News

Grades in CMS & LSF

Written on 27.03.23 by Ben Stock

Dear all,

we have finished the grading of the seminar papers. We also added comments on your talks through the feedback on your submission. I'll also upload the grades to LSF now.

Feedback available and deadline for final paper extended

Written on 24.02.23 by Ben Stock

Hi all,

due to a miscommunication, we did not release the feedback for your submissions on time; apologies for that. The feedback is visible in the CMS now. To account for the delay, we have extended the deadline for the final versions from March 3 to March 10.

Zoom Link for January 23

Written on 22.01.23 (last change on 23.01.23) by Ben Stock

https://cispa-de.zoom.us/j/97081924650?pwd=OUpYVEJVd1ZsNndIZnYySWxNVXk2Zz09 :)


Update: please arrive by 2pm so we can start right away

Evaluation link

Written on 15.01.23 by Ben Stock

Hi all,

I received the link for Qualis eval. Please fill out https://qualis.uni-saarland.de/eva/?l=140604&p=MA60MY 

Thanks and see you tomorrow!

Merry Christmas, "Guten Rutsch" and Zoom link

Written on 29.12.22 by Ben Stock

Hi all,

first, I hope you had a merry Christmas and a healthy start to the new year. For our first meeting in 2023, we'll use https://cispa-de.zoom.us/j/99210655983?pwd=OGR2NTFTWlZFK1RwekZPb0FiU0tlQT09

See you remotely then!

Meeting January 2

Written on 20.12.22 by Ben Stock

Hi all,

for the January 2 meeting, we will start at 2pm sharp since we need to have two talks (one we skipped because of the speaker being out sick). We'll run until 4pm, which I hope is not an issue since there is no relocation required after the seminar ;)

See you next year!

Next meeting in 0.01

Written on 06.12.22 by Ben Stock

Hi all,

next week, Michael Backes needs to stream something from 0.02. We will meet in 0.01 (the room next to 0.02). However, please *do not* use the way through 0.02, but rather from the entrance walk a bit further and use the second door on the right. This leads to a small corridor where you can then get to 0.01.

LSF registration

Written on 08.11.22 by Ben Stock

LSF registration for seminars is open now. Please make sure to sign up by November 22 to be eligible for the credits.

Clarification: three items per paper

Written on 06.11.22 by Ben Stock

There was an inconsistency between the slides and the CMS main page, so let me clarify: all students must submit three items for discussion before each meeting; that includes the speaker of the follow-up talk.

Topics assigned

Written on 01.11.22 by Ben Stock

Dear all,

I have just assigned the topics for all students. For that, I have "abused" the tutorial bidding in the CMS. You can see the respective topic in your Personal Status page - if you have tutorial T02, that means you have Topic 2 (Request Smuggling) assigned to you.

This also means that we will skip the next meeting on November 14. 

As for the meetings around Christmas, I propose that we still meet in person on December 19, but move to a virtual meeting on January 2. This requires that you are comfortable with attending a Zoom call with your camera activated on that day. If either of those requirements causes an issue, please let me know ASAP.

See you all on November 21.


The Web Security Seminar

For registration, please apply for this seminar through the central seminar assignment system.


In this seminar, students will learn to present, discuss, and summarize papers in different areas of Web security. The seminar is taught as a combination of a reading group with weekly meetings and a regular seminar, for which you have to write a seminar paper. Specifically, each student will get a single topic assigned to them, consisting of two papers (a lead paper and a follow-up paper).

For the weekly meetings, all students have to have read the lead paper and must submit at least three discussion items before the meeting. In the meeting, the assigned student will present the follow-up paper (20-minute presentation + 10-minute Q/A). Afterward, the entire group will discuss both papers.

Moreover, each student will write a seminar paper on the topic assigned to them, for which the two papers on the topic serve as the starting point.


Important Details

  • Kickoff: Monday, October 31, 14:00, in person in CISPA 0.02
  • Regular seminar starts Monday, November 14, ends Monday, February 6
  • By Sunday night, 23:59, submit three discussion items: strengths, weaknesses, future work
  • Optional feedback round/practice talk on Thursday before the presentation (arrange exact time with supervisor)
  • Attendance in all meetings and submission of three discussion items for each topic is mandatory. For exceptional cases, contact the teaching staff.
  • Note that we will not offer a hybrid solution. We plan to have in-person meetings as long as possible and switch to fully online if the need arises.

Seminar Paper Details

Each seminar paper is meant to provide a summary/categorization of research papers in the associated area. Depending on the topic, the paper should be structured in a logical fashion. For example, assume the topic of Service Workers. One might structure the seminar paper around security considerations for Service Workers, attacks against Service Workers, and attacks enabled through Service Workers. Each section should demonstrate the state of the art in the area. Finally, the paper should, where possible, discuss limitations and open issues given the previously conducted work.

