21 by Cristian-Alexandru Staicu

Thank you all for your participation. We hope that by attending this proseminar you learned quite a bit about giving a good scientific presentation, and about (our) ongoing research in web security. The grades should be registered in LSF by now, so please double-check that that is indeed the case. Let us know if you have any ideas on how to improve this proseminar or questions about the grade. Good luck with your studies and we hope to see you around!

Invited Talk in our Web Sec Lecture Series

Written on 10.06.21 by Ben Stock

Hi all,

in our CISPA Web Sec lecture series, we have a speaker today who might be interesting for some of you. Feel free to join the Zoom call, info below.

When: Thursday June 10, 10:00 AM

Zoom link: https://cispa-de.zoom.us/j/96775779464?pwd=WFQ1aW9Xb2c1OHMybWlEUDIralN5QT09

Speaker: Stefano Calzavara

Title: May I take your subdomain? Exploring same-site attacks on the modern Web


Abstract: Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention by the research community. In this talk we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications.

Short Bio: Stefano Calzavara is a tenure-track assistant professor at Università Ca' Foscari Venezia. His research focuses on formal methods, computer security and their intersection, with a particular emphasis on web security. Stefano is also happy to serve as the co-leader of the Italian chapter of the Open Web Application Security Project (OWASP).

Topic Assignment and Schedule Change

Written on 16.04.21 (last change on 16.04.21) by Cristian-Alexandru Staicu

Please find the topic assignment table here: https://cms.cispa.saarland/psadweb/3/Topic_assignment. As discussed in the kickoff meeting, for each topic we have three students assigned: one for presenting the topic and two for asking questions. Also, we decided to drop one topic and skip the first session, so that the first presenters have more time to prepare. See you all on the 5th of May!

Welcome to SADWeb

Written on 13.04.21 by Ben Stock

Welcome to the proseminar! We'll have the first meeting on April 14th at 2pm (sharp!). Please see the Zoom Access page, which is accessible once you are logged in via the CMS.

(p)SADWeb: (Pro)Seminar on Attacks & Defense on the Web
Registration: to register for the proseminar, you have to use the central seminar system of the CS department.
(P)SADWeb gives students an overview of recent papers in the broader area of Web security. Since the primary purpose of a proseminar is to familiarize yourself with a topic and to learn presentation skills, the seminar will feature two presentations from each student.

In the first half of the semester, two topics will be presented each week. After each presentation, the fellow students and lecturers will give feedback on how to improve the presentation. This feedback must then be taken into account in the second half of the semester, where each student gives their second presentation. To keep things interesting for the audience, this second paper will be a different one from the paper presented first.

The first presentation counts for 30% of the overall grade, the second presentation for 70%. Attendance at the proseminar meetings is mandatory. At most one session may be skipped; beyond that, you need to bring a doctor's note to excuse your absence. In addition, submitting feedback on each talk is mandatory; feedback may be missing for at most the talks of one date (which naturally happens if you skip one session).

To ensure that the presentations are of high quality, you have to schedule a meeting with the topic advisor one week before your first presentation to discuss the slides. For the second presentation, this meeting is optional, but if the student wants one, it must take place a week before the presentation.

Important: the proseminar takes place at a fixed time, Wednesdays 2-4pm. If you have conflicting courses, please do not bid on the proseminar. The kickoff will be on April 14. The first presentations will start on April 28.

Tentative timeline

  • 14.4.2021: Kickoff
  • 28.4.2021: No meeting
  • 5.5.2021: Phishing, Fingerprinting
  • 12.5.2021: Availability, Supply Chain Attacks
  • 19.5.2021: Client-Side XSS, CSP
  • 26.5.2021: [starting at 2:30pm] Mobile Web Apps
  • 2.6.2021: Service Workers, WebAssembly
  • 9.6.2021: ML for Web, XSLeaks
  • 16.6.2021: Phishing, Fingerprinting
  • 23.6.2021: Availability, Supply Chain Attacks
  • 30.6.2021: Client-Side XSS, CSP
  • 7.7.2021: Service Workers
  • 14.7.2021: Mobile Web Apps, WebAssembly
  • 21.7.2021: ML for Web, XSLeaks

Topics & Papers

  1. Phishing (Giada Martina Stivala)
  2. Fingerprinting (Cris Staicu)
  3. Availability (Cris Staicu)
  4. Supply Chain Attacks (Cris Staicu)
  5. Client-Side XSS (Marius Steffens / Ben Stock)
  6. Content Security Policy (Sebastian Roth / Ben Stock)
  7. Inconsistencies (Ben Stock)
    • Reining in the Web’s Inconsistencies with Site Policy [NDSS 2021]
    • A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web [USENIX 2020]
  8. Service Workers (Francis Somé)
  9. Browser Extensions (Aurore Fass)
  10. Mobile Web Apps (Cris Staicu)
  11. WebAssembly (Cris Staicu)
  12. ML for Web (Cris Staicu)
  13. XSLeaks (Cris Staicu)