Topic Descriptions and Seminar Paper Objectives

Topic Title

Tutor

Description

Seminar Paper Objective

Automated API Security Testing

Alex

A core component of a modern web application is the API, which can be found in customer-facing, partner-facing, and internal web applications. By nature, APIs expose application logic and sensitive data such as Personally Identifiable Information (PII), and because of this, have increasingly become a target for attackers. Consequently, API testing has gained significant popularity as a solution to enhance API security, and a considerable amount of research has been conducted in this field. The research, however, is far from over, as existing testing methods for RESTful APIs often encounter limitations when identifying security vulnerabilities automatically. In this topic, you would conduct a survey on automated API vulnerability detection techniques.
First, introduce and frame the problem. Cover the core concepts. Introduce the research questions you would cover in the paper:
- RQ1: What are the main challenges of automated API security scanning?
   - How do stateful interactions, authentication mechanisms, and complex input formats hinder automated testing?
   - What limitations exist in black-box versus white-box and gray-box approaches?
- RQ2: Which automated techniques have been proposed to detect API vulnerabilities?
   - How effective are the methods in practice?
   - What are the trade-offs between accuracy, scalability, and automation?
- RQ3: What gaps remain in current research, and what future directions are most promising?
   - Are there specific vulnerability classes that remain difficult to detect automatically in the API context?
   - How can emerging technologies like LLM-driven test generation improve coverage and accuracy?
Next, present your methodology for selecting the papers. Be explicit: list the methods and parameters (e.g., keywords, years, venues) of your study. The methodology should be fully reproducible by the readers.
The section following the methodology presents the survey results: how many papers were found, how many were selected for the study, and why. Cluster and present all selected papers succinctly but with enough details: clearly state the paper's idea and main insights or results.
Finally, analyse the papers and answer the research questions 1-3.
Conclude the paper by summarizing the survey results.
Immersive environment automatic security testing

Andrea

A key component of immersive applications (XR, VR) is the interactive environment, where actions include gestures, movements, and complex 3D interactions. These environments process sensitive data (movements, voice, etc.) and expose new attack surfaces (accurate profiling, sensitive data, etc.), making them attractive targets for attackers. Consequently, automatic testing of VR security has gained attention as a way to improve privacy and safety. The research, however, is still at an early stage, as existing testing tools made for mobile or web apps struggle to handle the unique interaction models of VR.

Investigate a) how existing automatic testing techniques (e.g., for mobile or games) can be adapted to immersive environments to automatically trigger events and interactions in order to find network packets, syscalls, and other sensitive data flows. Beyond adapting existing techniques, the paper should also explore b) new approaches (e.g., multimodal models combining visual and controller input) to reach app states that currently only a human tester can reach.

Agentic Penetration Testing

Gianluca

In recent years, machine learning techniques have greatly helped humans detect and mitigate security issues.
Precursor techniques were simple heuristic-based methods capable of only basic pattern recognition. On the other hand, today's systems encompass advanced ML/DL architectures that enable the intelligent detection of problems originally intractable to traditional tools.
The latest trend in the AI field is the concept of 'Agent'. An LLM-driven system equipped with specialized tools solves the task at hand by observing the current state of the problem and autonomously choosing the best tool to use next until the task is solved.
In this seminar, we explore the world of Agentic penetration testing, i.e., agents capable of analyzing applications' security posture.
Provide a survey (of published and unpublished articles) on how AI agents are used for penetration testing or, more generally, in the security domain.
Highlight the new capabilities of these agents, explaining where previous systems failed and how they improved them.
Discuss the position of the human security analyst in a context dominated by autonomous security agents. Do we still need humans in the loop? Also present the risks connected to over-relying on AI systems.

Cross-platform Web App Security

Allen

NodeJS-powered frameworks, such as Electron, have been widely adopted as a solution for developing cross-platform applications, including Discord, Microsoft Teams, and Slack. Such a framework integrates a browser core and allows developers to build their applications with NodeJS and web technologies, even enabling a plugin ecosystem. However, this means that attackers may find new attack surface within these applications and cause even more damage by interfering with cross-platform capabilities and underlying systems.

