Web Security Ben Stock

News

25.10.2019

Updates after exam inspection / clarification about POP

After the feedback from the students in the exam inspection, we have had another look at the task about server-side requests. Unfortunately, the lecture did not really discuss three names for attacks, but the sample solution contained those. We have thus decided that each correct description of an attack gives 2 points and not just 1 (for missing the name). Hence, a number of students now have more points there.

Also, regarding the POP task, I explicitly said this topic would not be covered in the exam. I only noticed the issue when looking at the graded exams. Hence, I decided that in order to get 100% of all points, you did not have to fill that task, i.e., 100% equaled 114 points. Accordingly, to pass, you needed 57 points. If you wrote an answer there, we nevertheless gave you points for correct answers.

Please see the CMS for the final results (which I will upload to LSF/HISPOS now).

23.10.2019

Exam Inspection Location Update 2.11

Since Ben is unavailable today, the exam inspection will take place in office 2.11.
Unfortunately, this office hosts at most 2 students. 

See you soon!

08.10.2019

Backup exam #2 results and exam inspection

Due to a great effort by Marius and Sebastian, the exams are already graded. Please find the results in the CMS.

Due to a great effort by Marius and Sebastian, the exams are already graded. Please find the results in the CMS.

As I am travelling both this and all of next week, the first date we can do for the inspection is October 23 from 9 to 11. Please note that the inspection will again happen in my office, which can at most hold three students at a time.

30.09.2019

Re-Re-exam registration

Please check in the LSF for your registration status. You have to be registered by 23:59 today to take the exam and also be unregistered if you don't want to take it. You cannot take the exam if you are not registered by 23:59 today (no exceptions).

28.09.2019

Exam inspection

The exam inspection for the first backup exam will take place on Monday, 30.10., from 10 to 12 in my office (2.09). Please note that we will not let anyone in after 11:30, as we want to be finished by 12.

18.09.2019

Exam results are online

Results are online. Please let me know if you want to take a look so I can arrange a slot.

16.09.2019

Location change for 1st backup exam

Given the small number of people taking the backup exam on Wednesday, it will not happen in HS0.02, but instead in CISPA's lecture hall.

07.08.2019

Access to VMs

You will have access to the Websec VMs which host Screecher up until the first backup exam (18.09.). After that we will shut down these VMs and you will solely have access to the Git. Similarly, we will shut down the Git after the second backup exam (07.10.).

27.07.2019

Sample solution inspection

The date for the sample solution viewing is now set for Tuesday, July 30, from 13:00 to 15:00, which should not collide with exams. The inspection will happen in my office 2.09 in CISPA, meaning at any given time, at most three students can take a look at the exam.

25.07.2019

Improving grades in backup exam

Yesterday in the inspection, there were several questions regarding improving one's grade in the backup exam. The Prüfungsordnung says explicitly that this must be announced at the beginning of the term. We did not announce this, hence by default, this means that the exam grade cannot be improved.

However, after lengthy discussions with both Prüfungsamt and Prüfungsausschuss, I have decided to allow improving grades in the backup exam. This is seemingly the practice for advanced lectures even in the absence of explicitly stating that the grade can be improved. I will also make sure that next year's lecture explicitly states if the grade can be improved.

Notably, though, just allowing this would create an unfairness towards those students who (knowing the examination rules) skipped the main exam to not pass with a bad grade, as just attending the backup exam would not give them the chance to improve the grade (which can only occur within the same semester). The solution is as follows: we will offer two additional exams. This way, any student who has skipped the main exam has one attempt to improve their grade, even if they pass the first backup exam. Further, any student who did not take the main exam can make an appointment with me to have a look at the main exam including solutions (essentially an exam inspection of the sample solution) within the next two weeks (until August 7). Any student who has passed the main exam can choose to join either one of the two exams. However, if you passed the exam this week and pass the first backup, you cannot take the second backup (the exam regulations specifically say you can attempt to improve once).

The date for the first of the two exams is set for September 18, 13-15 in HS 002. The second one will remain in the original slot for the backup exam, October 7, 14-16 in GHH.

TL;DR
- Two additional exams (September 18 and October 7)
- Students who passed this week can choose either to improve their grade
- Students who skipped this week can write the first exam and improve in the second

23.07.2019

Exam inspection

Thanks to all of you for reaching out to me about the inspection. I have therefore reserved room 0.07 in the CISPA building for Wednesday. The inspection is planned from 9 to 11, but we will not let anyone new in starting from 10:45 (such that we are done by 11).

