CORDIS - EU research results

TEStabiliTy pAttern-driven weB appLication sEcurity and privacy testing

CORDIS provides links to the public deliverables and publications of HORIZON projects.

Links to the deliverables and publications of FP7 projects, as well as links to some specific result types such as datasets and software, are dynamically retrieved from OpenAIRE.

Deliverables

Dissemination and Exploitation Progress Report, Year 1

Intermediate report on the dissemination activities performed during the first year of the project, i.e., T8.2, T8.3, and T8.4.

Final Report on Privacy Testing Solutions

This deliverable will describe and present the performance evaluation of the final privacy testing solutions of T4.2.

Dissemination and Exploitation Progress Report, Year 2

Intermediate report on the dissemination activities performed during the second year of the project, i.e., T8.2, T8.3, and T8.4.

Pattern Discovery Evaluation Report

Final report on T6.1.

Large Scale Assessment of Publicly Available Case Studies

Final report on T7.2.

Analysis of Requirements

Final report on the progress on T2.1.

Initial set of Case Studies

Final report on T7.1.

Definition of the Scope of Privacy Testing

This deliverable will report on T4.1, and it will provide a comprehensive description of the required privacy patterns that need to be considered in privacy testing by taking into account both the existing solutions and the elements that are missing.

Initial Set of Testability Patterns

Intermediate report on the progress of T2.2.

Security and Privacy Mitigation Report

Final report on T6.3.

Final Report on Techniques to Increase Testability

Final report on T3.2.

Preliminary Report on Techniques to Increase Testability

Intermediate report on the progress of T3.2.

Intermediate Report on AI/ML Testing Solutions

This deliverable will describe and present the initial performance evaluation of the interim AI/ML testing solutions of T5.2.

Testability Improvement Report

Final report on T6.2.

Definition of the Scope of AI/ML Testing

This deliverable will report on T5.1, and it will provide a comprehensive description of the required patterns that need to be considered in AI/ML testing by taking into account both the existing solutions and the elements that are missing.

Final Dissemination and Exploitation Report

Final dissemination deliverable, which includes the plan for exploitation and the report of the standardization activities, i.e., T8.2, T8.3, and T8.4.

Final Report on AI/ML Testing Solutions

This deliverable will describe and present the performance evaluation of the final AI/ML testing solutions of T5.2.

Report on Security and Privacy Indicators

Intermediate report on the progress of T2.3.

Report on Security Testing Building Block Techniques

Report on T3.1.

Final Report on Testability Patterns

Final report on the progress of T2.2.

Intermediate Report on Privacy Testing Solutions

This deliverable will describe and present the initial performance evaluation of the interim privacy testing solutions of T4.2.

Initial Assessment of Publicly Available Case Studies

Intermediate report on the progress on T7.2.

Web Site and Digital Presence

Creation and setup of the project's website and social platform accounts for digital presence (T8.1).

Publications

Raze to the Ground: Query-Efficient Adversarial HTML Attacks on Machine-Learning Phishing Webpage Detectors

Authors: Biagio Montaruli, Luca Demetrio, Maura Pintor, Luca Compagna, Davide Balzarotti, Battista Biggio
Published in: Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security, 2024
Publisher: ACM
DOI: 10.1145/3605764.3623920

FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities

Authors: Samuel Groß, Simon Koch, Lukas Bernhard, Thorsten Holz, Martin Johns
Published in: Proceedings 2023 Network and Distributed System Security Symposium, 2023
Publisher: Internet Society
DOI: 10.14722/ndss.2023.24290

Poster: The Risk of Insufficient Isolation of Database Transactions in Web Applications

Authors: Simon Koch, Malte Wessels, David Klein, Martin Johns
Published in: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, Issue 202, 2024, Page(s) 3576-3578
Publisher: ACM
DOI: 10.1145/3576915.3624394

Keeping Privacy Labels Honest

Authors: Simon Koch (Technische Universität Braunschweig, Institute for Application Security), Malte Wessels (Technische Universität Braunschweig, Institute for Application Security), Benjamin Altpeter (Datenanfragen.de e. V.), Madita Olvermann (Technische Universität Braunschweig, Industrial/Organizational and Social Psychology), Martin Johns (Technische Universität Braunschweig, Institute for Applica
Published in: Proceedings on Privacy Enhancing Technologies Symposium, Volume 2022, Issue 4, 2022, Pages 486–506
Publisher: Privacy Enhancing Technologies Board
DOI: 10.56553/popets-2022-0119

