Topic Descriptions and Seminar Paper Objectives

 

Topic Title

Tutor

Description

Seminar Paper Objective

Topic Title: The LoggedIn Web: A New Security Frontier
Tutor: Jannis
Description: Most web security research studies the Web in an unauthenticated manner: Fresh, anonymous browser profiles are used to measure security vulnerabilities on websites. However, many attacks have a much higher impact on logged-in users. In addition, everyday surfers are logged in to many websites and create a rich browser profile over time, which is not reflected in a fresh browser profile. More recently, various frameworks for semi-automatic registration and login were developed. These were used to study the security of the login process and compare the security landscape between logged-in users and unauthenticated users.
Seminar Paper Objective: Survey the literature for various web attacks and reason about the impact of the attacks on unauthenticated users vs logged-in users. Compare research on login and registration automation. Which design choices did they make and why? What are the capabilities and success rates of those? Systematize best practices for web security measurements to represent the risks faced by everyday users accurately.

Topic Title: Forms & Web Application Scanning
Tutor: Alex
Description: Many websites rely on form submission, and filling them out is one of the significant challenges for web scanning tools. Successful form submission could enable scanners to reach security-sensitive scenarios, e.g., payment on e-commerce websites. However, the websites only accept forms with valid values. These papers suggest methods to provide valid values for forms.
Seminar Paper Objective: Explore the different facets of the form submission problem (client-side, server-side, etc.) and survey the proposed solutions in each case in the literature. Suggest the directions that future work could take.

Topic Title: Legal & Ethical Challenges in Web Security Research
Tutor: Florian
Description: Legal and ethical challenges of web security research play an essential role in planning safe and responsible experiments. Previous precedents show that not every researcher has the same definition of ethically acceptable or understands the boundaries set by the law. Therefore, it is important to understand legal and ethical challenges, discuss edge cases and draw lessons from past incidents. The papers selected for this seminar include a particularly controversial study alongside another paper that seeks to understand the legal and ethical dimensions of these challenges.
Seminar Paper Objective: Conduct a literature survey of ethically controversial security research precedents and papers trying to define ethical boundaries, also extending beyond web security. For each identified controversial case, critically examine the ethical boundaries challenged, and articulate the specific ethical dilemmas encountered. Conclude with a robust discussion on the implications of these findings for future research, proposing a set of ethical guidelines aimed at navigating the complex landscape of security research ethics.

Topic Title: JavaScript Isolation
Tutor: Abdullah
Description: JavaScript isolation plays a significant role in web security (client-side and server-side), blockchain (smart contracts), and protecting against supply chain attacks by allowing users to safely run untrusted code. A plethora of isolation techniques exist to support the various use cases. However, recent work shows that many JavaScript sandboxes are insecure, allowing untrusted code to evade them. Under this topic, we discuss lightweight sandboxing techniques for JavaScript and how to harden them via testing.
Seminar Paper Objective: Survey existing JavaScript isolation techniques in the literature, with an emphasis on their usage and design. Compare the pros and cons of every approach, considering factors like performance, usability, and reliability. Additionally, study the existing work on testing and verifying JavaScript isolation and discuss past and potential future failures in isolating JavaScript code on the web.

Topic Title: Formal verification of client-side security mechanisms
Tutor: Valentino
Description: Security mechanisms are fundamental components of web browsers: their role is to mitigate the threats posed when users navigate the web. To verify the effectiveness of a deployed mechanism, one needs to evaluate the correctness of the proposed approach and its implementation in a given browser. However, with mechanisms becoming ever more complicated, manual analysis can be error-prone as one could easily miss subtle aspects like the interaction of different mechanisms. Is it then possible to automate such a process? Will there be a tradeoff between performance and the correctness of results?
Seminar Paper Objective: Explore the WPT test suite and discuss the differences between test assertions and global invariants. What are the pros/cons of using test suites to verify the correctness of security mechanisms? And what about using a model of the browser/mechanism to perform the same analysis?

Topic Title: Object Injection Vulnerabilities in Node.js
Tutor: Dominic
Description: Object Injection Vulnerabilities (OIV) are prominent in Node.js. The most common culprit in that regard tends to be prototype-oriented programming, which, for example, enables prototype pollution. However, there are even more ways to exploit objects in JS/Node.js. The ability to inject code or data into objects gives attackers a wide range of capabilities, ranging from SQL injection to remote code execution. The selected papers present two attack vectors that appear similar yet are fundamentally different. The goal is to understand the root cause of these vulnerabilities and to perform a comparative analysis of both approaches, to learn how they differ despite their similarities.
Seminar Paper Objective: Explore different OIVs in the Node.js ecosystem and beyond. Understand the trade-off between developer flexibility and security. Analyze and discuss similarities and subtle differences between attack vectors.

Topic Title: Browser Extensions & Client-Side Security
Tutor: Shubham
Description: Browser extension developers often encounter security restrictions imposed by the browser and the websites they interact with, which may hinder their desired functionalities. To provide enhanced services to their users, they resort to insecure coding practices to bypass these security measures. Unfortunately, these practices can degrade the overall security of both the websites and the extensions themselves, creating vulnerabilities that nefarious actors can exploit.
Seminar Paper Objective: Understand the browser extension architecture and how different client-side components interact. Identify the known security issues associated with extensions, the underlying cause, and the consequence of such issues, based on research studies. Investigate whether solutions exist against the identified security issues and whether they are enforced in practice. Discuss the current extension architecture, the development guidelines and the feasibility of security solutions with respect to the operations of extensions.

Topic Title: Roadblocks in Remediating to Vulnerability Notifications
Tutor: Giada
Description: Website owners as well as administrators of web services might at one point be notified of the presence of a security vulnerability on their websites or web services. Fixing these security vulnerabilities is critical in improving the security of the Web for website owners, web services administrators, and internet users in general. However, multiple research studies show that vulnerability notifications perform poorly as most of the reported websites/services remain vulnerable. Why is this the case?
Seminar Paper Objective: Introduce the concept of vulnerability notifications, explaining when, why and how they are performed. List the roadblocks security researchers / professionals can encounter at any step of the notification procedure and explain why they pose a challenge. Next, identify possible recipients of the notification. Survey papers presenting interviews of possible recipients (e.g., website owners, system administrators, …) and present issues they encounter in remediating the reported vulnerability. Finally, provide recommendations on how to improve both notification sending (sender perspective) and notification handling (receiver perspective).

Topic Title: Detecting e-Commerce Scams at Scale
Tutor: Giada
Description: Fraudulent e-commerce websites represent a threat to Internet users and have until now been neglected in cybersecurity research. These two papers conduct a large-scale study identifying the most representative features to detect e-commerce scam websites, showcase different types of scam websites in the wild, and provide insights on how to defend against them.
Seminar Paper Objective: What are e-commerce scams, how long have they been around and what are the first papers that we have about this topic? Has the problem been studied extensively? Compare the two papers (in depth) in how they define e-commerce scams, collect data, and on the features used to develop the detector. Do they complement each other? Finally, discuss future directions, such as real-world deployment, relevance of features over time, and possible evasion techniques put in place by attackers.

Topic Title: Third-party inclusion in web virtual reality
Tutor: Andrea
Description: The topic discusses the potential security risks associated with including third-party objects and code in XR applications, similar to iframes on the web. These papers highlight the need to identify the sources of a virtual experience and mitigate possible risks.
Seminar Paper Objective: Assess the security risks of integrating third-party code in XR applications, identify potential attack vectors mirroring web vulnerabilities such as iframes, and propose a comprehensive framework for mitigating these risks through secure development practices, UI best practices, and enhanced warning systems.