Web and browser.md
Web, Browser and Concurrency

USENIX

  • (2018) NAVEX: Precise and scalable exploit generation for dynamic web applications
    • automatic exploit generation, code property graph, concolic execution, SQL injection, XSS, EAR (execution after redirect)

Oakland

  • (2018) Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities
  • (2017) IVD: Automatic Learning and Enforcement of Authorization Rules in Online Social Networks
  • (2016) Back in Black: Towards Formal, Black Box Analysis of Sanitizers and Filters
  • (2016) Seeking Nonsense, Looking for Trouble: Efficient Promotional-Infection Detection through Semantic Inconsistency Search
  • (2016) Cloak of Visibility: Detecting When Machines Browse a Different Web
  • (2016) Verena: End-to-End Integrity Protection for Web Applications
  • (2015) Ad Injection at Scale: Assessing Deceptive Advertisement Modifications
  • (2015) Understanding and Monitoring Embedded Web Scripts

CCS

  • (2017) Hindsight: Understanding the Evolution of UI Vulnerabilities in Mobile Browsers (Meng Luo, Oleksii Starov, Nima Honarmand, Nick Nikiforakis)
  • (2017) Deterministic Browser
  • (2017) Most Websites Don't Need to Vibrate: A Cost-Benefit Approach to Improving Browser Security
  • (2017) Tail Attacks on Web Applications
  • (2017) Let’s Go in for a Closer Look: Observing Passwords in Their Natural Habitat
  • (2017) How Unique is Your .onion? An Analysis of the Fingerprintability of Tor Onion Services
  • (2017) Where the Wild Warnings Are: Root Causes of Chrome HTTPS Certificate Errors
  • (2017) Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting
  • (2017) The Wolf of Name Street: Hijacking Domains Through Their Nameservers
  • (2017) Automated Crowdturfing Attacks and Defenses in Online Review Systems
  • (2017) Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials
  • (2017) Code-reuse attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets
  • (2016) Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem
  • (2016) Chainsaw: Chained Automated Workflow-based Exploit Generation
  • (2016) CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites
  • (2016) "The Web/Local" Boundary Is Fuzzy: A Security Study of Chrome's Process-based Sandboxing
  • (2016) Breaking Web Applications Built On Top of Encrypted Data
  • (2015) WebCapsule: Towards a Lightweight Forensic Engine for Web Browsers
  • (2015) FlowWatcher: Defending against Data Disclosure Vulnerabilities in Web Applications
  • (2015) Detecting and Exploiting Second Order Denial-of-Service Vulnerabilities in Web Applications
  • (2015) Inlined Information Flow Monitoring for JavaScript
  • (2015) The Clock is Still Ticking: Timing Attacks in the Modern Web
  • (2015) Cross-Site Search Attacks
  • (2015) The Spy in the Sandbox: Practical Cache Attacks in Javascript and their Implications
  • (2015) From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting

Chromium

  • (2008) The Security Architecture of the Chromium Browser.
  • (2009 Oakland) Native Client: A Sandbox for Portable, Untrusted x86 Native Code.

ACM Computing Surveys

  • (2017) Surviving the Web: A Journey into Web Session Security
    • attacks on and protection of web sessions, web attacker, network attacker, content injection, XSS, CSRF, SOP, HttpOnly

Update:

USENIX Security

  • (2018) O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web
  • (2018) Fp-Scanner: The Privacy Implications of Browser Fingerprint Inconsistencies
  • (2018) Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers
  • (2018) WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring
  • (2018) A Sense of Time for JavaScript and Node.js: First-Class Timeouts as a Cure for Event Handler Poisoning
  • (2018) Rampart: Protecting Web Applications from CPU-Exhaustion Denial-of-Service Attacks
  • (2018) An Empirical Study of Web Resource Manipulation in Real-world Mobile Applications
  • (2018) Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies
  • (2018) NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications
  • (2017) Same-Origin Policy: Evaluation in Modern Browsers
  • (2017) CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition
  • (2017) Loophole: Timing Attacks on Shared Event Loops in Chrome
  • (2017) PDF Mirage: Content Masking Attack Against Information-Based Online Services
  • (2017) Game of Registrars: An Empirical Analysis of Post-Expiration Domain Name Takeovers
  • (2017) Measuring the Insecurity of Mobile Deep Links of Android
  • (2017) How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security
  • (2017) Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies
  • (2017) Exploring User Perceptions of Discrimination in Online Targeted Advertising
  • (2016) Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification
  • (2016) Tracing Information Flows Between Ad Exchanges Using Retargeted Ads
  • (2016) Request and Conquer: Exposing Cross-Origin Resource Size
  • (2016) Trusted Browsers for Uncertain Times
  • (2016) You've Got Vulnerability: Exploring Effective Vulnerability Notifications
  • (2016) Internet Jones and the Raiders of the Lost Trackers: An Archaeological Study of Web Tracking from 1996 to 2016

