Web Security Ben Stock

News

25.01.2021

Slides, new challenge and live lecture

The slides for today's Q/A lecture are up. Note that all content in the Q/A lectures is also something we can talk about in the exam.

We have also enabled the final three jeopardy challenges (CRIME, HSTS Tracking, and HTTP Desync).

Finally, the lecture next week will be a live lecture. It will be a combination of some more content (XS Leaks, Browser defense against Spectre and such) and an exam preparation lecture, so it's beneficial to attend.

24.01.2021

Exam format

Given the pandemic, we will not be holding in-person written exams. Instead, we will conduct oral exams starting from the day on which we had originally planned the exam until Friday of that week. To keep the effort low, I have set up a Calendly instance (https://calendly.com/benstock/websec) for you to book your slots.

Please do not use your real name when booking, but instead use your initials plus the last digit of your matriculation number (e.g., BS1). If you don't feel comfortable adding an email address, feel free to use stock@cispa.de. Every slot can be booked exactly once, so once you have booked a slot, it cannot be taken from you. I will also put up a list in the CMS with the slots once scheduling is finished.

Also note that unless you cannot register through LSF, you have to be registered there by February 2 at the latest. If your study course does not allow registration through LSF, please figure out if there is another official way to register (e.g., paper-based). Should that not be the case, drop me an email with your point of contact at the examination office *and register through CMS*.

18.01.2021

Exam sign up

Could you all please make sure to check your signup in the LSF? The format of the exam is yet TBD, given that I want to avoid stuffing people into a room given the Covid situation. To decide how to proceed, I need to have some idea of the number of students taking the exam.

Should you not get the exam admission, you will just be unregistered, so you'll not have a failed attempt.

11.01.2021

Evaluation links

Hi all,

you can now evaluate the lecture and tutorial/office hour online. Please use the following links:

https://qualis.uni-saarland.de/eva/?l=127166&p=dc921s (Lecture)

https://qualis.uni-saarland.de/eva/?l=1271661&p=81t9js (Tutorial)

I have no idea how the system works, but I assume that everyone uses it fairly and evaluates the course exactly once.

06.01.2021

Jeopardy solutions in Office Hour today

Hey all,

this is a quick reminder that we will be presenting the solutions to all Jeopardies which have their deadline today in today's Office Hour, starting at 11 am!

We have not yet decided whether this will be recorded, so try to make it if you can and have not solved all the Jeopardies.

You can find the link in the CMS, it's the same link as every week.

See you then!

04.01.2021

New challenges / Updated timeline & hints

Unfortunately, there was a small bug in the deployment (again :-() today. We fixed this now and your screecher instances should work. For those without conflicts, I have already pulled and migrated. For the rest, please fix your things :-) 

Apart from this, there are two new jeopardy challenges. It helps to think about the example of improper sanitization from today's Q/A session to get an idea of what you might need to do for the SQL injection task.

Finally, we have slightly adjusted the timeline for the first set of Jeopardy challenges, which will now run until right before the Office Hour on Wednesday, which will be used to present the solutions. Note also that for base href and unsafe hashes, there is a hint on where the flag is. Arguably, if you solve one, solving the other should be trivial :-)

Note that once the deadline has passed, you can still solve the exercises (crawlers are still operational), but you will not get points towards exam admission.

19.12.2020

Infrastructure back up

I just restarted all checkers and exercises. If you find something that is not working, please send an email to team@screecher.de and we will (for once) also respond on weekends.

18.12.2020

unscheduled reboot

Hi all,

due to an urgent BIOS update, we have to reboot the machine hosting the WebSec VMs. Expect this to be working again tomorrow morning at the latest.

Sorry for the late info, but I literally got it myself now

14.12.2020

New Screecher Exercises + OwleyMadison jeopardy

Hi all,

we just released two new Screecher Exercises, and now they are finally present in your own repos as well.

We also added some small quality of life fixes (again).

Please pull the new apps as well as the changes and make sure to make the migrations before you start hacking.

 

Additionally, we have just released a new jeopardy: The popular owl dating app OwleyMadison!

Find it in the Jeopardy tab of the Gameserver, as per usual.

Have fun with the new Exercises!
Your Screecher Team

14.12.2020

Quiz 6 Answers + Mistake for XSSI and SameSite cookies

I have just uploaded the answers to the quiz slides in the Materials.

Also be aware that there was a mistake on my part when discussing SameSite cookies and XSSI protection. Including a script into the page counts as a subresource request, which means for SameSite=Lax that cookies will not be sent along. This means that it is in fact protecting the application against XSSI.

Naturally, all the points raised before, e.g., older browsers not supporting SameSite cookies or setting SameSite=None remain problematic.

Sorry for the confusion!