All seminar papers are due on February 10, 2022. Based on your submission, you will receive feedback within one week and have until March 3, 2022 to improve your paper. Grading is based on the final version. Note that the first submission must already be sufficient to pass. If you submit a half-baked version of the paper, you will flunk the course.

Each paper must use the provided template. It must not be longer than 8 pages, not counting references and appendices. Note that appendices are not meant to provide information that is absolutely necessary to understand the paper, but rather to provide auxiliary material. Papers can be shorter, but in general the page limit is a good indicator of how long a paper should be.


List of Topics and Papers

  1. Web Cache Deception (14.11.2022)
    1. Web Cache Deception Escalates (USENIX Security 2022) https://www.usenix.org/conference/usenixsecurity22/presentation/mirheidari
    2. Cached and Confused (USENIX Security 2020) https://www.usenix.org/conference/usenixsecurity20/presentation/mirheidari
  2. Request Smuggling (21.11.2022)
    1. FRAMESHIFTER: Security Implications of HTTP/2-to-HTTP/1 Conversion Anomalies (USENIX Security 2022) https://www.usenix.org/conference/usenixsecurity22/presentation/jabiyev
    2. T-Reqs: HTTP Request Smuggling with Differential Fuzzing (CCS 2021) https://dl.acm.org/doi/abs/10.1145/3460120.3485384
  3. PHP Analysis (28.11.2022)
    1. TCHECKER: Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications (CCS 2022)
    2. FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities (USENIX Security 2022) https://www.usenix.org/conference/usenixsecurity22/presentation/park-sunnyeo
  4. Taint-Tracking for Vulnerability Detection (5.12.2022)
    1. Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites (NDSS) https://www.ndss-symposium.org/ndss-paper/auto-draft-207/
    2. Don't Trust the Locals (NDSS) https://www.ndss-symposium.org/ndss-paper/dont-trust-the-locals-investigating-the-prevalence-of-persistent-client-side-cross-site-scripting-in-the-wild/
  5. Domain Security (12.12.2022)
    1. Domains Do Change Their Spots: Quantifying Potential Abuse of Residual Trust https://johnny.so/publication/so-2022-domains/so-2022-domains.pdf
    2. Cracking Wall of Confinement: Understanding and Analyzing Malicious Domain Takedowns (NDSS 2019) https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_02B-1_Alowaisheq_paper.pdf
  6. Phishing (19.12.2022)
    1. I'm SPARTACUS, No, I'm SPARTACUS: Proactively Protecting Users From Phishing by Intentionally Triggering Cloaking Behavior (CCS 2022) https://zhibosun.me/assets/publication/ccs/spartacus.pdf
    2. Crawlphish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing (S&P 2021) https://www.public.asu.edu/~pzhang57/papers/crawlphish.pdf
  7. Security Inconsistencies (2.1.2023)
    1. Security Lottery (USENIX Security 2022) https://www.usenix.org/conference/usenixsecurity22/presentation/roth
    2. Site Policy (NDSS) https://www.ndss-symposium.org/ndss-paper/reining-in-the-webs-inconsistencies-with-site-policy/
  8. Service Workers (9.1.2023)
    1. SWAPP: A New Programmable Playground for Web Application Security (USENIX Security 2022) https://www.usenix.org/system/files/sec22-chinprutthiwong.pdf
    2. Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation (NDSS 2019) https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_01B-2_Papadopoulos_paper.pdf
  9. Extension Fingerprinting (16.1.2023)
    1. The Dangers of Human Touch: Fingerprinting Browser Extensions through User Actions (USENIX Security 2022) https://www.usenix.org/conference/usenixsecurity22/presentation/solomos
    2. Unleash the Simulacrum: Shifting Browser Realities for Robust Extension-Fingerprinting Prevention (USENIX Security 2022) https://www.usenix.org/conference/usenixsecurity22/presentation/karami
  10. Extension Side Effects (23.1.2023)
    1. Helping or Hindering? How Browser Extensions Undermine Security https://swag.cispa.saarland/papers/agarwal2022helping.pdf
    2. Hulk: Eliciting Malicious Behavior in Browser Extensions (USENIX Security 2014) https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kapravelos
  11. VR and Web (30.1.2023)
    1. AdCube: WebVR Ad Fraud and Practical Confinement of Third-Party Ads (USENIX Security 2021) https://www.usenix.org/system/files/sec21-lee-hyunjoo.pdf
    2. SurroundWeb: Mitigating Privacy Concerns in a 3D Web Browser http://users.umiacs.umd.edu/~tdumitra/courses/ENEE757/Fall15/papers/Vilk15.pdf
  12. Data Leakage (6.2.2023)
    1. Leaky Forms (USENIX Security 2022) https://www.usenix.org/conference/usenixsecurity22/presentation/senol
    2. Fill in the Blanks https://www.cs.uic.edu/~browser-autofill/
