Sunday February 24 | |
---|---|
8:00am - 7:00pm | Registration |
8:30am - 8:40am | Welcome and Introductory Remarks |
8:40am - 9:10am | Abstract: Cross-Site Scripting is a type of vulnerability which typically involves data flowing from an attacker-controllable source to a security-sensitive sink. In this talk, I will outline how we have used taint tracking to automatically find client-side XSS at a large scale. Moreover, apart from the prevalence of this threat, I will outline how the general security landscape of the client-side Web has evolved and why vulnerabilities on the client are becoming more and more prevalent. Last but not least, I will report on our efforts to help developers remediate their issues, and finish with an outlook on what (I think) upcoming challenges for client-side security research might be. |
9:10am - 10:00am | Session 1 |
 | Measuring the Impact of HTTP/2 and Server Push on Web Fingerprinting (Weiran Lin, Sanjeev Reddy, Nikita Borisov) |
 | Lightnion: seamless anonymous communication from any web browser (Wouter Lueks, Matthieu Daumas, Carmela Troncoso) |
10:00am - 10:30am | Morning Break |
10:30am - 11:30am | Panel: Browsers and security |
11:30am - 12:30pm | Session 2 |
 | HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs (Aurore Fass, Michael Backes, Ben Stock) |
 | Cross-Site Challenge-Response Attacks (Nethanel Gelernter, Itamar Peretz) |
12:30pm - 1:30pm | Lunch |
1:30pm - 2:00pm | Abstract: Many web servers today face two types of clients: desktop web browsers and smartphone mobile apps. While analyzing the code (e.g., JavaScript) running in a web browser can be used to identify the vulnerabilities of web servers, the analysis of mobile apps provides another rich avenue of studying the security of the online web. In this talk, I will present a line of research of how to uncover various web server vulnerabilities through automated mobile app analysis. In particular, I will talk about AuthScope, which identifies authorization vulnerabilities in web servers via differential analysis. Then, I will talk about LeakScope, which identifies the data leakage vulnerabilities in the cloud from mobile apps. These mobile-app-centric analyses have identified thousands of vulnerabilities, and responsible disclosures have all been made to the service providers. Finally, I will also discuss some future directions in this line of research. |
2:00pm - 2:50pm | Session 3 |
 | DorkPot: A Honeypot-based Analysis of Google Dorks (Florian Quinkert, Eduard Leonhardt, Thorsten Holz). Best Paper Award |
 | Extension Vetting: Haven’t We Solved This Problem Yet? (Dénes Bán, Benjamin Livshits) |
2:50pm - 3:30pm | Afternoon Break |
3:30pm - 5:00pm | Brainstorming for research, collaborations and funding session |
6:00pm - 7:00pm | Reception |
MADWeb 2025, in cooperation with the NDSS Symposium