News

Attend the SecWeb panel session

Written on 11.09.20 by Ben Stock

Dear all,

together with my colleague Stefano Calzavara from Venice, I am organizing a (virtualized) workshop called SecWeb (https://secweb.work/#program). As part of this, we have a panel this evening on the future of securing the Web. This panel includes several experts from industry and academia.… Read more

Dear all,

together with my colleague Stefano Calzavara from Venice, I am organizing a (virtualized) workshop called SecWeb (https://secweb.work/#program). As part of this, we have a panel this evening on the future of securing the Web. This panel includes several experts from industry and academia. If you are interested, feel free to join the Zoom call at https://zoom.us/j/91644362044?pwd=UmpLdFo1bkJLR2ZNMVRCY0sweXdBQT09 from 6pm tonight.

PhD positions

Written on 03.06.20 by Ben Stock

Hi all,

for those of you finishing their master's degrees soon, I want to point to the fact that CISPA has a couple of PhD positions open in the area of Web security. In particular, this is both in my group (see https://swag.cispa.saarland/jobs.html) and in the one of Cristian-Alexandru Staicu (see… Read more

Hi all,

for those of you finishing their master's degrees soon, I want to point to the fact that CISPA has a couple of PhD positions open in the area of Web security. In particular, this is both in my group (see https://swag.cispa.saarland/jobs.html) and in the one of Cristian-Alexandru Staicu (see https://www.staicu.org/job_post.html) who will be joining CISPA from October.

Even if you are not yet in the phase to consider the PhD, feel free to reach and discuss options with either one of us.

Video Call Backup Exam

Written on 06.04.20 by Marius Steffens

As preparation for the Backup Exam we ask you to create a Zoom account(at https://zoom.us/), as a recent change in their policies requires every participant of a call to have an account. Good Luck with the exams and see you then!

Backup exam

Written on 27.03.20 by Ben Stock

Due to the closures of kindergartens in Saarland, I can only make time for the exams in the week of April 6th in the afternoons. I have set up a Dudle (https://dudle.inf.tu-dresden.de/yRLDxCipmA/) to find the slot assignment. Please note which timeslots work for you only if you have registered… Read more

Due to the closures of kindergartens in Saarland, I can only make time for the exams in the week of April 6th in the afternoons. I have set up a Dudle (https://dudle.inf.tu-dresden.de/yRLDxCipmA/) to find the slot assignment. Please note which timeslots work for you only if you have registered successfully in the LSF. I will send out the final assignment of slots once all the answers are in.

Alternative mode of operation for backup exam

Written on 11.03.20 by Ben Stock

As some of you might have already heard, the semester is being postponed for four weeks (https://www.sr.de/sr/home/nachrichten/panorama/uni_und_htw_verschieben_semsterbeginn_wegen_corona_100.html). Hence, we will not be having a written exam in 3 weeks from now. Regardless of that, I want to evaluate… Read more

As some of you might have already heard, the semester is being postponed for four weeks (https://www.sr.de/sr/home/nachrichten/panorama/uni_und_htw_verschieben_semsterbeginn_wegen_corona_100.html). Hence, we will not be having a written exam in 3 weeks from now. Regardless of that, I want to evaluate the option to conduct the backup exam orally via video conference (I have to clear this up from a legal perspective first). If you are planning to take the backup exam and do not have a webcam, please let me know via email.

Nevertheless, stay safe and I hope we all get through this quickly!

Exam Inspection Updates

Written on 17.02.20 by Marius Steffens

We have updated the points according to the results of the exam inspection. 

Furthermore, we have decided to grade the exercise about the dimensions of XSS less strict, which is reflected in the updated points. 

Exam results & inspection

Written on 12.02.20 by Ben Stock

Thanks for the fast grading squad of Marius and Sebastian, the exam is graded and the points and grades visible in the CMS.

The date for the inspection is set for Friday this week between 1pm and 3pm. Unless you hear differently, it will happen in 0.07 in CISPA.

Exam Location GHH

Written on 12.02.20 by Marius Steffens

Since there happened to be a post in the Askbot which was since deleted, we still wanted to make it clear that the exam will take place in the Günter Hotz Hörsaal. Good luck and see you there. 

