Web Security Ben Stock

News

14.11.2019

XSSAuditor enabled for URL checker

Just a quick clarification about the RSXSS exercise: We are crawling these URLs with a Chrome with version < 78. 
This means in particular, that the XSSAuditor is still enabled by default. 

You do not need to specifically bypass the Auditor (in contrast to the RCXSS exercise); however, you should take this into account when building your payload. Otherwise, you might accidentally trigger the Auditor.

12.11.2019

Display bug in Crawler interface

Submitted URLs were not guaranteed to be displayed in the correct order. This led to confusion, since seemingly no new URLs were being added by the crawler after URL submission (while they were displayed somewhere in the page rather than at the top).
This issue has been resolved, and the submitted URLs should be displayed in the correct order now.

08.11.2019

Bugfix for PM / general note on defenses/exploits

We have deployed a seemingly working fix today for the functionality checkers on the postMessage task. This was a race condition which only occurred in about 4/100 attempts, which made it incredibly hard to debug. Marius was nevertheless brave enough to slay that particular dragon. Should you still encounter an issue, please let us know via the Askbot. More generally speaking, please use the Askbot as much as possible. Otherwise, if three students have the same question, we (mostly Marius) have to reply to three individual requests. Hence, only use that channel if you are sure that your question would leak parts of the answer.

Apart from that, based on the questions we have received, I wanted to provide a couple of hints regarding the exercises. Before reaching out to us about your fixes breaking your application, please use your instance of Screecher yourself. This is best achieved with the developer tools open, as you'll see both JavaScript errors and failed requests in the console. Virtually all questions thus far could have been answered by yourselves by following these steps.

Additionally, there seemed to be a bit of confusion about what the crawler does when you submit a URL. This depends on the task at hand, yet follows an easy pattern: set up the state correctly in the browser and then visit your link. That is, e.g., when the task is related to Screecher, our crawler will log in with the appropriate account to team0 and then visit your attacker URL. Hence, you can assume that the browser visiting your attacker page has valid authorization cookies for team0.screecher.de. Your task is then to conduct the necessary attack and leak the secret to the feedback URL at the gameserver.

Furthermore, if you are receiving this email, yet plan to not do the exercises / drop the course, please let us know. This allows us to disable the VMs and conserve some resources.

06.11.2019

Bugfix for DNS rebinding

We just fixed a bug in the DNS rebinding crawler. Based on the attempts of students I have seen so far, first blood can be achieved within the next hour ;-)

05.11.2019

New Secrets and Keys

Due to some students accidentally leaking their secrets in the index.html file of their attacker folders, we decided to reset all credentials issued so far. This means in particular that old credentials including Gameserver Secrets, SSH keys and Gitlab credentials will no longer work. We have issued new Gameserver Secrets and SSH keys and adjusted the CMS, your machines and the Gitlab accordingly. Please note that once you log in at Gitlab again you will be prompted with a password reset form. You can simply enter your NEW gameserver secret. Your CMS already has the updated Gameserver secret. We plan on not resetting any credentials again in the future, so keep your secrets secret by choosing filenames in the attacker directory with sufficiently large entropy.

04.11.2019

Submitting URLs

Note that when submitting a URL, you must select the correct checker. If you use DNS Rebinding as the checker to attack postMessages, you'll not be very successful.

04.11.2019

New jeopardy challenge: DNS rebinding

We have released a new jeopardy challenge. Your goal is quite easy: gain access to the start page of 172.17.0.1 from the crawler's browser. The solution is not as easy :-)

To achieve that, you must run a DNS rebinding attack against the crawler. To that end, you must leverage the rbndr service (for details see https://github.com/taviso/rbndr). The service will randomly return one of the two IP addresses specified in the hostname.

We have set up our infrastructure such that if the IP points to the websec server (134.96.225.55), you can access your attacker directory. In particular, the following URL will point to user 1's attacker directory: http://7f000001.8660e137.rbndr.us/1/. Naturally, this only works for 50% of all requests as the rbndr service will either return 127.0.0.1 or 134.96.225.55.

This also means that your solution is not necessarily deterministic. When you provide a URL to the crawler, it will remain on the page for 2 minutes. In that time, find a way to rebind. Our proof-of-concept works in around 50s, so you should be fine. Use your gameserver endpoint to leak the data. Note that since the attack is non-deterministic, you may need to submit the same URL multiple times. Based on pure chance, there should not be a need to submit the same URL more than ~4 times.

As a final hint: for flushing the DNS cache, we suggest you ensure that the lookup points to 127.0.0.0/8. If you use any other range, Chrome will attempt to establish a connection which times out. This will cost you important time (recall the 120s timeout).

With that, happy rebinding!
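As an added example (not part of the course page or the rbndr project), the defender's side of the setup described above: decoding the two hex-encoded IPv4 addresses carried in an rbndr.us hostname so a proxy or log pipeline can flag rebinding candidates, and the Host-header allow-list check that a service such as the start page on 172.17.0.1 can use to refuse requests that still carry the attacker hostname after a rebind. The function names and the allow-list value are mine; the hostname format is the one the challenge text quotes.

```python
import ipaddress
import re

# rbndr.us names: two 8-hex-digit IPv4 addresses followed by the service domain,
# e.g. 7f000001.8660e137.rbndr.us encodes 127.0.0.1 and 134.96.225.55.
_RBNDR = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8})\.rbndr\.us$", re.IGNORECASE)


def decode_rbndr_host(hostname):
    """Return the two IPv4 addresses encoded in an rbndr.us name, or None."""
    m = _RBNDR.match(hostname.strip().rstrip("."))
    if not m:
        return None
    return tuple(ipaddress.IPv4Address(int(h, 16)) for h in m.groups())


def is_rebinding_host(hostname):
    """True if the name is an rbndr name that can flip to a non-public address.

    A rebind only matters for the browser's same-origin checks when one of the
    two candidates is loopback, private or link-local; two public addresses
    are just a round-robin name.
    """
    ips = decode_rbndr_host(hostname)
    if ips is None:
        return False
    return any(ip.is_loopback or ip.is_private or ip.is_link_local for ip in ips)


def host_header_allowed(host_header, allowed_hosts):
    """Host-header allow-list: the service's own mitigation against rebinding.

    After the DNS answer flips, the browser still sends the attacker's hostname
    in the Host header, so a service that only answers for its own names
    (here the hypothetical allow-list for 172.17.0.1) rejects the request.
    An optional :port suffix is dropped; bracketed IPv6 literals are not handled.
    """
    host = host_header.split(":", 1)[0].strip().lower()
    return host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    # Constructed sample inputs, taken from the challenge text above.
    print(decode_rbndr_host("7f000001.8660e137.rbndr.us"))
    print(is_rebinding_host("7f000001.8660e137.rbndr.us"))
    print(host_header_allowed("7f000001.8660e137.rbndr.us", ["172.17.0.1"]))
    print(host_header_allowed("172.17.0.1:80", ["172.17.0.1"]))
```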

04.11.2019

Delayed starting of checkers

Just as a quick note, the checkers for this week will be started tomorrow. There is a bug in Chrome 77 which requires preflight requests for all requests. We are working on a solution and will likely push updates to your git repositories.

Note that the crawler for the URLs you have submitted might also not work just now. We will release another jeopardy challenge soon, though, to keep you entertained.

30.10.2019

Info for Tutorial 31-10-19

Hey,
usually, we will present the solutions for last week's practical exercise sheets in the tutorials. However, due to last week's exercise being only theoretical, we will use tomorrow's tutorial to help you with infrastructural problems or problems with the current exercise. You can also drop by and ask questions about the sample solution of the first exercise sheet or any content that has been presented in the lecture so far.

See you tomorrow,
Sebastian & Marius

28.10.2019

Clarification about Askbot and Exercise Submission

For the theoretical exercises (those that do not involve attacking/defending a system), there is no need to hand in anything. In particular, this means that you do not have to hand in anything for exercise sheet 1. If you have any questions that do not leak solutions to exercises, we ask you to place them in the Askbot, a StackOverflow-like forum in the CMS. This way, your fellow students can help you with your questions and any answer will be public.

27.10.2019

Regarding breaks in the lecture, part 2

The doodle has spoken: 14 wanted no break, 12 wanted a break. Hence, there will not be a break and we start at 10:15.

25.10.2019

Upcoming task using an old Chrome

Hi all,

for one of the XSS-related tasks, you will need Chrome/Chromium in a version less than 78 (which will be released shortly). Please make sure to download an installer of version 77 now, as otherwise you'll have to rely on some third-party sites to download it.

Thanks :)

25.10.2019

Recordings available

The recordings of this week's Lecture and Tutorial are now online! The slide set uploaded for the Django 101 was not presented in the Tutorial and is intended to be a supplementary source of information. If you were unable to attend, you might want to have a look at the recording of the Tutorial.

21.10.2019

Regarding breaks in the lecture

Between my cold and the content of today's lecture, I totally forgot to ask the "shall we have a break?" question.

As I have a teaching commitment right after the Web Security lecture, I cannot make the lecture run longer. Instead, we'd have to start at 10:10.

Please fill out the Doodle at https://doodle.com/poll/xnrcs29xrxaxxz2k until Friday. Based on this, I will let you know if Monday's lecture (and all following ones) will start earlier or not.

21.10.2019

Exercise Sheet 1 Online and Timetable update

We have just released exercise sheet 1, which you can find in the materials section of the CMS. Furthermore, we entered the Tutorials into the timetable. Have fun and see you on Thursday!

Web Security

The lecture will take place every Monday from 10-12, starting October 21st. Due to personal reasons, the lecture will end early, i.e., the last content lecture is on January 13th. There will be a Q&A lecture for exam preparation on February 3rd.

This lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security, understand how flaws can be exploited and fixed, and are willing to commit significant effort to a course, this is the right course for you.

Due to hardware limitations, this course can only accommodate up to 60 students. Students will be admitted on a first-come first-served basis. You should not take this course for easy credit points as it will be a significant effort. Previous students have liked the course, but noted that the workload is above that of an average course. See also the evaluation results for SS2018 and SS2019 about this.

Exams 

  • Main exam: 12.2.2020 10-12
  • Backup exam: 2.4.2020 10-12

Exercises 

In this term, in order to qualify for the exam, doing the exercises is mandatory. In particular, there are two types of exercises.

  • Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge.
  • Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate exclusively to other programming languages (like PHP), we also have challenges which are attack-only. For those, you have to exploit bugs in our services.

Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. Each of the three categories gives you the same amount of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx. 67% of all points. More details on how to work on the exercises and submit flags will be provided in the tutorial.
