Web security research

Articles, software and blog posts related to web security
mobile
SessionJuggler: Secure Web Login from an Untrusted Terminal Using Session Hijacking
Session Juggler allows users to log into any website on an untrusted terminal, in any modern browser, using a simple bookmarklet and a smartphone. The site credentials are never transmitted to the untrusted terminal. With Session Juggler, users never enter their long-term credentials on the untrusted terminal. Instead, users log in to a web site using a smartphone app and then transfer the entire session, including cookies and all other session state, to the untrusted terminal.
@WWW 2012
captcha
Text-based CAPTCHA Strengths and Weaknesses
Based on successful attacks on 13 of the most popular captcha schemes, we show how to attack text-based captchas and provide guidelines on how to design secure ones.
@CCS 2011
blog
Reclaiming the Blogosphere, TalkBack: A Secure LinkBack Protocol for Weblogs
TalkBack is a new blog LinkBack protocol that uses a lightweight PKI and a rate-limiting system to fight blog spam.
@ESORICS 2011
embedded devices
Towards Secure Embedded Web Interfaces
We audited the security of the web interfaces of more than 30 embedded devices and found more than 50 vulnerabilities. To help developers, we have developed WebDroid, the first framework specifically dedicated to building secure embedded web apps.
@Usenix Security 2011
captcha
The Failure of Noise-Based Non-Continuous Audio Captchas
We show how, using a generic approach based on advanced audio processing and machine learning algorithms, our captcha breaker "Decaptcha" is able to break all the popular audio CAPTCHA schemes, including Microsoft's and Yahoo's.
@S&P 2011
mobile
Kamouflage: Loss-Resistant Password Management
Kamouflage is a new kind of password manager that uses plausible decoys to prevent offline attacks when the master password is weak.
@ESORICS 2010
web security
An Analysis of Private Browsing Modes in Modern Browsers
We analyze how each of the major browsers implements private browsing mode, show the limitations of these implementations, and describe attacks against them. We also measure on which kinds of websites people use private browsing mode.
@Usenix Security 2010
embedded devices
The emergence of cross channel scripting
We reveal a series of attacks against embedded devices based on a new type of vulnerability that we call cross channel scripting (XCS). XCS is a sophisticated form of cross site scripting (XSS) in which the attack injection and execution are carried out via different protocols.
@CACM Journal Volume 53 Number 8 2010
education
Webseclab: Security Education Workbench
Webseclab is a teaching framework designed to teach students web security through various exercises, projects and quizzes. Webseclab combines a cloud-based service that aggregates class results with a student lab, in the form of a virtual machine, that contains more than 80 exercises.
@CEST 2010
clickjacking
Framing Attacks on Smartphones, Dumb Routers and Social Sites: Tap-jacking, Geo-localization and Framing Leak Attacks
We show that phone features make Tap-jacking easier. We explain how router web interfaces can be exploited to steal the WiFi network's WPA key and location. Finally, we demonstrate how the frame scrolling attack can be used to defeat Facebook's frame busting defense and leak private information from Yahoo mobile webmail.
@WOOT 2010
clickjacking
Busting Frame Busting: A Study of Clickjacking Vulnerabilities on Popular Sites
We study the frame busting defenses of the Alexa Top-500 sites and show that all of them can be broken. Some attacks are browser-specific; others exploit coding mistakes. We conclude with practical recommendations on how to implement a secure frame busting defense.
@W2SP 2010
captcha
How Good are Humans at Solving CAPTCHAs? A Large Scale Evaluation
We perform a mass-scale user study of how people react to the 21 most popular captcha schemes (13 image, 8 audio). This study reveals that even the most popular captcha schemes are often difficult for humans, with audio captchas being particularly problematic.
@S&P 2010
study
State of the Art: Automated Black-Box Web Application Vulnerability Testing
We evaluate the effectiveness of the most popular automated web vulnerability scanners and analyze how effective they are at detecting various vulnerabilities (XSS, CSRF, SQLi…). We also test how good they are at crawling websites and discovering non-standard links (Flash, Java, AJAX).
@S&P 2010
blog
TrackBack Spam: Abuse and Prevention
We conducted a longitudinal study of TrackBack spam, collecting and analyzing almost 10 million samples from a massive spam campaign over a 1 period. We report our findings, including where the spam campaign leads and why blog spammers are different from email spammers.
@CCSW 2009
embedded devices
XCS: cross channel scripting and its impact on web applications
We reveal a series of attacks against embedded devices based on a new type of vulnerability that we call cross channel scripting (XCS). XCS is a sophisticated form of cross site scripting (XSS) in which the attack injection and execution are carried out via different protocols.
@CCS 2009
captcha
Decaptcha: Breaking 75% of eBay Audio CAPTCHAs
This paper shows how Decaptcha is able to break eBay audio captchas with 75% accuracy. We show that a custom breaker (75%) greatly outperforms state-of-the-art speech recognition systems (1%).
@WOOT 2009
web security
Bad Memories
We demonstrate how a WiFi network's WPA key and location can be stolen by attacking the router web interface. Then we show how SSL warnings on Internet Explorer and Firefox can be bypassed to perform HTTPS cache injection attacks. Finally, we show various advanced click-jacking attacks on browsers and phones (tapjacking).
@BlackHat USA / Defcon 2010
embedded devices
Embedded Management Interfaces: Emerging Massive Insecurity
@BlackHat USA 09 2009
web security
SaferChrome
SaferChrome makes browsing safer by identifying and preventing security and privacy breaches.
2010
web security
Webseclab
Webseclab is a virtual environment designed to give students hands-on web security experience.
2010
web security
Foursquare PHP
Foursquare-php is a PHP library that makes it easy to display Foursquare information on a webpage.
2010
About me
Researcher at Google, specializing in Internet security and privacy.