News
Backup exam results
Written on 10.04.21 by Ben Stock
... are visible now on your personal status page.
Gameserver + Gitlab Reset
Written on 30.03.21 by Marius Steffens
Hey all, as this semester comes to a close, we will reset the Gameserver and the Gitlab for preparation for the next semester. This means that we will delete all data by Thursday, so if there is something that you want to keep around make sure to back it up to your local system.
Cheers, Marius
Oral re-exams
Written on 29.03.21 by Ben Stock
We will have the oral backup exams on Friday, April 9th. Please register through the LSF where possible or through the CMS if you can't. Should that not work (because the CMS is configured weirdly), ping me and I will manually register you. Once the deadline for registration has passed, I will send out a link to a scheduling of some sorts after that ;)
saarsec CTF workshop on April 10th and 11th
Written on 25.03.21 by Ben Stock
Hello there, we, the Capture-the-Flag Team saarsec, consisting of students and lecturers from Saarland University, are giving a workshop to familiarize students with Capture-the-Flag competitions as well as attacking and defending against security vulnerabilities. CTFs are a great way to actually fiddle around with the practical details of mounting attacks and defenses that were theoretically discussed during your studies. This practical experience can not only be beneficial for your studies but also come in handy during later stages of your career. The workshop starts with a short introduction to Linux, followed by different topics such as File Inclusions, SQL Injections, and Command Injections. For each topic, we will discuss how we can find these vulnerabilities, exploit them on a large scale, and how we can fix them. Then, for each topic, you'll spend more than 50% of the time in each slot on actual challenges. At the end, we will host a CTF for all workshop participants where they can use their newly acquired skills against each other.
FAQ:
Q: When and where?
A: April 10th and 11th, entirely virtually
Q: Requirements?
A: We do not require any certain skills as we will start with the basics. However, the knowledge from Cysec1 or Security is definitely an advantage.
Q: Sounds awesome! Where can I register or get more information?
A: https://workshop.saarsec.rocks
See you there, saarsec
Oral exam results
Written on 15.02.21 by Ben Stock
I have put the results of the oral exams into the CMS now. All who participated also now have a submission for an exercise sheet; this was the easiest way to provide feedback through the CMS. The grading scheme is quite strict, which is based on the fact that our written exams are also very strict about necessary details and we did not want to favor students from this year over last year. Overall, the distribution of grades is similar enough to the previous year to lead me to believe this is correct. Note that in your "submission", you will find reasons for why we deduct percentage points from a theoretical maximum of 100%. Here, we followed the same guides as we would for grading a written exam. We also set the same mark for 1.0 (90%) and the same steps for all following grades. As indicated in the beginning of the term, you can use the backup (oral) exam to improve your grade. This will happen at the beginning of April and I will let you know more details about when this will be later. Since the plan was to have the written re-exam on April 9, assume that we will do the backup exams in that week as well. PS: unless I miscounted something, all results are final. If there is a mismatch between the feedback and the points visible in the CMS, please reach out.
Oral exams
Written on 08.02.21 by Ben Stock
I have updated the information page for the oral exams to include the Zoom link, please see https://cms.cispa.saarland/websec2021/contents/view/6 Please arrive a few minutes before your slot (you will be in the waiting room) and have your camera/microphone tested and your student ID ready.
Excluded topics
Written on 03.02.21 by Ben Stock
Please note that the following topics are excluded from the things we'll cover in the oral exams
Anything not on this list is fair game in the exams, that includes topics from the videos, the Q/A sessions and the jeopardies/Screecher challenges.
Exam requirements
Written on 02.02.21 (last change on 02.02.21) by Ben Stock
Since I received this question, I want to clarify for all: in order to take part in the oral exam, we need to a) be able to hear you and b) be able to see you during the exam. This is both to make sure that we can check your student ID and more importantly it's the regulation of the university to ensure there is nobody else around you and you do the exam without help. That is, you need to have a working microphone and a working camera. Note that if you don't have those, you will not be able to take part in the examination. For privacy protection reasons, we will not be monitoring what you are doing on your device (no screensharing or "proctoring" software). Note that although this is the case, you may not use any cheatsheet or such (I promise you, it also would not help much). Please note that I have taken the decision to move to only-online oral exams in the interest of everyone (including and in particular the students) to avoid unnecessary exposure to others in this pandemic. Please be fair and don't try to abuse this fact (not claiming anyone would, just please don't make me regret that :-)). Finally, if you have concerns regarding privacy or such on Zoom, let me know early on. If we absolutely have to, we can also rely on something else, albeit my experiences with any other system thus far have been underwhelming.
Jeopardy solutions / things to clarify
Written on 31.01.21 by Ben Stock
We have set the final deadline for the jeopardy challenges as February 5th, 15:00. We'll present the solutions to all challenges that haven't been presented yet starting from 15:00 (using the regular Webinar link we use for the lectures). We will also use that slot to answer questions that you might have from any of the previous lectures. Please make sure that you put all topics you want to have re-discussed into the Askbot (https://cms.cispa.saarland/askbot/websec2021/question/368/topics-for-wrap-up-session/) or upvote those from others. We'll discuss those based on the number of upvotes in that session as well. If you can't make that slot, don't worry, it will be recorded. Please also feel free to look at the slides for tomorrow, which I uploaded to the CMS already.
Slides, new challenge and live lecture
Written on 25.01.21 by Ben Stock
The slides for today's Q/A lecture are up. Note that all content in the Q/A lectures is also something we can talk about in the exam. We have also enabled the final three jeopardy challenges (CRIME, HSTS Tracking, and HTTP Desync). Finally, the lecture next week will be a live lecture. It will be a combination of some more content (XS Leaks, Browser defense against Spectre and such) and an exam preparation lecture, so it's beneficial to attend.
Exam format
Written on 24.01.21 by Ben Stock
Given the pandemic, we will not be holding in-person written exams. Instead, we will conduct oral exams starting from the day on which we had originally planned the exam until Friday of that week. To keep the effort low, I have set up a Calendly instance (https://calendly.com/benstock/websec) for you to book your slots. Please do not use your real name when booking, but instead use your initials plus last digit of the matriculation number (e.g., BS1). If you don't feel comfortable adding an email address, feel free to use stock@cispa.de. Every slot can be booked exactly once, so once you have booked a slot, that cannot be taken from you. I will also put up a list in the CMS with the slots once the scheduling is finished. Also note that unless you cannot register through LSF, you have to be registered there by at the latest February 2. If your study course does not allow registration through LSF, please figure out if there is another official way to register (e.g., paper-based). Should that not be the case, drop me an email with your point of contact at the examination office *and register through CMS*.
Exam sign up
Written on 18.01.21 by Ben Stock
Could you all please make sure to check your signup in the LSF? The format of the exam is yet TBD, given that I want to avoid stuffing people into a room given the Covid situation. To decide how to proceed, I need to have some idea on number of students taking the exam. Should you not get the exam admission, you will just be unregistered, so you'll not have a failed attempt.
Evaluation links
Written on 11.01.21 by Ben Stock
Hi all, you can now evaluate the lecture and tutorial/office hour online. Please use the following links:
https://qualis.uni-saarland.de/eva/?l=127166&p=dc921s (Lecture)
https://qualis.uni-saarland.de/eva/?l=1271661&p=81t9js (Tutorial)
I have no idea how the system works, but I assume that everyone uses it fairly and evaluates the course exactly once.
Jeopardy solutions in Office Hour today
Written on 06.01.21 by Daniel David Emmel
Hey all,
this is a quick reminder that we will be presenting the solutions to all Jeopardies which have their deadline today in today's Office Hour, starting at 11 am! We have not yet decided whether this will be recorded, so try to make it if you can and have not solved all the Jeopardies. You can find the link in the CMS, it's the same link as every week. See you then!
New challenges / Updated timeline & hints
Written on 04.01.21 by Ben Stock
Unfortunately, there was a small bug in the deployment (again :-() today. We fixed this now and your screecher instances should work. For those without conflicts, I have already pulled and migrated. For the rest, please fix your things :-) Apart from this, there are two new jeopardy challenges. It helps to think about the example of improper sanitization from today's Q/A session to get an idea of what might need to be done for the SQL injection task. Finally, we have slightly adjusted the timeline for the first set of Jeopardy challenges, which will now run until right before the Office Hour on Wednesday, which will be used to present the solutions. Note also that for base href and unsafe hashes, there is a hint on where the flag is. Arguably, if you solve one, solving the other should be trivial :-) Note that once the deadline has passed, you can still solve the exercises (crawlers are still operational), but you will not get points towards exam admission.
Infrastructure back up
Written on 19.12.20 by Ben Stock
I just restarted all checkers and exercises. If you find something that is not working, please send an email to team@screecher.de and we will (for once) also respond on weekends.
unscheduled reboot
Written on 18.12.20 by Ben Stock
Hi all, due to an urgent BIOS update, we have to reboot the machine hosting the WebSec VMs. Expect this to be working again tomorrow morning at the latest. Sorry for the late info, but I literally got it myself now
New Screecher Exercises + OwleyMadison jeopardy
Written on 14.12.20 by Daniel David Emmel
Hi all, we just released two new Screecher Exercises, and now they are finally present in your own repos as well. We also added some small quality of life fixes (again). Please pull the new apps as well as the changes and make sure to make the migrations before you start hacking.
Additionally, we have just released a new jeopardy: The popular owl dating app OwleyMadison! Find it in the Jeopardy tab of the Gameserver, as per usual. Have fun with the new Exercises!
Quiz 6 Answers + Mistake for XSSI and SameSite cookies
Written on 14.12.20 by Marius Steffens
I have just uploaded the answers to the quiz slides in the Materials. Also be aware that there was a mistake on my part when discussing SameSite cookies and XSSI protection. Including a script into the page counts as a subresource request, which means for SameSite=Lax that cookies will not be sent along. This means that it is in fact protecting the application against XSSI. Naturally, all the points raised before, e.g., older browsers not supporting SameSite cookies or setting SameSite=None remain problematic. Sorry for the confusion! Cheers,
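The SameSite rule the correction above relies on, as an added example that is not part of the announcement or of the course's own material: a small JavaScript model of when a browser attaches a cookie to a request, run against the XSSI scenario (a cross-site `<script src>` include of an authenticated endpoint). The host names are constructed, and the "site" computation is a simplified two-label model rather than a Public Suffix List lookup; the decision rules themselves are the standard ones (Lax: same-site requests plus cross-site top-level GET navigations; Strict: same-site only; None: always).

```javascript
// Added example (not from the course): model of the browser's SameSite decision.
// Hosts below are constructed; site computation is simplified (no PSL lookup).

function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  // Assumption: registrable domain is the last two labels (fine for these hosts).
  const registrable = labels.slice(-2).join('.');
  return `${u.protocol}//${registrable}`;
}

function isSameSite(initiatorUrl, targetUrl) {
  return siteOf(initiatorUrl) === siteOf(targetUrl);
}

// cookie:  { name, sameSite: 'Strict' | 'Lax' | 'None' }
// request: { initiator, target, method, topLevel }
// Returns true when the browser would attach the cookie to this request.
function cookieIsSent(cookie, request) {
  if (isSameSite(request.initiator, request.target)) return true; // same-site: always
  switch (cookie.sameSite) {
    case 'Strict':
      return false; // never on cross-site requests
    case 'Lax':
      // only cross-site top-level navigations with a safe method
      return request.topLevel && request.method === 'GET';
    case 'None':
      return true; // cross-site everything (browsers also require Secure)
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// XSSI scenario from the announcement: an attacker-controlled page includes the
// victim application's authenticated endpoint as a <script src=...>.
// A script include is a subresource request, not a top-level navigation.
const scriptInclude = {
  initiator: 'https://attacker.example/',            // constructed
  target: 'https://screecher.example/api/profile.js', // constructed
  method: 'GET',
  topLevel: false,
};
// Same target, but reached by the user navigating there directly.
const topLevelNav = { ...scriptInclude, topLevel: true };

const laxSession = { name: 'session', sameSite: 'Lax' };
const noneSession = { name: 'session', sameSite: 'None' };

// True when SameSite=Lax stops the session cookie from riding along on the include.
function xssiBlockedByLax() {
  return !cookieIsSent(laxSession, scriptInclude);
}

// True when SameSite=None still lets the include carry the cookie (the remaining
// problem the announcement mentions).
function xssiPossibleWithNone() {
  return cookieIsSent(noneSession, scriptInclude);
}

console.log('Lax cookie on cross-site <script> include sent:', cookieIsSent(laxSession, scriptInclude));
console.log('Lax cookie on cross-site top-level navigation sent:', cookieIsSent(laxSession, topLevelNav));
console.log('None cookie on cross-site <script> include sent:', cookieIsSent(noneSession, scriptInclude));
```

The model deliberately keeps the decision in one function so the three cases (subresource, top-level navigation, SameSite=None) can be compared side by side; it does not cover the Lax-allowing-unsafe-top-level-POST window that some browsers apply to freshly set cookies, nor pre-SameSite browsers, both of which the announcement lists as remaining concerns.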
New challenges
Written on 07.12.20 by Ben Stock
We are releasing new jeopardy challenges today! Since we have *five* new challenges (CSP Bypass, Unsafe Hashes, Base href, Script Gadgets, Clickjacking), we will not have any changes to screecher this week. Happy hacking!
Updated gameserver & changes to database handling
Written on 03.12.20 by Ben Stock
As can be seen from the Askbot thread, we have finished our move to the new checking infrastructure. Instead of doing checks regularly once per hour, you can now schedule checks against a particular service yourself (at most once per 15 minutes). This should give you more flexibility when verifying your fixes. Please note that you should not use that as an oracle - as in the exam, there will be no oracle and you have to understand how to fix a certain issue. In terms of scoring, this means that you now just get points once for having fixed a problem (analogous to what is required for the exam admission). To nevertheless give an incentive to folks to start working on the challenges early, the first three solvers get 15, 10, and 5% more points, respectively. In addition, in the hunt for the database-related errors we kept on having, I have modified the settings in all of your screecher instances (directly on the servers). This should not be a problem, since you are not supposed to touch that file anyways. In addition, I have truncated all entries from the users table; i.e., if you had a particular test account on your VM, this is now gone and you need to re-register it. We'll keep monitoring the situation to see if this finally fixes the database issues (which we have never seen before, actually...).
Gameserver and Infrastructure Update
Written on 03.12.20 by Marius Steffens
Hey all, we will be taking down the Gameserver for one to two hours. This maintenance will include changes to our overall checking infrastructure. We will provide updates about the status of our maintenance and the changes to our infrastructure via the following Askbot thread: https://cms.cispa.saarland/askbot/websec2021/question/228/gameserver-maintenance-updates-031220/ Cheers, Marius
New jeopardies & updated Screecher instances
Written on 30.11.20 by Ben Stock
... are online (and in the Git) :)
Leaking partial solutions on Askbot
Written on 25.11.20 by Ben Stock
Please refrain from posting (partial) solutions on the askbot. If you have a specific question for an exploit, join the office hour or send an email to the TAs. In addition, before you ask questions about our crawlers not working properly, do the process yourself: create an account on team0, plant some information (i.e., a fake flag), and then visit your exploit URL. Please use a new profile in Chrome to ensure that you haven't persisted anything, e.g., exceptions to TLS warnings. If that works and leaks the data (on Chrome) and it does not work for our crawlers, reach out (best via email).
jquery fun & hot-patch
Written on 23.11.20 by Ben Stock
TLDR: fixed an issue related to jQuery, fixes are on your machine, please merge & push
Today, the CDN of jquery.com has encountered a lot of errors. These lead to timeouts in our checkers, since Screecher depends on jQuery. After figuring out what the problem was, we have hot-patched this on your machines. Please SSH into the machines, do a git pull, merge the changes (if any) and git push afterwards before you continue your work. Sorry, but this time it wasn't even our fault :-)
Result of Doodle & Quiz 03
Written on 22.11.20 by Ben Stock
Hi all, given that out of the mere 15 people that participated in the Doodle, 7 would like to have live lectures, whereas 8 either don't care or want to stick with recorded videos, I do not see sufficient need to change the format midway through the semester. While I am hopeful that WS 2021 might be back in person, I'll take this into consideration and ask before the lecture next year. In addition, I have uploaded the slides for the Quiz for tomorrow. Please take a look before the lecture, so we can have a nice discussion. This also makes sense to determine you have understood what's going on with the topics covered, since we start our new exercises right after the lecture.
New Django Patches + Changes in crawler infrastructure
Written on 17.11.20 by Marius Steffens
Hey all, We have provided a final(tm) patch for the flakiness induced by the Django DB interaction. Again, we have pulled those changes to your VM iff there were no conflicts. We have made a small adjustment in the settings.py file regarding cookies. Additionally, we noticed that some of the students used third-party features or security middlewares to implement parts of the exercises. Since we do not want to teach you how to use these frameworks or how to enable security middlewares in django, but rather, confront you with the nitty gritty details, we have decided to check for such changes. Starting from the next tick, we will abort our checking procedure once we have detected such alterations. This also means that if we were unable to pull on your machine/if you have changed the settings.py file, checking will not proceed unless you pull/revert your changes. To raise the point again: You should not change anything outside of the application folders (in particular not the settings.py). Cheers,
Jeopardy challenges, functionality checks, and deadlines ... and live lectures?
Written on 16.11.20 (last change on 17.11.20) by Ben Stock
[Please read carefully until the end] We have released the first jeopardy challenge. Please go to https://gameserver.websec.saarland/jeopardy for the details. Note that we have extended the deadlines for the first batch a bit. Those will be due on January 5, 11:59am. The deadlines will also be listed in the Jeopardy view. In addition, given the question in the Q/A session, let me clarify deadlines. The deadline for anything related to Screecher is usually the Monday after the release of the sheet at noon. That is, we check for the last time right after 12:00. Any patches that are not on the VM by that will not be taken into account for the admission to the exam. Finally, I would like to hear your opinion regarding the format of the lecture. Given that last week, I had 35 participants, but only 17 in the Q/A today, I am wondering what format would work best. Can you please help me answer this question by filling the doodle at https://doodle.com/poll/qywqgi7iehhcmiuf
Hints about the exercises
Written on 13.11.20 by Ben Stock
Since there seem to be a couple of issues related to the exercises, I wanted to point out a couple of things, both specifically for the challenge and in general.
- Please check the functionality in your own browser. Register a new account and try the relevant endpoints. Our crawler is quite literally just a browser that does the same: register, visit the URLs *as specified in the exercise sheet* and check if the resulting page has the content we expect. It is also helpful to have the browser console open to see potential errors.
Reminder: raise topics for clarification in Q/A lecture
Written on 13.11.20 by Ben Stock
Regarding our Q/A lecture for next week, this will be a combination of quizzes and things that students would like to have clarified. If there is something that you do not understand, send me a message until Friday noon so I can incorporate these slides into the deck for Monday.
Unexpected Checking results
Written on 12.11.20 by Marius Steffens
Hey all, So over the course of the last days we have seen repeatedly unexpected checking results from students which already solved (parts) of the practical exercises. This issue appears to be very racy and CANNOT be reliably reproduced by us. However, we have identified the potential culprit of the error, which stems from internal django db interactions. We have deployed a fix that hopefully addresses this issue by radically reducing the number of implicit queries done by django in our context processor feature. The fix is readily available in your Gitlab repo and we have already pulled those changes to your VMs (assuming that you did not have any merge conflicts e.g., by having conflicting version on the server vs in the git). We have seen cases of merge conflicts, which prevent this change from being automatically applied, please take care of resolving those conflicts and manually pull the fix on your VM instance. We have opened an Askbot thread in which we want to track further flaky behavior, so if you notice flaky behavior without you changing anything on the server at all, please ping us in the thread: https://cms.cispa.saarland/askbot/websec2021/question/30/crawler-flakyness/. Even though the flakiness does not hinder your exam admission, we will still want to help you compete with your peers for the top score in the scoreboard without randomness.
Askbot Anonymous Questions + Tag requirements removed
Written on 11.11.20 by Marius Steffens
Hey all, Quick update on the Askbot: You should now be able to ask a question without needing to specify tags (thanks again for providing us with feedback to improve your experience). On another note: We encourage you to ask questions without using the anonymous feature. This makes for a little more "human interaction", which is already very tough in this online setting. Remember that if something is unclear to you, there will probably be others in the course that encountered the same issues, so there is absolutely no shame in asking questions. If those things did not convince you, if you have any issues with your VM or something, the TAs would also be able to help you better as they already know which instance to look at. Have fun and see you the latest next week in the Q/A session or the tutorial tomorrow!
Office Hour this Thursday at 11 am (no office hour on Wednesday this week!)
Written on 10.11.20 (last change on 10.11.20) by Daniel David Emmel
Dear students, we will be offering an office hour this week on Thursday, 12.11., to assist you in technical problems or questions you might have with your Screecher instance. The office hour will start at 11 am and will end as soon as there are no more questions. We are not planning for it to last longer than 12 pm, though. It will take place over Zoom, and you will be able to find the link at the same place where the usual lecture link is also located: https://cms.cispa.saarland/websec2021/4/Lecture_Access Note that we do not provide a recording of the office hours, and that they normally take place on Wednesdays. This week is an exception to that. This means in particular that there will be no office hour tomorrow! See you then!
Release the Screecher!!
Written on 09.11.20 by Ben Stock
Hi folks, due to heroic efforts from our team, we can now release Screecher to you! Each student has a gameserver secret in their CMS (see your personal status page). This, together with your CMS username, serves as the login for
Please note the following: your leak secret and gameserver are *not* the same. If you accidentally have your gameserver secret stolen, that is a problem (see the doors this opens above). If you have your leak secret stolen, others can poison your feedback tab. This is annoying, but not as bad as the gameserver secret. Please don't have your gameserver secret stolen.
Again, apologies for the delay. We hope to be able to promise it will not happen again :-) Happy implementing!
Slightly delayed exercises, lecture video and Q/A lecture
Written on 09.11.20 (last change on 09.11.20) by Ben Stock
Given that some students left the course last minute and others joined, we had a mix-up between the CMS and the Screecher infrastructure. We only noticed this morning and have to roll out things again. The exercises are therefore delayed slightly (hopefully at most 48hrs). In the meantime, you can have a look at the video for the second lecture, which is now available (see Information -> Lecture Access). Regarding our Q/A lecture for next week, this will be a combination of quizzes and things that students would like to have clarified. If there is something that you do not understand, send me a message until Friday noon so I can incorporate these slides into the deck for Monday. Also, note that we have released a theoretical exercise sheet on the first lecture (see Information -> Materials). The questions of it will also be discussed in the meeting on Monday. Also, I am uploading the slides for the quiz and the second lecture now, so please have a look at the questions and be prepared to answer the questions :-)
We will be in touch shortly with the information about exercise infrastructure.
Lecture Slides, Recordings, and Course Participation. Written on 02.11.20 by Ben Stock. Since this question came up today, the slides are always available before a lecture in the CMS (under Information->Materials). Also, all recordings and videos will be made available (today's lecture is uploaded now). Please see Information->Lecture Access for the details on the link/credentials. Finally, today's webinar had only around 35 participants. Should you have decided to not take this course, please unregister, since there are students on the waitlist.
Clarification: start of lecture. Written on 01.11.20 by Ben Stock. This information is a bit hidden: we have the Monday 10-12 slot, i.e., we'll start at 10:15 tomorrow.
Start of lectures. Written on 01.11.20 by Ben Stock. Hi all, tomorrow we start the lecture for Web Security. Please find the information about how to access it here: https://cms.cispa.saarland/websec2021/contents/view/4 As indicated in the course description, we will release videos of the individual course topics one week before a Q/A lecture on the subject. Note that the first lecture will be live (Monday, November 2) and so will the Django tutorial on November 9. We will record the live lecture and tutorials, but likely not the Q/A sessions.
Welcome to the course. Written on 21.10.20 by Ben Stock. Hi all, we have currently reached our limit of 60 students. I want to take this opportunity to remind everyone about the description of the course, specifically: This lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you. If you don't think this is doable for you in the winter term (especially given the Corona situation), please unregister from the course so others can take the place. Naturally, I don't want to kick anybody out and am just as happy if all stay :)
Web Security
This lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you.
Due to hardware limitations, this course can only accommodate up to 60 students. Students will be admitted on a first-come, first-served basis. You should not take this course for easy credit points, as it will require significant effort. Previous students have liked the course, but noted that the workload is above that of an average course. See also the evaluation results for SS2018, SS2019 and WS2019 on this.
Teaching plan for winter term 2020/2021
Given the COVID-19 situation, the lecture will obviously not be held in person. Instead, the lecture will be taught as an inverted classroom. We will release videos each week and, approximately a week later, hold the online meeting (Mondays 10-12), which contains quizzes on the covered topic and gives you the chance to ask questions about the slides. We will also have a tutorial, which allows you to ask questions about the exercises (see details below).
Tentative schedule
- 02.11.2020: Organizational matters and History of the Web (live lecture)
- 09.11.2020: Howto Django (live tutorial in the lecture slot)
- 16.11.2020: Q/A session for Basic Client-Side Technology, Cookies, and JavaScript
- 23.11.2020: Q/A session for Same-Origin Policy and Cross-Origin Communication
- 30.11.2020: Q/A session for DNS Rebinding & Cross-Site Scripting
- 07.12.2020: Q/A session for Content Security Policy & Clickjacking
- 14.12.2020: Q/A session for CSRF, XSSI, SRI, and Sandboxing
- 21.12.2020: (Optional) Presentation of Solutions for Jeopardy Challenges thus far
- 04.01.2021: Q/A session for Database (In)security
- 11.01.2021: Q/A session for Code Execution
- 18.01.2021: Q/A session for Assorted Server-Side Issues
- 25.01.2021: Q/A session for Infrastructure Security
- 01.02.2021: Q/A session for Beyond The Browser / Exam preparation
Exams
- TBA
Exercises
In this term, doing the exercises is mandatory in order to qualify for the exam. In particular, there are two types of exercises.
- Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge.
- Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate exclusively to other programming languages (like PHP), we also have challenges which are attack-only. For those, you have to exploit bugs in our services.
Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. Each of the three categories gives you the same amount of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx. 67% of all points. More details on how to work on the exercises and submit flags will be provided in the tutorial.