28. April - 02. June 2025, San Francisco
Robin was invited to speak about "Dancer in the Dark" at RSAC 2025. The conference took place in San Francisco. It counts as the largest cybersecurity industry conference with over 44.000 participants this year. You can view the recording and slides at → RSAC (account needed).
17. April 2025, Braunschweig
We are pleased to announce that Simon Koch successfully defended his dissertation. We would like to congratulate Simon on the well-deserved success of his outstanding work and dedication. We wish him continued success on his academic journey, with his next stop at the University of Innsbruck.
12. March 2024, Braunschweig
We are hosting the next CoT Meetup at TU Braunschweig. Students and IT Security people from local companies like Siemens, Volkswagen, CyMotive, HeyLogin get together an meet every three months. Join uns in a relaxed atmosphere and listen to to Simon Koch's Research Talk, and Aljosha's (VW) talk about MAC algorithms in embedded applications.
Students are welcome to join.We have snacks and drinks. If you have questions, feel free to contact Robin.
Link to the event: → LinkedIn (more)
Location and Time: 12.03.2024 18:00 at the Plaza/Atrium (1. OG) of the Informatikzentrum
(Atrium, Informatikzentrum TU Braunschweig, Mühlenpfordtstraße 23, 38106 Braunschweig)
2025-02-05, Braunschweig
Another summer semester is coming to an end and with it we have also successfully completed another Hacklab. At the closing event, we celebrated and reflected with pizza and mate.
27.12.-30.12, Hamburg
We attended this year's Chaos Communication Congress (38c3) in Hamburg, enjoying the atmosphere, great talks, Illegal Instructions, and maybe a Tschunk or two.
2024-12-12, London, England
David presented Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials as a Briefing at Black Hat Europe 2024. The talk covered the risks induced by the "parse, serialize, parse" coding pattern inherent in the concept of server-side HTML sanitization. The event was an excellent opportunity to keep in touch with security folks from the industry and learn about cutting-edge security tools and techniques.
Thanks to Isabelle Waltrick for taking this picture!
2024-08-14, Philadelphia
We are excited to announce that our colleagues received a Distinguished Paper Award at USENIX Security 2024 for their paper "Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting". Congratulations to Robin Kirchner, Jonas Möller, Marius Musch, David Klein, Konrad Rieck, and Martin Johns!
Robin and Malte attended the conference to present their papers on Blind-XSS and SSRF, respectively. The conference will upload recordings of their presentations in the next weeks.
We enjoyed cold drinks and barbecue as we reflected on this year's Seclab.
The Seclab spans challenges from six different units, from web and android security to vulnerabilities & exploits.
The students who were most successful in solving the security challenges even received prizes and will be included in our Hall of Fame.
2024-07-15, Bristol, UK
Next stop: Bristol. Robin and David are attending the 24th Privacy Enhancing Technologies Symposium (PETS) to present two papers: "A Black-Box Privacy Analysis of Messaging Service Providers’ Chat Message Processing" and "FP-tracer: Fine-grained Browser Fingerprinting Detection via Taint-tracking and Multi-level Entropy-based Thresholds".
2024-06-12, Brussels, Belgium
Alexandra and her student Anna Sack attended the SplinterCon in Brussels.
This interdisciplinary event invites researcher, journalists, and technology makers to discuss present and new ways of communicating with and within isolated (and censored) networks worldwide.
Alex spoke about Russia's path to its own 'Sovereign Internet' and the general consequences of isolation for the global network.
They also used their visit to Brussels to be taken on a guided tour of the EU Parliament.
2024-05-20, San Francisco, USA
David presented our work Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials at IEEE Security and Privacy 2024. Here, we analzed differences between HTML parsers, so called parser differentials. Due to fundamental properties of the HTML specification, server-side HTML parsing is always suspectible to parsing differentials which can be abused to bypass server-side sanitization routines.
