Foundations of Web Security Ben Stock

News

27.09.2021

Backup exam results / backup exam inspection

I have finished grading and added the results into the CMS. We will do the exam inspection on Thursday, 10-11:30. Please let me know if you plan to attend so I can decide whether to just do it in my office or reserve a room.

25.09.2021

Reminder: backup exam participation / possible Covid symptoms

If your answer is "yes" to one or more of the following questions, then you are not allowed to attend the exam. If you provide a doctor’s certificate to the examination office later on, the examination attempt will be canceled and will not count.

Did you have definite contact with a Covid-19 patient, who was tested positive, in the last 14 days?

Do you have any of the following symptoms?

  • Cough / Husten
  • Sore throat / Halsschmerzen
  • Nasal congestion / runny nose / Schnupfen
  • Diarrhoea / Durchfall
  • Fever / Fieber
  • Aches and pains / Gliederschmerzen
  • Loss of smell (e.g. no longer able to smell burnt food) / Geruchsverlust
  • Loss of taste (e.g. unable to distinguish when food is burnt) / Geschmacksverlust

If a student is not sure about the answer to one of these questions, then he/she has to consult a doctor to decide whether or not his/her health status is critical. If the decision is that he/she can participate, then he/she has to bring a medical certificate along to the exam.

22.09.2021

Backup exam

For Monday's backup exam, we will not be in GHH, but instead in HS 002 in the CS building. As last time, please have a vaccination proof, recovery proof, or negative test result available for me to check. You can see your seat number in the CMS.

 

Also, the standard disclaimer applies:

Also note the following (will remind again about this on the day before the exam):

If your answer is "yes" to one or more of the following questions, then you are not allowed to attend the exam. If you provide a doctor’s certificate to the examination office later on, the examination attempt will be canceled and will not count.

Did you have definite contact with a Covid-19 patient, who was tested positive, in the last 14 days?

Do you have any of the following symptoms?

  • Cough / Husten
  • Sore throat / Halsschmerzen
  • Nasal congestion / runny nose / Schnupfen
  • Diarrhoea / Durchfall
  • Fever / Fieber
  • Aches and pains / Gliederschmerzen
  • Loss of smell (e.g. no longer able to smell burnt food) / Geruchsverlust
  • Loss of taste (e.g. unable to distinguish when food is burnt) / Geschmacksverlust

If a student is not sure about the answer to one of these questions, then he/she has to consult a doctor to decide whether or not his/her health status is critical. If the decision is that he/she can participate, then he/she has to bring a medical certificate along to the exam.

13.09.2021

Reminder: backup exam registration

This is your one-week reminder. Please ensure that you are registered through the LSF by September 20 if you want to take the backup exam. 

29.07.2021

Exam results & exam inspection

We have put the exam results into the CMS. Please check your personal status page. We will do the inspection on Monday, from 10-12 in CISPA's room 0.07. 

27.07.2021

Reminder: exam participation / possible Covid symptoms

If your answer is "yes" to one or more of the following questions, then you are not allowed to attend the exam. If you provide a doctor’s certificate to the examination office later on, the examination attempt will be canceled and will not count.

Did you have definite contact with a Covid-19 patient, who was tested positive, in the last 14 days?

Do you have any of the following symptoms?

  • Cough / Husten
  • Sore throat / Halsschmerzen
  • Nasal congestion / runny nose / Schnupfen
  • Diarrhoea / Durchfall
  • Fever / Fieber
  • Aches and pains / Gliederschmerzen
  • Loss of smell (e.g. no longer able to smell burnt food) / Geruchsverlust
  • Loss of taste (e.g. unable to distinguish when food is burnt) / Geschmacksverlust

If a student is not sure about the answer to one of these questions, then he/she has to consult a doctor to decide whether or not his/her health status is critical. If the decision is that he/she can participate, then he/she has to bring a medical certificate along to the exam.

23.07.2021

Exam details

Quick reminder about the details for the exam:

  • Günter-Hotz-Hörsaal (Building E2.2)
  • Start 28.7. 14:00 - 16:00
  • Please arrive by 13:45, but wait outside of the building (main entrance at the lower end)
  • Please either bring a negative quick test (<24h old), a proof of vaccination (>14 days after final shot), or a proof of recovery (e.g., PCR positive result no older than 6 months and no younger than 4 weeks)
  • Please note that it is necessary for you to bring your medical mouth-nose protection mask (surgical mask or FFP2/KN95/N95 mask) with you. These must be worn whenever you are moving around in the building. It is recommended that everyone (including supervisors) wears protective masks during the entire exam, also while sitting at the seat.
  • Everyone has a fixed seat assigned. You can see your seat in the "Personal Status" page.

