Web Security Ben Stock

Registration for this course is open until Tuesday, 22.10.2019 00:00.



Location change for 1st backup exam

Given the small number of people taking the backup exam on Wednesday, it will not happen in HS0.02, but instead in CISPA's lecture hall.


Web Security

The lecture will take place every Monday from 10-12, starting October 21st. Due to personal reasons, the lecture will end early, i.e., the last content lecture is on January 13th. There will be a Q&A lecture for exam preparation on February 3rd.

This lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security, understand how flaws can be exploited and fixed, and are willing to commit significant effort to a course, this is the right course for you.

Due to hardware limitations, this course can only accommodate up to 60 students. Students will be admitted on a first-come, first-served basis. You should not take this course for easy credit points, as it will be a significant effort. Previous students have liked the course, but noted that the workload is above that of an average course. See also the evaluation results for SS2018 and SS2019 about this.


  • Main exam: 12.2.2020 10-12
  • Backup exam: 2.4.2020 10-12


In this term, in order to qualify for the exam, you have to do the exercises; they are mandatory. There are two types of exercises.

  • Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge.
  • Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate exclusively to other programming languages (like PHP), we also have challenges which are attack-only. For those, you have to exploit bugs in our services.

Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. Each of the three categories gives you the same number of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with 66.6% of all points. More details on how to work on the exercises and submit flags will be provided in the tutorial.