TSE

  • (2018) On Accelerating Source Code Analysis at Massive Scale
  • (2018) Metamorphic Testing of RESTful Web APIs
  • (2018) A Survey of Recent Trends in Testing Concurrent Software Systems
  • (2018) Reviving Sequential Program Birthmarking for Multithreaded Software Plagiarism Detection
  • (2017) A Study of Causes and Consequences of Client-Side JavaScript Bugs
  • (2017) AutoSense: A Framework for Automated Sensitivity Analysis of Program Data
  • (2017) A Survey of App Store Analysis for Software Engineering
  • (2016) Parallel Performance Problems on Shared-Memory Multicore Systems: Taxonomy and Observation
  • (2016) Probabilistic Model Checking of Regenerative Concurrent Systems
  • (2016) Dynamic Testing for Deadlocks via Constraints
  • (2016) Asymptotic Perturbation Bounds for Probabilistic Model Checking with Empirically Determined Probability Parameters
  • (2016) Model Checking Software with First Order Logic Specifications Using AIG Solvers
  • (2016) A Lightweight System for Detecting and Tolerating Concurrency Bugs

TIFS

  • (2019) Sensor-Based Mobile Web Cross-Site Input Inference Attacks and Defenses
  • (2018) Plausible Deniability in Web Search - From Detection to Assessment
  • (2017) Scalable Anti-Censorship Framework Using Moving Target Defense for Web Servers

TDSC

  • (2018) Shadow Attacks Based on Password Reuses: A Quantitative Empirical Analysis
  • (2017) Generic Soft-Error Detection and Correction for Concurrent Data Structures
  • (2016) Inference Attack on Browsing History of Twitter Users Using Public Click Analytics and Twitter Metadata

SOSP

  • (2017) Diamond: Automating Data Management and Storage for Wide-Area, Reactive Applications
  • (2017) Kraken: Leveraging Live Traffic Tests to Identify and Resolve Resource Utilization Bottlenecks in Large Scale Web Services
  • (2017) Canopy: An End-to-End Performance Tracing And Analysis System
  • (2017) Lazy Diagnosis of In-Production Concurrency Bugs
  • (2017) The Efficient Server Audit Problem, Deduplicated Re-execution, and the Web
  • (2017) Pensieve: Non-Intrusive Failure Reproduction for Distributed Systems using the Event Chaining Approach
  • (2017) Realizing the Fault-Tolerance Promise of Cloud Storage Using Locks with Intent

S&P

  • (2018) Study and Mitigation of Origin Stripping Vulnerabilities in Hybrid-postMessage Enabled Mobile Applications
  • (2018) Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities
  • (2018) Enumerating Active IPv6 Hosts for Large-scale Security Scans via DNSSEC-signed Reverse Zones
  • (2018) FP-STALKER: Tracking Browser Fingerprint Evolutions Along Time
  • (2018) A Formal Treatment of Accountable Proxying over TLS
  • (2018) Tracking Certificate Misissuance in the Wild
  • (2017) Finding and Preventing Bugs in JavaScript Bindings
  • (2016) Cloak of Visibility: Detecting When Machines Browse a Different Web
  • (2016) Domain-Z: 28 Registrations Later
  • (2016) The Cracked Cookie Jar: HTTP Cookie Hijacking and the Exposure of Private Information
  • (2016) MitM Attack by Name Collision: Cause Analysis and Vulnerability Assessment in the New gTLD Era
  • (2016) Seeking Nonsense, Looking for Trouble: Efficient Promotional-Infection Detection through Semantic Inconsistency Search

PPoPP

  • (2017) Tapir: Embedding Fork-Join Parallelism into LLVM’s Intermediate Representation

