The Web Security Seminar

For registration, please apply for this seminar through the central seminar assignment system.

The Web Security Seminar will teach students to present, analyze, discuss, and summarize papers in different areas of Web security. The seminar combines a reading group with (almost) weekly meetings and a regular seminar, where students will write a seminar paper.

Each student will get a topic assigned, consisting of a lead and a follow-up paper. The student will present the follow-up paper in a 20-minute presentation followed by a 10-minute Q&A. Afterwards we will all discuss the lead paper as a reading group. All students must read the lead paper and, before each session, must submit a summary with strengths and weaknesses.

Finally, each student will write a seminar paper on the topic assigned to them, for which the two papers serve as the starting point.


Important Details

  • Kickoff on Monday, 22.04.2024, 12:15-14:00, CISPA main building, room 0.01
  • (Semi) Regular seminar sessions on Mondays. First session is on Monday, 06.05.2024, 12:15-14:00
  • By 23:59 on the Sunday before each session, submit the paper summary (one page max) together with discussion points: three strengths, three weaknesses, and suggestions for future work
  • Optional feedback round before your session (arrange exact time with your supervisor)
  • Attendance at all meetings and submission of the summary and discussion points for each topic are mandatory. For exceptional cases, contact the teaching staff.
  • Note that we will not offer a hybrid solution. We plan to have in-person meetings as long as possible and switch to fully online if the need arises.

Seminar Paper Details

We will cover the different types of seminar paper during the kickoff session.

All seminar papers are due on (see below). Based on your submission, you will receive feedback within one week and have until (see below) to improve your paper. The paper grading will be on the final version. Note that the first submission must already be sufficient to pass. If you submit a half-baked version of the paper, you will likely fail the course.

Each paper must use the provided template. It must not be longer than 8 pages, not counting references and appendices. Note that appendices are not meant to provide information that is absolutely necessary to understand the paper, but rather to provide auxiliary material. Papers can be shorter, but in general the provided page limit is a good indicator of how long a paper should be.


Schedule, List of Topics, and Papers

| Date | Time | Content | Tutor | Main paper (discussed) | Follow-up paper (presented) |
|---|---|---|---|---|---|
| 22.04.24 | 12:15-14:00 | Kickoff | - | - | - |
| 29.04.24 | | (break) | | | |
| 06.05.24 | 12:15-14:00 | Session 1: Roadblocks in Remediating to Vulnerability Notifications | Giada | Investigating system operators' perspective on security misconfigurations | How Website Owners Face Privacy Issues: Thematic Analysis of Responses from a Covert Notification Study Reveals Diverse Circumstances and Challenges |
| 13.05.24 | 12:15-14:00 | Session 2: Browser Extensions & Client-Side Security | | Helping or Hindering? How Browser Extensions Undermine Security | Extending a Hand to Attackers: Browser Privilege Escalation Attacks via Extensions |
| 20.05.24 | | (break) | | | |
| 27.05.24 | 12:15-14:00 | Session 3: Third-party inclusion in web virtual reality | Andrea | OVRseen: Auditing Network Traffic and Privacy Policies in Oculus VR | AdCube: WebVR Ad Fraud and Practical Confinement of Third-Party Ads |
| 03.06.24 | 12:15-14:00 | Session 4: Forms & Web Application Scanning | | Black Ostrich: Web Application Scanning with String Solvers | Plug the Database & Play With Automatic Testing: Improving System Testing by Exploiting Persistent Data |
| 10.06.24 | 12:15-14:00 | Session 5: The LoggedIn Web: A New Security Frontier | Jannis | To Auth or Not To Auth? A Comparative Analysis of the Pre- and Post-Login Security Landscape | The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws |
| 17.06.24 | 12:15-14:00 | Session 6: JavaScript Isolation | Abdullah | SANDDRILLER: A Fully-Automated Approach for Testing Language-Based JavaScript Sandboxes | Preventing Dynamic Library Compromise on Node.js via RWX-Based Privilege Reduction |
| 24.06.24 | 12:15-14:00 | Session 7: Detecting e-Commerce Scams at Scale | Giada | BEYOND PHISH: Toward Detecting Fraudulent e-Commerce Websites at Scale | Scamdog Millionaire: Detecting E-commerce Scams in the Wild |
| 01.07.24 | 12:15-14:00 | Session 8: Object Injection Vulnerabilities in Node.js | Dominic | Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js | Abusing Hidden Properties to Attack the Node.js Ecosystem |
| 08.07.24 | 12:15-14:00 | Session 9: Formal verification of client-side security mechanisms | Valentino | Web Platform Threats: Automated Detection of Web Security Issues With WPT | WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms |
| 15.07.24 | 12:15-14:00 | Session 10: Legal & Ethical Challenges in Web Security Research | Florian | Dancer in the Dark: Synthesizing and Evaluating Polyglots for Blind Cross-Site Scripting | Where Are the Red Lines? Towards Ethical Server-Side Scans in Security and Privacy Research |