2024-04-17, Braunschweig
At the latest Charter of Trust Meetup, Robin presented the state of our research on Blind-XSS detection and automatic XSS polyglots generation together with results from our large-scale study on the prevalence of the vulnerability. Charter of Trust Meetups, formerly "Cyber Security Meetups", take place every three months as a means to connect the security community around Braunschweig. Learn more on LinkedIn.
2024-03-02, Winterthur
Malte gave an introductory talk on Server-Side-Request Forgery (SSRF) attacks and defenses at Winterkongress 2024. To the recording at media.ccc.de.
2023-02-07
The Hacklab "Praktikum" ended in February with a cozy final round with pizza and mate. We were thrilled by how many students were interested in the exciting security topics. The successful participants not only acquired profound knowledge in web security, binary exploitation, reversing and vehicle networking, but also used it practically. The best performances were rewarded with a small prize.
In the next semester, we will continue with the Seclab, the sister event of the Hacklab.
2024-01-29
400 school students from 11th and 12th grade visited TU Braunschweig to learn about IT-related lectures and courses the university has to offer. Our institute prepared a special Capture the flag (CTF) contest for our future generation of young hackers and security researchers. About 70 security-interested people took part in our CTF, while the fastest student contestors conquered our leaderboard in merely 45 minutes!
We had a lot of fun showing the students our field of work and we'll surely host another CTF next year!
Congratulations to miriam, sofie13, chrissi, jonas, and qwert for solving all the challenges!
2023-09-30, Dortmund
After multiple weeks and 27 hacking challenges our colleagues Jannik and Tobias managed to place in the top 20 on the qualifiers scoreboard of the Deutschlands Bester Hacker competition, thus attending the event finals for the second time in a row. This year's final event took place in Dortmund, where both showed their hacking skills and IT security knowledge, helping a fictional airport to restore operation after a malware attack. The competition event was part of the Digitale Woche Dortmund and wants to promote and raise awareness to the importance of hacking as a technique to audit and secure computer networks, finding security vulnerabilities before malicious actors do and fixing them.
When not doing hacking competitions themselves, both colleagues take part in running and teaching the Praktikum IT-Sicherheit 1: Seclab & Praktikum IT-Sicherheit 2: Hacklab courses, where TU Braunschweig students can broaden their IT security skills by solving challenges and hacking into prepared systems. Deutschlands Bester Hacker will return in 2024. Maybe it's time for another finalist from Braunschweig? :)
2023-07-20, Braunschweig
Our student team won this year's TDSE — a programming competition at TU Braunschweig. They developed a privacy preserving GPS tag which, with the corresponding Android app, can help locate lost cars or bicycles. The system features independence, robustness, security and a small digital footprint. To achieve this, the students avoided the use of third-party and cloud services and relied on open source software and encryption.
2023-06-15, Braunschweig
Two days ago, the IAS and IBR institutes hosted the "2nd Cybersecurity Meetup Braunschweig". We welcomed 50 participants from academia (TU Braunschweig and Ostfalia) and industry (Siemens Mobility, Siemens AG, VW, Cymotive, IAV, heylogin, dynexo) at the Plaza of our Informatikzentrum for an evening of enlightening talks and engaging discussions. We were delighted to help organize this fantastic event and are eagerly looking forward to the third Cybersecurity Meetup.
2023-02-14, Braunschweig
Hacklab is over and the results are in! This time even more participants took on our challenges and proved their knowledge and skill in IT-security. We're happy and proud that the course received such positive feedback again.
To finish the semester off, we've met up at our award ceremony honouring the exceptional performance of the top of the leaderboard. After giving some insight into our perspective on the technical side of the course, we opened the discussion about different solutions and approaches to the tasks. We had a great time and really hope you did as well!
