Topic Descriptions and Seminar Paper Objectives

Topic Title

Tutor

Description

Seminar Paper Objective

Malicious JavaScript Analysis

Aurore

JavaScript was initially designed to create sophisticated and interactive web pages. However, attackers can leverage JavaScript to exploit bugs and further vulnerabilities to compromise the security and privacy of Web users. While some (machine learning-based) systems have been implemented to detect malicious JS, others show that malicious JS can still evade detection…

Investigate how existing systems operate to detect malicious JS (hint: static vs. dynamic approaches). How could these systems be tampered with and how realistic is this? Is malicious JS still an issue today? Why? How could we improve malicious JS detection?

Obtaining and Selling User Profiles on Cybercriminal Markets

Giada

Impersonation-as-a-Service is an emerging threat which leverages user profiles (consisting of credentials, cookies and browser fingerprints) to bypass authentication protections. The observation of "user profile" goods and their purchase on cybercriminal markets shows that this is a growing business and reveals insights into the inner workings of these platforms.

Conduct a survey aimed at identifying, presenting, and describing famous cybercriminal markets, e.g. SilkRoad, the goods they trade, and the estimated revenues. Explore prior works to identify, enumerate, and discuss how these have evolved over time, e.g., trends, changes in the product offers, or emerging trends (e.g., user profiles, affiliate markets).

Prototype Pollution

Cris

Prototype pollution is a dangerous vulnerability that affects prototype-based languages like JavaScript. This vulnerability allows attackers to change important objects in the runtime, e.g., the root prototype, and these changes are then inherited by seemingly unrelated objects. Attackers can exploit this vulnerability to take down web servers, bypass security controls or even to mount powerful remote code execution attacks.

Survey techniques for detecting prototype pollution vulnerabilities and gadgets, and for preventing their exploitation. Additionally, study the connection between prototype pollution and similar vulnerabilities in other domains or languages, e.g., hidden property abuse, object injection vulnerabilities, DOM clobbering.

User Browsing Behavior vs. Top Lists

Aurore

The Web is the most popular software platform. It has a central role in our lives and a significant impact even on society and the economy. But how do people spend time on the Web? Which categories of websites do they most frequent vs. spend the most time on? How well do Top Lists capture user browsing behavior?

Discuss what people use the Web for. To what extent are top lists a good proxy for user browsing behavior? In which dimensions can they bias study results? Which considerations should researchers take into account when studying the Web? Make recommendations and justify your suggestions.

Phished and 2FA'd: Stolen Credentials and Forged Fingerprints

Giada

Two-factor authentication (2FA) protects users by requesting extra verification steps beyond username and password. Additional authentication is requested when the person providing the credentials differs from the regular user. Stolen credentials alone become useless when 2FA is triggered; thus, cybercriminals started collecting user fingerprints as well to avoid triggering extra security checks.

Briefly explain risk-based authentication, mechanisms and threats. Describe the evolution of the sophistication of phishing websites over time (cloaking could be a case study). Suggest future research directions.

Software Supply Chain Security

Cris

This topic covers the security risks incurred in practice by excessive code reuse. A series of recent attacks, e.g., SolarWinds or Log4Shell, led to an increased interest of the academic community in this area. Prior work shows that both vulnerabilities and malicious code in dependencies can pose risks to organizations. Thus, many techniques were proposed both in academia and in industry to detect and mitigate such security risks before they get exploited by malicious actors.

Survey existing academic work on software supply chain security, e.g., what are the main risks, threats, and detection strategies. Additionally, study modern solutions used by practitioners to deal with these risks, e.g., software bill of materials and reproducible builds. Finally, discuss the tension between code reuse and supply chain risks.

All Your Secrets Cross Boundaries: Exploring the Risks of Cross-Site Information Leaks

Jannis

Websites should not be able to infer information about what users are doing on unrelated websites opened in the same browser. However, attacker-controlled websites can often infer such information by exploiting side-channels called cross-site leaks (XS-Leaks). Although browser vendors and websites are trying to fix such issues, new instances of such information leaks are regularly discovered.

Define what an XS-Leak is, which components it consists of and which similar attack classes exist. Survey various papers in the area and identify which areas of the XS-Leak problem they focused on. Classify which types of XS-Leak attacks and mitigations exist. Reason about which attacks might become irrelevant for the web in the near future and which attacks will stay with us for a while.

Browser Extensions & Client-Side Security

Shubham

Browser extension developers often encounter security restrictions imposed by the browser and the websites they interact with, which may hinder their desired functionalities. To provide enhanced services to their users, they resort to insecure coding practices to bypass these security measures. Unfortunately, these practices can degrade the overall security of both the websites and the extensions themselves, creating vulnerabilities that nefarious actors can exploit.

Understand the browser extension architecture and how different client side components interact. Identify the known security issues associated with extensions, the underlying cause, and the consequence of such issues, based on research studies. Investigate if there exist solutions against the identified security issues and whether they are enforced in practice. Discuss the current extension architecture, the development guidelines and the feasibility of security solutions with respect to the operations of extensions.

Web Application Scanners

Alex

Automated vulnerability detection in web applications is a challenging task. Existing binary application testing techniques do not translate easily to the web application domain. We examine how one can apply fuzzing to web applications and what problems remain unsolved.

Identify the challenges in automated vulnerability detection in web applications. Explore the web application testing techniques used in the past and suggest future research directions.

Cross-language Interaction in the Web

Cris

Traditionally, the web platform supported only a few well-studied programming languages: HTML as a markup language, CSS for styling, and JavaScript for making the pages dynamic. However, with the adoption of the web standards for emerging use cases such as mobile development or the creation of cross-OS desktop applications, the web increasingly allows the interaction with code written in other languages: WebAssembly or any other language that compiles to it, TypeScript, or even native code via native extensions. This incurs significant security risks that are not trivial to mitigate with state-of-the-art techniques.

Create a topology of cross-language interactions on the web. Identify the main security challenges and risks that arise due to these interactions. Survey possible techniques to mitigate the identified risks, e.g., discuss possible changes to the web standards or the use of legacy tools from other domains to deal with this new reality.

Beyond Malicious Extensions: How can Extensions put User Security & Privacy at Risk?

Aurore

Browser extensions were introduced to improve and personalize user browsing experience. To operate, they need elevated privileges compared to web pages. Obviously, malicious extensions can put user security and privacy at risk. However, benign-but-buggy extensions and extensions violating privacy policies are an even stealthier way to put an extension user base at risk…

Uncover why and how extensions can put user security and privacy at risk. How bad can this be? How is Chrome trying to tackle these issues? Which additional steps could be taken?

Reproducibility in Web Measurements

Florian

Reproducibility in web measurement studies presents significant challenges due to the dynamic nature of websites. As content and structures can change rapidly, measurements can yield varying results within short time frames. Consequently, researchers have been working on methods to enhance the reproducibility of these studies.

Start with a broad literature review of papers that propose ways to improve the reproducibility of web measurement studies or that used a reproducible method. Identify the challenges and proposed solutions. Discuss how feasible different solutions are and propose a condensed list of best practices.
