Web Security (Ben Stock)

Registration for this course is open until Sunday, 08.11.2020 23:59.

News

21.10.2020

Welcome to the course

Hi all,

we have currently reached our limit of 60 students. I want to take this opportunity to remind everyone about the description of the course, specifically:

This lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you.

If you don't think this is doable for you in the winter term (especially given the Corona situation), please unregister from the course so others can take the place. Naturally, I don't want to kick anybody out and am just as happy if all stay :)


Web Security

This lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you.

Due to hardware limitations, this course can only accommodate up to 60 students. Students will be admitted on a first-come, first-served basis. You should not take this course for easy credit points, as it will require significant effort. Previous students have liked the course, but noted that the workload is above that of an average course. See also the evaluation results for SS2018, SS2019 and WS2019 about this.

Teaching plan for winter term 2020/2021

Given the COVID-19 situation, the lecture will obviously not be held in person. Instead, the lecture will be taught as an inverted classroom. We will release videos each week and, approximately a week later, hold the online meeting (Mondays 10-12), which contains quizzes on the covered topic and gives you the chance to ask questions about the slides. We will also have a tutorial, which allows you to ask questions about the exercises (see details below).


Tentative schedule

  • 02.11.2020: Organizational matters and History of the Web (live lecture)
  • 09.11.2020: Howto Django (live tutorial in the lecture slot)
  • 16.11.2020: Q/A session for Basic Client-Side Technology, Cookies, and JavaScript
  • 23.11.2020: Q/A session for Same-Origin Policy and Cross-Origin Communication
  • 30.11.2020: Q/A session for DNS Rebinding & Cross-Site Scripting
  • 07.12.2020: Q/A session for Content Security Policy & Clickjacking
  • 14.12.2020: Q/A session for CSRF, XSSI, SRI, and Sandboxing
  • 21.12.2020: (Optional) Presentation of Solutions for Jeopardy Challenges thus far
  • 04.01.2021: Q/A session for Database (In)security
  • 11.01.2021: Q/A session for Code Execution
  • 18.01.2021: Q/A session for Assorted Server-Side Issues
  • 25.01.2021: Q/A session for Infrastructure Security
  • 01.02.2021: Q/A session for Beyond The Browser / Exam preparation


Exams

  • TBA

Exercises

In this term, the exercises are mandatory: you have to complete them in order to qualify for the exam. There are two types of exercises.

  • Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality, and exploit them against a central instance. The functionality and exploitability of your instances will be checked automatically by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge.
  • Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues that are specific to other programming languages (like PHP), we also have challenges which are attack-only. For those, you have to exploit bugs in our services.

Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. To qualify for the exam, you have to obtain 50% of all available points. Each of the three categories is worth the same number of points, i.e., if you work exclusively on Screecher and exploit and fix all bugs, you would end up with approximately 67% of all points. More details on how to work on the exercises and submit flags will be provided in the tutorial.