Testability Tarpits: the Impact of Code Patterns on the Security Testing of Web Applications

Authors: Feras Al Kassar, Giulia Clerici, Luca Compagna, Davide Balzarotti, Fabian Yamaguchi
Published in: Proceedings 2022 Network and Distributed System Security Symposium, 2023
Publisher: Internet Society
DOI: 10.14722/ndss.2022.24150

Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions

Authors: Klein, David; Barber, Thomas; Bensalim, Souphiane; Stock, Ben; Johns, Martin
Published in: EuroS&P IEEE European Symposium on Security and Privacy, 2022
Publisher: IEEE
DOI: 10.1109/eurosp53844.2022.00023

General Data Protection Runtime: Enforcing Transparent GDPR Compliance for Existing Applications

Authors: David Klein, Benny Rolle, Thomas Barber, Manuel Karl, Martin Johns
Published in: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2024, Page(s) 3343-3357
Publisher: ACM
DOI: 10.1145/3576915.3616604

Domain and Website Attribution beyond WHOIS

Authors: Silvia Sebastián, Raluca-Georgia Diugan, Juan Caballero, Iskander Sanchez-Rola, Leyla Bilge
Published in: Annual Computer Security Applications Conference, 2023, Page(s) 124-137
Publisher: ACM
DOI: 10.1145/3627106.3627190

Exploring Current and Future Research Directions on XS-Leaks through an Extended Formal Model

Authors: Tom Van Goethem, Gertjan Franken, Iskander Sanchez-Rola, David Dworken, and Wouter Joosen
Published in: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security (ASIA CCS '22), 2022, Page(s) 784–798
Publisher: Association for Computing Machinery
DOI: 10.1145/3488932.3517416

Scripted Henchmen: Leveraging XS-Leaks for Cross-Site Vulnerability Detection

Authors: Tom Van Goethem, Iskander Sanchez-Rola, Wouter Joosen
Published in: 2023 IEEE Security and Privacy Workshops (SPW), Issue 7, 2024, Page(s) 371-383
Publisher: IEEE
DOI: 10.1109/spw59333.2023.00038

The OK Is Not Enough: A Large Scale Study of Consent Dialogs in Smartphone Applications

Authors: Koch, Simon; Altpeter, Benjamin; Johns, Martin
Published in: 32nd USENIX Security Symposium (USENIX Security 23), 2023, Page(s) 5467-5484
Publisher: USENIX Association

When Sally Met Trackers: Web Tracking From the Users' Perspective

Authors: Savino Dambra, Iskander Sanchez-Rola, Leyla Bilge, Davide Balzarotti
Published in: 31st USENIX Security Symposium (USENIX Security 22), 2022, Page(s) 2189–2206, ISBN 978-1-939133-31-1
Publisher: USENIX Association

Testability Tarpits: the Impact of Code Patterns on the Security Testing of Web Applications

Authors: Feras Al Kassar (SAP Security Research), Giulia Clerici (SAP Security Research), Luca Compagna (SAP Security Research), Davide Balzarotti (EURECOM), Fabian Yamaguchi (ShiftLeft Inc)
Published in: NDSS Symposium 2022, 2022
Publisher: Internet Society

Poster: Analysis of User Uniqueness on LinkedIn Based on Publicly Available Non-PII

Authors: Ángel Merino, José González-Cabañas, Ángel Cuevas, Rubén Cuevas
Published in: Proceedings of the 2023 ACM on Internet Measurement Conference, 2024, Page(s) 726-727
Publisher: ACM
DOI: 10.1145/3618257.3625000

WHIP: Improving Static Vulnerability Detection in Web Application by Forcing tools to Collaborate

Authors: Al-Kassar, Feras; Compagna, Luca; Balzarotti, Davide
Published in: 32nd USENIX Security Symposium (USENIX Security 23), 2023, Page(s) 6079-6096
Publisher: USENIX Association

Unique on Facebook: formulation and evidence of (nano)targeting individual users with non-PII data

Authors: González-Cabañas, José; Cuevas, Ángel; Cuevas, Rubén; López-Fernández, Juan; García, David
Published in: ACM Internet Measurement Conference (IMC '21), 2021
Publisher: Association for Computing Machinery
DOI: 10.1145/3487552.3487861

Analysis and Implementation of Nanotargeting on LinkedIn Based on Publicly Available Non-PII

Authors: Ángel Merino, José González-Cabañas, Ángel Cuevas, Rubén Cuevas
Published in: Proceedings of the CHI Conference on Human Factors in Computing Systems, Issue 671, 2024, Page(s) 1-22
Publisher: ACM
DOI: 10.1145/3613904.3642107