 

Also note the following (will remind again about this on the day before the exam):

If your answer is "yes" to one or more of the following questions, then you are not allowed to attend the exam. If you provide a doctor’s certificate to the examination office later on, the examination attempt will be canceled and will not count.

Did you have definite contact with a Covid-19 patient, who was tested positive, in the last 14 days?

Do you have any of the following symptoms?

  • Cough / Husten
  • Sore throat / Halsschmerzen
  • Nasal congestion / runny nose / Schnupfen
  • Diarrhoea / Durchfall
  • Fever / Fieber
  • Aches and pains / Gliederschmerzen
  • Loss of smell (e.g. no longer able to smell burnt food) / Geruchsverlust
  • Loss of taste (e.g. unable to distinguish when food is burnt) / Geschmacksverlust

If a student is not sure about the answer to one of these questions, then he/she has to consult a doctor to decide whether or not his/her health status is critical. If the decision is that he/she can participate, then he/she has to bring a medical certificate along to the exam.

21.07.2021

Reminder: Exam registration

Hi folks,

note that *today* is the last chance you have to register for the main exam. After today, you cannot register and can therefore not take part in the exam.

13.07.2021

Exam preparation and planning

To allow everyone to have some more time to prepare specifically for the types of questions you might expect, we will use this week's slot to not only explain the jeopardy solutions, but also to provide a general idea of what you can expect from the exam. In the final meeting on July 23, I will cover topics that you can nominate which should be clarified. Please add your topics as answers to the post in the Askbot at https://cms.cispa.saarland/askbot/websec21/question/32/topics-for-wrap-up-session-on-july-23/

If you plan to take the exam on July 28, note the following important points:

  • You need to get at least 26 points by this Friday, 10am, at which point Jeopardy challenges will stop yielding points.
  • You need to be registered through LSF by July 21. If for some reason you cannot register through LSF, send me an email before that deadline. You cannot register after July 21.
  • Based on my interpretation of the current Saarland Corona rules - and importantly in the interest of everyone's safety - you may only attend the exam if you are a) fully vaccinated (+14 days since last shot), b) recovered from Covid (PCR positive <6 months and >4 weeks ago), or c) have a negative quick test which is no older than 24h. You can either get tested for free where you live or make an appointment in the UdS test center (https://test-saarland.de/uds). 
  • Should your quick test come back positive, but a PCR test after is negative, send me the quick test result and I will make sure that you having missed the exam will not be counted as a failed attempt. If the PCR test is positive as well, you can send that information to the university to be exempted.

Note also the regulation from the university regarding masks during the exam:

While entering/leaving the room (this includes also waiting situations), moving in the room, and while talking to supervisors, medical mouth-nose protection (surgical masks) or FFP 2 / KN 95 / N95 masks are mandatory. It is recommended that everyone (including supervisors) wears protective masks during the entire exam, also while sitting at the seat.

09.07.2021

Outlook for next two weeks / Final reminder for evaluation ;-)

I have just uploaded the slides and video of the final regular lecture today. We will meet next week (16.7.2021) at the regular time to discuss the second batch of jeopardy challenges. I will run through the steps of each challenge and we will also release a "walkthrough" guide. The week after (23.7.2021), we will have our exam preparation, in which I will give you hints on what to expect in the exam and what types of answers we will look for.

Generally speaking, the exam will be very practical. That is, if you managed to do all the jeopardy and screecher challenges (or understood how they work from the provided solutions), you should not have a hard time with the majority of the exam. Examples of some of the more theoretical questions can be found in the Reading Guide, so I encourage everyone to have a look at the control tasks (solutions are at the end of the reading guide).

Finally, as a reminder, if you have not yet evaluated the lecture, please do so before July 15, at which point the system will be shut off. The link to the evaluation is: https://qualis.uni-saarland.de/eva/?l=130408&p=2tpvbh

Have a nice weekend!

