The central topic of this seminar are web attacks. The proposed topics range from XSS and clickjacking, to attacks exploiting CORS misconfigurations and weak third-party libraries.

The seminar is expected to take place as a block seminar at the end of the lecture period.

Dates & Deadlines

• First week: distribution of topics.
• End of April: Topic consultation
• May 15th: Preliminary seminar thesis version (at least 5 pages) describing the main paper problem.
• June 22nd: Submission deadline of the prefinal seminar thesis.
• July 5th: Submission deadline of the reviews.
• July 17th: Submission deadline of the final version of the seminar thesis.
• July 29th & 30th: Block Seminar, Presentation of your work

Depending on the situation in July, the presentations will possibly be held remotely.

The seminar will be organized over Panda.

Registration of Topics

The topics are given in the first meeting. You should have a look at the topics (see below) and respective papers before the first meeting and make your mind up about your topic preferences.

Grading and Demands

Presentation

20 minutes presentation. 5 minutes discussion and questions.

The best presentation will be awarded! More information will be given in the first meeting.

Seminar thesis

Essay of length 12 to 20 pages written according to the standards of a scientific paper.

Reviews

We will follow a peer review procedure similar to scientific publications:

• You submit your thesis (paper) at easychair.org
• Some (2) peers (other students) review your submission:
  • Read and understand the submitted paper
  • Criticize your paper
  • Make recommendations on how to improve
  • Be honest, polite, and helpful when writing your reviews
• The reviews you write will influence your final grade
• The reviews you receive will not influence (but your final version)
• Each student has to write 2 reviews (each 1-2 pages)

Topics

  1. Cristian-Alexandru Staicu and Michael Pradel. Leaky Images: Targeted Privacy Attacks in the Web. www.usenix.org/conference/usenixsecurity19/presentation/staicu

  2. Zhang et al. All Your Clicks Belong to Me: Investigating Click Interception on the Web. www.usenix.org/conference/usenixsecurity19/presentation/zhang

 3.  John V. Monaco. What Are You Searching For? A Remote Keylogging Attack on Search Engine Autocomplete. www.usenix.org/conference/usenixsecurity19/presentation/monaco

 4. Zimmermann et al. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. www.usenix.org/conference/usenixsecurity19/presentation/zimmerman

 5. Alhuzali et al. NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications. www.usenix.org/conference/usenixsecurity18/presentation/alhuzali

 6. Steffens et al. Don’t Trust The Locals:Investigating the Prevalence of PersistentClient-Side Cross-Site Scripting in the Wild. swag.cispa.saarland/papers/steffens2019locals.pdf

 7. Stock et al. Hey, You Have a Problem:On the Feasibility of Large-Scale Web Vulnerability Notification. swag.cispa.saarland/papers/stock2016hey.pdf

 8. Schwenk, Niemietz, Mainka. Same-Origin Policy: Evaluation in Modern Browsers. www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2017/07/13/Same-Origin-Policy_Security-Evaluation.pdf

 9. Tom Van Goethem, Frank Piessens, Wouter Joosen, Nick Nikiforakis. Clubbing seals: Exploring the ecosystem of third-party security seals. lirias.kuleuven.be/retrieve/290834

10. James Kettle. HTTP Desync Attacks: Smashing into the Cell Next Door. www.blackhat.com/us-19/briefings/schedule/index.html

11. James Kettle. Exploiting CORS misconfigurations for Bitcoins and bounties. portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties. www.usenix.org/conference/usenixsecurity18/presentation/chen-jianjun. www.owasp.org/images/c/c1/GOD17-CORS.pdf.
 
12. Calzavara et al. A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web.   publications.cispa.saarland/3033/

13. Roth et al. Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies.  publications.cispa.saarland/2986/

14. Stock et al. Didn’t You Hear Me? — Towards More Successful Web Vulnerability Notifications. publications.cispa.saarland/1190/

15. Van Goethem et al. The Clock is Still Ticking:Timing Attacks in the Modern Web. www.securitee.org/files/timing-attacks_ccs2015.pdf

16. Vissers et al. The Wolf of Name Street:Hijacking Domains Through Their Nameservers. www.securitee.org/files/dnshijack_ccs2017.pdf

17. Hao et al. Drops for Stuff: An Analysis of Reshipping Mule Scams. www.securitee.org/files/mules_ccs2015.pdf

18. Kondracki. Meddling Middlemen: Empirical Analysis of the Risks of Data-Saving Mobile Browsers. www.securitee.org/files/meddlingmiddlemen_oakland2020.pdf