Here is a list of tools, prototypes, and datasets released as part of past and current research projects.

JAW

JAW is a hybrid, scalable framework for analyzing client-side JavaScript programs to detect client-side CSRF vulnerabilities. JAW can also be used to conduct interactive and exploratory analysis of JavaScript code.
[Home Page] [GitHub] [Paper]

Black Widow

Black Widow is a data-driven web application scanner that combines three techniques: navigation modeling, graph traversal, and tracking of inter-state dependencies.
[Download code] [Paper]

Ad-versarial

We released the scripts, datasets, and trained YOLOv3 models from our work Ad-versarial: Defeating Perceptual Ad-Blocking.
[GitHub] [Paper]

Fidelius

Fidelius is a new architecture that provides a trusted path for user I/O and Web Enclaves, protecting user secrets even if the entire underlying browser and OS are fully controlled by a malicious attacker.
[Home Page @Stanford] [GitHub] [Paper]

Deemon

Deemon detects CSRF vulnerabilities in PHP/SQL web applications by combining dynamic analysis with property graphs.
[GitHub] [Paper]

Günter

Günter tests web applications against Server Side Request (SSR) abuse, including Web Origin Laundering, Server Side Request Forgery (SSRF), and related abuses.
[GitHub] [Paper]

jÄk (jAEk)

jÄk (jAEk) (yet Änother krawler, ja!) is a crawler that uses function hooking and other dynamic analysis techniques to identify JavaScript event handler registrations and thereby explore the attack surface of web applications.
[GitHub] [Paper]