(p)SADWeb: (Pro)Seminar on Attacks & Defense on the Web

Thank you all for your participation. We hope that by attending this proseminar you learned quite a bit about giving a good scientific presentation, and about (our) ongoing research in web security. The grades should be registered in LSF by now, so please double-check that that is indeed the case. Let us know if you have any ideas on how to improve this proseminar or questions about the grade. Good luck with your studies and we hope to see you around!

Hi all,

in our CISPA Web Sec lecture series, we have a speaker today who might be interesting for some of you. Feel free to join the Zoom call, info below.

When: Thursday June 10, 10:00 AM

Zoom link: https://cispa-de.zoom.us/j/96775779464?pwd=WFQ1aW9Xb2c1OHMybWlEUDIralN5QT09

Speaker: Stefano Calzavara 

Title: May I take your subdomain? Exploring same-site attacks on the modern Web

Abstract: Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention by the research community. In this talk we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications.

Short Bio: Stefano Calzavara is a tenure-track assistant professor at Università Ca' Foscari Venezia. His research focuses on formal methods, computer security and their intersection, with a particular emphasis on web security. Stefano is also happy to serve as the co-leader of the Italian chapter of the Open Web Application Security Project (OWASP).

Please find the topic assignment table here: https://cms.cispa.saarland/psadweb/3/Topic_assignment. As discussed in the kickoff meeting, for each topic we have three students assigned: one for presenting the topic and two for asking questions. Also, we decided to drop one topic and skip the first session, so that the first presenters have more time to prepare. See you all on the 5^th of May!