Research Group

Pellegrino

Application Security

Web application software is by far one of the most critical assets of our digital life. The Application Security (AppSec, in short) research group addresses the pressing challenges of identifying, studying, and solving vulnerabilities in modern web application software, at the application and platform levels. Our current interests include the analysis of new web vulnerabilities, program analysis (static, dynamic, and hybrid) that operates at scale, application of ML/AI to web application security, and the security and privacy of future application software systems, including immersive web applications.

Head of Group

Giancarlo Pellegrino

Email

Address

Kaiserstraße 21
66386 St. Ingbert (Germany)

Members

Giada Martina Stivala

Aleksei Stafeev

Gianluca De Stefano

© Tobias Ebelshäuser

Andrea Mengascini

Tim Recktenwald

Ryan Aurelio

Most Recent Publications

Year 2025

2025-07-11

Less is More: Boosting Coverage of Web Crawling through Adversarial Multi-Armed Bandit

Conference / Medium

55th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

Tags

Authors

Lorenzo Cazzaro
Stefano Calzavara
Maksim Kovalkov
Aleksei Stafeev
Giancarlo Pellegrino

Full Paper Visit Detail Page

2025-04-28

Permission Rationales in the Web Ecosystem: An Exploration of Rationale Text and Design Patterns

Conference / Medium

International Conference on Human Factors in Computing Systems (CHI)

Tags

Empirical & Behavioral Security

Authors

Yusra Elbitar
Soheil Khodayari
Marian Harbach
Gianluca De Stefano
Balazs Csaba Engedy
Giancarlo Pellegrino
Sven Bugiel

Full Paper Visit Detail Page

2025-02-24

Do (Not) Follow the White Rabbit: Challenging the Myth of Harmless Open Redirection

Conference / Medium

Network and Distributed System Security Symposium (NDSS)

Tags

Empirical & Behavioral Security

Authors

Soheil Khodayari
Kai Glauber
Giancarlo Pellegrino

Full Paper Visit Detail Page

Year 2024

2024-12-09

YuraScanner: Leveraging LLMs for Task-driven Web App Scanning

Conference / Medium

Network and Distributed System Security Symposium (NDSS)

Tags

Empirical & Behavioral Security

Authors

Full Paper Visit Detail Page

2024-08

SSRF vs. Developers: A Study of SSRF-Defenses in PHP Applications

Conference / Medium

Usenix Security Symposium (USENIX-Security)

Tags

Empirical & Behavioral Security

Authors

Malte Wessels
Simon Koch
Giancarlo Pellegrino
Martin Johns

Full Paper Visit Detail Page