Foundations of Web Security Ben Stock



Foundations of Web Security (formerly known as Web Security, meaning you cannot take it if you already passed Web Security)

This lecture covers the fundamental security problems that are prevalent on the Web as well as security mechanisms to mitigate them. A particular focus lies on the offensive side of Web security, whereas defense mechanisms merely need to be added to stop the attacks. In contrast, the Secure Web Development course is more focussed on architectural and engineering aspects of secure Web applications, including code review techniques and full message processing pipelines. You can take both courses, but neither requires the other to follow the course material.

Note that the course has now been switched back to the summer term (for the foreseeable future).

Requirements, expectations, and registration

While the name might be giving away a different idea, this lecture is an advanced lecture in Web security. At the very least, having taken CySec1/CySec2 or Security will significantly ease taking this course. If you are looking for easy 6CP, this is not the lecture for you. If you want to learn a lot about different aspects of Web Security and understand how flaws can be exploited and fixed and are willing to commit significant effort to a course, this is the right course for you. To self-assess whether this is the right course for you, please visit to guide you through the process. Note that you can only register through a token handed out in that tool (which you'll get irrespective of the amount of points you score on the self-assessment test).

Due to hardware limitations, this course can only accommodate up to 80 students. Students will be admitted on a first-come, first-served basis. You should not take this course for easy credit points as it will be a significant effort. Previous students have liked the course, but noted that the workload is above that of an average course. See also the evaluation results for SS2018, SS2019, WS2019 and WS2020 about this.

Teaching plan for summer 2021

Given the COVID-19 situation, the lecture will not be held in person. Instead, the lecture will be taught as an inverted classroom. We will release videos of the lectures each week and have a Q/A session one week after that. These sessions will be a combination of quizzes and a chance for you to ask questions. We will also have an office hour on Mondays, where you can also ask questions about the exercises.

Tentative schedule (Lecture slot: Friday 10-12)

  • 16.4.2021: Organizational matters and History of the Web (live lecture) / Release of Video 2 (Basic Client-Side Technology)
  • 23.4.2021: Q/A session for Basic Client-Side Technology / Introduction to Django & PyCharm / Release of Video 3 (Cross-Site Scripting)
  • 30.4.2021: Q/A session for Cross-Site Scripting / Release of Video 4 (Content Security Policy)
  • 7.5.2021: Q/A session for Content Security Policy / Release of Video 5 (Cross-Origin Communication)
  • 14.5.2021: No lecture
  • 21.5.2021: Q/A session for Cross-Origin Communication / Release of Video 6 (Cross-Origin Attacks)
  • 28.5.2021: Q/A session for Cross-Origin Attacks / Release of Video 7 (Database Insecurity)
  • 4.6.2021: Presentation of first batch of jeopardy challenge solutions
  • 11.6.2021: Q/A session for Database Insecurity / Release of Video 8 (Code Execution)
  • 18.6.2021: Q/A session for Code Execution / Release of Video 9 (Assorted Server-Side Issues)
  • 25.6.2021: Q/A session for Assorted Server-Side Issues / Release of Video 10 (Infrastructure Security)
  • 2.7.2021: Q/A session for Infrastructure Security
  • 9.7.2021: Current research & Beyond the classical models (live lecture)
  • 16.7.2021: Presentation of second batch of jeopardy challenge solutions
  • 23.7.2021: Exam preparation


  • TBA


This term, completing the exercises is mandatory in order to qualify for the exam. There are two types of exercises.

  • Security vulnerabilities and fixes for our social network Screecher: Here, you have to find flaws in the new versions we hand out every week, fix them in your own installation without breaking functionality as well as exploit them against a central instance. Functionality and exploitability of your instances will be automatically checked by us. Once you exploit our central instance, you get a flag which you can submit to prove you solved the challenge. In total, this roughly sums up to 15 offensive points and 17 defensive points.
  • Jeopardy-style challenges: Since Screecher is a Python-based service, but we also cover issues which relate exclusively to other programming languages (like PHP), we also have challenges which are attack-only. For those, you have to exploit bugs in our services. In total, we plan to have around 20-22 jeopardy challenges.

Points will be awarded in three categories: offensive (Screecher), defensive (Screecher), and jeopardy. In total, you have to get 50% of all available points. Each of the three categories gives you the same number of points, i.e., if you exclusively work on Screecher and exploit and fix all bugs, you'd end up with approx. 60% of all points. More details on how to work on the exercises and submit flags will be provided in the introductory session about our infrastructure.
