Foundations of Web Security

Dear former WebSecurity students,

Our Bachelor student Philipp is currently writing his thesis about Trusted Types. As part of this thesis, he is conducting a study on the usability of Trusted Types.

The study consists of two parts: First, an interview about XSS and Trusted Types. And afterwards, a coding task where Trusted Types sanitizer functions need to be created. The whole process will last approximately 60 minutes, and you will be compensated with a 25€ Amazon voucher.

So if you are interested or have further questions, do not hesitate to write him an email (s8phbaus@stud.uni-saarland.de).

If your answer is "yes" to one or more of the following questions, then you are not allowed to attend the exam. If you provide a doctor’s certificate to the examination office later on, the examination attempt will be canceled and will not count.

Did you have definite contact with a Covid-19 patient, who was tested positive, in the last 14 days?

Do you have any of the following symptoms?

• Cough / Husten
• Sore throat / Halsschmerzen
• Nasal congestion / runny nose / Schnupfen ▪ Diarrhoea /Durchfall
• Fever /Fieber
• Aches and pains / Gliederschmerzen
• Loss of smell (e.g. no longer able to smell burnt food) / Geruchsverlust
• Loss of taste (e.g. unable to distinguish when food is burnt) / Geschmacksverlust”

If a student is not sure about the answer to one of these questions, then he/she has to consult a doctor to decide whether or not his/her health status is critical. If the decision is that he/she can participate, then he/she has to bring a medical certificate along to the exam.

For Monday's backup exam, we will not be in GHH, but instead in HS 002 in the CS building. As last time, please have a vaccination proof, recovery proof, or negative test result available for me to check. You can see your seat number in the CMS.

 

Also, the standard disclaimer applies:

Also note the following (will remind again about this on the day before the exam):

If your answer is "yes" to one or more of the following questions, then you are not allowed to attend the exam. If you provide a doctor’s certificate to the examination office later on, the examination attempt will be canceled and will not count.

Did you have definite contact with a Covid-19 patient, who was tested positive, in the last 14 days?

Do you have any of the following symptoms?

• Cough / Husten
• Sore throat / Halsschmerzen
• Nasal congestion / runny nose / Schnupfen ▪ Diarrhoea /Durchfall
• Fever /Fieber
• Aches and pains / Gliederschmerzen
• Loss of smell (e.g. no longer able to smell burnt food) / Geruchsverlust
• Loss of taste (e.g. unable to distinguish when food is burnt) / Geschmacksverlust”

If a student is not sure about the answer to one of these questions, then he/she has to consult a doctor to decide whether or not his/her health status is critical. If the decision is that he/she can participate, then he/she has to bring a medical certificate along to the exam.

If your answer is "yes" to one or more of the following questions, then you are not allowed to attend the exam. If you provide a doctor’s certificate to the examination office later on, the examination attempt will be canceled and will not count.

Did you have definite contact with a Covid-19 patient, who was tested positive, in the last 14 days?

Do you have any of the following symptoms?

• Cough / Husten
• Sore throat / Halsschmerzen
• Nasal congestion / runny nose / Schnupfen ▪ Diarrhoea /Durchfall
• Fever /Fieber
• Aches and pains / Gliederschmerzen
• Loss of smell (e.g. no longer able to smell burnt food) / Geruchsverlust
• Loss of taste (e.g. unable to distinguish when food is burnt) / Geschmacksverlust”

If a student is not sure about the answer to one of these questions, then he/she has to consult a doctor to decide whether or not his/her health status is critical. If the decision is that he/she can participate, then he/she has to bring a medical certificate along to the exam.