PLDI

  • (2018) CUBA: Interprocedural Context-UnBounded Analysis of Concurrent Programs
  • (2018) Verifying That Web Pages Have Accessible Layout
  • (2018) iReplayer: In-situ and Identical Record-and-Replay for Multithreaded Applications
  • (2018) BLeak: Automatically Debugging Memory Leaks in Web Applications
  • (2018) Putting in All the Stops: Execution Control for JavaScript
  • (2018) Systematic Black-Box Analysis of Collaborative Web Applications
  • (2017) Bringing the Web up to Speed with WebAssembly
  • (2016) GreenWeb: Language Extensions for Energy-Efficient Mobile Web Computing
  • (2016) Precise, Dynamic Information Flow for Database-Backed Applications

OSDI

  • (2018) Noria: dynamic, partially-stateful data-flow for high-performance web applications
  • (2018) Floem: A Programming System for NIC-Accelerated Network Applications
  • (2018) Orca: Differential Bug Localization in Large-Scale Services
  • (2018) Fault-Tolerance, Fast and Slow: Exploiting Failure Asynchrony in Distributed Systems
  • (2018) An Analysis of Network-Partitioning Failures in Cloud Systems

OOPSLA

  • (2018) Compositional Programming and Testing of Dynamic Distributed Systems
  • (2018) Sound deadlock prediction
  • (2018) Every Data Structure Deserves Lock-Free Memory Reclamation
  • (2018) Randomized Testing of Distributed Systems with Probabilistic Guarantees
  • (2018) Parallelization of Dynamic Languages: Synchronizing Built-in Collections
  • (2018) What Happens-After the First Race? Enhancing the Predictive Power of Happens-Before Based Dynamic Race Detection
  • (2018) RacerD: Compositional Static Race Detection
  • (2017) Model Checking Copy Phases of Concurrent Copying Garbage Collection with Various Memory Models
  • (2017) Practical Initialization Race Detection for JavaScript Web Applications
  • (2017) Deadlock Avoidance in Parallel Programs with Futures: Why Parallel Tasks Should Not Wait for Strangers
  • (2017) Skip Blocks: Reusing Execution History to Accelerate Web Scripts
  • (2017) Instrumentation Bias for Dynamic Data Race Detection
  • (2017) A Volatile-by-Default JVM for Server Applications
  • (2016) Automated Reasoning for Web Page Layout
  • (2016) Ringer: Web Automation by Demonstration

NDSS

  • (2018) Game of Missuggestions: Semantic Analysis of Search-Autocomplete Manipulations
  • (2018) JavaScript Zero: Real JavaScript and Zero Side-Channel Attacks
  • (2018) Riding out DOMsday: Towards Detecting and Preventing DOM Cross-Site Scripting
  • (2018) SYNODE: Understanding and Automatically Preventing Injection Attacks on NODE.JS
  • (2017) Enabling Reconstruction of Attacks on Users via Efficient Browsing Snapshots
  • (2017) (Cross-)Browser Fingerprinting via OS and Hardware Level Features
  • (2017) Fake Co-visitation Injection Attacks to Recommender Systems
  • (2017) Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web
  • (2016) Are these Ads Safe: Detecting Hidden Attacks through the Mobile App-Web Interfaces
  • (2016) Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications
  • (2016) It’s Free for a Reason: Exploring the Ecosystem of Free Live Streaming Services
  • (2016) CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities

ISSTA

  • (2017) Test Execution Checkpointing for Web Applications
  • (2017) Automated Layout Failure Detection for Responsive Web Pages without an Explicit Oracle
  • (2017) Testing and Analysis of Web Applications using Page Models
  • (2016) Optimal Sanitization Synthesis for Web Application Vulnerability Repair
  • (2016) Automated and Effective Testing of Web Services for XML Injection Attacks
  • (2016) ARROW: Automated Repair of Races on Client-Side Web Pages
  • (2016) DEKANT: A Static Analysis Tool That Learns to Detect Web Application Vulnerabilities

