News

[Important] LSF registration

Written on 28.10.25 by Giancarlo Pellegrino

Dear students,

A quick housekeeping note: Please make sure to register or withdraw from the seminar in LSF by November 12, 2025.

LSF registration will open by the end of this week. Also, don’t forget to register for the exam in LSF once it’s available.

Best,
Giancarlo

Important schedule update

Written on 20.10.25 by Giancarlo Pellegrino

Dear students,

I've made a small update to our session schedule after realizing that December 22 falls within the semester break, and many of you may already have travel plans. The key changes are as follows:

  • No session on 22.12.2025. Session 8 has been rescheduled from 22.12 to 15.12.2025
  • Sessions 6 and 7 will both take place on 08.12.2025. On that day, we’ll have two presentations (Session 6 and Session 7), but due to time constraints, we’ll discuss only the main paper from Session 7

Please make a note of these adjustments.

---
Giancarlo

The Web Security Seminar

For registration, please apply for this seminar through the central seminar assignment system.

The Web Security Seminar will teach students to present, analyze, discuss, and summarize papers in different areas of Web security. The seminar combines a reading group with (almost) weekly meetings and a regular seminar, where students will write a seminar paper.

Each student will get a topic assigned, consisting of a lead and a follow-up paper. The student will present the follow-up paper in a 20-minute presentation followed by a 10-minute Q&A. Afterwards, we will all discuss the lead paper as a reading group. All students must read the lead paper and, before each session, must submit a summary with strengths and weaknesses.

Finally, each student will write a seminar paper on the assigned topic, for which the two papers serve as the starting point. Special attention should be paid to fulfilling the seminar paper's objective.

Any use of LLMs/GenAI is strictly forbidden for producing or polishing the text of the seminar papers. We will thoroughly investigate any suspicious text we find in the submitted manuscripts, e.g., via an oral exam in which the student is invited to explain the text.

Important Details

  • Kickoff on Monday, 20.10.2025, 10:15-12:00, CISPA main building (C0), room 0.02
  • (Semi) Regular seminar sessions on Mondays. First session is on Monday, 03.11.2025, 10:15-12:00
  • By Thursday, 23:59, before each session:
    • All students: submit the paper summary (one page max) with discussion points: three items for the strengths, three items for the weaknesses, and future work
    • Only the presenter: submit your slides for feedback by your supervisor.
  • Attendance in all meetings and submission of summary and discussion points for each topic is mandatory. For exceptional cases, contact the teaching staff.
  • The Web Security Seminar does not offer hybrid participation.

Grading

1. Requirements for a passing grade:

  • Attend all sessions
  • Submit:
    • the summaries of all sessions; your slide deck for feedback before your presentation and the final slide deck of your presentation
    • the first version of your seminar paper. The first version must be complete with no placeholders. The completeness of your draft will be graded.
    • the final version of your seminar paper addressing the feedback of your supervisor

2. Grade structure:

  • 30%: Presentation (e.g., timing; quality of the slides; clarity; exposition; and Q&A)
  • 60%: Seminar paper (e.g., compliance with the submission rules; correctness of the references; adherence to the objectives; quality of writing; structure; completeness of relevant papers; correct representation of research results)
  • 10%: Participation in the paper discussions

Seminar Paper Details

We will cover the different types of seminar paper during the kickoff session.

All seminar papers are due on (see below). Based on your submission, you will receive feedback within one week and have until (see below) to improve your paper. Grading is based on the final version. Note that the first submission must already be sufficient to pass. If you submit a half-baked version of the paper, you will likely fail the course.

Each paper must use the provided template, and all the text must be written via Overleaf in a project monitored by the organizers of the seminar. It must not be longer than 8 pages, not counting references and appendices. Note that appendices are not meant to provide information that is absolutely necessary to understand the paper, but rather to provide auxiliary material. Papers can be shorter, but in general the provided page limit is a good indicator of how long a paper should be.

