Publications

YURASCANNER: Leveraging LLMs for Task-driven Web App Scanning

Aleksei Stafeev, Tim Recktenwald, Gianluca De Stefano, Soheil Khodayari, Giancarlo Pellegrino

Uncovering the Role of Support Infrastructure in Clickbait PDF Campaigns

Giada Stivala, Gianluca De Stefano, Andrea Mengascini, Mariano Graziano, Giancarlo Pellegrino

The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web

Soheil Khodayari, Thomas Barber, Giancarlo Pellegrino

The Big Brother's New Playground: Unmasking the Illusion of Privacy in Web Metaverses from a Malicious User's Perspective

Andrea Mengascini, Ryan Aurelio, Giancarlo Pellegrino

SSRF vs. Developers: A Study of SSRF-Defenses in PHP Applications

Malte Wessels, Simon Koch, Giancarlo Pellegrino, Martin Johns

SoK: State of the Krawlers - Evaluating the Effectiveness of Crawling Algorithms for Web Security Measurements

Aleksei Stafeev, Giancarlo Pellegrino

Rag and Roll: An End-to-End Evaluation of Indirect Prompt Manipulations in LLM-based Application Frameworks

Gianluca De Stefano, Lea Schönherr, Giancarlo Pellegrino

The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web

Jannis Rautenstrauch, Giancarlo Pellegrino, Ben Stock

It's (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses

Soheil Khodayari, Giancarlo Pellegrino

From Attachments to SEO: Click Here to Learn More about Clickbait PDFs!

Giada Stivala, Sahar Abdelnabi, Andrea Mengascini, Mariano Graziano, Mario Fritz, Giancarlo Pellegrino

The State of the SameSite: Studying the Usage, Effectiveness, and Adequacy of SameSite Cookies

Soheil Khodayari, Giancarlo Pellegrino

Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks

Xhelal Likaj, Soheil Khodayari, Giancarlo Pellegrino

JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals

Soheil Khodayari, Giancarlo Pellegrino

Black Widow: Blackbox Data-driven Web Scanning

Benjamin Eriksson, Giancarlo Pellegrino, Andrei Sabelfeld

SentiNet: Detecting Localized Universal Attack Against Deep Learning Systems

Edward Chou, Florian Tramer, Giancarlo Pellegrino

Raccoon: Automated Verification of Guarded Race Conditions in Web Applications

Simon Koch, Tim Sauer, Martin Johns, Giancarlo Pellegrino

Deceptive Previews: A Study of the Link Preview Trustworthiness in Social Platforms

Giada Stivala, Giancarlo Pellegrino

Automatic Uncovering of Hidden Behaviors from Input Validation in Mobile Apps

Qingchuan Zhao, Chaoshun Zuo, Brendan Dolan-Gavitt, Giancarlo Pellegrino, Zhiqiang Lin

Geo-locating Drivers: A Study of Sensitive Data Leakagein Ride-Hailing Services

Qingchuan Zhao, Chaoshun Zuo, Giancarlo Pellegrino, Zhiqiang Lin

Fidelius: Protecting User Secrets from Compromised Browsers

Saba Eskandarian, Jonathan Cogan, Sawyer Birnbaum, Peh Brandon, Dillon Franke, Forest Fraser, Gaspar Garcia, Eric Gong, Hung Nguyen, Taresh Sethi, Vishal Subbiah, Michael Backes, Giancarlo Pellegrino, Dan Boneh

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning

Florian Tramer, Pascal Dupre, Gili Rusak, Giancarlo Pellegrino, Dan Boneh

The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators

Martin Oltrogge, Erik Derr, Christian Stransky, Sascha Fahl, Yasemin Acar, Christian Rossow, Giancarlo Pellegrino, Sven Bugiel, Michael Backes

SentiNet: Detecting Localized Universal Attacks Against Deep Learning Systems

Edward Chou, Florian Tramer, Giancarlo Pellegrino

Formally Reasoning about the Cost and Efficacy of Securing the Email Infrastructure

Patrick Speicher, Marcel Steinmetz, Robert Kuennemann, Milivoj Simeonovski, Giancarlo Pellegrino, Jorg Hoffmann, Michael Backes