ICSE

  • (2018) How not to structure your database-backed web applications: a study of performance bugs in the wild
  • (2018) Automated Repair of Mobile Friendly Problems in Web Pages
  • (2018) Prioritizing Browser Environments for Web Application Test Execution
  • (2017) Finding and Evaluating the Performance Impact of Redundant Data Access for Applications Using ORM
  • (2017) ZenIDS: Introspective Intrusion Detection for PHP Applications
  • (2017) Statically Checking Web API Requests in JavaScript
  • (2017) On Cross-stack Configuration Errors
  • (2017) To Type or Not to Type: Quantifying Preventable Bugs in JavaScript
  • (2017) RClassify: Classifying Race Conditions in Web Applications via Deterministic Replay
  • (2016) Scalable Thread Sharing Analysis
  • (2016) Coverage-Driven Test Code Generation for Concurrent Classes
  • (2016) Finding Security Bugs in Web Applications Using a Catalog of Access Control Patterns
  • (2016) Feedback-Directed Instrumentation for Deployed JavaScript Applications
  • (2016) Locking Discipline Inference and Checking

FSE

  • (2018) An empirical study on crash recovery bugs in large-scale distributed systems
  • (2018) Testing Multithreaded Programs via Thread Speed Control
  • (2017) Probabilistic Model Checking of Perturbed MDPs with Applications to Cloud Computing
  • (2017) Thread-Modular Static Analysis for Relaxed Memory Models
  • (2017) AtexRace: Across Thread and Execution Sampling for In-House Race Detection
  • (2017) A fast causal profiler for task parallel programs
  • (2017) Reproducing Concurrency Failures from Crash Stacks
  • (2017) Craig vs. Newton in Software Model Checking
  • (2017) Automatic Generation of Inter-Component Communication Exploits for Android Applications
  • (2017) DESCRY: Reproducing System-Level Concurrency Failures
  • (2016) Understanding and Generating High Quality Patches for Concurrency Bugs
  • (2016) Flow-Sensitive Composition of Thread-Modular Abstract Interpretation
  • (2016) Parallel Data Race Detection for Task Parallel Programs with Locks
  • (2016) Revamping JavaScript Static Analysis via Localization and Remediation of Root Causes of Imprecision
  • (2016) WATERFALL: An Incremental Approach for Repairing Record-Replay Tests of Web Applications
  • (2016) A discrete-time feedback controller for containerized cloud applications
  • (2016) WebRanz: Web Page Randomization for Better Advertisement Delivery and Web-Bot Prevention
  • (2016) Constraint-Based Event Trace Reduction
  • (2016) A Deployable Sampling Strategy for Data Race Detection
  • (2016) CacheOptimizer: Helping Developers Configure Caching Frameworks for Hibernate-Based Database-Centric Web Applications
  • (2016) Static DOM Event Dependency Analysis for Testing Web Applications
  • (2016) Atlas: An Intelligent, Performant Framework for Web-Based Grid Computing
  • (2016) Online Shared Memory Dependence Reduction via Bisectional Coordination

ECOOP

  • (2018) Type Regression Testing to Detect Breaking Changes in Node.js Libraries

CCS

  • (2018) MineSweeper: An In-depth Look into Drive-by Cryptocurrency Mining and Its Defense
  • (2018) How You Get Bullets in Your Back: A Systematical Study about Cryptojacking in Real-world
  • (2018) Pride and Prejudice in Progressive Web Apps: Abusing Native App-like Features in Web Applications
  • (2018) Clock Around the Clock: Time-Based Device Fingerprinting
  • (2018) Predicting Impending Exposure to Malicious Content from User Behavior
  • (2018) Mystique: Uncovering Information Leakage from Browser Extensions
  • (2018) Web’s Sixth Sense: A Study of Scripts Accessing Smartphone Sensors
  • (2017) Deterministic Browser
  • (2017) Rewriting History: Changing the Archived Web from the Present
  • (2017) Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse
  • (2017) Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
  • (2017) Hindsight: Understanding the Evolution of UI Vulnerabilities in Mobile Browsers
  • (2017) Don't Let One Rotten Apple Spoil the Whole Barrel: Towards Automated Detection of Shadowed Domains
  • (2017) Tail Attacks on Web Applications
  • (2017) Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting
  • (2017) Most Websites Don't Need to Vibrate: A Cost-Benefit Approach to Improving Browser Security
  • (2016) CSPAutoGen: Black-box Enforcement of Content Security Policy upon Real-world Websites
  • (2016) Chainsaw: Chained Automated Workflow-based Exploit Generation
  • (2016) Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem

ASPLOS

  • (2018) Static Detection of Event-based Races in Android Apps
  • (2018) Unconventional Parallelization of Nondeterministic Applications
  • (2018) DATS – Refactoring Access Control Out of Web Applications