Course Information

  • Instructor: Seongil Wi
  • Time: Tuesday/Thursday 16:00 ~ 17:15
  • Location: 106-T202
  • Grading:
    • 5% Participation
    • 20% Midterm exam (No final exam)
    • 15% Homework
    • 20% Paper Presentation
    • 40% Project
  • Textbook:
    • Andrew Hoffman, Web Application Security

The course provides in-depth studies of various web attacks and defenses, encompassing a comprehensive exploration of security vulnerabilities and privacy risks present on the web. Additionally, discussions will focus on detecting these vulnerabilities and mitigating privacy risks.

Late Submission Policy

Late submissions are penalized 10% per day and are accepted at most 3 days after the deadline.

Paper Presentation

  • Presentation Time: 30 mins (+ 5 mins Q&A)
  • Evaluation:
    • Organization/clarity
      • You should present a summary of the contribution of the paper at the very beginning of your presentation.
    • Quality of criticism (You should present your opinion!)
    • Presentation skills
    • Participation points will be awarded to students asking (valuable) questions!

Schedule

02/27/2024: Introduction
02/29/2024: Web Programming
03/05/2024: Client-side Security
  Reading: [Squarcina/USENIXSEC2023]
  Notes: Paper Assignment (6PM)
03/07/2024: Server-side Security
  Reading: [Wi/WWW2022], [Jovanovic/S&P2006]
03/12/2024: Server-side Security (2)
03/14/2024: Cross-Site Scripting
  Reading: [Steffens/NDSS2019], [Son/NDSS2013], [Lekies/CCS2013]
  Notes: Project Proposal Due (Mar. 15, 11:59 PM)
03/19/2024: No Class
03/21/2024: Cross-Site Scripting (2)
  Notes: HW1 out
03/26/2024: Content Security Policy
  Reading: [Weichselbaum/CCS2016], [Roth/CCS2021], [Wi/NDSS2023]
03/28/2024: Cross-Site Request Forgery
  Reading: [Barth/CCS2008], [Pellegrino/CCS2017]
04/02/2024: Clickjacking & XS-Leaks
  Reading: [Rautenstrauch/S&P2023], [Huang/USENIXSEC2012]
04/04/2024: Extensions & Phishing
  Reading: [Kapravelos/USENIXSEC2014], [Thomas/S&P2015], [Zhang/S&P2021]
04/09/2024: SSL/TLS & HTTPS
  Reading: [Brubaker/S&P2014], [Durumeric/NDSS2017]
  Notes: HW1 due (11:59 PM)
04/11/2024: Password
  Reading: [Bonneau/S&P2012], [Bonneau/S&P2012]
04/16/2024: Midterm week
04/18/2024: Midterm week
  Notes: Midterm Exam (Class Time)
04/23/2024: Paper Presentation (Web Attacks)
  • [Daeun Lee] 25 Million Flows Later: Large-scale Detection of DOM-based XSS, CCS2013
  • [Chanyoung Park] Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting, NDSS2018
04/25/2024: Paper Presentation (Web Attacks)
  • [Yonghyeon Kim] HiddenCPG: Large-Scale Vulnerable Clone Detection Using Subgraph Isomorphism of Code Property Graphs, WWW2022
  • [Jiun Min] FuzzOrigin: Detecting UXSS Vulnerabilities in Browsers through Origin Fuzzing, USENIXSEC2022
  Notes: Project Checkpoint Due (Apr. 26, 11:59 PM)
04/30/2024: Paper Presentation (Web Attacks)
  • [Wonil Jang] Atropos: Effective Fuzzing of Web Applications for Server-Side Vulnerabilities, USENIXSEC2024
  • [Axel Homery] NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications, USENIXSEC2018
05/02/2024: Paper Presentation (Web Attacks)
  • [Yeon An] Link: Black-Box Detection of Cross-Site Scripting Vulnerabilities Using Reinforcement Learning, WWW2022
  • [Jiseong Kim] Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web, USENIXSEC2021
05/07/2024: Paper Presentation (XS-Leaks)
  • [Jeongseok Nam] XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers, CCS2021
  • [Sanghoon Jung] The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web, S&P2023
05/09/2024: Paper Presentation (Cross-Site Communication)
  • [Yinae Park] We Still Don't Have Secure Cross-Domain Requests: An Empirical Study of CORS, USENIXSEC2018
  • [SeungMin Lee] PMForce: Systematically Analyzing postMessage Handlers at Scale, CCS2020
05/14/2024: Paper Presentation (Phishing)
  • [Minseong Choi] CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing, S&P2021
  • [Seongouk Kim] Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits, CCS2021
05/16/2024: Paper Presentation (Phishing)
  • [TaeYeong Hwang] PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists, USENIXSEC2020
  • [Dongyeon Yu] Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale, USENIXSEC2020
05/21/2024: Paper Presentation (Tracking & AD)
  • [Dahyeon Park] Doppelgängers on the Dark Web: A Large-scale Assessment on Phishing Hidden Web Services, WWW2019
  • [Buyoung Mun] CookieGraph: Understanding and Detecting First-Party Tracking Cookies, CCS2023
05/23/2024: Paper Presentation (Tracking & AD)
  • [Thomas Fellner] The Web Never Forgets: Persistent Tracking Mechanisms in the Wild, CCS2014
  • [Jooyoung Jang] ADGRAPH: A Graph-Based Approach to Ad and Tracker Blocking, S&P2020
05/28/2024: Paper Presentation (Fingerprint)
  • [Maïwenn Le Goasteller] Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors, S&P2021
  • [Seongyun Jeong] The Dangers of Human Touch: Fingerprinting Browser Extensions through User Actions, USENIXSEC2022
05/30/2024: Paper Presentation (JS Engine Fuzzing)
  • [Yeongjun Kwak] CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines, NDSS2018
  • [Jihun Baek] Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer, USENIXSEC2020
06/04/2024: Paper Presentation (Content Security Policy)
  • [Mentzel Nils Simon] Reining in the Web with Content Security Policy, WWW2010
  • [Sunghyun Yang] CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, CCS2016
06/06/2024: Memorial Day (no class)
06/11/2024: No class (Final week)
06/13/2024: No class (Final week)
  Notes: Final Report Due (Jun. 14, 11:59 PM)