Exam qualification and registration

Written on 27.01.20 by Ben Stock

I have just checked the list of students with sufficient points and have manually admitted all to the exam. Please check your student status page to see if you have passed the necessary points. Should the scoreboard say you passed, but the CMS does not, please drop me an email.

Also, I have… Read more

I have just checked the list of students with sufficient points and have manually admitted all to the exam. Please check your student status page to see if you have passed the necessary points. Should the scoreboard say you passed, but the CMS does not, please drop me an email.

Also, I have imported the registration data from the CMS. As of now, little over half of the students that are admitted are also registered. Please ensure you register on time (hard deadline is February 5th). Otherwise, you will not be able to take the main exam even if you qualified.

Hints for Jeopardy Challenges / AskBot Questions

Written on 23.01.20 by Ben Stock

To keep all of you happily hacking, we are releasing hints for all challenges with less than 10 solves by today. Please find them below. Remember the deadline for solving them is January 27th, 10am.

In addition, don't forget to post your topics for the Q&A lecture at… Read more

To keep all of you happily hacking, we are releasing hints for all challenges with less than 10 solves by today. Please find them below. Remember the deadline for solving them is January 27th, 10am.

In addition, don't forget to post your topics for the Q&A lecture at https://cms.cispa.saarland/askbot/websec1920/question/183/topic-for-qa-lecture/

JINJA

  • Look at the example in the lecture to see what type of page might cause an attacker-controlled string to be used as a template.
  • The offset in the array of functions which are children of object varies from system to system.

PHP POP

  • https://www.php.net/manual/de/function.call-user-func-array.php
  • Just because a variable is by default boolean does not mean it has to be for every serialized object.
  • This challenge works best if done automatically in Python (otherwise c&p might really suck)

CRIME

  • In some cases, you'll have a hard time guessing a character because the compression works equally for others. If that happens, save your candidates and try the next one(s).
  • It also helps to repeat the string you are testing for a second time.

Owley Madison

  • Look for a way to steal a CSRF token. That should enable you to do certain things for the crawler.
  • It might be a good idea to outsource most of your attack to another script.
  • The way Owley works is that for privacy reasons, your favorites are only stored in localStorage, such that you can select them later for a chat.
  • Remember how document.domain works: once a page has set that, any of the subdomains of the target domain can access that page.

SSRF

  • The goal should be clear from the secret() function in the code.
  • Figure out what happens if for some reason, name resolution doesn't work.
  • The solution to the challenge is actually really easy.

Last minute cancelation of today's lecture

Written on 13.01.20 by Ben Stock

My second child did not want me to sleep long today, so I will not be in the office today at all. This means that the lecture will not happen today. I have uploaded both the slides and video from last semester, please use that to study the topics. Since there is only a single new jeopardy challenge… Read more

My second child did not want me to sleep long today, so I will not be in the office today at all. This means that the lecture will not happen today. I have uploaded both the slides and video from last semester, please use that to study the topics. Since there is only a single new jeopardy challenge out today, this should not cause too many problems.

Happy news: you can sleep longer!

Written on 09.01.20 by Ben Stock

I have decided to just upload the video from last semester for the lecture on Monday, meaning we can just take a different lecture hall.

So, the lecture will be in the regular slot (10:15), but in 0.01 (the room next to the CISPArtan).

Three new jeopardy challenges

Written on 06.01.20 by Ben Stock

We have just released the three jeopardy challenges for this week. Enjoy :-)

DNS Rebinding issues

Written on 06.01.20 by Ben Stock

It seems that the service we relied on for the exercise from Tavis Ormandy was shut down. I have instead now set up rebind.websec.saarland - so, resolving ac110001.8660e137.rebind.websec.saarland will flip-flop between the internal IP and our external IP.

I have also modified our Webserver config… Read more

It seems that the service we relied on for the exercise from Tavis Ormandy was shut down. I have instead now set up rebind.websec.saarland - so, resolving ac110001.8660e137.rebind.websec.saarland will flip-flop between the internal IP and our external IP.

I have also modified our Webserver config and made sure that the challenge works properly.