Cheers,
Marius

07.12.2020

New challenges

We are releasing new jeopardy challenges today! Since we have *five* new challenges (CSP Bypass, Unsafe Hashes, Base href, Script Gadgets, Clickjacking), we will not have any changes to screecher this week.

Happy hacking!

03.12.2020

Updated gameserver & changes to database handling

As can be seen from the Askbot thread, we have finished our move to the new checking infrastructure. Instead of doing checks regularly once per hour, you can now schedule checks against a particular service yourself (at most once per 15 minutes). This should give you more flexibility when verifying your fixes. Please note that you should not use that as an oracle - as in the exam, there will be no oracle and you have to understand how to fix a certain issue.

In terms of scoring, this means that you now just get points once for having fixed a problem (analogous to what is required for the exam admission). To nevertheless give an incentive to folks to start working on the challenges early, the first three solvers get 15, 10, and 5% more points, respectively.

In addition, in the hunt for the database-related errors we kept on having, I have modified the settings in all of your screecher instances (directly on the servers). This should not be a problem, since you are not supposed to touch that file anyways. In addition, I have truncated all entries from the users table; i.e., if you had a particular test account on your VM, this is now gone and you need to re-register it.

We'll keep monitoring the situation to see if this finally fixes the database issues (which we have never seen before, actually...).

03.12.2020

Gameserver and Infrastructure Update

Hey all,

we will be taking down the Gameserver for one to two hours. This maintenance will include changes to our overall checking infrastructure. 

We will provide updates about the status of our maintenance and the changes to our infrastructure via the following Askbot thread:

https://cms.cispa.saarland/askbot/websec2021/question/228/gameserver-maintenance-updates-031220/

Cheers,

Marius

30.11.2020

New jeopardies & updated Screecher instances

... are online (and in the Git) :)

25.11.2020

Leaking partial solutions on Askbot

Please refrain from posting (partial) solutions on the askbot. If you have a specific question for an exploit, join the office hour or send an email to the TAs.

In addition, before you ask questions about our crawlers not working properly, do the process yourself: create an account on team0, plant some information (i.e., a fake flag), and then visit your exploit URL. Please use a new profile in Chrome to ensure that you haven't persisted anything, e.g., exceptions to TLS warnings. If that works and leaks the data (on Chrome) and it does not work for our crawlers, reach out (best via email).

23.11.2020

jquery fun & hot-patch

TLDR: fixed an issue related to jQuery, fixes are on your machine, please merge & push

Today, the CDN of jquery.com has encountered a lot of errors. These lead to timeouts in our checkers, since Screecher depends on jQuery. After figuring out what the problem was, we have hot-patched this on your machines. Please SSH into the machines, do a git pull, merge the changes (if any) and git push afterwards before you continue your work.

Sorry, but this time it wasn't even our fault :-)

 

22.11.2020

Result of Doodle & Quiz 03

Hi all,

given that out of the mere 15 people that participated in the Doodle, 7 would like to have live lectures, whereas 8 either don't care or want to stick with recorded videos, I do not see sufficient need to change the format midway through the semester. While I am hopeful that WS 2021 might be back in person, I'll take this into consideration and ask before the lecture next year.

In addition, I have uploaded the slides for the Quiz for tomorrow. Please take a look before the lecture, so we can have a nice discussion. This also makes sense to determine you have understood what's going on with the topics covered, since we start our new exercises right after the lecture.

17.11.2020

New Django Patches + Changes in crawler infrastructure

Hey all,

We have provided a final(tm) patch for the flakiness induced by the Django DB interaction. Again, we have pulled those changes to your VM iff there were no conflicts.

We have made a small adjustment in the settings.py file regarding cookies.

Additionally, we noticed that some of the students used third-party features or security middlewares to implement parts of the exercises. Since we do not want to teach you how to use these frameworks or how to enable security middlewares in django, but rather, confront you with the nitty gritty details, we have decided to check for such changes. Starting from the next tick, we will abort our checking procedure once we have detected such alterations. This also means that if we were unable to pull on your machine/if you have changed the settings.py file, checking will not proceed unless you pull/revert your changes.  

To raise the point again: You should not change anything outside of the application folders (in particular not the settings.py).  

Cheers,

16.11.2020

Jeopardy challenges, functionality checks, and deadlines ... and live lectures?

[Please read carefully until the end]

We have released the first jeopardy challenge. Please go to https://gameserver.websec.saarland/jeopardy for the details. Note that we have extended the deadlines for the first batch a bit. Those will be due on January 5, 11:59am. The deadlines will also be listed in the Jeopardy view.