The objective of this seminar paper is to 1) understand the mechanisms behind the Electron framework and how JavaScript technologies are adopted to support cross-platform application development, and 2) assess the security of the framework by systematically identifying attack surfaces allowing malicious parties to tame the DOM tree. The students are supposed to show that they:

1) Understand how the Electron framework works at a high level

2) Understand how sanitization works and how the vulnerability functions, using Microsoft Teams as an example

3) Try to propose an approach to detect the vulnerability, and compare their initial idea with the approach proposed by the seminar paper

4) Evaluate the results of the paper and share their idea about the paper, e.g., whether the paper has limitations, whether additional analysis is required, or whether the methodology proposed by the paper is good or not.

JavaScript Analysis with Abstract Interpretation

Allen

Static analysis of JavaScript suffers from the dynamic features of the language, which cause it to miss critical vulnerability-related data flows. Traditional Abstract Interpretation has been extended to tackle this challenge by building an abstract representation for the object structures. However, these techniques have their own challenges, which need to be specifically addressed.

The overall objective of this seminar paper is to introduce students to the idea and challenge of performing sound security analysis in NodeJS applications. The students are supposed to understand the overall idea, advantages, and limitations of the related works, and how the paper addresses these limitations. If possible, identify the limitations of the proposed solution, and compare these with the follow-up seminar paper in this session. More specifically, the seminar paper needs to demonstrate the following details:

1) Understand the basic idea of Abstract Interpretation in general.   

2) Analyze and summarize the prior approaches mentioned in the paper on JavaScript, and identify the major challenge that the paper aims to address.

3) Identify how the paper addresses the challenge of existing works, and, by reading through the evaluation, evaluate whether and how the proposed approach addresses the problem proposed in this paper.

Optional: evaluate the entire paper, and try to identify one limitation of the paper and potential improvement.

Detection of Malicious Browser Extensions

Valentino

Browser extensions provide powerful customization but can pose significant security and privacy risks. Detecting malicious extensions is challenging due to diverse abuse patterns and the difficulty of distinguishing malicious from benign behavior. As detection methods improve, malicious actors continue to evolve their techniques. This creates an ongoing challenge to stay ahead of emerging threats while maintaining a balance between security and the legitimate functionality that the extensions provide. We will study two papers where static analysis, dynamic analysis, and user feedback monitoring are used to detect common malicious behaviors while minimizing false positives.

Understand the architecture of browser extensions and reason about a set of possible malicious behaviours. Identify the main features that can be considered in the analysis of extensions. Define the main aspects of static vs dynamic approaches. Understand the role of extension APIs and discuss how analysis for maliciousness could be driven by the higher relevance that these parts of the code have.

Type Confusion in Gradually Typed Languages

Dominic

The dynamic nature of modern programming languages such as JavaScript and Python not only offers developers lots of freedom and flexibility, but also gives rise to issues such as type confusion. Type confusion vulnerabilities occur when there is a mismatch between a piece of data’s expected and actual data type at runtime. These vulnerabilities can act as building blocks for larger attacks, e.g., enabling attackers to circumvent input validation mechanisms and to hijack the control flow. More recently, gradual typing has emerged as a middle ground between the flexibility of dynamic typing and the type safety of static typing. But does gradual typing actually help prevent type confusion in practice? Or could it possibly make it even worse?

- Introduce and frame the problem: Present technical terms you are going to use in the paper. Show that you understand type confusion and gradual typing.
- Type-related issues: Discuss type confusion and how it can be detected by presenting the follow-up paper concisely but in-depth. Collect other kinds of type-related issues from related work and compare them to type confusion in terms of attack vector, threat model, and potential consequences. Also discuss how type-related issues, especially type confusion, can act as building blocks for larger attacks.
 
Privacy Violations on the Web

Metodi

The GDPR requires data controllers (e.g., Web sites or applications) to obtain freely given, informed, and unambiguous consent before processing users’ personal data. However, do developers actually follow the privacy laws and guidelines? How effective are privacy regulatory measures in practice? Studies show that many services consistently engage in privacy violations, for example by assuming implicit consent or ignoring the users’ choice altogether. Technical advances now allow for the detection of privacy violations at scale. In addition, research is also trying to understand why these violations are happening in the first place by engaging with developers directly. The findings highlight the scale of privacy violations on the web and the urgent need for better enforcement, transparency, and tools to support lawful data practices.