Quick reminder about the details for the exam:

• Günter-Hotz-Hörsaal (Building E2.2)
• Start 28.7. 14:00 - 16:00
• Please arrive by 13:45, but wait outside of the building (main entrance at the lower end)
• Please either bring a negative quick test (<24h old), a proof of vaccination (>14 days after final shot), or a proof of recovering (e.g., PCR positive result no older than 6 months and no younger than 4 weeks)
• Please note that it is necessary for you to bring your medical mouth-nose protection mask (surgical mask or FFP2/KN95/N95 mask) with you. These must be worn whenever you are moving around in the building. It is recommended that everyone (including supervisors) wears protective masks during the entire exam, also while sitting at the seat.
• Everyone has a fixed seat assigned. You can see your seat in the "Personal Status" page.

 

Also note the following (will remind again about this on the day before the exam):

If your answer is "yes" to one or more of the following questions, then you are not allowed to attend the exam. If you provide a doctor’s certificate to the examination office later on, the examination attempt will be canceled and will not count.

Did you have definite contact with a Covid-19 patient, who was tested positive, in the last 14 days?

Do you have any of the following symptoms?

• Cough / Husten
• Sore throat / Halsschmerzen
• Nasal congestion / runny nose / Schnupfen ▪ Diarrhoea /Durchfall
• Fever /Fieber
• Aches and pains / Gliederschmerzen
• Loss of smell (e.g. no longer able to smell burnt food) / Geruchsverlust
• Loss of taste (e.g. unable to distinguish when food is burnt) / Geschmacksverlust”

If a student is not sure about the answer to one of these questions, then he/she has to consult a doctor to decide whether or not his/her health status is critical. If the decision is that he/she can participate, then he/she has to bring a medical certificate along to the exam.

To allow everyone to have some more time to prepare specifically for the types of questions you might expect, we will use this week's slot to not only explain the jeopardy solutions, but also to provide a general idea of what you can expect from the exam. In the final meeting on July 23, I will cover topics that you can nominate which should be clarified. Please add your topics as answers to the post in the Askbot at https://cms.cispa.saarland/askbot/websec21/question/32/topics-for-wrap-up-session-on-july-23/

If you plan to take the exam on July 28, note the following important points:

• You need to get at least 26 points until this Friday, 10am, at which point Jeopardy challenges will stop yielding points.
• You need to be registered through LSF until July 21. If for some reason you cannot register through LSF, send me an email before that deadline. You cannot register after July 21.
• Based on my interpretation of the current Saarland Corona rules - and importantly in the interest of everyone's safety - you may only attend the exam if you are a) fully vaccinated (+14 days since last shot), b) recovered from Covid (PCR positive <6 months and >4 weeks ago), or c) have a negative quick test which is no older than 24h. You can either get tested for free where you live or make an appointment in the UdS test center (https://test-saarland.de/uds). 
• Should your quick test come back positive, but a PCR test after is negative, send me the quick test result and I will make sure that you having missed the exam will not be counted as a failed attempt. If the PCR test is positive as well, you can send that information to the university to be exempted.

Note also the regulation from the university regarding masks during the exam:

While entering/leaving the room (this includes also waiting situations), moving in the room, and while talking to supervisors, medical mouth-nose protection (surgical masks) or FFP 2 / KN 95 / N95 masks are mandatory. It is recommended that everyone (including supervisors) wears protective masks during the entire exam, also while sitting at the seat.

I have just uploaded the slides and video of the final regular lecture today. We will meet next week (16.7.2021) at the regular time to discuss the second batch of jeopardy challenges. I will run through the steps of each challenge and we will also release a "walkthrough" guide. The week after (23.7.2021), we will have our exam preparation, in which I will give you hints on what to expect in the exam and what types of answers we will look for.

Generally speaking, the exam will be very practical. That is, if you managed to do all the jeopardy and screecher challenges (or understood how they work from the provided solutions), you should not have a hard time with the majority of the exam. Examples of some of the more theoretical questions can be found in the Reading Guide, so I encourage everyone to have a look at the control tasks (solutions are the end of the reading guide). 

Finally, as a reminder, if you have not yet evaluated the lecture, please do so before July 15, at which point the system will be shut off. The link to the evaluation is: https://qualis.uni-saarland.de/eva/?l=130408&p=2tpvbh

Have a nice weekend!

