IS542: Web Service Security and Privacy

The course provides in-depth studies of numerous web attacks and defenses. The course covers comprehensive security vulnerabilities and privacy risks that exist on the Web. We will also discuss how to detect those vulnerabilities and alleviate the privacy risks.

Basic Information

• Lecture: Monday/Wednesday 10:30 - 11:45, Room 3445 E3-1
• Instructor: Sooel Son
• Email: sl.son (at) kaist.ac.kr
• Homepage: https://sites.google.com/site/ssonkaist/
• Office hours: Thursday 13:00 - 14:00, Room 4434
• T.A.:
  • Beomsoo Kim: dmbs335 (at) kaist.ac.kr
  • Dongwon Shin: dongwon.shin (at) kaist.ac.kr
  • Kiwon Chung: greenare (at) kaist.ac.kr

Evaluation

• Attendance/Participation: 5%
• Midterm exam: 20%
• Homework: 15%
• Presentation: 20%
• Project: 40%

Schedule

• 8/28 Course Introduction

• 8/30 Web programmging
  • Group project announced
• 9/4 Server-side Web attacks(1)
  • Reading materials

    N. Jovanovic et al. Pixy: a static analysis tool for detecting Web application vulnerabilities (S&P 2006)
    S. Bandhakavi et al. CANDID: preventing sql injection attacks using dynamic candidate evaluations (CCS 2007)
    Son et al. "Diglossia: Detecting Code-Injection Attacks with Precision and Efficiency" (CCS 2013)
    Ray et al. "Defining Code-injection Attacks" (POPL 2012)
    

• 9/6 Server-side Web attacks(2)

• 9/11 Cross-site Scripting (1)
  • Reading materials

    Zalewski. "Postcards from the Post-XSS World" (2011)
    S. Lekis et al. 25 million flows later: large-scale detection of DOM-based XSS (CCS 2013)
    

  • Team selection due 9/13 (2 persons for one team)

• 9/13 Cross-site Scripting (2)

• 9/18 Content Security Policy
  • Reading materials

    L. Weichselbaum et al. CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy, (CCS 2016)
    A. Doupe et al. deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation (CCS 2013)
    

• 9/20 CSRF
  • Reading materials

    A. Barth et al. Robust Defenses for Cross-Site Request Forgery, (CCS 2008)
    

• 9/25 Clickjacking & Browser extensions
  • Reading materials

    Huang et al. Clickjacking: Attacks and Defenses (Usenix Security 2012)
    Rydstedt et al. Busting frame busting: a study of clickjacking vulnerabilities at popular sites (W2SP 2010)
    A. Kapravelos et al. Hulk: Eliciting Malicious Behavior in Browser Extensions, (USENIX 2014)
    Thomas et al. Ad Injection at Scale: Assessing Deceptive Advertisement Modifications (S&P 2015)
    Jagpal et al. Trends and Lessons from Three Years Fighting Malicious Extensions (USENIX 2015)
    

• 9/27 Phishing & Spam
  • Reading materials

    Jagatic et al. Social Phishing, (Communication of ACM, 2007)
    

• 10/2 Holiday

• 10/4 Password & Two-factor Auth (1)
  • Reading materials

    Bonneau et al. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes (S&P 2012).
    Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords (S&P 2012)
    Universal 2nd Factor (U2F) Overview (FIDO Alliance Proposed Standard, 2015)
    

• 10/9 Holiday

• 10/11 Password & Two-factor Auth (2)

• 10/16
  • [No class] Midterm season
• 10/18
  • Midterm exam
  • E3-1 3445 (10:00 A.M. ~ 11:45 A.M.)
• 10/23 HTTPS
  • Reading materials

    Sotirov et al. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate (CRYPTO 2009)
    Lenstra et al. Ron was Wrong, Whit is Right (CRYPTO 2012).
    Adrian et al. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (CCS 2015)
    

• 10/25 Tracking

• 10/30 Student Presentation - XSS
  • Reading materials
  • Presenter 1: Valentin Guittard

    Lekis et al. 25 Million Flows Later - Large-scale Detection of DOM-based XSS, in: CCS. (CCS 2013) 
    

  • Presenter 2: Jaehong Jung

    Steffens et al. PMForce: Systematically Analyzing postMessage Handlers at Scale (CCS 2020) 
    

• 11/1 Student Presentation - Web attacks
  • Reading materials
  • Presenter 3: Changjo Yun

    Khodayari et al. It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses (S&P 2023) 
    

  • Presenter 4: Laszlo Barak

    Drakonakis et al. The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws (CCS 2020) 
    

• 11/6 Student Presentation - Web Service attacks
  • Reading materials
  • Presenter 5: Jinseo Kim

    Hao et al. It's Not What It Looks Like: Manipulating Perceptual Hashing based Applications (CCS 2021) 
    

  • Presenter 6: Matyas Richter

    Zhang et al. Reverse Attack: Black-box Attacks on Collaborative Recommendation (CCS 2021)
    

• 11/8 Student Presentation - Phishing
  • Reading materials
  • Presenter 7: Seong Jun Lee

    Oest et al. Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale (USENIX 2020)
    

  • Presenter: Sooel Son:

    Kim et al. HearMeOut: Detecting Voice Phishing Activities in Android (MobiSys 2022) 
    

• 11/13 Student Presentation - Phishing
  • Reading materials
  • Presenter 8: Sungwoo Jeon

    Zhang et al. CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing  (S&P 2021)
    

  • Presenter 9: Kevin Chen

    Kondracki et al. Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits (CCS 2021)
    

• 11/15 Student Presentation - Mobile web security
  • Reading materials
  • Presenter 10: Clovis Fourdrinier

    Shen et al. Understanding Worldwide Private Information Collection on Android (NDSS 2021) 
    

  • Presenter 11: Eunchan Park

    Zhang et al. Identity Confusion in WebView-based Mobile App-in-app Ecosystems (USENIX 2022) 
    

• 11/20 Student Presentation - Tracking & Ad
  • Reading materials
  • Presenter 12: Robert Krzysztof Noparlik

    Munir et al. CookieGraph: Understanding and Detecting First-Party Tracking Cookies (CCS 2023)
    

  • Presenter 13: Seongho Keum

    Oest et al. PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists  (USENIX 2020) 
    

• 11/22 Student Presentation - Fingerprinting, Fuzzing
  • Reading materials
  • Presenter 14: Seungjin Baek

    Solomos et al. The Dangers of Human Touch: Fingerprinting Browser Extensions through User Actions (USENIX 2022) 
    

  • Presenter: Suyoung Lee

    Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer. (USENIX 2020)
    

• 11/27 No class

• 11/29 No class (undergraduate admission interview)

• 12/4 Final Project Presentation (1)
  • Presenters:
    • Kevin Chen & Valentin Guitard
    • Seungjin Baek & Eunchan Park
    • Jinseo Kim & Changjo Yun
    • Jaehong Jung & Robert Noparlik
• 12/6 Final Project Presentation (2) & Wrap-up
  • Presenters:
    • Matyas Richter & Laszlo Barak
    • Seongho Keum & Sungwoo Jeon
    • Seongjun Lee & Clovis Fourdrinier
• 12/14
  • Deadline for your final course project report