Final jeopardy challenges.... (of this year :))

Written on 16.12.19 by Ben Stock

... are online now. Have fun exploiting LFI, POP, and Template Injection.

Please note that while we tried to secure the challenges as best as possible, you can still cause annoyance if you drop a fork bomb or such. Please don't, that's lame.

Otherwise, merry christmas, happy new year, and see… Read more

... are online now. Have fun exploiting LFI, POP, and Template Injection.

Please note that while we tried to secure the challenges as best as possible, you can still cause annoyance if you drop a fork bomb or such. Please don't, that's lame.

Otherwise, merry christmas, happy new year, and see you fresh on January 6th (which is also the evaluation day - if you only watch videos and look at the PDFs, this is the one lecture you should attend, as you can complain about all the things that are shitty :-))

Reset of exercise for blind SQLI

Written on 13.12.19 by Ben Stock

Hi all,

due to performance reasons, there was an unintended way of leaking the flag for blind SQLi. As this unintended code snippet was deployed after the first three students captured the flag, I have deleted the submissions for all but the first three students and changed the flag.

So, if you… Read more

Hi all,

due to performance reasons, there was an unintended way of leaking the flag for blind SQLi. As this unintended code snippet was deployed after the first three students captured the flag, I have deleted the submissions for all but the first three students and changed the flag.

So, if you did the exercise properly, you can run your script again to leak the flag. If you did it in the wrong way before, you now have to actually do it correctly.

Infrastructure downtime

Written on 12.12.19 by Ben Stock

Due to a necessary power outage, all CISPA servers will be offline from around midnight tonight until around 6am tomorrow morning. Given that we have to set up some stuff after the reboots, please expect Screecher and such to be offline until around noon.
 

New jeopardies and bugfix

Written on 09.12.19 by Ben Stock

We had a small bug in Screecher (read as: we forgot to install MongoDB and set up the PostgreSQL database correctly ¯\_(ツ)_/¯), which we fixed. In addition, we added another bug, which we also fixed now. I have taken the liberty to just pull in all VMs.

On top of that, we already released two new… Read more

We had a small bug in Screecher (read as: we forgot to install MongoDB and set up the PostgreSQL database correctly ¯\_(ツ)_/¯), which we fixed. In addition, we added another bug, which we also fixed now. I have taken the liberty to just pull in all VMs.

On top of that, we already released two new jeopardy challenges earlier today. Happy injecting :-)

New jeopardy challenges!

Written on 02.12.19 by Ben Stock

We have released three new challenges (XS-Leaks, Clickjacking, and HSTS Tracking). We are *not* releasing an update for Screecher this week.

Note that for both XS-Leaks and HSTS, you need to hash the flags with SHA3_256 (not SHA256!!!) and wrap them in SWAG{} before submissions.

Happy hacking

Lecture on January 13 moved

Written on 28.11.19 by Ben Stock

Since the CISPA lecture hall is needed for a talk on January 13th, we have to move the lecture. Given the fact that you were all *very* awake this Monday, we'll just start the lecture earlier: at 8:30am.

Don't worry though, since we can record the lecture if it is done in the lecture hall :)

New Challenge, new scoring system, some more hints, and more hacking

Written on 21.11.19 by Ben Stock

We have just released a new challenge, namely script gadgets. Please find it in the jeopardy part of the scoreboard. This might require some more time than other challenges.

Given this and also the fact that certain challenges are just harder than others, we have decided to change the scoring… Read more

We have just released a new challenge, namely script gadgets. Please find it in the jeopardy part of the scoreboard. This might require some more time than other challenges.

Given this and also the fact that certain challenges are just harder than others, we have decided to change the scoring system (for the scoreboard only, not for the admission to the exam!). In particular, certain challenges (we'll not tell you which though :)) give more points than others (default is 128 points, the harder ones yield 256). Furthermore, there is now a first blood bonus for the first three students to solve each challenge (+20%, +10%, and +5%). Again, this is only for the scoreboard, not the admission. We have already retroactively updated your scores for the previous challenges.

We have also added another hint for base href, where it was not clear how to get to the flag (unless you had done unsafe hashes before, as it is basically the same application).

