(p)SADWeb: (Pro)Seminar on Attacks & Defense on the Web Giancarlo Pellegrino, Cristian-Alexandru Staicu, Ben Stock



Welcome to SADWeb

Welcome to the proseminar! We'll have the first meeting on April 14th at 2pm (sharp!). Please see the Zoom Access page, which is accessible once you are logged in via the CMS. 


(p)SADWeb: (Pro)Seminar on Attacks & Defense on the Web


Registration: to register for the proseminar, you have to use the central seminar system of the CS department.


(P)SADWeb provides students an overview over recent papers in the broader area of Web security. As the primary purpose of a proseminar is to familiarize yourself with a topic and learn presentation skills, the seminar will feature two presentations from each student.

In the first half of the semester, we will have presentations of two topics each week. After each presentation, the fellow students and lecturers will provide feedback on how to improve the presentation. This general feedback must then be taken into account for the second half of the semester, where again each student will do the second presentation. To not bore the audience, though, this paper will be different from the previously presented one.

The first presentations will count towards 30% of the overall grade, the second presentation will count towards 70% of the overall grade. Attendance in the proseminar meetings is mandatory. At most one session can be skipped, after that you need to bring a doctor’s note to excuse your absence. In addition, submitting feedback to each talk is mandatory, where also at most the talks on one date may be missing (which would naturally occur if you skip one session).

To ensure the quality of presentations is high, you have to set a meeting with the topic advisor one week before the first presentation to discuss the slides. For the second presentation, this meeting is optional, but if desired by the student must be a week before the meeting.

Important: the time for the proseminar is fixed for Wednesday 2-4pm. If you have conflicting courses, please do not bid on the proseminar. The kickoff will be on April 14. The first presentations will start on April 28.

Tentative timeline

  • 14.4.2021 Kickoff
  • 28.4.2021: Phishing, Fingerprinting
  • 5.5.2021: Availability, Supply Chain Attacks
  • 12.5.2021: Client-Side XSS, CSP
  • 19.5.2021: Inconsistencies, Service Workers
  • 26.5.2021: Browser Extensions, Mobile Web Apps
  • 2.6.2021: WebAssembly, ML for Web
  • 9.6.2021: XSLeaks, Phishing
  • 16.6.2021: Fingerprinting, Availability
  • 23.6.2021: Supply Chain Attacks, Client-Side XSS
  • 30.6.2021: CSP, Inconsistencies
  • 7.7.2021: Service Workers, Browser Extensions
  • 14.7.2021: Mobile Web Apps, WebAssembly
  • 21.7.2021: ML for Web, XSLeaks

Topics & Papers

  1. Phishing
    • Phishtime: Continuous longitudinal measurement of the effectiveness of anti-phishing blacklists. [USENIX 2020]
    • Sunrise to sunset: Analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale [USENIX 2020]
  2. Fingerprinting
    • Cross-)Browser fingerprinting via OS and hardware level features [NDSS 2017]
    • Fingerprinting in style: Detecting browser extensions via injected style sheets [USENIX 2021]
  3. Availability
    • Tail attacks on web applications [CCS 2017]
    • Freezing the web: A study of ReDoS Vulnerabilities in JavaScript-based web servers [USENIX 2018]
  4. Supply Chain Attacks
    • Small world with high risks: A study of security threats in the npm ecosystem [USENIX 2018]
    • Thou shalt not depend on me: Analysing the use of outdated JavaScript libraries on the web [NDSS 2017]
  5. Client-Side XSS
    • Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild [NDSS 2019]
    • PMForce: Systematically Analyzing postMessage Handlers at Scale [CCS 2020]
  6. Content Security Policy
    • Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies [NDSS 2020]
    • Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI [NDSS 2021]
  7. Inconsistencies
    • Reining in the Web’s Inconsistencies with Site Policy [NDSS 2021]
    • A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web [USENIX 2020]
  8. Service Workers
    • Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage [NDSS 2021]
    • Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation [NDSS 2019]
  9. Browser Extensions
    • Mystique: Uncovering Information Leakage from Browser Extensions [CCS 2018]
    • You've Changed: Detecting Malicious Browser Extensions through their Update Deltas (CCS 2020)
  10. Mobile Web Apps
    • Study and mitigation of origin stripping vulnerabilities in hybrid-postMessage enabled mobile applications [S&P 2018]
    • Iframes/popups are dangerous in mobile WebView: Studying and mitigating differential context vulnerabilities [USENIX 2019]
  11. WebAssembly
    • Everything old is new again: Binary security of WebAssembly [USENIX Security 2020]
    • MINOS: A Lightweight Real-Time Cryptojacking Detection System [NDSS 2021]
  12. ​​​​​​​ML for Web
    • Anything to hide? Studying minified and obfuscated code in the web [The Web Conference 2019]
    • Fingerprinting the fingerprinters: Learning to detect browser fingerprinting behaviors [S&P 2021]
  13. XSLeaks
    • Leaky images: Targeted privacy attacks in the web [USENIX 2019]
    • Cross-origin state inference (COSI) attacks: Leaking web site states through XS-leaks [NDSS 2020]

Privacy Policy | Legal Notice
If you encounter technical problems, please contact the administrators