I am hiring!

I am looking for PhD students in any of our areas of interest! Instructions to apply (and a brand new CTF web challenge!) are here.

Drop me an email for more information!

I am a faculty at CISPA Helmholtz Center for Information Security, leading the Application Security (AppSec) research group.

These are currently our areas of interest:

Broad web security area (e.g., web vulnerability detection, analysis, measurements, etc.)
Program analysis (e.g., web application scanners, static program analysis, client and server-side code analysis, etc.)
Security of immersive web applications (e.g., metaverse security and privacy, WebXR, etc.)
Machine learning and artificial intelligence for program analysis

Research

Current interests

Techniques for Vulnerability Detection:

JavaScript analyses at scale (JAW [USENIX Sec ‘21, IEEE S&P ‘23+‘24])
Web application scanners ([NDSS ‘25] LLM-based scanner, SoK on crawlers [USENIX Sec ‘24] Black Widow [IEEE SP 2021], jAEk [RAID 2015])

Web Vulnerability Analysis

Request forgery (SSRF/CSRF) and request hijacking (CSHR) vulnerabilities (Same-site Cookies [IEEE S&P 2022], CSHR [USENIX Sec ‘21/IEEE S&P ‘24], Defenses [RAID 2021], CSRF [ACM CSS 2017], SSRF detection [USENIX Sec ‘24], Link previews [NDSS 2020], SSR Abuse/Web Origin Laundering [RAID 2016])
Script-less XSS (DOM Clobbering [IEEE S&P ‘23])
Other web vulnerabilities: Web API security [NDSS 2019], Logic vulnerabilities [NDSS 2014]

Web Platform Security:

Security of Immersive Web Platforms [ACM CCS 2024]
Web enclaves and trusted user I/O path (Fidelius [IEEE SP 2019])
Internet core services security (Who controls the Internet [WWW 2017], the Great Cannon [WOOT 2015])

AI/ML and Application Security:

Security of LLM-based Applications (Rag-n-Roll [arXiv ‘24])
Attacking perceptual ad-blocking [CCS 2019] and adversarial physical attacks detection [IEEE DLS 2020]

Distinguished paper award, IEEE SP ‘24: The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web. Proceedings of 45th IEEE Symposium on Security and Privacy.
Distinguished paper award, IEEE SP ‘23: It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses. Proceedings of the 44th IEEE Symposium on Security and Privacy.
Distinguished paper award, IEEE SP ‘23: The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web. Proceedings of the 44rd IEEE Symposium on Security and Privacy.

PC co-chair: USENIX Security (2025)
Vice PC chair: USENIX Security (2023, 2024)
Area chair: TheWebConf (2024)
PC member at IEEE S&P (2024, 2023, 2022, 2021), ACM CCS (2023, 2021, 2020, 2018), USENIX Security (2022, 2021, 2020, 2019), IEEE Euro S&P (2023, 2022, 2020), ACSAC (2023, 2022, 2021, 2020, 2019, 2018, 2017), ACM AsiaCCS (2022, 2021, 2020, 2019), The Web Conference WWW (2023, 2022, 2021, 2020), DIMVA (2023, 2022, 2021, 2020), RAID (2022), SecWeb (2022, 2020), EuroSec (2022, 2021, 2020, 2019), ISC (2019), CARDS (2019), USENIX WOOT (2018), ACM CCS Poster (2016), IWCC (2016, 2015), DEPEND (2016, 2015), WTMC (2016), STAST (2014), NBiS (2014)
General co-chair for IEEE Euro S&P (2020)
PC co-chair for SECTEST2015
USENIX Security invited talks committee (2021, 2019)
Publicity chair for ACM CCS (2017)
Publication chair for DIMVA (2022, 2021)
Reviewer for ACM Computing Surveys, IEEE Transactions on Cloud Computing (TCC), and Transactions on Dependable and Secure Computing (TDSC)