Proceedings of 45th IEEE Symposium on Security and Privacy

Authors: Khodayari, Soheil; Barber, Thomas; Pellegrino, Giancarlo
Published in: Proceedings of 45th IEEE Symposium on Security and Privacy, 2024
Publisher: IEEE

Scamdog Millionaire: Detecting E-commerce Scams in the Wild

Authors: Platon Kotzias, Kevin Roundy, Michalis Pachilakis, Iskander Sanchez-Rola, Leyla Bilge
Published in: Annual Computer Security Applications Conference, 2023, Page(s) 29-43
Publisher: ACM
DOI: 10.1145/3627106.3627184

SSRF vs. Developers: A Study of SSRF-Defenses in PHP Applications

Authors: Wessels, Malte; Koch, Simon; Pellegrino, Giancarlo; Johns, Martin
Published in: 33rd USENIX Security Symposium (USENIX Security 24), 2024, Page(s) 6777-6794
Publisher: USENIX

It’s (dom) clobbering time: Attack techniques, prevalence, and defenses

Authors: Khodayari, Soheil; Pellegrino, Giancarlo
Published in: 2023 IEEE Symposium on Security and Privacy, 2023, Page(s) 1041-1058
Publisher: IEEE

Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials

Authors: Klein, David; Johns, Martin
Published in: 2024 IEEE Symposium on Security and Privacy (SP), 2024, Page(s) 173-173
Publisher: IEEE

Robust Machine Learning for Malware Detection over Time

Authors: Daniele Angioni; Luca Demetrio; Maura Pintor; Battista Biggio
Published in: 6th Italian Conference on Cybersecurity, ITASEC 2022, 2022
Publisher: CEUR-WS

The Fault in Our Stars: An Analysis of GitHub Stars as an Importance Metric for Web Source Code

Authors: Koch, Simon; Klein, David; Johns, Martin
Published in: Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) 2024, 2024
Publisher: Internet Society

Generating Realistic Synthetic Curricula Vitae for Machine Learning Applications under Differential Privacy

Authors: Andrea Bruera, Francesco Alda, Francesco Di Cerbo
Published in: PROCEEDINGS - LREC 2022 Joint Workshop Language Resources and Evaluation Conference, 2022, Page(s) 53-63, ISBN 979-10-95546-96-2
Publisher: European Language Resources Association (ELRA)

Towards Understanding and Improving Security-Relevant Web Application Logging

Authors: Merve Sahin, Noemi Daniele
Published in: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, Issue 22, 2024, Page(s) 814-829
Publisher: ACM
DOI: 10.1145/3634737.3637647

Indicators of Attack Failure: Debugging and Improving Optimization of Adversarial Examples

Authors: Maura Pintor, Luca Demetrio, Angelo Sotgiu, Ambra Demontis, Nicholas Carlini, Battista Biggio, Fabio Roli
Published in: Advances in Neural Information Processing Systems, 2022, Page(s) 23063-23076
Publisher: Curran Associates, Inc.

Secure and explainable machine learning in Python

Authors: Maura Pintor, Luca Demetrio, Angelo Sotgiu, Marco Melis, Ambra Demontis, Battista Biggio
Published in: SoftwareX, Issue 23527110, 2022, ISSN 2352-7110
Publisher: Elsevier
DOI: 10.1016/j.softx.2022.101095

Online advertisement in a pink-colored market

Authors: Amir Mehrjoo, Rubén Cuevas, Ángel Cuevas
Published in: EPJ Data Science, Issue 13, 2024, ISSN 2193-1127
Publisher: Springer Nature
DOI: 10.1140/epjds/s13688-024-00473-2

A Deep Dive into the Accuracy of IP Geolocation Databases and its Impact on Online Advertising

Authors: Patricia Callejo, Marco Gramaglia, Rubén Cuevas, Ángel Cuevas
Published in: IEEE Transactions on Mobile Computing, Issue 22, 2024, Page(s) 4359-4373, ISSN 1536-1233
Publisher: Institute of Electrical and Electronics Engineers
DOI: 10.1109/tmc.2022.3166785

Overprofiling Analysis on Major Internet Players

Authors: Francisco Caravaca, José González-Cabañas, Ángel Cuevas, Rubén Cuevas
Published in: Proceedings on Privacy Enhancing Technologies, Issue 2024, 2024, Page(s) 929-946, ISSN 2299-0984
Publisher: Privacy Enhancing Technologies Board
DOI: 10.56553/popets-2024-0149

