Web Security

The web is now part of everyone’s life and it constitutes the primary means of access to many useful services with strict security requirements. As a result, vulnerabilities on the web platform may enable vicious attacks with catastrophic consequences, ranging from economic losses, e.g., in the case of attacks against payment providers like PayPal, to privacy violations, e.g., in the case of improper disclosure of electronic health records. Security-critical services are more and more supplied online today and this increases the need of effective defenses for the web platform.

Unfortunately, it is well-known that protecting online services is complicated, given the intrinsic complexity of the web. The web ecosystem is variegate and includes a large number of different components and technologies, hence the attack surface against web applications is incredibly large: security flaws in the web browser may expose authentication credentials and sensitive data stored in web pages; vulnerabilities of web protocols may break the confidentiality and the integrity of the communication session; and errors in the web application code may lead to the inclusion of malicious contents in otherwise trusted web pages. Even experienced web developers and security practitioners have a hard time at taming this complexity, leading to the proliferation of security breaches in the wild.

The ACADIA Center has contributed to the web security area by devising novel solutions against known web vulnerabilities, by assessing the effectiveness of existing countermeasures and by designing automated attack finding tools for penetration testing.

Selected Publications

  1. S. Calzavara, R. Focardi, M. Nemec, A. Rabitti, M. Squarcina – Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem, to appear in IEEE Symposium on Security and Privacy (2019)
  2. S. Calzavara, R. Focardi, M. Maffei, C. Schneidewind, M. Squarcina, M. Tempesta – WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring, in USENIX Security (2018)
  3. S. Calzavara, A. Rabitti, M. Bugliesi – Semantics-based analysis of Content Security Policy deployment, in ACM Transactions on the Web (2018)
  4. S. Calzavara, R. Focardi, M. Squarcina, M. Tempesta – Surviving the Web: a journey into web session security, in ACM Computing Surveys (2017)
  5. S. Calzavara, A. Rabitti, M. Bugliesi – CCSP: Controlled relaxation of content security policies by runtime policy composition, in Usenix Security Symposium (2017)
  6. S. Calzavara, A. Rabitti, M. Bugliesi – Content Security Problems? Evaluating the effectiveness of Content Security Policy in the wild, in ACM Conference on Computer and Communication Security (2017)
  7. M. Bugliesi, S. Calzavara, R. Focardi – Formal methods for web security, in Journal of Logical and Algebraic Methods in Programming (2017)
  8. S. Calzavara, R. Focardi, N. Grimm, M. Maffei – Micro-policies for web session security, in IEEE Computer Security Foundations Symposium (2016)
  9. M. Bugliesi, S. Calzavara, R. Focardi, W. Khan – CookiExt: patching the browser against session hijacking attacks, in Journal of Computer Security (2015)
  10. S. Calzavara, G. Tolomei, A. Casini, M. Bugliesi, S. Orlando – A supervised learning approach to protect client authentication on the Web, in ACM Transactions on the Web (2015)