29.06.2021

Taking gamification to the next level: our CTF team saarsec

Hi all,

if you liked the challenges we did for FoWS, you'll probably also like playing actual CTFs ;-) Our local team saarsec is regularly participating in these and there are two great Attack/Defense CTFs (somewhat similar to Screecher, but round-based with frequently changing flags) coming up (on July 10 and July 18). These CTFs, which typically run for 8-10 hours, will allow you to apply your exploitation, patching, and automation skills. Some more info about the CTF team can be found at https://saarsec.rocks/.

We have regular meetings on Thursday at 5pm, held virtually at the moment. If you are interested in joining for the meeting, send me an email and I can provide you with access to the meeting URL. If you want to then join more regularly, you'll get an invite to saarsec's Mattermost channel, which we use for all the coordination.

24.06.2021

Evaluation

I have received the link for the evaluation today. Please rate the lecture at https://qualis.uni-saarland.de/eva/?l=130408&p=2tpvbh

Also, if you have additional feedback you want to leave about the lecture, feel free to use the feedback in the CMS. We also appreciate specific feedback on the Jeopardy challenges through the gameserver interface.

24.06.2021

No Q/A session on Friday

Given that there are just two quizzes and no other content for lecture 9's quiz, we'll skip this week's meeting. If you have specific questions about something that was unclear in the lecture, ping me on Mattermost or send me an email so I can clarify. We will release the new challenges at 10 am.

22.06.2021

Random reboot

Unfortunately, the machine hosting the exercises was rebooted without me understanding why. I have restarted all services now and it seems the screecher instances and jeopardy challenges should be operational. Should that not be the case, please let me know.

20.06.2021

End of power outage

Hi folks,

unfortunately, there were some network issues last night still with the CISPA network, which is why I only was able to restart everything just now. We have extended the deadline for this week's sheet by 48h (i.e., 27.6.2021 10:00am) and the one for the next week also by 24h (i.e., 3.7.2021 10:00am).

Note that this change is not reflected in the sheets, but only in our Gameserver database.

18.06.2021

Power Outage

Dear all, 

there will be a shutdown of CISPA's power supply from 10pm tonight until 6pm tomorrow for necessary maintenance. In that time, the servers hosting the videos as well as the challenges and screecher instances will be unavailable. CMS should still work though. If you want to watch the video(s), please make sure to finish your downloads before 10pm tonight. We will shut down the VMs at 9pm tonight and start them again at the latest 24h later.

To account for the lost time, we will postpone the Screecher deadline by 1 day, i.e., June 26th, 10 am. For the jeopardy challenges, there is only the deadline at the end of the semester, so no need to push that.

10.06.2021

Invited Talk in our Web Sec Lecture Series

Hi all,

in our CISPA Web Sec lecture series, we have a speaker today who might be interesting for some of you. Feel free to join the Zoom call, info below.

When: Thursday June 10, 10:00 AM

Zoom link: https://cispa-de.zoom.us/j/96775779464?pwd=WFQ1aW9Xb2c1OHMybWlEUDIralN5QT09

Speaker: Stefano Calzavara 

Title: May I take your subdomain? Exploring same-site attacks on the modern Web


Abstract: Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention by the research community. In this talk we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications.

Short Bio: Stefano Calzavara is a tenure-track assistant professor at Università Ca' Foscari Venezia. His research focuses on formal methods, computer security and their intersection, with a particular emphasis on web security. Stefano is also happy to serve as the co-leader of the Italian chapter of the Open Web Application Security Project (OWASP).

17.05.2021

Reminder / Clarification: Screecher HTTP Authentication

Just a quick reminder, in particular for those not on Mattermost: your screecher instances are running behind an HTTP Authentication, which is not filled by the crawlers (except for those that check functionality/exploitability on your instances). That means, if you try to host a file used for the jeopardy challenges on your screecher instance, that will not work. That is what you have your attacker directories for :-)

10.05.2021

Due to popular demand, solutions now contain PoCs + changes

Hey all,

due to popular demand, we have released solutions for exercise sheet 1 and updated the solution for sheet 2 with PoCs + diffs for the fixes.

Cheers,
- Marius

 

07.05.2021

New jeopardy exercises, no screecher exercises this week

Hey everyone,

today we will not release an exercise sheet.
Rather, we release 5 jeopardy exercises at 12:00, accessible via the gameserver interface.

All jeopardies released until today (including today) are due on June 4, 10 am (the rest of the jeopardies will be discussed at the end of the semester).

Happy Hacking!
- Marius

05.05.2021

Mattermost

Hi folks,

I realized today that we did not post the link to the Mattermost outside of the live lecture ~2 weeks ago. The URL for it is https://mattermost.websec.saarland - please use the option to "Login with Gitlab".

