
PhD Positions in Web security (m/f/d) - Group Stock

St. Ingbert, Germany

Ben Stock is looking for motivated PhD students for SWAG. 


Want to join the Secure Web Applications Group as a PhD student? Great! We have a challenge for you first, though: there is a hip new portal for owl dating that is privacy-friendly. https://owley-madison.jeopardy.websec.saarland/ does not simply store your contacts on the server, where they might get compromised, but instead uses client-side storage to ensure privacy. We know that you can send URLs to a victim user (through https://gameserver.websec.saarland/owley, use CAPTCHA SWAG{crawler}), but you will have to find a way to steal his secret. We know that he likes to share it in the chat with his favorite owl, so maybe there is something you can find out there?


Can you steal the flag that the crawler owl inputs to its Owley chat partner? You will have to install a keylogger on the chat page, but the creators made sure to put all the functionality on separate subdomains to defend against XSS, so it may be necessary to abuse a same-origin policy (SOP) relaxation mechanism to place your payload correctly.


Looking for some inspiration on what to do? Possibly this paper, that one, and finally not trusting the locals might be beneficial.   


Once you have the solution, briefly explain how you achieved it and put the flag into your cover letter. Note that any applications without that flag will not be considered. In case of questions about the task, contact Ben Stock directly.


About the Group:

The Secure Web Applications Group conducts research in the area of Web Security in general.


"The Secure Web Applications Group (or SWAG, for short) conducts its research in all areas related to Web Security. Of particular focus is research around client-side security, in the detection, analysis, and mitigation of attacks around JavaScript. In addition, we research how to best communicate discovered vulnerabilities to affected operators. Furthermore, we investigate how malicious JavaScript may adversely affect users on the Web, researching both novel ways of detecting such scripts and attacking existing defensive solutions."

What We Offer:

  • Competitive full-time gross base salary for E13 according to the scale of the TVöD (German Federal Employment Agreement)
  • Comprehensive benefits package that includes health insurance coverage, 30 days of paid vacation and a robust pension scheme.
  • Possibilities for personal and professional growth, encompassing language classes, research support, as well as extracurricular and social activities
  • Our onboarding team will provide you with all the necessary support for a seamless and successful start to your journey with us
  • A research group with a proven track record in publishing at top-tier venues and a collegial atmosphere between everyone in the group.

What We Expect:

  • You have a Bachelor's or Master's degree from a top-tier, research-oriented institution of higher education in a subject relevant to our research
  • Strong background in computer security, with a specific focus on Web Security. Having played CTFs helps, but is not required.
  • Programming skills. It helps to have good programming skills in Python and JavaScript.
  • You are proficient in spoken and written English
  • We maintain a trustworthy, inclusive, and safe space and are looking for curious and creative new colleagues willing to learn & grow in an enjoyable and friendly team atmosphere.

Working at CISPA:

  • We promote a flat hierarchy that encourages working together as a cohesive team and contributing one’s perspectives and ideas.
  • We offer an excellent research environment with close individual supervision, worldwide collaborations, and with significant funding for travel and equipment.
  • Our location is in Saarbrücken, which is a city with international flair (e.g., an International School and distinguished cuisine influenced by the proximity to the French border). The city is also known for its green spaces, parks and proximity to nature, providing opportunities for relaxation and outdoor activities.

If you want to learn more about Ben Stock and their work at CISPA, check out their website.