In addition, given the question in the Q/A session, let me clarify deadlines. The deadline for anything related to Screecher is usually the Monday after the release of the sheet at noon. That is, we check for the last time right after 12:00. Any patches that are not on the VM by that will not be taken into account for the admission to the exam.

Finally, I would like to hear your opinion regarding the format of the lecture. Given that last week, I had 35 participants, but only 17 in the Q/A today, I am wondering what format would work best. Can you please help me answer this question by filling the doodle at https://doodle.com/poll/qywqgi7iehhcmiuf

13.11.2020

Hints about the exercises

Since there seem to be a couple of issues related to the exercises, I wanted to point out a couple of things, both specifically for the challenge and in general.

- Please check the functionality in your own browser. Register a new account and try the relevant endpoints. Our crawler is quite literally just a browser that does the same: register, visit the URLs *as specified in the exercise sheet* and check if the resulting page has the content we expect. It is also helpful to have the browser console open to see potential errors.
- There is a logfile for your screecher instance, which can be accessed through /var/log/uwsgi/app/screecher.log. You can use "tail -f /var/log/uwsgi/app/screecher.log" to follow its output to see if there are errors that happen.
- Note also Marius' news entry about the bugfix we have released. Some students are still experiencing intermittent errors, but thus far it seems those are the systems that have not applied that patch. 

13.11.2020

Reminder: raise topics for clarification in Q/A lecture

Regarding our Q/A lecture for next week, this will be a combination of quizzes and things that students would like to have clarified. If there is something that you do not understand, send me a message until Friday noon so I can incorporate these slides into the deck for Monday.

12.11.2020

Unexpected Checking results

Hey all,

So over the course of the last days we have seen repeatedly unexpected checking results from students which already solved (parts) of the practical exercises.

This issue appears to be very racy and CANNOT be reliably reproduced by us. However, we have identified the potential culprit of the error, which stems from internal django db interactions. We have deployed a fix that hopefully addresses this issue by radically reducing the number of implicit queries done by django in our context processor feature. The fix is readily available in your Gitlab repo and we have already pulled those changes to your VMs (assuming that you did not have any merge conflicts, e.g., by having a conflicting version on the server vs in the git). We have seen cases of merge conflicts, which prevent this change from being automatically applied; please take care of resolving those conflicts and manually pull the fix on your VM instance.

We have opened an Askbot thread in which we want to track further flaky behavior, so if you notice flaky behavior without you changing anything on the server at all, please ping us in the thread: https://cms.cispa.saarland/askbot/websec2021/question/30/crawler-flakyness/.

Even though the flakiness does not hinder your exam admission, we still want to help you compete with your peers for the top score in the scoreboard without randomness.

11.11.2020

Askbot Anonymous Questions + Tag requirements removed

Hey all,

Quick update on the Askbot: You should now be able to ask a question without needing to specify tags (thanks again for providing us with feedback to improve your experience).

On another note: We encourage you to ask questions without using the anonymous feature. This makes for a little more "human interaction", which is already very tough in this online setting. Remember that if something is unclear to you, there will probably be others in the course that encountered the same issues, so there is absolutely no shame in asking questions. 

If those things did not convince you, if you have any issues with your VM or something, the TAs would also be able to help you better as they already know which instance to look at.

Have fun and see you the latest next week in the Q/A session or the tutorial tomorrow!

10.11.2020

Office Hour this Thursday at 11 am (no office hour on Wednesday this week!)

Dear students,

we will be offering an office hour this week on Thursday, 12.11., to assist you in technical problems or questions you might have with your Screecher instance. The office hour will start at 11 am and will end as soon as there are no more questions.

We are not planning for it to last longer than 12 pm, though.

It will take place over Zoom, and you will be able to find the link at the same place where the usual lecture link is also located:

https://cms.cispa.saarland/websec2021/4/Lecture_Access

Note that we do not provide a recording of the office hours, and that they normally take place on Wednesdays. This week is an exception to that.

This means in particular that there will be no office hour tomorrow!

See you then!

09.11.2020

Release the Screecher!!

Hi folks,

due to heroic efforts from our team, we can now release Screecher to you!

Each student has a gameserver secret in their CMS (see your personal status page). This, together with your CMS username, serves as the login for
- https://gitlab.websec.saarland (which hosts your personal repository of Screecher)
- https://gameserver.websec.saarland (which has all the information you need, such as leak secret and the SSH keys you need to connect)
- Your own instance, e.g., https://team1.screecher.de is also only accessible with your CMS username and gameserver secret

Please note the following: your leak secret and gameserver secret are *not* the same. If you accidentally have your gameserver secret stolen, that is a problem (see the doors this opens above). If you have your leak secret stolen, others can poison your feedback tab. This is annoying, but not as bad as the gameserver secret. Please don't have your gameserver secret stolen.


