IS542: Web Service Security and Privacy
The course provides an in-depth study of numerous web attacks and defenses. It covers the security vulnerabilities and privacy risks that exist on the Web, and discusses how to detect those vulnerabilities and mitigate the privacy risks.
Basic Information
- Lecture: Tuesday/Thursday 2:30 - 3:45, Room 3445 E3-1
- Instructor: Sooel Son
- Email: sl.son (at) kaist.ac.kr
- Homepage: https://sites.google.com/site/ssonkaist/
- Office hours: TBD
- T.A.:
- Dongwon Shin: dongwon.shin (at) kaist.ac.kr
Evaluation
- Attendance/Participation: 10%
- Midterm exam: 20%
- HW: 10%
- Presentation: 20%
- Project: 40%
Schedule
- 9/3 Course Introduction
- 9/5 Web programming
  - Group project announced
- 9/10 Server-side Web attacks (1)
  - Reading materials
    - N. Jovanovic et al. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (S&P 2006)
    - S. Bandhakavi et al. CANDID: Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations (CCS 2007)
    - Son et al. Diglossia: Detecting Code-Injection Attacks with Precision and Efficiency (CCS 2013)
    - Ray et al. Defining Code-Injection Attacks (POPL 2012)
- 9/12 Server-side Web attacks (2)
  - Team selection due 9/16 (two people per team)
- 9/17 Holiday
- 9/19 Cross-site Scripting (1)
  - Reading materials
    - Zalewski. Postcards from the Post-XSS World (2011)
    - S. Lekies et al. 25 Million Flows Later: Large-scale Detection of DOM-based XSS (CCS 2013)
- 9/24 Cross-site Scripting (2)
- 9/26 Content Security Policy
  - Reading materials
    - L. Weichselbaum et al. CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy (CCS 2016)
    - A. Doupe et al. deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation (CCS 2013)
- 10/1 Holiday
- 10/3 Holiday
- 10/8 CSRF
  - Reading materials
    - A. Barth et al. Robust Defenses for Cross-Site Request Forgery (CCS 2008)
- 10/10 Clickjacking & Browser extensions
  - Reading materials
    - Huang et al. Clickjacking: Attacks and Defenses (USENIX Security 2012)
    - Rydstedt et al. Busting Frame Busting: A Study of Clickjacking Vulnerabilities at Popular Sites (W2SP 2010)
    - A. Kapravelos et al. Hulk: Eliciting Malicious Behavior in Browser Extensions (USENIX 2014)
    - Thomas et al. Ad Injection at Scale: Assessing Deceptive Advertisement Modifications (S&P 2015)
    - Jagpal et al. Trends and Lessons from Three Years Fighting Malicious Extensions (USENIX 2015)
- 10/15 Phishing & Spam
  - Reading materials
    - Jagatic et al. Social Phishing (Communications of the ACM, 2007)
- 10/17 Password & Two-factor Auth (1)
  - Reading materials
    - Bonneau et al. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes (S&P 2012)
    - Bonneau. The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords (S&P 2012)
    - Universal 2nd Factor (U2F) Overview (FIDO Alliance Proposed Standard, 2015)
- 10/22
  - [No class] Midterm season
- 10/24
  - Midterm exam
  - E3-1 3445 (1:00 P.M. ~ 3:00 P.M.)
- 10/29 Tracking
- 10/31 HTTPS
  - Reading materials
    - Sotirov et al. Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate (CRYPTO 2009)
    - Lenstra et al. Ron was Wrong, Whit is Right (CRYPTO 2012)
    - Adrian et al. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice (CCS 2015)
- 11/5 Differential Privacy
- 11/7 Student Presentation - Web application vulnerabilities
  - Reading materials
    - Presenter 1: Heechan Yang
      - Lee et al. FUSE: Finding File Upload Bugs via Penetration Testing (NDSS 2020)
    - Presenter 2: Ga-eun Bae
      - Khodayari et al. It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses (S&P 2023)
- 11/12 Student Presentation - Web service vulnerabilities
  - Reading materials
    - Presenter 3: MERZOUK Youri
      - Khodayari et al. The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web (S&P 2024)
    - Presenter 4: Ilman MOHAMMAD AL MOMIN
      - Drakonakis et al. The Cookie Hunter: Automated Black-box Auditing for Web Authentication and Authorization Flaws (CCS 2020)
- 11/14 Student Presentation - Fingerprinting
  - Reading materials
    - Presenter 5: Ilman MOHAMMAD AL MOMIN
      - Kondracki et al. Smudged Fingerprints: Characterizing and Improving the Performance of Web Application Fingerprinting (USENIX 2024)
    - Presenter 6: Krystof Rohan
      - Zhang et al. Peeking Through the Window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions (CCS 2024)
- 11/19 Student Presentation - Phishing
  - Reading materials
    - Presenter 7: Heechan Yang
      - Oest et al. Sunrise to Sunset: Analyzing the End-to-end Life Cycle and Effectiveness of Phishing Attacks at Scale (USENIX 2020)
    - Presenter 8: Yoonha Bahng
      - Kim et al. HearMeOut: Detecting Voice Phishing Activities in Android (MobiSys 2022)
- 11/21 Student Presentation - Phishing
  - Reading materials
    - Presenter 9: Ga-eun Bae
      - Zhang et al. CrawlPhish: Large-scale Analysis of Client-side Cloaking Techniques in Phishing (S&P 2021)
    - Presenter 10: Heiko Kiesel
      - Kondracki et al. Catching Transparent Phish: Analyzing and Detecting MITM Phishing Toolkits (CCS 2021)
- 11/26 Student Presentation
  - Reading materials
    - Presenter 11: Yoonha Bahng
      - Zhiyuan et al. Don't Listen To Me: Understanding and Exploring Jailbreak Prompts of Large Language Models (USENIX 2024)
    - Presenter 12: MERZOUK Youri
      - Hoang et al. GFWeb: Measuring the Great Firewall's Web Censorship at Scale (USENIX 2024)
- 11/28 No class (undergraduate admission interview)
- 12/3 Student Presentation - Tracking & Ad
  - Reading materials
    - Presenter 13: Heiko Kiesel
      - Munir et al. CookieGraph: Understanding and Detecting First-Party Tracking Cookies (CCS 2023)
    - Presenter 14: Krystof Rohan
      - Oest et al. PhishTime: Continuous Longitudinal Measurement of the Effectiveness of Anti-phishing Blacklists (USENIX 2020)
- 12/5 Guest lecture
- 12/10 Final Project Presentation (1)
  - Presenters:
- 12/12 Final Project Presentation (2)
- 12/14
  - Deadline for your final course project report