The Hacklab (Praktikum IT-Sicherheit 2), together with Seclab (Praktikum IT-Sicherheit), is a practical IT-security course inspired by Capture-the-Flag (CTF) competitions. Over the course of six units students hack small, vulnerable applications demonstrating their knowledge of common vulnerability classes and ability to craft exploits. Armed with the insights of the attacker's perspective, students become aware of possible pitfalls in software development.
If you missed the course this semester, you get another chance on the Hacklab next year in WS 2023/24. Additionally, we're offering the Seclab in SS 2023, which serves as a good foundation. See you there!
2022-12-29, remote
Malte Wessels, IAS master's graduate Benjamin Altpeter, and Lorenz Sieben gave their talk "Trackers in mobile apps and their legality—A look at the mobile tracking landscape" at FireShonks, representing both the IAS and Datenanfragen.de e.V.
FireShonks is one of the decentralized end-of-year events organized by the chaos community.
They presented a technical deep dive into the current mobile tracking landscape, presenting research from the IAS including Benjamin's master thesis as well as additional research done for Datenanfragen.de e. V.
After covering the technical challenges associated with privacy studies on Android and iOS, as well as discussing their results and examples of privacy violations, they discussed the legal implications and counter-measures.
The talk was recorded. It was held in German, English dub is available. Slides are available at Datenanfragen.de.
2022-11-25, Braunschweig
We are thrilled to announce that Marius Musch has successfully defended his dissertation and is now the IAS’s first doctor. We would like to congratulate Marius that his excellent work and dedication has payed off, and we wish him continued success in his future endeavors.
2022-09-10, Munich
Our colleagues Jannik Hartung and Tobias Jost represented the IAS at the Deutschlands Bester Hacker hacking challenge finals in Munich after finishing the qualifiers in the Top 25.
The inaugural rendition of the hacking and IT security challenge Deutschlands Bester Hacker featured 300 participants from all over Germany. After three online qualification rounds, the top 25 hackers met in Munich for the final hacking challenge.
Jannik and Tobias showed their practical skills and knowledge, representing the IAS. As Deutschlands Bester Hacker will return in 2023 and will be open for everybody to participate, we recommend our hands-on course Praktikum IT-Sicherheit 2: Hacklab and Praktikum IT-Sicherheit: Seclab offered by our friends at the Institute of System Security as preparation :) .
2022-08-10, Boston
Marius Musch presented our work "U Can’t Debug This: Detecting JavaScript Anti-Debugging Techniques in the Wild" at Usenix Security 2022 in Boston, USA.
Since the conference was held virtually last year, all authors of full papers were invited to bring a poster of their published work to this year's in-person conference.
In the paper and correspondig poster, we explore the phenomenon of Anti-Debugging techniques written in JavaScript. This means, techniques that prevent the manual, dynamic analysis of websites. We discuss nine different of these techniques und present the first measurement on their prevalence and severity in the wild.
2022-06-08, Genoa
Our work "Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions" was presented by David Klein at EuroS&P 2022 in Genoa, Italy.
Input sanitization is the main technique to defend against injection attacks such as Client-Side Cross-Site Scripting. With more and more functionality being offered in the form of web applications, the importance of correct sanitizing functions increases as well.
In our work we performed a comprehensive study about JavaScript sanitizing functions, deployed on the web at large. We found that a large portion of sanitizers are either insecure or lack generality.
2022-06-02, Nagasaki
Our work "Server-Side Browsers: Exploring the Web’s Hidden Attack Surface" was presented by Marius Musch and Robin Kirchner at AsiaCCS 2022 in Nagasaki.
When websites have use-cases like displaying previews or screenshots of other websites, maintainers tend to shift from simple tools like curl to fully-fledged automated browsers, like Puppeteer, to match the ever-growing complexity of the modern Web. However, visiting arbitrary, user-controlled URLs with these browsers diligently requires them to be kept up-to-date.
In our work, we investigated the phenomenon of server-side browsers at scale. We found that many websites run severely outdated browsers on the server-side, most of them not updated for more than six months, vulnerable to publicly available proof-of-concept exploits.