And, finally, if you liked the challenges thus far and want to spend more time hacking stuff, our local CTF team saarsec is playing ruCTFe (https://ructfe.org/) on Saturday. It's not all Web, but all hack, so you are welcome to join. If you want to, join us in 0.01 from around 10am (CTF starts at 11am) and bring a LAN adapter (if need be) for your laptop.

 

 

General hint for exfiltrating data

Written on 19.11.19 by Ben Stock

I have seen that some students struggled with exfiltration sensitive information out of screecher, e.g., because they run into issues with encoding of payloads and such.

An alternative approach to this is to have a "landing page" on your attacker domain to which you can redirect the crawler and… Read more

I have seen that some students struggled with exfiltration sensitive information out of screecher, e.g., because they run into issues with encoding of payloads and such.

An alternative approach to this is to have a "landing page" on your attacker domain to which you can redirect the crawler and pass the information you want to extract via the URL fragment. You can then use that "landing page" to do the heavy lifting of posting your to leak endpoint. That has the benefit of having that boilerplate code only once.

New jeopardy challenges: XSS all the things!

Written on 18.11.19 by Ben Stock

As promised in the lecture, we are releasing a number of new challenges. For now, it is "only" four, but there will be another two coming soon.

Please find them on the gameserver dashboard and enjoy bypassing our defenses.

XSSAuditor enabled for URL checker

Written on 14.11.19 by Marius Steffens

Just a quick clarification about the RSXSS exercise: We are crawling these URLs with a Chrome with version < 78. 
This means in particular, that the XSSAuditor is still enabled by default. 

You do not need to specifically bypass the Auditor(in contrast to the RCXSS exercise), however, you should… Read more

Just a quick clarification about the RSXSS exercise: We are crawling these URLs with a Chrome with version < 78. 
This means in particular, that the XSSAuditor is still enabled by default. 

You do not need to specifically bypass the Auditor(in contrast to the RCXSS exercise), however, you should take this into account when building your payload. Otherwise, you might accidentally trigger the Auditor. 

Display bug in Crawler interface

Written on 12.11.19 by Marius Steffens

Submitted URLs were not guaranteed to be displayed in the correct order. This lead to confusion, since seemingly no new URLs were being added by the crawler after URL submission (while they were displayed somewhere in the page rather than at the top).
This issue has been resolved, and the submitted… Read more

Submitted URLs were not guaranteed to be displayed in the correct order. This lead to confusion, since seemingly no new URLs were being added by the crawler after URL submission (while they were displayed somewhere in the page rather than at the top).
This issue has been resolved, and the submitted URLs should be displayed in the correct order now.

Bugfix for PM / general note on defenses/exploits

Written on 08.11.19 by Ben Stock

We have deployed a seemingly working fix today for the functionality checkers on the postMessage task. This was a race condition which only occured in about 4/100 attempts which made it incredibly hard to debug. Marius was nevertheless brave enough to slay that particular dragon. Should you still… Read more

We have deployed a seemingly working fix today for the functionality checkers on the postMessage task. This was a race condition which only occured in about 4/100 attempts which made it incredibly hard to debug. Marius was nevertheless brave enough to slay that particular dragon. Should you still encounter an issue, please let us know via the Askbot. More generally speaking, please use the askbot as much as possibly. Otherwise, if three students have the same question, we (mostly Marius) has to reply to three individual requests. Hence, only use that channel if you are sure that your question would leak parts of the answer.

Apart from that, based on the questions we have received, I wanted to provide a couple of hints regarding the exercises. Before reaching out to use about your fixes breaking your application, please use your instance of Screecher yourself. This is best achieved with the developer tools open, as you'll see both JavaScript errors and failed requests in the console. Virtually all questions thus far could have been answered by yourselves by following these steps.

Additionally, there seemed to be a bit of confusion about what the crawler does when you submit a URL. This is specific on the task at hand, yet follows an easy pattern: set up the state correctly in the browser and then visit your link. That is, e.g., when the task is related to Screecher, our crawler will log in with the appropriate account to team0 and then visit your attacker URL. Hence, you can assume that the browser visiting your attacker page has valid authorization cookies for team0.screecher.de. Your task in then to conduct the necessary attack and leak the secret to the feedback URL at the gameserver.