As promised, we will prolong the deadline for which you can get points by a day, meaning until Tuesday, November 17. Please find the exact exercise sheet in the materials section of the CMS.

Again, apologies for the delay. We hope to be able to promise it will not happen again :-)

Happy implementing!

09.11.2020

Slightly delayed exercises, lecture video and Q/A lecture

Given that some students left the course last minute and others joined, we had a mix-up between the CMS and the Screecher infrastructure. We only noticed this morning and have to roll out things again. The exercises are therefore delayed slightly (hopefully at most 48hrs). In the meantime, you can have a look at the video for the second lecture, which is now available (see Information -> Lecture Access).

Regarding our Q/A lecture for next week, this will be a combination of quizzes and things that students would like to have clarified. If there is something that you do not understand, send me a message until Friday noon so I can incorporate these slides into the deck for Monday.

Also, note that we have released a theoretical exercise sheet on the first lecture (see Information -> Materials). The questions of it will also be discussed in the meeting on Monday. Also, I am uploading the slides for the quiz and the second lecture now, so please have a look at the questions and be prepared to answer the questions :-)

 

We will be in touch shortly with the information about exercise infrastructure.

02.11.2020

Lecture Slides, Recordings, and Course Participation

Since this question came up today, the slides are always available before a lecture in the CMS (under Information->Materials). Also, all recordings and videos will be made available (today's lecture is uploaded now). Please see Information->Lecture Access for the details on the link/credentials.

Finally, today's webinar had only around 35 participants. Should you have decided to not take this course, please unregister, since there are students on the waitlist.

01.11.2020

Clarification: start of lecture

This information is a bit hidden: we have the Monday 10-12 slot, i.e., we'll start at 10:15 tomorrow.

01.11.2020

Start of lectures

Hi all,

tomorrow we start the lecture for Web Security. Please find the information about how to access it here: https://cms.cispa.saarland/websec2021/contents/view/4

As indicated in the course description, we will release videos of the individual course topics one week before a Q/A lecture on the subject. Note that the first lecture will be live (Monday, November 2) and so will the Django tutorial on November 9. We will record the live lecture and tutorials, but likely not the Q/A sessions.

21.10.2020

Welcome to the course

Hi all,

we have currently reached our limit of 60 students. I want to take this opportunity to remind everyone about the description of the course, specifically:

This lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you.

If you don't think this is doable for you in the winter term (especially given the Corona situation), please unregister from the course so others can take the place. Naturally, I don't want to kick anybody out and am just as happy if all stay :)


Web Security

This lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you.

Due to hardware limitations, this course can only accommodate up to 60 students. Students will be admitted on a first-come first-served basis. You should not take this course for easy credit points as it will be a significant effort. Previous students have liked the course, but noted the workload above an average course. See also the evaluation results for SS2018, SS2019 and WS2019 about this.

Teaching plan for winter term 2020/2021

Given the COVID-19 situation, the lecture will obviously not be held in person. Instead, the lecture will be taught as an inverted classroom. We will release videos each week and approx. a week after have the online meeting (Mondays 10-12) which contains quizzes on the covered topic and gives you the chance to ask questions about the slides. We will also have a tutorial, which allows you to ask questions about the exercises (see details below).

 

Tentative schedule

  • 02.11.2020: Organizational matters and History of the Web (live lecture)
  • 09.11.2020: Howto Django (live tutorial in the lecture slot)
  • 16.11.2020: Q/A session for Basic Client-Side Technology, Cookies, and JavaScript
  • 23.11.2020: Q/A session for Same-Origin Policy and Cross-Origin Communication
  • 30.11.2020: Q/A session for DNS Rebinding & Cross-Site Scripting
  • 07.12.2020: Q/A session for Content Security Policy & Clickjacking
  • 14.12.2020: Q/A session for CSRF, XSSI, SRI, and Sandboxing
  • 21.12.2020: (Optional) Presentation of Solutions for Jeopardy Challenges thus far
  • 04.01.2021: Q/A session for Database (In)security
  • 11.01.2021: Q/A session for Code Execution
  • 18.01.2021: Q/A session for Assorted Server-Side Issues
  • 25.01.2021: Q/A session for Infrastructure Security
  • 01.02.2021: Q/A session for Beyond The Browser / Exam preparation

 

Exams 

  • TBA

Exercises 

In this term, completing exercises is mandatory in order to qualify for the exam. In particular, there are two types of exercises.

  • Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge.
  • Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate exclusively to other programming languages (like PHP), we also have challenges which are attack-only. For those, you have to exploit bugs in our services.

Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. In total, each of the three categories gives you the same amount of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx 67% of all points. More details on how to work on the exercises and submit flags will be provided in the tutorial.


