(p)SADWeb: (Pro)Seminar on Attacks & Defense on the Web Giancarlo Pellegrino, Cristian-Alexandru Staicu, Ben Stock

News



02.08.2021

Wrap up

Thank you all for your participation. We hope that by attending this proseminar you learned quite a bit about giving a good scientific presentation, and about (our) ongoing research in web security. The grades should be registered in LSF by now, so please double-check that that is indeed the case. Let us know if you have any ideas on how to improve this proseminar or questions about the grade. Good luck with your studies and we hope to see you around!

10.06.2021

Invited Talk in our Web Sec Lecture Series

Hi all,

in our CISPA Web Sec lecture series, we have a speaker today who might be interesting for some of you. Feel free to join the Zoom call, info below.

When: Thursday June 10, 10:00 AM

Zoom link: https://cispa-de.zoom.us/j/96775779464?pwd=WFQ1aW9Xb2c1OHMybWlEUDIralN5QT09

Speaker: Stefano Calzavara 

Title: May I take your subdomain? Exploring same-site attacks on the modern Web


Abstract: Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers have received only limited attention from the research community. In this talk we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications.

Short Bio: Stefano Calzavara is a tenure-track assistant professor at Università Ca' Foscari Venezia. His research focuses on formal methods, computer security and their intersection, with a particular emphasis on web security. Stefano is also happy to serve as the co-leader of the Italian chapter of the Open Web Application Security Project (OWASP).
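To make the threat model of the talk concrete, here is an added example; it is not code from the speaker, the paper, or this course. It assumes invented hostnames (takeover.example.com as an attacker-controlled sibling obtained by subdomain takeover, app.example.com as the victim) and invented function names, and it models two of the angles the abstract lists: cookie scoping via the Domain attribute, and postMessage/CORS origin checks that trust any host under the parent domain.

```javascript
// Added example: not code from the talk, the paper, or this page.
// Hostnames, origins and function names are invented for illustration.
// It models two ways a related-domain attacker (someone controlling a
// sibling such as takeover.example.com after a subdomain takeover) gains
// power over app.example.com: cookie scoping and suffix-based origin checks.

// ---- 1. Cookies: the Domain attribute ------------------------------
// RFC 6265 domain matching: a cookie with Domain=example.com is sent to
// example.com and to every host below it, whoever set it.
function cookieDomainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === dom || host.endsWith("." + dom);
}

// Does a Set-Cookie issued by `settingHost` with `Domain=domainAttr` reach
// `targetHost`? A browser only accepts a Domain value that the setting host
// itself is inside (public-suffix handling omitted here for brevity).
function cookieReaches(settingHost, domainAttr, targetHost) {
  if (!cookieDomainMatches(settingHost, domainAttr)) return false; // rejected by browser
  return cookieDomainMatches(targetHost, domainAttr);
}

// ---- 2. postMessage / CORS origin checks ---------------------------
// Exact allow-list of origins (scheme + host + port): the strict form.
const TRUSTED_ORIGINS = new Set([
  "https://app.example.com",
  "https://api.example.com",
]);

function strictOriginCheck(origin) {
  return TRUSTED_ORIGINS.has(origin);
}

// A common weak pattern: "anything under our domain is ours". Every sibling,
// including an attacker-controlled one, passes. (The missing leading dot also
// lets evilexample.com through, a second, unrelated bug.)
function weakOriginCheck(origin) {
  try {
    const { protocol, hostname } = new URL(origin);
    return protocol === "https:" && hostname.endsWith("example.com");
  } catch (e) {
    return false;
  }
}

// Simulated window.onmessage handler: `event` is a constructed object with
// the shape of a MessageEvent ({origin, data}); `isTrusted` is the check in use.
function handleMessage(event, isTrusted) {
  if (!isTrusted(event.origin)) return { accepted: false };
  // A privileged action the page would perform for a trusted frame.
  return { accepted: true, action: event.data.action };
}

// Constructed scenario: attacker on takeover.example.com targets app.example.com.
function demo() {
  const attacker = "takeover.example.com";
  const victim = "app.example.com";
  const msg = { origin: "https://" + attacker, data: { action: "setSessionToken" } };
  return {
    // cookie tossing: attacker plants a Domain=example.com cookie the victim receives
    cookieTossed: cookieReaches(attacker, "example.com", victim),
    // but cannot set a cookie scoped to the victim host only
    hostScopedCookie: cookieReaches(attacker, victim, victim),
    weakAccepts: handleMessage(msg, weakOriginCheck).accepted,
    strictAccepts: handleMessage(msg, strictOriginCheck).accepted,
  };
}

console.log(demo());
```

Run with `node` and compare the two checks: the suffix-based one accepts the sibling's message, the exact allow-list rejects it; the cookie part shows why a takeover of any subdomain is enough to plant a parent-scoped cookie that the victim application will read.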

16.04.2021

Topic Assignment and Schedule Change

Please find the topic assignment table here: https://cms.cispa.saarland/psadweb/3/Topic_assignment. As discussed in the kickoff meeting, for each topic we have three students assigned: one for presenting the topic and two for asking questions. Also, we decided to drop one topic and skip the first session, so that the first presenters have more time to prepare. See you all on the 5th of May!

13.04.2021

Welcome to SADWeb

Welcome to the proseminar! We'll have the first meeting on April 14th at 2pm (sharp!). Please see the Zoom Access page, which is accessible once you are logged in via the CMS. 