Furthermore, if you are receiving this email, yet plan to not do the exercises / drop the course, please let us know. This allows us to disable the VMs and conserve some resources.

Bugfix for DNS rebinding

Written on 06.11.19 by Ben Stock

We just fixed a bug in the DNS rebinding crawler. Based on the attempts of students I have seen so far, first blood can be achieved within the next hour ;-)

New Secrets and Keys

Written on 05.11.19 by Marius Steffens

Due to some students accidentally leaking their secrets in the index.html file of their attacker folders, we decided to reset all credentials issued so far. This means in particular that old credentials including Gameserver Secrets, SSH keys and Gitlab credentials will no longer work. We have issued… Read more
Due to some students accidentally leaking their secrets in the index.html file of their attacker folders, we decided to reset all credentials issued so far. This means in particular that old credentials including Gameserver Secrets, SSH keys and Gitlab credentials will no longer work. We have issued new Gameserver Secrets and SSH keys and adjusted the CMS and your machines and the Gitlab accordingly. Please note that once you login at Gitlab again you will prompted with a password reset form. You can simply enter your NEW gameserver secret. Your CMS already has the updated Gameserver secret. We plan on not resetting any credentials again in the future so keep your secrets secret by choosing filenames in the attacker directory with sufficiently large entropy.

Submitting URLs

Written on 04.11.19 by Ben Stock

Note that when submitting a URL, you must select the correct checker. If you use DNS Rebinding as the checker to attack postMessages, you'll not be very successful.

New jeopardy challenge: DNS rebinding

Written on 04.11.19 by Ben Stock

We have released a new jeopardy challenge. Your goal is quite easy: gain access to the startpage of the 172.17.0.1 from the crawler's browser. The solution is not as easy :-)

To achieve that, you must run a DNS rebinding attack against the crawler. To that end, you must leverage the rbndr service… Read more

We have released a new jeopardy challenge. Your goal is quite easy: gain access to the startpage of the 172.17.0.1 from the crawler's browser. The solution is not as easy :-)

To achieve that, you must run a DNS rebinding attack against the crawler. To that end, you must leverage the rbndr service (for details see https://github.com/taviso/rbndr). The service will randomly return one of the two IP addresses specified in the hostname.

We have set up our infrastructure such that if the IP points to the websec server (134.96.225.55), you can access your attacker directory. In particular, the following URL will point to user 1's attacker directory: http://7f000001.8660e137.rbndr.us/1/. Naturally, this only works for 50% of all requests as the rbndr service will either return 127.0.0.1 or 134.96.225.55.

This also means that your solution is not necessarily deterministic. When you provide a URL to the crawler, it will remain on the page for 2 minutes. In that time, find a way to rebind. Our proof-of-concept works in around 50s, so you should be fine. Use your gameserver endpoint to leak the data. Note that since the attack is non-deterministic, you may need to submit the same URL multiple times. Based on pure chance, there should not be a need to submit the same URL more than ~4 times.

As a final hint: for flushing the DNS cache, we suggest you ensure that the lookup points to 127.0.0.0/8. If you use any other range, Chrome will attempt to establish a connection which times out. This will cost you important time (recall the 120s timeout).

With that, happy rebinding!

Delayed starting of checkers

Written on 04.11.19 by Ben Stock

Just as a quick note, the checkers for this week will be started tomorrow. There is a bug in Chrome 77 which requires preflight requests for all requests. We are working on a solution and will likely push updates to your git repositories.

Note that also the crawler for URLs you have submitted might… Read more

Just as a quick note, the checkers for this week will be started tomorrow. There is a bug in Chrome 77 which requires preflight requests for all requests. We are working on a solution and will likely push updates to your git repositories.

Note that also the crawler for URLs you have submitted might not work just now. We will release another jeopardy challenge soon, though, to keep you entertained.

