Sunday February 24  
8:00am - 7:00pm Registration
8:30am - 8:40am Welcome and Introductory Remarks
8:40am - 9:10am

Abstract: Cross-Site Scripting is a type of vulnerability which typically involves data flowing from an attacker-controllable source to a security-sensitive sink. In this talk, I will outline how we have used taint tracking to automatically find client-side XSS at a large scale. Moreover, apart from prevalence of this threat, I will outline how the general security landscape of the client-side Web has evolved and why vulnerabilities on the client are becoming more and more prevalent. Last but not least, I will report on our efforts to help developers remediate their issues, and finish with an outlook on what (I think) upcoming challenges for client-side security research might be.

9:10am - 10:00am Session 1
  Measuring the Impact of HTTP/2 and Server Push on Web Fingerprinting
Weiran Lin, Sanjeev Reddy, Nikita Borisov
  Lightnion: seamless anonymous communication from any web browser
Wouter Lueks, Matthieu Daumas, Carmela Troncoso
10:00am - 10:30am Morning Break
10:30am - 11:30am Panel: Browsers and security
11:30am - 12:30pm Session 2
  HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs
Aurore Fass, Michael Backes, Ben Stock
  Cross-Site Challenge-Response Attacks
Nethanel Gelernter, Itamar Peretz
12:30pm - 1:30pm Lunch
1:30pm - 2:00pm

Abstract: Many web servers today face two types of clients: desktop web browsers and smartphone mobile apps. While analyzing the code (e.g., Javascript) running in a web browser can be used to identify the vulnerabilities of web servers, the analysis of mobile apps provides another rich avenue of studying the security of online web. In this talk, I will present a line of research of how to uncover various web server vulnerabilities through automated mobile app analysis. In particular, I will talk about AuthScope that identifies authorization vulnerabilities in web servers via differential analysis. Then, I will talk about LeakScope that identifies the data leakage vulnerabilities in the cloud from mobile apps. These mobile app centric analyses have identified thousands of vulnerabilities and responsible disclosures have all been made to the service providers. Finally, I will also discuss some future directions in this line of research.

2:00pm - 2:50pm Session 3
  DorkPot: A Honeypot-based Analysis of Google Dorks
Florian Quinkert, Eduard Leonhardt, Thorsten Holz
  Extension Vetting: Haven’t We Solved This Problem Yet?
Dénes Bán, Benjamin Livshits
2:50pm - 3:30pm Afternoon Break
3:30pm - 5:00pm Brainstorming for research, collaborations and funding session
6:00pm - 7:00pm Reception