22.07.2019

Exam results

... are online in the CMS. Please let me know if you plan to attend the exam inspection so I know what size room I need to reserve.

19.07.2019

Important note: server downtime

Due to a scheduled maintenance of our power grid tomorrow, we have to shut down all CISPA servers tonight. This includes the CMS and the server hosting the recordings. They will hopefully be back online at some point tomorrow. Please make sure you download all materials you need to study for the exam today.

19.07.2019

Evaluation results

Today I received the results of the evaluation; you can find them in the Materials section. First of all, thank you for your positive votes. Moreover, to all those who suggested improvements, another thank you for helping me to make the lecture better in the future. If you have further comments, feel free to drop them via email or the CMS.

Happy studying and see you Monday!

17.07.2019

Final slides

Unfortunately, the issues Sebastian faced with his computer were actually an issue with the media system in the lecture hall. Hence, there is no recording for today's Q&A lecture - but the slides are up :)

16.07.2019

Recordings

Due to the responsible admin being out for a bit, there was a delay in uploading the recordings. I have now uploaded all recordings we had (both lectures and tutorials), so please find them in the regular place.

15.07.2019

Updated slides for Lecture #7

For lecture 7, I updated the slides (specifically, slide 13) to better show how ALLOW-FROM works in browsers and fixed a bug in the final entry (was "ALLOW FROM" instead of "ALLOW-FROM").

09.07.2019

This week's tutorial will take place on Friday

Due to the supply line works right in front of CISPA, the water supply for the building will be interrupted on Thursday. Thus, we have to move this week's tutorial slot from Thursday to Friday 8-10.

We hope that you are able to join us on Friday. If you cannot attend, feel free to watch the recordings of the tutorial and/or ask your questions in the AskBot.

03.07.2019

Server downtime & Tutorial

We are experiencing a downtime of our WebSec server at the moment, the Gameserver, Gitlab, and all Screecher instances might be offline for a few hours. Sorry for that inconvenience.

Because there was no lecture and because the exercise sheet is running until next week, we will have no tutorial this week. If you encounter questions while solving the exercise sheet or if you have general questions regarding the lecture content, feel free to use the askbot or write an email to Sebastian and/or Marius.

01.07.2019

Registration for the exam

Please note that due to new regulations, everyone who is not registered within a week before the exam (meaning at latest July 14th) will not be able to take the exam. Please sign up in LSF/HISPOS if you can; from time to time, I will import the information into the CMS, so your status will be visible here as well. Should your study course not allow for that, you should be able to register yourself in the CMS.

Should that not work, drop me an email.

Note again that you will not be able to take the exam if you fail to register in time.

28.06.2019

Exercise Sheet 11 Exercise 1 Fix

Hi Folks,

The first exercise on the current exercise sheet was way harder to exploit than planned.
Thus, we have taken the following actions:
  - There is a fix pushed into the screecher repos that disables the same-site cookies
  - We have removed the mime-type detection for jpgs from your attacker domain
  - Your attacker folders are no longer protected via basic-auth
Sorry for that inconvenience.

19.06.2019

Exercise Sheet 10 is online

Hi all,

Exercise Sheet 10 is online! For those that already started working on the exercise sheet, there was a small problem regarding the version check, thus you might need to pull again to get the newest screecher version from the repository.

Due to the public holiday there will be no tutorial this week, but we will discuss the solutions for exercise 9 next week.

Have Fun!

12.06.2019

Better late than after..

The preliminary slides are online :-)

29.05.2019

Exercise Sheet 7

You can now find the newest exercise sheet in the CMS. As always: Have fun and see you next week!

29.05.2019

Lecture slides, tutorial, and slight delay in exercise sheets

Due to both Marius and myself being on a trip yesterday (and today for Marius), the preliminary slides have only just been uploaded. 

Also due to this, there will be a slight delay in releasing the exercises (most likely still today, though).

Finally, as tomorrow is a public holiday, there will not be a tutorial. The solutions for the sheet from last week will be presented alongside those of this week's sheet in the tutorial on June 6th.

13.05.2019

Alternative Lecture Slot for this Wednesday (15-05-2019)

According to the preliminary results of the Doodle, the lecture will take place at the 12-14 timeslot in the CISPA lecture hall.
For those who cannot attend, we will supply the recordings of the lecture as soon as possible.
In addition to that, the preliminary slides for the lecture are already available in the materials section.

