
Andrei Sabelfeld - Next Generation Web Crawling and Security Scanning

Abstract: Securing web applications is a pressing challenge, as manifested by the millions of dollars paid in bounties annually by the web's big players such as Google and Meta (Facebook). Web security scanners play an important role, focusing on crawling and scanning for vulnerabilities. Unfortunately, the state of the art falls short of deeply exploring web applications: it runs into roadblocks on both the client and server side and fails to track non-trivial data and control flows in web applications.

This talk illuminates key challenges for crawling and scanning the modern web. To tackle these challenges, we showcase a line of work that 1) develops navigation modelling, page traversal, and tracking of inter-page dependencies as the foundation for Next Generation Web Crawling and Scanning; 2) leverages SMT solving to pass input validation while scanning the web; and 3) leverages database-aware fuzzing to find unprotected output. We demonstrate how our approach both boosts code coverage and discovers new vulnerabilities in production software, including HotCRP, osCommerce, PrestaShop, and WordPress.

The talk is based on the S&P’21, CCS’23, and USENIX’24 papers written jointly with Benjamin Eriksson, Eric Olsson, Giancarlo Pellegrino, Adam Doupé, Amanda Stjerna, Riccardo De Masellis, and Philipp Ruemmer.

Bio: Andrei Sabelfeld is a Chalmers University of Technology Professor and newly appointed part-time Visiting Professor at KTH. Before becoming a faculty member, he was a Research Associate at Cornell University in Ithaca, NY, USA. Andrei Sabelfeld’s research ranges from foundations to practice in various computer security and privacy topics. He has received several prestigious prizes and awards from ERC, SSF, VR, WASP, Chalmers, Google, Meta (Facebook), and Amazon. Today, he leads a group of researchers at Chalmers engaged in many internationally visible projects on software security, web security, IoT security, security foundations, and applied cryptography.

Disclaimer: This video was recorded when the speaker gave a seminar at Digital Futures, a cross-disciplinary research centre that explores and develops digital technologies of great societal importance (https://www.digitalfutures.kth.se). The content is produced by the speaker and not the center. The captions have been generated automatically. If you need refined captions to access the material, please reach out to the Associate Director for Seminars at Digital Futures.

Video: Andrei Sabelfeld - Next Generation Web Crawling and Security Scanning, from the channel Digital Futures: Research Hub for Digitalization
Video information
Published: 22 January 2024, 18:09:34
Duration: 00:51:08