Hi all,

if you liked the challenges we did for FoWS, you'll probably also like playing actual CTFs ;-) Our local team saarsec is regularly participating in these and there are two great Attack/Defense CTFs (somewhat similar to Screecher, but round-based with frequently changing flags) coming up (on July 10 and July 18) These CTFs, which typically for for 8-10 hours, will allow you to apply your exploitation, patching, and automation skills. Some more info about the CTF team can be found at https://saarsec.rocks/.

We have regular meetings on Thursday at 5pm, held virtually at the moment. If you are interested in joining for the meeting, send me an email and I can provide you with access to the meeting URL. If you want to then join more regularly, you'll get an invite to saarsec's Mattermost channel, which we use for all the coordination.

I have received the link for the evaluation today. Please rate the lecture at https://qualis.uni-saarland.de/eva/?l=130408&p=2tpvbh

Also, if you have additional feedback you want to leave about the lecture, feel free to use the feedback in the CMS. We also appreciate specific feedback on the Jeopardy challenges through the gameserver interface.

Hi folks,

unfortunately, there we some network issues last night still with the CISPA network, which is why I only was able to restart everything just now. We have extended the deadline for this week's sheet by 48h (i.e., 27.6.2021 10:00am) and the one for the next week also by 24h (i.e., 3.7.2021 10:00am). 

Note that this change is not reflected in the sheets, but only in our Gameserver database.

Dear all, 

there will be a shutdown of CISPA's power supply from 10pm tonight until 6pm tomorrow for necessary maintenance. In that time, the servers hosting the videos as well as the challenges and screecher instances will be unavailable. CMS should still work though. If you want to watch the video(s), please sure to finish your downloads before 10pm tonight. We will shut down the VMs at 9pm tonight and start them again at the latest 24h later.

To account for the lost time, we will postpone the Screecher deadline by 1 day, i.e., June 26th, 10 am. For the jeopardy challenges, there is only the deadline at the end of the semester, so no need to push that.

Hi all,

in our CISPA Web Sec lecture series, we have a speaker today who might be interesting for some of you. Feel free to join the Zoom call, info below.

When: Thursday June 10, 10:00 AM

Zoom link: https://cispa-de.zoom.us/j/96775779464?pwd=WFQ1aW9Xb2c1OHMybWlEUDIralN5QT09

Speaker: Stefano Calzavara 

Title: May I take your subdomain? Exploring same-site attacks on the modern Web

Abstract: Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention by the research community. In this talk we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications.

Short Bio: Stefano Calzavara is a tenure-track assistant professor at Università Ca' Foscari Venezia. His research focuses on formal methods, computer security and their intersection, with a particular emphasis on web security. Stefano is also happy to serve as the co-leader of the Italian chapter of the Open Web Application Security Project (OWASP).

Just a quick reminder, in particular for those not on Mattermost: your screecher instances are running behind an HTTP Authentication, which is not filled by the crawlers (except for those that check functionality/exploitability on your instances). That means, if you try to host a file used for the jeopardy challenges on your screecher instance, that will not work. That is what you have your attacker directories for :-)

Hey everyone,

today we will not release an exercise sheet.
Rather, we release 5 jeopardy exercises at 12:00, accessible via the gameserver interface.

All jeopardies released until today(including today) are due on June 4, 10 am (the rest of the jeopardies will be discussed at the end of the semester).

Happy Hacking!
- Marius

Welcome to this year's iteration of (what is now known as) Foundations of Web Security. To access the Zoom meetings and the lecture recordings, please see https://cms.cispa.saarland/websec21/7/Lecture_Access. We'll start the lecture at 10:15 today and you can already download the (preliminary) slides from the Materials section in CMS. I have also uploaded the video for lecture 2 as well as Q/A for both lectures 1 and 2, so you can take a look at the questions while attending the lecture / watching the videos.