13.05.2019

Alternative Lecture Slot for this Wednesday (15-05-2019)

Due to a short-notice event, the lecture hall in CISPA is unavailable at our usual timeslot.
Since we want to provide you with the recording of the lecture and the real lecture experience, we need to reschedule the lecture to one slot earlier or later.
Please fill out the following Doodle such that we know which timeframe suits you most.
Deadline: 14.05.2019 (tomorrow) 12:00
https://doodle.com/poll/fqxbva6q2xevursd

09.05.2019

Exercise Sheet 4 online; no Tutorial today

You can now find the new exercise sheet in the materials section of the CMS. As discussed yesterday in the lecture, there will be no tutorial today since we have no undiscussed sheet left. If there happen to be questions concerning past exercises/lecture content, please refer to the Askbot. As always: have fun with the new exercises!

02.05.2019

Gitlab Registration

Apparently, some folks registered in our Gitlab, which was not intended; we have now disabled registration altogether.

You can log in with your CMS username and the secret displayed in the CMS as password; there will be a project called screecher waiting for you.

Any self-registered account will not work for our projects. 

01.05.2019

Tutorial Tomorrow

Tomorrow we will have the first regular tutorial in CISPA's lecture hall starting at 8:30. We will discuss the past project, but as usual you can ask questions about previous contents of the lecture.

24.04.2019

Changes to Exercise Sheet 3

In some cases, the ssh config which you should use to clone the GitLab is not working. If so, add 'IdentityFile ~/.ssh/websec19' to your ssh config. The exercise sheet has been updated accordingly.

24.04.2019

Exercise Sheet is online!

Exercise Sheet 3 as well as the solution for Exercise Sheet 2 are online now.

In addition to that all parts of the infrastructure which you need for this exercise sheet should work fine.

Have Fun!

23.04.2019

Tutorial Slot

The Doodle has spoken! Thus, the Tutorial will take place every Thursday 8:30 - 10 in the CISPA Lecture Hall.
We will explain topics regarding the current project, answer questions, and if there are any solutions, we will present them to you.
See you all on Wednesday for the Django 101 Lecture.

15.04.2019

Lecture slides online

As part of an experiment I want to run, I have uploaded the slides for Wednesday's lecture so you can take notes on them. I have removed the quiz answers, but feel free to think about them beforehand :)

10.04.2019

Lecture recordings and tutorial date

The information on how lecture recordings can be accessed is available through the CMS at https://cms.cispa.saarland/websec19/4/Lecture_Recordings

The doodle for the tutorial slot is available at https://doodle.com/poll/syfirvezgkku6k7b

Finally, should you decide to not take the course, please let us know so we can unregister you. Due to hardware restrictions, we can only provide 80 VMs and only students enrolled in the CMS will get a VM. For now, there are 75 students signed up for the course.

09.04.2019

First lecture

The first lecture will commence tomorrow at 10:15 in the CISPA lecture hall. If you haven't been to CISPA before, to get to the lecture hall, please turn left when you enter the building and just go straight ahead. 


Web Security

After an extensive discussion within the group, we have decided to drop the requirement to successfully pass 50% of the exercise points. Instead, all exercises will be optional, yet we highly suggest you solve them, as the exam will be practical and harder to solve if you have not done the exercises.

The lecture will take place every Wednesday from 10-12, starting April 10th (unless excluded below)

This lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for an easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security, understand how flaws can be exploited and fixed, and are willing to commit significant effort to a course, this is the right course for you.

Due to hardware limitations, this course can only accommodate up to 80 students (originally 60).

Lectures not taking place

  • 24.4.2019 (Django 101 instead)
  • 3.7.2019

Exams 

  • Main exam: 22.7.2019 10-12
  • Backup exam: 7.10.2019 14-16

Exercises 

After each lecture, we will release exercises. These will typically consist of both theoretical questions and practical problems. For the practical tasks, each person will have their own VM with an installation of Screecher, our social network for owls. This will have new (vulnerable) features added each week, and your job is to a) migrate to the latest version of Screecher each week, b) find and fix the flaws in your installation and c) attack a centralized version of Screecher to steal secret information.

All exercises will be optional, yet we suggest you tackle them. For bragging rights, there will be a scoreboard and regular automated checks to see if your instance is running correctly and unexploited. Also, you have to submit the secret information to get additional points on the scoreboard.
