Invited Talk in our Web Sec Lecture Series
in our CISPA Web Sec lecture series, we have a speaker today who might be interesting for some of you. Feel free to join the Zoom call, info below.
When: Thursday June 10, 10:00 AM
Speaker: Stefano Calzavara
Title: May I take your subdomain? Exploring same-site attacks on the modern Web
Abstract: Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention by the research community. In this talk we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications.
Short Bio: Stefano Calzavara is a tenure-track assistant professor at Università Ca' Foscari Venezia. His research focuses on formal methods, computer security and their intersection, with a particular emphasis on web security. Stefano is also happy to serve as the co-leader of the Italian chapter of the Open Web Application Security Project (OWASP).