 

16.04.2021

Welcome to Foundations of Web Security

Welcome to this year's iteration of (what is now known as) Foundations of Web Security. To access the Zoom meetings and the lecture recordings, please see https://cms.cispa.saarland/websec21/7/Lecture_Access. We'll start the lecture at 10:15 today and you can already download the (preliminary) slides from the Materials section in CMS. I have also uploaded the video for lecture 2 as well as Q/A for both lectures 1 and 2, so you can take a look at the questions while attending the lecture / watching the videos.

Registration is closed and because of setup constraints, we cannot admit any more students.

 

Foundations of Web Security (formerly known as Web Security (meaning: you cannot take it if you already passed Web Security))

This lecture covers the fundamental security problems that are prevalent on the Web as well as security mechanisms to mitigate them. A particular focus lies on the offensive side of Web security, whereas defense mechanisms merely need to be added to stop the attacks. In contrast, the Secure Web Development course is more focussed on architectural and engineering aspects of secure Web applications, including code review techniques and full message processing pipelines. You can take both courses, but neither requires the other to follow the course material.

Note that the course is now switched back to the summer term (for the foreseeable future).

Requirements, expectations, and registration

While the name might be giving away a different idea, this lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you. To self-assess whether this is the right course for you, please visit https://self-assessment.websec.saarland/ to guide you through the process. Note that you can only register through a token handed out in that tool (which you'll get irrespective of the amount of points you score on the self-assessment test).

Due to hardware limitations, this course can only accommodate up to 80 students. Students will be admitted on a first-come first-served basis. You should not take this course for easy credit points as it will be a significant effort. Previous students have liked the course, but noted that the workload is above that of an average course. See also the evaluation results for SS2018, SS2019, WS2019 and WS2020 about this.

Teaching plan for summer 2021

Given the COVID-19 situation, the lecture will not be held in person. Instead, the lecture will be taught as an inverted classroom. We will release videos of the lectures each week and have a Q/A session one week after that. These sessions will be a combination of quizzes and a chance for you to ask questions. We will also have an office hour on Mondays, where you can also ask questions about the exercises.

Schedule (Lecture slot: Friday 10-12)

  • 16.4.2021: Organizational matters and History of the Web (live lecture) / Release of Video 2 (Basic Client-Side Technology)
  • 23.4.2021: Q/A session for Basic Client-Side Technology / Introduction to Django&PyCharm / Release of Video 3 (Cross-Site Scripting)
  • 30.4.2021: Q/A session for Cross-Site Scripting / Release of Video 4 (Content Security Policy)
  • 7.5.2021: Q/A session for Content Security Policy / Release of Video 5 (Cross-Origin Communication)
  • 14.5.2021: No lecture
  • 21.5.2021: Q/A session for Cross-Origin Communication / Release of Video 6 (Cross-Origin Attacks)
  • 28.5.2021: Q/A session for Cross-Origin Attacks / Release of Video 7 (Database Insecurity)
  • 4.6.2021: Presentation of first batch of jeopardy challenge solutions
  • 11.6.2021: Q/A session for Database Insecurity / Release of Video 8 (Code Execution)
  • 18.6.2021: Q/A session for Code Execution / Release of Video 9 (Assorted Server-Side Issues)
  • 25.6.2021: Q/A session for Assorted Server-Side Issues / Release of Video 10 (Infrastructure Security)
  • 2.7.2021: Q/A session for Infrastructure Security
  • 9.7.2021: Current research & Beyond the classical models (live lecture)
  • 16.7.2021: Presentation of second batch of jeopardy challenge solutions
  • 23.7.2021: Exam preparation

Exams 

  • Main exam: 28.7.2021 (2pm)
  • Backup exam: 27.9.2021 (9am)

Exercises 

In this term, in order to qualify for the exam, you have to mandatorily do exercises. In particular, there are two types of exercises.

  • Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge. In total, this roughly sums up to 15 offensive points and 17 defensive points.
  • Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate to other programming languages exclusively (like PHP), we also have challenges which are attack-only. For those, you have to exploit bugs in our services. In total, we plan to have around 20-22 jeopardy challenges.

Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. In total, each of the three categories gives you the same amount of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx. 60% of all points. More details on how to work on the exercises and submit flags will be provided in the introductory session about our infrastructure.