Schedule, List of Topics, and Papers

| Date | Time | Content | Tutor | Student | Topic | Main paper (discussed) | Follow-up papers (presented) |
|---|---|---|---|---|---|---|---|
| 20.10.2025 | 10:00-12:00 | Kickoff (+2 days: topic prefs) | | | | | |
| 27.10.2025 | 10:00-12:00 | (break) | | | | | |
| 03.11.2025 | 10:00-12:00 | Session 1 | Gianluca | Tiziano | Agentic Penetration Testing | PentestAgent: Incorporating LLM Agents to Automated Penetration Testing | PENTESTGPT: Evaluating and Harnessing Large Language Models for Automated Penetration Testing |
| 10.11.2025 | 10:00-12:00 | Session 2 | Alex | Luca R. | Automated API Security Testing | Vulnerability-oriented Testing for RESTful APIs | RESTler: Stateful REST API Fuzzing |
| 17.11.2025 | 10:00-12:00 | Session 3 | Metodi | Devanarayanan | Privacy Violations on the Web | Automating Cookie Consent and GDPR Violation Detection | Freely Given Consent?: Studying Consent Notice of Third-Party Tracking and Its Violations of GDPR in Android Apps |
| 24.11.2025 | 10:00-12:00 | Session 4 | Ali | Bharat | Evolution of Web-Based Data Leakage: From Trackers to AI Agents | Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission | When LLMs Go Online: The Emerging Threat of Web-Enabled LLMs |
| 01.12.2025 | 10:00-12:00 | Session 5 | Francis | Jakub | Web Cache Deception Attacks | Cached and Confused: Web Cache Deception in the Wild | Web Cache Deception Escalates! |
| 08.12.2025 | 10:00-12:00 | Session 6+7 (*); submit paper draft | Allen | 6: Guatam; 7: Mohamed B. J. | Session 6: Cross-platform Web App Security; Session 7: JavaScript Analysis with Abstract Interpretation | Session 6: A Security Study about Electron Applications and a Programming Methodology to Tame DOM Functionalities (**); Session 7: Mining Node.js Vulnerabilities via Object Dependence Graph and Query | Session 6: COINDEF: A Comprehensive Code Injection Defense for the Electron Framework; Session 7: Scaling JavaScript Abstract Interpretation to Detect and Exploit Node.js Taint-style Vulnerability |
| 15.12.2025 | 10:00-12:00 | Session 8 | Valentino | Nadeen | Detection of Malicious Browser Extensions | Arcanum: Detecting and Evaluating the Privacy Risks of Browser Extensions on Web Pages and Web Content | You've Changed: Detecting Malicious Browser Extensions through their Update Deltas |
| 22.12.2025 | 10:00-12:00 | Winter break | | | | | |
| 29.12.2025 | 10:00-12:00 | Winter break | | | | | |
| 05.01.2026 | 10:00-12:00 | Winter break | | | | | |
| 12.01.2026 | 10:00-12:00 | Session 9 | Dominic | Simon R. P. | Type Confusion in Gradually Typed Languages | Typed and Confused: Studying the Unexpected Dangers of Gradual Typing | Type Devil: Dynamic Type Inconsistency Analysis for JavaScript |
| 19.01.2026 | 10:00-12:00 | Session 10 | Andrea | Aakase | Immersive environment automatic security testing | AUTOVR: Automated UI Exploration for Detecting Sensitive Data Flow Exposures in Virtual Reality Apps | OVRseen: Auditing Network Traffic and Privacy Policies in Oculus VR |
| 26.01.2026 | 10:00-12:00 | Session 11 | Giancarlo | Simon | Logic Vulnerabilities in Web Applications | How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores | Toward Black-Box Detection of Logic Flaws in Web Applications |
| 09.02.2026 | --- | --- | | | | | |
| 16.02.2026 | --- | Final paper | | | | | |

(*): Double session, i.e., TWO presentations and ONE discussion
(**): The discussion of the Session 6 main paper, while originally planned, will not take place.