Want to join the Secure Web Applications Group as a PhD student? Great! We have a challenge for you first, though.
There is a hip new portal for owl dating that is privacy-friendly. Owley Madison (https://owley-madison.jeopardy.websec.saarland) does not simply store your contacts on the server where they might get compromised, but instead uses client-side storage to ensure privacy. We know that you can send URLs to a victim user (through https://gameserver.websec.saarland/owley, use CAPTCHA SWAG{crawler}), but you will have to find a way to steal his secret. We know that he likes to share it in the chat with his favorite owl, so maybe there is something you can find out there?
Can you steal the flag that the crawler owl inputs to its Owley chat partner? You will have to install a keylogger on the chat page, but the creators made sure to put all the functionality on separate subdomains to defend against XSS, so it may be necessary to abuse a SOP relaxation mechanism to correctly place your payload.
Looking for some inspiration on what to do? Possibly this paper, that one and finally not trusting the locals might be beneficial.
Once you have the solution, briefly explain how you achieved it and put the flag into your application letter in the job portal.
We expect students to have a strong background in security, shown through corresponding grades in relevant lectures or extracurricular activities such as CTFs or first papers in the area. The goal of our research group is to publish at the most relevant venues in computer security. Hence, candidates not only require a strong background and willingness to learn more about (Web) security, but should also be determined to pursue the (not always easy) goal of publishing at tier-1 venues.
In return, we can offer an excellent research environment for conducting your PhD thesis work with close individual supervision, which is fully paid according to TV-öD 13. As part of the renowned Helmholtz Association, CISPA also provides significant funding for travel and equipment, meaning our students will always be able to present their work in person (and possibly also visit other conferences).
Given the expected growth of our group, we are also looking for postdoctoral researchers to support the supervision of PhD students. This includes day-to-day advice for topics you might be unfamiliar with, meaning you should be eager to learn new topics that relate to Web security. As our research usually targets tier-1 conferences, we expect prior experience in publishing at such venues.
In return, we can offer an excellent research environment to continue your research career. All positions are 100% funded, according to TV-öD 13. As part of the renowned Helmholtz Association, CISPA also provides significant funding for travel and equipment, meaning our researchers will always be able to present their work in person (and possibly also visit other conferences).
If you are interested, please contact Ben Stock! To avoid unspecific applications, please include the title of Ben's first CCS paper in the mail text. I will ignore emails that do not contain this keyword.
We can sometimes offer voluntary or mandatory internships within our group. Depending on the type of internship, the support we can offer may differ. In order to apply for an internship outside the regular channels, please send an email to Ben Stock. Before doing so, please familiarize yourself with the research that our group does. To prove this, please include the number of vulnerabilities discovered in Ben's first CCS paper in the subject or your email. Any emails not containing that keyword will be ignored.
We expect students to have a strong background in security, shown through corresponding grades in relevant lectures or extracurricular activities such as CTFs or first papers in the area. The goal of our research group is to publish at the most relevant venues in computer security. Hence, candidates not only require a strong background and willingness to learn more about (Web) security, but should also be determined to pursue the (not always easy) goal of publishing at tier-1 venues.