Web Security

We want to offer a special Re-Exam preparation tutorial.
In this tutorial, we will address topics from the main exam which have low average points as well as frequent flaws.
To find a suitable timeslot as well as getting an approximation for the demand, please fill out the following Doodle.
https://doodle.com/poll/c4dw7hdxagppr6mc
If there are any topics that you would like to be explained in detail during the tutorial please write them in the associated thread in the Askbot (https://cms.cispa.saarland/askbot/websec18/question/287/topics-for-the-re-exam-preparation-tutorial/) or upvote them if they are already present.

The exam results are now visible in the CMS. You can find the exact points for each of the tasks as well as the grade table there. The inspection will be on Friday, 9-11, most likely (and unless your hear otherwise) in CISPA's room 0.07 (meeting room next to the foyer). 

If you cannot make it due to another exam, please write me an email such that we can arrange a separate slot.

Good night (*yawn*)!

Hi all,

just in time there now is HDD issue with our VM host, which needs to be fixed by the CISPA admins. I hope this will be fixed on Monday, but to avoid any additional integrity damage, I have taken offline the VMs and gitlab for now. Since you should all have your own git repositories locally, I hope this does not interfere with your exam preparation

Sadly, just a couple hours to late, the evaluation results have arrived. They are available at https://cms.cispa.saarland/websec18/dl/39/Evaluation_results.pdf

First of all, thanks for the positive feedback. It seems like many of you enjoyed the course as much as I did. Thank you also for suggested improvements. I want to address a couple of them here:

• As for the exercise bugs, these were related to us developing screecher alongside the lecture, which is kind of fixed "by design" for the next iteration.
• The assignment of teams is a known issue: scaling things up to 60 VMs seems infeasible (also for grading reasons), and reducing the course to 30 people would have left half of you not attending the lecture :) More tutors are not really an option, as we get no funding from the university for advanced lectures.
• I doubt that there will be a script, but we can add comments about related books.

Thanks again for those items. We will try to incorporate the feedback in the next iteration!

The grading for sheet 9 is online since last night. As in the previous weeks, please approach me if you have questions regarding the grading/feedback.

For sheet 10, please note that you naturally have another key than we do for the CRIME attack. Hence, just giving you key from the config is pointless. Also, if you run into trouble with the attack, try to make sure that you add more redundancy to your message to best leverage the compression oracle.

Last, but not least, regarding the Q&A lecture: as this requires a bit of preparation, make sure that all your desired topics and votes are in the Askbot before Tuesday, 8am. After that, I will feel free to ignore any additional questions coming in, to make sure that those questions asked early are being addressed properly in the lecture.

The grading for exercise #7 is now stored. If you have questions, please direct them to me and not Sebastian.

For sheet 8, please note that your solution must still work with our checkers which use python requests. We have had some issues related to encodings of cookies - so please make sure that your fix not only works for Chrome, but that our checker is satisfied :) 

I have finished the grading for sheet 5 and the results are in the CMS. If you have questions about your points, please direct them to me and not Sebastian.

Moreover, next week is the evaluation week for all courses. I will distribute the evaluation sheets in the middle of the lecture - this way you get a break and have fun evaluating :-) If possible, please think of things you want to improve in advance, such that you already have those things in mind when you come in.

Since not all of you attended the tutorial today, let me fill you in on a couple of things:

• The gameserver only checks one specific exploit. Just because this does not work anymore does not mean that your fix was correct, only that our one exploit stopped working. Please double check your code to see that the flaw is actually gone (e.g., by attacking it with your own exploit).
• We have deducted points from answers that are not brief. We don't this out of spite, but rather to give you feedback that an answer was too long. We do this now where it does not hurt too much, rather than having you answer only half the questions in the exam in a verbose manner, not allowing you to have time for any other tasks.
• Starting from sheet #4, you'll get brief feedback on why we deducted points via CMS. If you still feel the need to discuss any specifics with Sebastian, today's slides show his office hours.

Last but not least: there will be no lecture next week. This is why this week's sheet has 60 points and is due on May, 30th.

Since I saw this with some of the already submitted exercises: please read the instructions carefully! You must provide the hash of the commit you want us to consider for the fixed version as well as the exploits. Also, create a merge request in Gitlab for your changes once you are done. 

If the commit hash is missing from the uploaded PDF, we will not consider any code in the Git repository. Please make sure that you understand all instructions on the sheet. If not, please state your questions on Askbot for us to answer (and all others to see).

I have uploaded a new version of the lecture slides, which fixes a couple of typos.

Also, if you have questions about how to use Git or the workflow, please state them in the Askbot. Many things can likely be answered by your fellow students. Since this question already came up: you cannot push changes to the master branch. This is so that when submitting your solution, you can create a merge request, which we can use for grading. Please branch before changing anything (if you have questions about this, ask them in the Askbot or on Friday).

For the exercises, we will use Git, specifically Gitlab to a) deploy new tasks to your VMs and b) have you submit your solutions (fixes and attacks) as pull requests. Please go ahead and register yourself in https://gitlab.websec.saarland. For now, you will not be able to access any groups or create projects. Please use the email address you use for CMS and provide your real name when registering.

As I feared, the snafus in the media controls also resulted in the lecture not being recorded. We'll try again in two weeks.

More importantly: please find your team partners until April, 25th and mail your team info to Sebastian. Whoever does not name their team or at least indicate that they want to participate but have not found a team mate yet will not be able to take part in the practical exercises (i.e., will not reach the required points for admission to the exam).