Web Security

Hi all,

for those of you finishing their master's degrees soon, I want to point to the fact that CISPA has a couple of PhD positions open in the area of Web security. In particular, this is both in my group (see https://swag.cispa.saarland/jobs.html) and in the one of Cristian-Alexandru Staicu (see https://www.staicu.org/job_post.html) who will be joining CISPA from October.

Even if you are not yet in the phase to consider the PhD, feel free to reach and discuss options with either one of us.

After the feedback from the students in the exam inspection, we have had another look at the task about server-side requests. Unfortunately, the lecture did not really discuss three names for attacks, but the sample solution contained those. We have thus decided that each correct description of an attack gives 2 points and not just 1 (for missing the name). Hence, a number of students now have more points there.

Also, regarding the POP task, I explicitly said this topic would not be covered in the exam. I only noticed the issue when looking at the graded exams. Hence, I decided that in order to get 100% of all points, you did not have to fill that task, i.e., 100% equaled 114 points. Accordingly, to pass, you needed 57 points. If you wrote an answer there, we nevertheless gave you points for correct answers.

Please see the CMS for the final results (which I will upload to LSF/HISPOS now).

Due to a great effort by Marius and Sebastian, the exams are already graded. Please find the results in the CMS.

As I am travelling both this and all of next week, the first date we can do for the inspection is October 23 from 9 to 11. Please note that the inspection will again happen in my office, which can at most hold three students at a time.

Yesterday in the inspection, there were several questions regarding improving one's grade in the backup exam. The Prüfungsordnung says explicitly that this must be announced at the beginning of the term. We did not announce this, hence by default, this means that the exam grade cannot be improved.

However, after lengthy discussions with both Prüfungsamt and Prüfungsausschuss, I have decided to allow improving grades in the backup exam. This is seemingly the practice for advanced lectures even in the absence of explicitly stating that the grade can be improved. I will also make sure that next year's lecture explicitly states if the grade can be improved.

Notably, though, just allowing this would create an unfairness towards those students who (knowing the examination rules) skipped the main exam to not pass with a bad grade, as just attending the backup exam would not give them the chance to improve the grade (which can only occur within the same semester). The solution is as follows: we will offer two additional exams. This way, any student who has skipped the main exam has one attempt to improve their grade, even if they pass the first backup exam. Further, any student who did not take the main exam can make an appointment with me to have a look at the main exam including solutions (essentially an exam inspection of the sample solution) within the next two weeks (until August 7). Any student who has passed the main exam can choose to join either one of the two exams. However, if you passed the exam this week and pass the first backup, you cannot take the second backup (the exam regulations specifically say you can attempt to improve once).

The date for the first of the two exams is set for September 18, 13-15 in HS 002. The second one will remain in the original slot for the backup exam, October 7, 14-16 in GHH.

TL;DR
- Two additional exams (September 18 and October 7)
- Students who passed this week can choose either to improve their grade
- Students who skipped this week can write the first exam and improve in the second

Today I received the result of the evaluation, you can find them in the Materials section. First of all, thank you for your positive votes. Moreover, to all those who suggested improvements, another thank you for helping me to make the lecture better in the future. If you have further comments, feel free to drop them via email or the CMS.

Happy studying and see you Monday!

Due to the supply line works right before CISPA the water supply for the building will be interrupted on Thursday. Thus, we have to move this weeks tutorial slot from Thursday to Friday 8-10. 

We hope that you are able to join us on Friday. If you can not attend, feel free to watch the recordings of the tutorial and/or ask your questions in the AskBot. 

We are experiencing a downtime of our WebSec server at the moment, the Gameserver, Gitlab, and all Screecher instances might be offline for a few hours. Sorry for that inconvenience.

Because there was no lecture and because the exercise sheet is running until next week, we will have no tutorial this week. If you encounter questions while solving the exercise sheet or if you have general questions regarding the lecture content, feel free to use the askbot or write an email to Sebastian and/or Marius.

Please note that due to new regulations, everyone who is not registered within a week before the exam (meaning at latest July 14th) will not be able to take the exam. Please sign up in LSF/HISPOS if you can; from time to time, I will import the information into the CMS, so your status will be visible here as well. Should your study course not allow for that, you should be able to register yourself in the CMS.

Should that not work, drop me an email.

Note again that you will not be able to take the exam if you fail to register in time.

Hi Folks,

The first exercise on the current exercise sheet was way harder to exploit as planned.
Thus, some actions have taken place:
  - There is a fix pushed into the screecher repos that disables the same-site cookies
  - We have removed the mime-type detection for jpgs from your attacker domain
  - Your attacker folders are no longer protected via basic-auth
Sorry for that inconvenience.  

Hi all,

Exercise Sheet 10 is online! For those that already started working on the exercise sheet, there was a small problem regarding the version check, thus you might need to pull again to get the newest screecher version from the reposiotry.

Due to public holiday there will be no tutorial this week, but we will dicuss the solutions for exercise 9 in next week.

Have Fun!

Due to both Marius and myself being on a trip yesterday (and today for Marius), the preliminary slides have only just been uploaded. 

Also due to this, there will be a slight delay in releasing the exercises (most likely still today, though).

Finally, as tomorrow is a public holiday, there will not be a tutorial. The solutions for the sheet from last week will be presented alongside those of this next in the tutorial on June 6th.

According to the preliminary results of the Doodle, the lecture will take place at the 12-14 timeslot in the CISPA lecture hall.
For those who can not attend, we will supply the recordings of the lecture as soon as possible. 
In addition to that, the preliminary for the lecture is already available in the materials section.

Due to a short notice event, the lecture hall in CISPA is unavailable at our usual timeslot.
Since we want to provide you with the recording of the lecture and the real lecture experience, we need to reschedule the lecture to one slot earlier/later.
Please fill out the following Doodle such that we know which timeframe suits you most.
Deadline: 14.05.2019 (tomorrow) 12:00
https://doodle.com/poll/fqxbva6q2xevursd

You can now find the new exercise sheet in the materials section of the CMS. As discussed yesterday in the Lecture, there will be no Tutorial today since we have no undiscussed sheet left. If there happen to be questions concerning past exercises/lecture content, please refer to the Askbot. As always: have fun with the new exercises!

Apparently, some folks registered in our Gitlab which was not intended, we also disabled registration altogether now.

You can login with your CMS username and your secret displayed in the CMS as password, there will be a project called screecher waiting for you.

Any self-registered account will not work for our projects. 

The information on how lecture recordings can be accessed is available through the CMS at https://cms.cispa.saarland/websec19/4/Lecture_Recordings

The doodle for the tutorial slot is available at https://doodle.com/poll/syfirvezgkku6k7b

Finally, should you decide to not take the course, please let us know so we can unregister you. Due to hardware restrictions, we can only provide 80 VMs and only students enrolled in the CMS will get a VM. For now, there are 75 students signed up for the course.