News
11.09.2020
Attend the SecWeb panel session
Dear all, together with my colleague Stefano Calzavara from Venice, I am organizing a (virtualized) workshop called SecWeb (https://secweb.work/#program). As part of this, we have a panel this evening on the future of securing the Web. This panel includes several experts from industry and academia. If you are interested, feel free to join the Zoom call at https://zoom.us/j/91644362044?pwd=UmpLdFo1bkJLR2ZNMVRCY0sweXdBQT09 from 6pm tonight.
03.06.2020
PhD positions
Hi all, for those of you finishing your master's degrees soon, I want to point to the fact that CISPA has a couple of PhD positions open in the area of Web security. In particular, this is both in my group (see https://swag.cispa.saarland/jobs.html) and in that of Cristian-Alexandru Staicu (see https://www.staicu.org/job_post.html), who will be joining CISPA from October. Even if you are not yet in the phase to consider a PhD, feel free to reach out and discuss options with either one of us.
06.04.2020
Video Call Backup Exam
As preparation for the backup exam, we ask you to create a Zoom account (at https://zoom.us/), as a recent change in their policies requires every participant of a call to have an account. Good luck with the exams and see you then!
27.03.2020
Backup exam
Due to the closures of kindergartens in Saarland, I can only make time for the exams in the week of April 6th in the afternoons. I have set up a Dudle (https://dudle.inf.tu-dresden.de/yRLDxCipmA/) to find the slot assignment. Please note which timeslots work for you only if you have registered successfully in the LSF. I will send out the final assignment of slots once all the answers are in.
11.03.2020
Alternative mode of operation for backup exam
As some of you might have already heard, the semester is being postponed for four weeks (https://www.sr.de/sr/home/nachrichten/panorama/uni_und_htw_verschieben_semsterbeginn_wegen_corona_100.html). Hence, we will not be having a written exam in 3 weeks from now. Regardless of that, I want to evaluate the option to conduct the backup exam orally via video conference (I have to clear this up from a legal perspective first). If you are planning to take the backup exam and do not have a webcam, please let me know via email. Nevertheless, stay safe and I hope we all get through this quickly!
17.02.2020
Exam Inspection Updates
We have updated the points according to the results of the exam inspection. Furthermore, we have decided to grade the exercise about the dimensions of XSS less strictly, which is reflected in the updated points.
12.02.2020
Exam results & inspection
Thanks to the fast grading squad of Marius and Sebastian, the exam is graded and the points and grades are visible in the CMS. The date for the inspection is set for Friday this week between 1pm and 3pm. Unless you hear differently, it will happen in 0.07 in CISPA.
12.02.2020
Exam Location GHH
Since there happened to be a post in the Askbot which was since deleted, we still wanted to make it clear that the exam will take place in the Günter Hotz Hörsaal. Good luck and see you there.
27.01.2020
Exam qualification and registration
I have just checked the list of students with sufficient points and have manually admitted all to the exam. Please check your student status page to see if you have passed the necessary points. Should the scoreboard say you passed, but the CMS does not, please drop me an email. Also, I have imported the registration data from the CMS. As of now, a little over half of the students that are admitted are also registered. Please ensure you register on time (hard deadline is February 5th). Otherwise, you will not be able to take the main exam even if you qualified.
23.01.2020
Hints for Jeopardy Challenges / AskBot Questions
To keep all of you happily hacking, we are releasing hints for all challenges with less than 10 solves by today. Please find them below. Remember the deadline for solving them is January 27th, 10am. In addition, don't forget to post your topics for the Q&A lecture at https://cms.cispa.saarland/askbot/websec1920/question/183/topic-for-qa-lecture/
Challenges with hints:
- JINJA
- PHP POP
- CRIME
- Owley Madison
- SSRF
13.01.2020
Last minute cancelation of today's lecture
My second child did not want me to sleep long today, so I will not be in the office today at all. This means that the lecture will not happen today. I have uploaded both the slides and video from last semester, please use that to study the topics. Since there is only a single new jeopardy challenge out today, this should not cause too many problems.
09.01.2020
Happy news: you can sleep longer!
I have decided to just upload the video from last semester for the lecture on Monday, meaning we can just take a different lecture hall. So, the lecture will be in the regular slot (10:15), but in 0.01 (the room next to the CISPArtan).
06.01.2020
Three new jeopardy challenges
We have just released the three jeopardy challenges for this week. Enjoy :-)
06.01.2020
DNS Rebinding issues
It seems that the service we relied on for the exercise from Tavis Ormandy was shut down. I have instead now set up rebind.websec.saarland - so, resolving ac110001.8660e137.rebind.websec.saarland will flip-flop between the internal IP and our external IP. I have also modified our web server config and made sure that the challenge works properly.
16.12.2019
Final jeopardy challenges.... (of this year :))
... are online now. Have fun exploiting LFI, POP, and Template Injection. Please note that while we tried to secure the challenges as best as possible, you can still cause annoyance if you drop a fork bomb or such. Please don't, that's lame. Otherwise, merry Christmas, happy new year, and see you fresh on January 6th (which is also the evaluation day - if you only watch videos and look at the PDFs, this is the one lecture you should attend, as you can complain about all the things that are shitty :-))
13.12.2019
Reset of exercise for blind SQLI
Hi all, due to performance reasons, there was an unintended way of leaking the flag for blind SQLi. As this unintended code snippet was deployed after the first three students captured the flag, I have deleted the submissions for all but the first three students and changed the flag. So, if you did the exercise properly, you can run your script again to leak the flag. If you did it in the wrong way before, you now have to actually do it correctly.
12.12.2019
Infrastructure downtime
Due to a necessary power outage, all CISPA servers will be offline from around midnight tonight until around 6am tomorrow morning. Given that we have to set up some stuff after the reboots, please expect Screecher and such to be offline until around noon.
09.12.2019
New jeopardies and bugfix
We had a small bug in Screecher (read as: we forgot to install MongoDB and set up the PostgreSQL database correctly ¯\_(ツ)_/¯), which we fixed. In addition, we added another bug, which we also fixed now. I have taken the liberty to just pull in all VMs. On top of that, we already released two new jeopardy challenges earlier today. Happy injecting :-)
02.12.2019
New jeopardy challenges!
We have released three new challenges (XS-Leaks, Clickjacking, and HSTS Tracking). We are *not* releasing an update for Screecher this week. Note that for both XS-Leaks and HSTS, you need to hash the flags with SHA3_256 (not SHA256!!!) and wrap them in SWAG{} before submission. Happy hacking
28.11.2019
Lecture on January 13 moved
Since the CISPA lecture hall is needed for a talk on January 13th, we have to move the lecture. Given the fact that you were all *very* awake this Monday, we'll just start the lecture earlier: at 8:30am. Don't worry though, since we can record the lecture if it is done in the lecture hall :)
21.11.2019
New Challenge, new scoring system, some more hints, and more hacking
We have just released a new challenge, namely script gadgets. Please find it in the jeopardy part of the scoreboard. This might require some more time than other challenges. Given this and also the fact that certain challenges are just harder than others, we have decided to change the scoring system (for the scoreboard only, not for the admission to the exam!). In particular, certain challenges (we'll not tell you which though :)) give more points than others (default is 128 points, the harder ones yield 256). Furthermore, there is now a first blood bonus for the first three students to solve each challenge (+20%, +10%, and +5%). Again, this is only for the scoreboard, not the admission. We have already retroactively updated your scores for the previous challenges. We have also added another hint for base href, where it was not clear how to get to the flag (unless you had done unsafe hashes before, as it is basically the same application). And, finally, if you liked the challenges thus far and want to spend more time hacking stuff, our local CTF team saarsec is playing ruCTFe (https://ructfe.org/) on Saturday. It's not all Web, but all hack, so you are welcome to join. If you want to, join us in 0.01 from around 10am (CTF starts at 11am) and bring a LAN adapter (if need be) for your laptop.
19.11.2019
General hint for exfiltrating data
I have seen that some students struggled with exfiltrating sensitive information out of Screecher, e.g., because they ran into issues with encoding of payloads and such. An alternative approach to this is to have a "landing page" on your attacker domain to which you can redirect the crawler and pass the information you want to extract via the URL fragment. You can then use that "landing page" to do the heavy lifting of posting to your leak endpoint. That has the benefit of having that boilerplate code only once.
18.11.2019
New jeopardy challenges: XSS all the things!
As promised in the lecture, we are releasing a number of new challenges. For now, it is "only" four, but there will be another two coming soon. Please find them on the gameserver dashboard and enjoy bypassing our defenses.
14.11.2019
XSSAuditor enabled for URL checker
Just a quick clarification about the RSXSS exercise: We are crawling these URLs with Chrome in a version < 78. You do not need to specifically bypass the Auditor (in contrast to the RCXSS exercise), however, you should take this into account when building your payload. Otherwise, you might accidentally trigger the Auditor.
12.11.2019
Display bug in Crawler interface
Submitted URLs were not guaranteed to be displayed in the correct order. This led to confusion, since seemingly no new URLs were being added by the crawler after URL submission (while they were displayed somewhere in the page rather than at the top).
08.11.2019
Bugfix for PM / general note on defenses/exploits
We have deployed a seemingly working fix today for the functionality checkers on the postMessage task. This was a race condition which only occurred in about 4/100 attempts, which made it incredibly hard to debug. Marius was nevertheless brave enough to slay that particular dragon. Should you still encounter an issue, please let us know via the Askbot. More generally speaking, please use the Askbot as much as possible. Otherwise, if three students have the same question, we (mostly Marius) have to reply to three individual requests. Hence, only use that channel if you are sure that your question would leak parts of the answer. Apart from that, based on the questions we have received, I wanted to provide a couple of hints regarding the exercises. Before reaching out to us about your fixes breaking your application, please use your instance of Screecher yourself. This is best achieved with the developer tools open, as you'll see both JavaScript errors and failed requests in the console. Virtually all questions thus far could have been answered by yourselves by following these steps. Additionally, there seemed to be a bit of confusion about what the crawler does when you submit a URL. This is specific to the task at hand, yet follows an easy pattern: set up the state correctly in the browser and then visit your link. That is, e.g., when the task is related to Screecher, our crawler will log in with the appropriate account to team0 and then visit your attacker URL. Hence, you can assume that the browser visiting your attacker page has valid authorization cookies for team0.screecher.de. Your task is then to conduct the necessary attack and leak the secret to the feedback URL at the gameserver. Furthermore, if you are receiving this email, yet plan to not do the exercises / drop the course, please let us know. This allows us to disable the VMs and conserve some resources.
06.11.2019
Bugfix for DNS rebinding
We just fixed a bug in the DNS rebinding crawler. Based on the attempts of students I have seen so far, first blood can be achieved within the next hour ;-)
05.11.2019
New Secrets and Keys
Due to some students accidentally leaking their secrets in the index.html file of their attacker folders, we decided to reset all credentials issued so far.
This means in particular that old credentials including Gameserver Secrets, SSH keys and Gitlab credentials will no longer work.
We have issued new Gameserver Secrets and SSH keys and adjusted the CMS, your machines and the Gitlab accordingly.
Please note that once you log in at Gitlab again you will be prompted with a password reset form. You can simply enter your NEW gameserver secret.
Your CMS already has the updated Gameserver secret.
We plan on not resetting any credentials again in the future, so keep your secrets secret by choosing filenames in the attacker directory with sufficiently large entropy.
04.11.2019
Submitting URLs
Note that when submitting a URL, you must select the correct checker. If you use DNS Rebinding as the checker to attack postMessages, you'll not be very successful.
04.11.2019
New jeopardy challenge: DNS rebinding
We have released a new jeopardy challenge. Your goal is quite easy: gain access to the start page of 172.17.0.1 from the crawler's browser. The solution is not as easy :-) To achieve that, you must run a DNS rebinding attack against the crawler. To that end, you must leverage the rbndr service (for details see https://github.com/taviso/rbndr). The service will randomly return one of the two IP addresses specified in the hostname. We have set up our infrastructure such that if the IP points to the websec server (134.96.225.55), you can access your attacker directory. In particular, the following URL will point to user 1's attacker directory: http://7f000001.8660e137.rbndr.us/1/. Naturally, this only works for 50% of all requests as the rbndr service will either return 127.0.0.1 or 134.96.225.55. This also means that your solution is not necessarily deterministic. When you provide a URL to the crawler, it will remain on the page for 2 minutes. In that time, find a way to rebind. Our proof-of-concept works in around 50s, so you should be fine. Use your gameserver endpoint to leak the data. Note that since the attack is non-deterministic, you may need to submit the same URL multiple times. Based on pure chance, there should not be a need to submit the same URL more than ~4 times. As a final hint: for flushing the DNS cache, we suggest you ensure that the lookup points to 127.0.0.0/8. If you use any other range, Chrome will attempt to establish a connection which times out. This will cost you important time (recall the 120s timeout). With that, happy rebinding!
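The hostnames in this announcement and in the later rebind.websec.saarland note encode both candidate IPs as 8 hex characters per label. The following added example (not part of the course material or the rbndr project) decodes such names and, from a defender's point of view, flags the ones that pair a public address with a loopback or private one in constructed DNS-log lines; the log format and the 2-label layout are assumptions.

```python
"""Decode rbndr-style hostnames and flag the ones usable for DNS rebinding.

Added example, not part of the course page or the rbndr project. It assumes
the layout shown in the announcement: two labels of 8 hex characters, each an
IPv4 address, followed by the rebinding service's domain.
"""
import ipaddress
import re

# Two 8-hex-digit labels at the start of the name, e.g. 7f000001.8660e137.rbndr.us
_RBNDR_RE = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(.+)$", re.IGNORECASE)


def decode_hex_ip(label: str) -> ipaddress.IPv4Address:
    """Turn an 8-character hex label such as '7f000001' into 127.0.0.1."""
    if len(label) != 8:
        raise ValueError(f"expected 8 hex characters, got {label!r}")
    return ipaddress.IPv4Address(int(label, 16))


def parse_rebind_host(hostname: str):
    """Return (ip_a, ip_b, service_domain), or None if the name is not rbndr-shaped."""
    m = _RBNDR_RE.match(hostname.strip().rstrip("."))
    if m is None:
        return None
    return decode_hex_ip(m.group(1)), decode_hex_ip(m.group(2)), m.group(3).lower()


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    """Loopback, RFC 1918 and link-local: the targets a rebinding attack goes after."""
    return ip.is_loopback or ip.is_private or ip.is_link_local


def rebinding_risk(hostname: str) -> str:
    """Classify a hostname seen in DNS or proxy logs.

    'suspicious': the name encodes at least one internal address, so answers can
    flip between the outside world and something behind the resolver's network
    boundary. 'benign': both encoded addresses are public. 'not-rbndr': the name
    does not follow the encoding at all.
    """
    parsed = parse_rebind_host(hostname)
    if parsed is None:
        return "not-rbndr"
    ip_a, ip_b, _domain = parsed
    if is_internal(ip_a) or is_internal(ip_b):
        return "suspicious"
    return "benign"


def scan_log(lines):
    """Yield (hostname, decoded_ips) for every suspicious hostname in the log lines."""
    for line in lines:
        # Pick out dotted names ending in an alphabetic TLD; plain IPs do not match.
        for host in re.findall(r"[0-9a-zA-Z.-]+\.[a-zA-Z]{2,}", line):
            if rebinding_risk(host) == "suspicious":
                ip_a, ip_b, _ = parse_rebind_host(host)
                yield host, (str(ip_a), str(ip_b))


# Constructed sample log lines (not real traffic); the two rbndr-style names
# are the ones the announcements mention.
SAMPLE_LOG = [
    "2019-11-04T10:01:02 query A 7f000001.8660e137.rbndr.us from 10.0.0.5",
    "2020-01-06T09:15:33 query A ac110001.8660e137.rebind.websec.saarland from 10.0.0.7",
    "2020-01-06T09:16:00 query A www.example.com from 10.0.0.7",
]

if __name__ == "__main__":
    for host, ips in scan_log(SAMPLE_LOG):
        print(f"suspicious: {host} flips between {ips[0]} and {ips[1]}")
```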
04.11.2019
Delayed starting of checkers
Just as a quick note, the checkers for this week will be started tomorrow. There is a bug in Chrome 77 which requires preflight requests for all requests. We are working on a solution and will likely push updates to your git repositories. Note that also the crawler for URLs you have submitted might not work just now. We will release another jeopardy challenge soon, though, to keep you entertained.
30.10.2019
Info for Tutorial 31-10-19
Hey,
See you tomorrow,
28.10.2019
Clarification about Askbot and Exercise Submission
For the theoretical exercises (those that do not involve attacking/defending a system), there is no need to hand in anything.
In particular, this means that you do not have to hand in anything for exercise sheet 1.
If you have any questions that do not leak solutions to exercises, we ask you to place them in the Askbot, a StackOverflow-like forum in the CMS.
This way, your fellow students can help you with your questions and any answer will be public.
27.10.2019
Regarding breaks in the lecture, part 2
The doodle has spoken: 14 wanted no break, 12 wanted a break. Hence, there will not be a break and we start at 10:15.
25.10.2019
Upcoming task using an old Chrome
Hi all, for one of the XSS-related tasks, you will need Chrome/Chromium in a version less than 78 (which will be released shortly). Please make sure to download an installer of version 77 now, as otherwise you'll have to rely on some third-party sites to download it. Thanks :)
25.10.2019
Recordings available
The recordings of this week's Lecture and Tutorial are now online!
The slide set uploaded for the Django 101 was not presented in the Tutorial and is intended to be a supplementary source of information.
If you were unable to attend, you might want to have a look at the recording of the Tutorial.
21.10.2019
Regarding breaks in the lecture
Between my cold and the content of today's lecture, I totally forgot to ask the "shall we have a break?" question. As I have a teaching commitment right after the Web Security lecture, I cannot make the lecture run longer. Instead, we'd have to start at 10:10. Please fill out the Doodle at https://doodle.com/poll/xnrcs29xrxaxxz2k by Friday. Based on this, I will let you know if Monday's lecture (and all following ones) will start earlier or not.
21.10.2019
Exercise Sheet 1 Online and Timetable update
We have just released exercise sheet 1, which you can find in the materials section of the CMS. Furthermore, we entered the Tutorials into the timetable. Have fun and see you on Thursday!
Web Security
The lecture will take place every Monday from 10-12, starting October 21st. Due to personal reasons, the lecture will end early, i.e., the last content lecture is on January 13th. There will be a Q&A lecture for exam preparation on February 3rd.
This lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security, understand how flaws can be exploited and fixed, and are willing to commit significant effort to a course, this is the right course for you.
Due to hardware limitations, this course can only accommodate up to 60 students. Students will be admitted on a first-come first-served basis. You should not take this course for easy credit points as it will be a significant effort. Previous students have liked the course, but noted the workload above an average course. See also the evaluation results for SS2018 and SS2019 about this.
Exams
- Main exam: 12.2.2020 10-12
- Backup exam: 2.4.2020 10-12
Exercises
In this term, in order to qualify for the exam, you are required to do exercises. In particular, there are two types of exercises.
- Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge.
- Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate exclusively to other programming languages (like PHP), we also have challenges which are attack-only. For those, you have to exploit bugs in our services.
Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. Each of the three categories gives you the same amount of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx. 67% of all points. More details on how to work on the exercises and submit flags will be provided in the tutorial.