Grades on LSF

Written on 25.03.24 by Giancarlo Pellegrino

As per title: grades are on LSF.


Change of room for Nov 20

Written on 15.11.23 (last change on 15.11.23) by Giancarlo Pellegrino

Dear students,

On Nov 20, the seminar will exceptionally take place in room 106 in E1 1, from 10:15-12:00. 


Registration in LSF

Written on 07.11.23 by Giancarlo Pellegrino

Dear students,

The study coordination informed us that in order to get CPs you have to register using LSF. Registration deadline is Nov 21. 


Assignments uploaded

Written on 31.10.23 by Giancarlo Pellegrino

Dear students, 

Assignments are online.



The Web Security Seminar

For registration, please apply for this seminar through the central seminar assignment system.

The Web Security Seminar will teach students to present, analyze, discuss, and summarize papers in different areas of Web security. The seminar combines a reading group with (almost) weekly meetings and a regular seminar, where students will write a seminar paper.

Each student will get a topic assigned, consisting of a lead and a follow-up paper. The student will present the follow-up paper in a 20-minute presentation followed by a 10-minute Q&A. Afterwards we will all discuss the lead paper as a reading group. All students must read the lead paper and, before each session, must submit a summary with strengths and weaknesses.

Finally, each student will write a seminar paper on the topic assigned to them, for which the two papers serve as the starting point.


Important Details

  • Kickoff on Monday, 30.10.2023, 10:15-12:00, CISPA main building, room 0.02 
  • (Semi) Regular seminar sessions on Mondays. First session is on Monday, 13.11.2023, 10:15-12:00
  • Each Sunday at 23:59 before each session, submit the paper summary (one page max) with discussion points: three items for the strengths, three items for the weaknesses, and future work
  • Optional feedback round before your session (arrange exact time with your supervisor)
  • Attendance in all meetings and submission of summary and discussion points for each topic is mandatory. For exceptional cases, contact the teaching staff.
  • Note that we will not offer a hybrid solution. We plan to have in-person meetings as long as possible and switch to fully online if the need arises.

Seminar Paper Details

We will cover the different types of seminar paper during the kickoff session.

All seminar papers are due on (see below). Based on your submission, you will receive feedback within one week and have until (see below) to improve your paper. The paper grading will be on the final version. Note that the first submission must already be sufficient to pass. If you submit a half-baked version of the paper, you will likely fail the course.

Each paper must use the provided template. It must not be longer than 8 pages, not counting references and appendices. Note that appendices are not meant to provide information that is absolutely necessary to understand the paper, but rather to provide auxiliary material. Papers can be shorter, but in general the provided page limit is a good indicator of how long a paper should be.


Schedule, List of Topics, and Papers

Date Time Content Tutor Main paper (discussed) Follow-up papers (presented)
30.10.23 10:15-12:00 Kickoff - - -
06.11.23   (break)      
13.11.23 10:15-12:00

Session 1: Malicious JavaScript Analysis (Vasili)

Aurore HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs

Cujo: Efficient Detection and Prevention of Drive-by-Download Attacks

20.11.23 10:15-12:00

Session 2: 

  1. Obtaining and Selling User Profiles on Cybercriminal Markets (Norman)
  2. Phished and 2FA'd: Stolen Credentials and Forged Fingerprints (Riddhi)

Impersonation-as-a-service: Characterizing the emerging criminal infrastructure for user impersonation at scale

  1. Know Your Cybercriminal: Evaluating Attacker Preferences by Measuring Profile Sales on an Active, Leading Criminal Market for User Impersonation at Scale
  2. Rods with Laser Beams: Understanding Browser Fingerprinting on Phishing Pages
27.11.23   (break)      
04.12.23 10:15-12:00

Session 3: Prototype pollution (Nicolas E.)

Cris Probe the Proto: Measuring Client-Side Prototype Pollution Vulnerabilities of One Million Real-world Websites

Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js

11.12.23 10:15-12:00

Session 4: User Browsing Behavior vs. Top Lists (Aniketh)


A World Wide View of Browsing the World Wide Web 

TRANCO: A Research-Oriented Top Sites Ranking Hardened Against Manipulation

18.12.23 10:15-12:00

Session 5: Reproducibility in Web Measurements (Philip)

Florian How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security

You Call This Archaeology? Evaluating Web Archives for Reproducible Web Security Measurements

25.12.23 🎅 (Winter break)      
01.01.24 🎉 (Winter break)      
08.01.24 10:15-12:00

Session 6: Software Supply Chain Security (Nicolas D.)

Cris Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages

Jack-in-the-box: An Empirical Study of JavaScript Bundling on the Web and its Security Implications

15.01.24 10:15-12:00

Session 7: All Your Secrets Cross Boundaries: Exploring the Risks of Cross-Site Information Leaks (Vedant)

Jannis The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web

SoK: Exploring Current and Future Research Directions on XS-Leaks through an Extended Formal Model

22.01.24 10:15-12:00

Session 8: Browser Extensions & Client-Side Security (Divya) Cross-language Interaction in the Web (Harshitha)

No presentation, only paper discussion.

Cris Everything Old is New Again: Binary Security of WebAssembly

Bilingual Problems: Studying the Security Risks Incurred by Native Extensions in Scripting Languages

29.01.24 10:15-12:00

Session 9: Web Application Scanners (Prerak)

Alex Toss a Fault to Your Witcher: Applying Grey-box Coverage-Guided Mutational Fuzzing to Detect SQL and Command Injection Vulnerabilities

Black Widow: Blackbox Data-driven Web Scanning

05.02.24 10:15-12:00

Session 10: Beyond Malicious Extensions: How can Extensions put User Security & Privacy at Risk? (Meenakshi)

Aurore DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale  Detection of Inconsistencies in Privacy Practices of Browser Extensions
Privacy Policy | Legal Notice
If you encounter technical problems, please contact the administrators.