Estimating ideology and polarization in European countries using Facebook data

Authors: Francisco Caravaca, José González-Cabañas, Ángel Cuevas, Rubén Cuevas
Published in: EPJ Data Science, Issue 11, 2023, ISSN 2193-1127
Publisher: Springer Open
DOI: 10.1140/epjds/s13688-022-00367-1

Practical Attacks on Machine Learning: A Case Study on Adversarial Windows Malware

Authors: Luca Demetrio; Battista Biggio; Fabio Roli
Published in: IEEE Security & Privacy, 2022, Issue 15584046, 2022, Page(s) 77-85, ISSN 1558-4046
Publisher: IEEE
DOI: 10.1109/msec.2022.3182356

A Black-Box Privacy Analysis of Messaging Service Providers' Chat Message Processing

Authors: Robin Kirchner, Simon Koch, Noah Kamangar, David Klein, Martin Johns
Published in: Proceedings on Privacy Enhancing Technologies, Issue 2024, 2024, Page(s) 674-691, ISSN 2299-0984
Publisher: Petsymposium
DOI: 10.56553/popets-2024-0099

Expanding the Measurement of Culture with a Sample of Two Billion Humans

Authors: Nick Obradovich, Ömer Özak, Ignacio Martín, Ignacio Ortuño-Ortín, Edmond Awad, Manuel Cebrián, Rubén Cuevas, Klaus Desmet, Iyad Rahwan, Ángel Cuevas
Published in: Journal of the Royal Society Interface, 2022, ISSN 1742-5689
Publisher: The Royal Society
DOI: 10.3386/w27827

A new methodology to measure faultlines at scale leveraging digital traces

Authors: Amir Mehrjoo, Rubén Cuevas, Ángel Cuevas
Published in: EPJ Data Science, Issue 11, 2023, ISSN 2193-1127
Publisher: Springer Nature SharedIt
DOI: 10.1140/epjds/s13688-022-00350-w

Learning Type Inference for Enhanced Dataflow Analysis

Authors: Lukas Seidel, Sedick David Baker Effendi, Xavier Pinho, Konrad Rieck, Brink van der Merwe, Fabian Yamaguchi
Published in: Lecture Notes in Computer Science, Computer Security – ESORICS 2023, 2024, Page(s) 184-203
Publisher: Springer Nature Switzerland
DOI: 10.1007/978-3-031-51482-1_10

ModSec-Learn: Boosting ModSecurity with Machine Learning

Authors: Christian Scano, Giuseppe Floris, Biagio Montaruli, Luca Demetrio, Andrea Valenza, Luca Compagna, Davide Ariu, Luca Piras, Davide Balzarotti, Battista Biggio
Published in: Computer Science > Machine Learning, 2024
Publisher: arXiv e-prints
DOI: 10.48550/arxiv.2406.13547

Certified Adversarial Robustness of Machine Learning-based Malware Detectors via (De)Randomized Smoothing

Authors: Daniel Gibert, Luca Demetrio, Giulio Zizzo, Quan Le, Jordi Planes, Battista Biggio
Published in: Computer Science > Cryptography and Security, 2024
Publisher: arXiv e-prints
DOI: 10.48550/arxiv.2405.00392

Adversarial ModSecurity: Countering Adversarial SQL Injections with Robust Machine Learning

Authors: Montaruli, Biagio; Demetrio, Luca; Valenza, Andrea; Compagna, Luca; Ariu, Davide; Piras, Luca; Balzarotti, Davide; Biggio, Battista
Published in: Computer Science - Machine Learning, Issue 3, 2023
Publisher: arXiv e-prints
DOI: 10.48550/arxiv.2308.04964

Rag and roll: An end-to-end evaluation of indirect prompt manipulations in llm-based application frameworks

Authors: De Stefano, Gianluca; Pellegrino, Giancarlo; Schönherr, Lea
Published in: Computer Science > Cryptography and Security, 2024
Publisher: arXiv e-prints
DOI: 10.48550/arxiv.2408.05025

AttackBench: Evaluating Gradient-based Attacks for Adversarial Examples

Authors: Cinà, Antonio Emanuele; Rony, Jérôme; Pintor, Maura; Demetrio, Luca; Demontis, Ambra; Biggio, Battista; Ayed, Ismail Ben; Roli, Fabio
Published in: Computer Science > Machine Learning, 2024
Publisher: arXiv preprint
DOI: 10.48550/arxiv.2404.19460
