School of Electrical, Information and Media Engineering

Courses offered

Winter 2025/2026

  • Master Lecture Data Security
  • Bachelor's and Master's seminar on computer science: Web and data security

Outlook / In preparation

Summer 2026

  • New Master lecture Advanced Web Security

Winter 2026/2027

  • New Bachelor lecture: Introduction to Web and Browser Security

Lecture contents

The lecture deals with the topic of data security. Unlike SSL/TLS, which establishes a secure transport channel, this lecture is about protecting data directly.

As part of the lecture, various data security technologies are examined, for example:

  • JSON is a universal data description language that is supported by every modern browser, among other things. JSON messages can be protected directly with the help of JSON signature and JSON encryption. But is this enough or can these security mechanisms be bypassed?
  • REST is a very widespread technology that allows data to be accessed over the internet via HTTP. It is not only used by all major websites such as Facebook, Google and GitHub, but is also used in the IoT. The lecture explains in-depth details and common errors/attacks based on the latest scientific findings and industry recommendations such as the OWASP API Top 10.
  • XML is one of the oldest description languages for structured data and is still used in countless systems today. "It's just XML. What can probably go wrong?" is one of the most famous quotes from the Python XML library defusedxml. The answer to this question is examined in detail in the lecture: from denial-of-service vulnerabilities to local file inclusion and remote code execution. XML is the Swiss army knife of every penetration tester.

The knowledge learnt is then transferred to various document formats. Examples of this are

  • Office documents such as OOXML (Microsoft) or ODF (LibreOffice) are essentially zipped XML documents. They also support additional features such as digital signatures or encryption. Students learn more about this core component of our digitalisation with a view to its security.
  • PDF is probably the most widely used universal document exchange format. Firstly, we refute the widespread opinion that PDFs are merely boring, static documents and use various so-called "interactive features" to develop attacks. The lecture then examines the security properties of PDFs. In particular, digital signatures, which are used in contracts, for example, are analysed. Will we be able to alter an invoice signed by Amazon so that it becomes a refund of over 1 trillion euros while the signature still validates?

The lecture deals comprehensively with the topic of web security. The security and privacy of web applications and browsers are analysed on the basis of current research results. Core components and advanced attack techniques are analysed, for example:

  • DOM clobbering is a sophisticated attack technique that can be used to inject seemingly harmless HTML markup into web pages to manipulate JavaScript code without writing a single line of malicious code.
  • Content Security Policy (CSP) is like a digital bouncer for websites that uses HTTP headers to decide which scripts, images and other resources may be loaded - effectively blocking cross-site scripting attacks.
  • XS-Leaks bypass the so-called same-origin policy, one of the main defences of a browser against various types of attacks. The purpose of the same-origin policy is to prevent information from being stolen from a trusted website.

We then look at the security of modern web authentication protocols. These include, among others:

  • OAuth is a very widespread technology for delegating authorisations and is used today by all major websites such as Facebook, Google, Twitter, GitHub etc. The lecture explains in-depth details and common errors/attacks that can occur when using OAuth.
  • OpenID Connect is an extension of OAuth for authenticating users on websites with the help of a third-party provider (e.g. using single sign-on procedures such as "Sign in with Google"). In recent years, OpenID Connect has established itself as the de facto standard for web logins via third-party providers. The lecture explains in detail how it differs from OAuth and which attacks on OpenID Connect are possible. You can put your exploit skills to the test in the practical exercises. Can we take over the victim's account?
  • SAML stands for Security Assertion Markup Language and is a single sign-on standard that is widely used in business scenarios. However, there are numerous attacks ranging from identity theft to remote code execution.