Fidelius: Protecting User Secrets from Compromised Browsers

Saba Eskandarian, Jonathan Cogan, Sawyer Birnbaum, Peh Brandon, Dillon Franke, Forest Fraser, Gaspar Garcia, Eric Gong, Hung Nguyen, Taresh Sethi, Vishal Subbiah, Michael Backes, Giancarlo Pellegrino, Dan Boneh

Didn't You Hear Me? - Towards More Successful Web Vulnerability Notifications

Ben Stock, Giancarlo Pellegrino, Frank Li, Christian Rossow, Michael Backes

AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning

Florian Tramer, Pascal Dupre, Gili Rusak, Giancarlo Pellegrino, Dan Boneh

Who Controls the Internet?: Analyzing Global Threats Using Property Graph Traversals

Milivoj Simeonovski, Giancarlo Pellegrino, Christian Rossow, Michael Backes

Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs

Giancarlo Pellegrino, Martin Johns, Simon Koch, Michael Backes, Christian Rossow

Uses and Abuses of Server-Side Requests

Giancarlo Pellegrino, Onur Catakoglu, Davide Balzarotti, Christian Rossow

POSTER: Mapping the Landscape of Large-Scale Vulnerability Notifications

Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, Michael Backes

Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification

Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, Michael Backes

On the Feasibility of Side-Channel Attacks in a Virtualized Environment

Tsvetoslava Vateva-Gurova, Jesus Luna, Giancarlo Pellegrino, Neeraj Suri

jAEk: Using Dynamic Analysis to Crawl and Test Modern Web Applications

Giancarlo Pellegrino, Constantin Tschuertz, Eric Bodden, Christian Rossow

In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services

Giancarlo Pellegrino, Davide Balzarotti, Stefan Winter, Neeraj Suri

Cashing Out the Great Cannon? On Browser-Based DDoS Attacks and Economics

Giancarlo Pellegrino, Christian Rossow, Fabrice J. Ryba, Thomas C. Schmidt, Matthias Waehlisch

Attribute-based Credentials for Trust: Technical Implementation and Feasibility

Gert Lassøe Mikkelsen, Kasper Damgard, Hans Guldager, Jonas Lindstrøm Jensen, Jesus Luna Garcia, Janus Dam Nielsen, Pascal Paillier, Giancarlo Pellegrino, Michael Bladt Stausholm, Neeraj Suri, Heng Zhang

Towards a framework for assessing the feasibility of side-channel attacks in virtualized environments

T. Vateva-Gurova, J. Luna, G. Pellegrino, N. Suri

Toward Black-Box Detection of Logic Flaws in Web Applications

Giancarlo Pellegrino, Davide Balzarotti

An Authentication Flaw in Browser-based Single Sign-On Protocols: Impact and Remediations

Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuellar, Giancarlo Pellegrino, Alessandro Sorniotti

A Tool for Supporting Developers in Analyzing the Security of Web-Based Security Protocols

Giancarlo Pellegrino, Luca Compagna, Thomas Morreggia

The AVANTSSAR Platform for the Automated Validation of Trust and Security of Service-Oriented Architectures

Alessandro Armando, Wihem Arsac, Tigran Avanesov, Michele Barletta, Alberto Calvi, Alessandro Cappai, Roberto Carbone, Yannick Chevalier, Luca Compagna, Jorge Cuellar, Gabriel Erzse, Simone Frau, Marius Minea, Sebastian Moedersheim, David Von Oheimb, Giancarlo Pellegrino, Serena Elisa Ponta, Marco Rocchetto, Michael Rusinowitch, Mohammad Torabi Dashti, Mathieu Turuani, Luca Vigano

From Model-Checking to Automated Testing of Security Protocols: Bridging the Gap

Alessandro Armando, Giancarlo Pellegrino, Roberto Carbone, Alessio Merlo, Davide Balzarotti

Security Validation of Business Processes via Model-Checking

Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, Serena Elisa Ponta

From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?

Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuellar, Giancarlo Pellegrino, Alessandro Sorniotti

Automatic Security Analysis of SAML-based Single Sign-On Protocols

Alessandro Armando, Roberto Carbone, Luca Compagna

Model-Checking Driven Security Testing of Web-Based Applications

A. Armando, R. Carbone, L. Compagna, K. Li, G. Pellegrino