Topic list
- Web Security Notifications (Supervisor: Ben Stock; 8.11.2021)
- [MAIN] Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification
https://swag.cispa.saarland/papers/stock2016hey.pdf
- [FOLLOW-UP] Didn’t you hear me? — Towards more successful Web Vulnerability Notifications
https://swag.cispa.saarland/papers/stock2018notification.pdf
- Client-Side Cross-Site Scripting (Supervisor: Ben Stock; 15.11.2021)
- [MAIN] 25 Million Flows Later - Large-scale Detection of DOM-based XSS
https://swag.cispa.saarland/papers/lekies2013flows.pdf
- [FOLLOW-UP] Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild
https://swag.cispa.saarland/papers/steffens2019locals.pdf
- PostMessages (Supervisor: Ben Stock; 22.11.2021)
- [MAIN] The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites
https://www.cs.utexas.edu/~shmat/shmat_ndss13postman.pdf
- [FOLLOW-UP] PMForce: Systematically Analyzing postMessage Handlers at Scale
https://swag.cispa.saarland/papers/steffens2020pmforce.pdf
- Content Security Policy (Supervisor: Sebastian Roth; 29.11.2021)
- [MAIN] Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies
https://swag.cispa.saarland/papers/roth2020csp.pdf
- [FOLLOW-UP] 12 Angry Developers - A Qualitative Study on Developers’ Struggles with CSP
https://swag.cispa.saarland/papers/roth2021usable.pdf
- Security Inconsistencies (Supervisor: Sebastian Roth; 6.12.2021)
- [MAIN] Reining in the Web’s Inconsistencies with Site Policy
https://swag.cispa.saarland/papers/calzavara2021reining.pdf
- [FOLLOW-UP] A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web
https://swag.cispa.saarland/papers/calzavara2020xfo.pdf
- Browser Extension Vulnerabilities (Supervisor: Shubham Agarwal; 13.12.2021)
- [MAIN] EmPoWeb: Empowering Web Applications with Browser Extensions
https://www-sop.inria.fr/members/Doliere.Some/papers/empoweb.pdf
- [FOLLOW-UP] DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale
https://swag.cispa.saarland/papers/fass2021doublex.pdf
- Browser Extension Fingerprinting (Supervisor: Shubham Agarwal; 3.1.2022 [meeting about slides latest December 20, 2021])
- [MAIN] Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting
https://www.ndss-symposium.org/wp-content/uploads/2020/02/24383-paper.pdf
- [FOLLOW-UP] Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets
https://www.usenix.org/system/files/sec21-laperdrix.pdf
- Cross-Site Leaks (Supervisor: Soheil Khodayari; 10.1.2022)
- [MAIN] Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks
https://www.ndss-symposium.org/wp-content/uploads/2020/02/24278-paper.pdf
- [FOLLOW-UP] Leaky Images: Targeted Privacy Attacks in the Web
https://www.usenix.org/system/files/sec19-staicu.pdf
-
- [MAIN] Small World with High Risks: A Study of Security Threats in the npm Ecosystem
https://software-lab.org/publications/usenixSec2019-npm.pdf
- [FOLLOW-UP] Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages
https://www.ndss-symposium.org/wp-content/uploads/ndss2021_1B-1_23055_paper.pdf
- CPU-based Denial of Service (Supervisor: Masudul Bhuiyan; 24.1.2022)
- [MAIN] Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-staicu.pdf
- [FOLLOW-UP] Rampart: Protecting Web Applications from CPU-Exhaustion Denial-of-Service Attacks
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-meng.pdf
- CSRF (Supervisor: Soheil Khodayari; 31.1.2022)
- [MAIN] Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
- https://dl.acm.org/doi/pdf/10.1145/3133956.3133959
- [FOLLOW-UP] JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals
- https://trouge.net/papers/clientside_csrf_sec21.pdf
- Phishing (Supervisor: Giada Martina Stivala; 7.2.2022)
- [MAIN] PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques against Browser Phishing Blacklists
https://www.adamoest.com/phishfarm_ieee_sp_2019_oest.pdf
- [FOLLOW-UP] CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing
https://www.kapravelos.com/publications/crawlphish-sp21.pdf