Info for Tutorial 31-10-19

Written on 30.10.19 by Sebastian Roth

Hey,
usually, we will present the solutions for last week's practical exercise sheets in the tutorials. However, due to lasts week's exercise being only theoretical, we will use tomorrow's tutorial to help you with infrastructural problems or problems with the current exercise. You can also drop by… Read more

Hey,
usually, we will present the solutions for last week's practical exercise sheets in the tutorials. However, due to lasts week's exercise being only theoretical, we will use tomorrow's tutorial to help you with infrastructural problems or problems with the current exercise. You can also drop by and ask questions about the sample solution of the first exercise sheet or any content that has been presented in the lecture so far.

See you tomorrow,
Sebastian & Marius

Clarification about Askbot and Exercise Submission

Written on 28.10.19 by Marius Steffens

For the theoretical exercises(those that do not involve attacking/defending a system), there is no need to hand in anything. In particular, this means that you do not have to hand in anything for exercise sheet 1. If you have any questions that do not leak solutions to exercises, we ask you to… Read more
For the theoretical exercises(those that do not involve attacking/defending a system), there is no need to hand in anything. In particular, this means that you do not have to hand in anything for exercise sheet 1. If you have any questions that do not leak solutions to exercises, we ask you to place them in the Askbot, a StackOverflow like forum in the CMS. This way, your fellow students can help you with your questions and any answer will be public.

Regarding breaks in the lecture, part 2

Written on 27.10.19 by Ben Stock

The doodle has spoken: 14 wanted no break, 12 wanted a break. Hence, there will not be a break and we start 10:15

Upcoming task using an old Chrome

Written on 25.10.19 by Ben Stock

Hi all,

for one of the XSS-related tasks, you will need Chrome/Chromium in a version less than 78 (which will be released shortly). Please make sure to download an installer of version 77 now, as otherwise you'll have to rely on some third-party sites to download it.

Thanks :)

Recordings available

Written on 25.10.19 by Marius Steffens

The recordings of this week's Lecture and Tutorial are now online! The slide set uploaded for the Django 101 was not presented in the Tutorial and is intended to be a supplementary source of information. If you were unable to attend, you might want to have a look at the recording of the Tutorial.

Regarding breaks in the lecture

Written on 21.10.19 by Ben Stock

Between my cold and the content of today's lecture, I totally forgot to ask the "shall we have a break?" question.

As I have a teaching commitment right after the Web Security lecture, I cannot make the lecture run longer. Instead, we'd have to start at 10:10.

Please fill out the Doodle at… Read more

Between my cold and the content of today's lecture, I totally forgot to ask the "shall we have a break?" question.

As I have a teaching commitment right after the Web Security lecture, I cannot make the lecture run longer. Instead, we'd have to start at 10:10.

Please fill out the Doodle at https://doodle.com/poll/xnrcs29xrxaxxz2k until Friday. Based on this, I will let you know if Monday's lecture (and all following ones) will start earlier or not.

Exercise Sheet 1 Online and Timetable update

Written on 21.10.19 by Marius Steffens

We have just released exercise sheet 1, which you can find in the materials section of the CMS. Furthermore, we entered the Tutorials into the timetable. Have fun and see you on Thursday!
Show all

Web Security

The lecture will take place every Monday from 10-12, starting October 21st. Due to personal reasons, the lecture will end early, i.e., the last content lecture is on January 13th. There will be a Q&A lecture for exam preparation on February 3rd.

This lecture is an advanced lecture in Web security. At the very least, having taking CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you.

Due to hardware limitations, this course can only accommodate up to 60 students. Students will be admitted on a first-come first-served basis. You should not take this course for easy credit points as it will be a significant effort. Previous students have liked the course, but noted the workload above an average course. See also the evaluation results for SS2018 and SS2019 about this.

Exams 

  • Main exam: 12.2.2020 10-12
  • Backup exam: 2.4.2020 10-12

Exercises 

In this term, in order to qualify for the exam, you have to mandatorily do exercises. In particular, there are two types of exercises.

  • Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge.
  • Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate to other programming languages exclusively (like PHP), we also have challenges which are attack-only. For those, you have exploit bugs in our services.

Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have get 50% of all available points. In total, each of the three categories gives you the same amount of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx 67% of all points. More details on how to work on the exercises and submit flags will be provided in the tutorial.

Privacy Policy | Legal Notice
If you encounter technical problems, please contact the administrators.