The students are expected to understand the fundamentals of the GDPR - what is GDPR, what is personal data, what is consent, and when is it violated. They will also learn about privacy violations on the Web and in mobile applications, and the methods to detect them automatically at scale. In addition, they will learn about the current challenges in the topic, e.g., the processing of privacy policies at scale, enforcement of the GDPR, lack of tools and difficulties developers face when trying to adhere to the GDPR (e.g., caused by third-party libraries). The student should find additional papers about privacy violations from top-tier conferences to compare different ecosystems (specifically Web, Android and iOS). In addition to discussing the technical aspects and limitations of the papers, students should also focus on broader questions like why does privacy matter, what is the perspective of different stakeholders, and how do users understand privacy (and if users’ understanding can be improved).

Evolution of Web-Based Data Leakage: From Trackers to AI Agents

Ali

The leakage of personal information on the web has shifted in both scale and nature. In the past, this data was often collected passively through hidden scripts and trackers that captured details such as email addresses before users even clicked “submit.” These silent mechanisms operated in the background of everyday browsing, enabling cross-site tracking and persistent identification without explicit consent. Today, the problem is no longer limited to passive collection: autonomous AI agents with web access can be deliberately directed to harvest sensitive information, generate convincing impersonations, and conduct large-scale phishing campaigns. From hidden trackers to AI-driven exploitation, web-based data leakage has evolved from background collection to active, attacker-driven operations, raising urgent questions about how defences must adapt.

- Learn how personal data leakage on the web has evolved, moving from passive collection by hidden trackers to active exploitation through AI-driven agents.
- Understand concrete attack scenarios, including data exfiltration from forms, harvesting of PII, and the creation of impersonation and phishing attacks.
- Compare these different approaches, identify their similarities and differences, and reflect on what they imply for future defenses.
Web Cache Deception Attacks

Francis

The modern Web expands beyond web servers and clients (i.e., web browsers).
In particular, Web caches are intermediate relays that store website content to allow quick delivery to users. This includes static, dynamic, programmatic CDNs (content delivery networks), and edge serverless services.
Cache deception and confusion vulnerabilities occur when a web cache (e.g., a CDN) and a backend origin server disagree on the rules for caching resources.
Specifically, the attacker exploits this ambiguity and tricks users into visiting URLs that are considered static (i.e., cacheable and publicly accessible) by the web cache.
At the same time, the response returned by the backend server could be dynamically generated based on the user's private information (e.g., authentication cookies), or contain other critical information like CSRF tokens, CSP nonces, etc.
Publicly exposing these URLs introduces various security and privacy issues.
- understand the specificities and technologies backing web caches, potentially how to detect them
- discuss known and potential security and privacy threats that come with their usage in the Web ecosystem
- discuss and devise mitigations against the identified threats and how they can contribute to a safer Web
Logic Vulnerabilities in Web Applications

Giancarlo

Logic vulnerabilities in web applications arise from flaws in the business logic that governs how users interact with the system, rather than from low-level coding errors. These vulnerabilities allow attackers to exploit inconsistencies in workflows or data validation, such as skipping authentication steps, reusing tokens, or manipulating checkout sequences, to gain unauthorized privileges or disrupt processes. Because they stem from design flaws rather than technical misconfigurations, detecting logic vulnerabilities remains largely a manual and challenging task, with limited automated tools or formal methodologies available.

The general objective of this seminar paper is to assess the adequacy of existing approaches for detecting logic vulnerabilities in web applications. More specifically, the seminar paper should aim to:

1) Identify and describe representative instances of logic vulnerabilities observed in modern web applications, with an emphasis on recent and well-documented cases;

2) Survey and analyze prior practical approaches that address the detection of logic vulnerabilities;

3) Critically evaluate the effectiveness, limitations, and gaps of current detection methodologies, highlighting where automated solutions fall short and where manual analysis remains essential;

4) (Optional) Discuss one potential direction for improvement or emerging trends, such as the integration of formal methods, AI-assisted analysis, or improved modeling of business logic.
