Date and time: 19 January 2024, 11:00 – 12:00 CET
Speaker: Andrei Sabelfeld, Chalmers University
Title: Next Generation Web Crawling and Security Scanning
Where: Digital Futures hub, Osquars Backe 5, floor 2 at KTH main campus or Zoom
Directions: https://www.digitalfutures.kth.se/contact/how-to-get-here/
Zoom: https://kth-se.zoom.us/s/8088501391
Moderator and administrator: Musard Balliu, musard@kth.se
This seminar is co-sponsored by Digital Futures and KTH Security
Watch the recorded presentation
Abstract: Securing web applications is a pressing challenge, as manifested by millions of dollars paid in bounties annually by the web’s big players like Google and Meta (Facebook). Web security scanners play an important role, focusing on crawling and scanning for vulnerabilities. Unfortunately, the state of the art falls short of deeply exploring web applications, running into roadblocks on both the client and server side and failing to track non-trivial data and control flows in web applications.
This talk illuminates key challenges for crawling and scanning the modern web. To tackle these challenges, we showcase a line of work that 1) develops navigation modelling, page traversing, and tracking inter-page dependencies as the foundation for Next Generation Web Crawling and Scanning; 2) leverages SMT solving to pass input validation while scanning the web; and 3) leverages database-aware fuzzing to find unprotected output. We demonstrate how our approach leads to both boosting the code coverage and discovering new vulnerabilities in production software, including HotCRP, osCommerce, PrestaShop, and WordPress.
The talk is based on the S&P’21, CCS’23, and USENIX’24 papers written jointly with Benjamin Eriksson, Eric Olsson, Giancarlo Pellegrino, Adam Doupé, Amanda Stjerna, Riccardo De Masellis, and Philipp Ruemmer.
Bio: Andrei Sabelfeld is a Chalmers University of Technology Professor and newly appointed part-time Visiting Professor at KTH. Before becoming a faculty member, he was a Research Associate at Cornell University in Ithaca, NY, USA. Andrei Sabelfeld’s research ranges from foundations to practice in various computer security and privacy topics. He has received several prestigious prizes and awards from ERC, SSF, VR, WASP, Chalmers, Google, Meta (Facebook), and Amazon. Today, he leads a group of researchers at Chalmers engaged in many internationally visible projects on software security, web security, IoT security, security foundations, and applied cryptography.