Send email Copy Email Address
© Tobias Ebelshäuser
Research Group

Stock

Secure Web Applications Group

The Secure Web Applications Group (or SWAG, for short) conducts its research in all areas related to Web Security. Of particular focus is research around client-side security, in the detection, analysis, and mitigation of attacks around JavaScript. In addition, we research how to best communicate discovered vulnerabilities to affected operators. Furthermore, we investigate how malicious JavaScript may adversely affect users on the Web, researching both novel ways of detecting such scripts and attacking existing defensive solutions. Want to work with us? See the details for PhD students, thesis students, and student helper at our jobs page.

Head of Group

Ben Stock

Email

Address

Kaiserstraße 21
66386 St. Ingbert (Germany)

Members

Sebastian Roth
Placeholder

Metodi Mitkov
Placeholder

Moritz Wilhelm

Shubham Agarwal
Placeholder

Jannis Rautenstrauch

Florian Hantke
Placeholder

Thomas Helbrecht
Placeholder

Christine Utz

Most Recent Publications

Year 2023

2023-07-10

Comparing Large-Scale Privacy and Security Notifications

Conference / Medium

PETS
Proceedings on Privacy Enhancing TechnologiesPETS 2023

Tags
Secure Connected and Mobile Systems
Authors
Download Visit Detail Page
2023-05

The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web

Conference / Medium

SP
2023 IEEE Symposium on Security and Privacy (SP)44th IEEE Symposium on Security and Privacy

Tags
Secure Connected and Mobile Systems
Authors
Download Visit Detail Page
2023-02

DiffCSP: Finding Browser Bugs in Content Security Policy Enforcement through Differential Testing

Conference / Medium

NDSS
NDSSNDSS

Tags
Secure Connected and Mobile Systems
Authors
Download Visit Detail Page
2023-01

Privacy Rarely Considered: Exploring Considerations in the Adoption of Third-Party Services by Websites

Conference / Medium

PETS
Proceedings on Privacy Enhancing Technologies (PoPETs)PETS 2023

Tags
Secure Connected and Mobile Systems
Authors
Download Visit Detail Page

Year 2022

2022-11-09

Helping or Hindering? How Browser Extensions Undermine Security

Conference / Medium

CCS
ACM CCS 2022The 29th ACM Conference on Computer and Communications Security (CCS)

Tags
Secure Connected and Mobile Systems
Authors
Download Visit Detail Page

PROJECTS

CURRENT PROJECTS

The Web is arguably the most popular platform for information exchange today. To allow for a better user experience, much functionality is shifted towards the client. This shift also increases the complexity of client-side code and hence the attack surface. This can be exhibited in increased vulnerabilities such as Client-Side Cross-Site Scripting. We therefore try to better understand these issues and develop and evaluate potential solutions In general, our research investigates all types of client-side Web security, including areas such as CSP and framing control.

Although detection of many types of web-based flaws has been in the focus of researchers over the previous years, notifying affected parties barely got any attention. For this project, we try to identify potential channels for notification and evaluate their effectiveness. Also, we try to improve not only on technical measures like avoiding spam filters, but also try to understand the human aspects of a notification, such as how different wording might influence the success of a notification.

With its prevalence in the browser, JavaScript also makes for a prime target for attackers. Therefore, our group researches new ways of detecting malicious JavaScript in the wild. Specifically, this subsumes work in which we automatically generate signatures for exploit kits, alleviating the burden of malware analysists .In addition, our work focusses on detection of malicious JavaScript in general through methods of machine learning and novel ways of bypassing existing static analysis tools.