Up a level |
(2023) You Call This Archaeology? Evaluating Web Archives for Reproducible Web Security Measurements.
(2023) Extended Hell(o): A Comprehensive Large-Scale Study on Email Confidentiality and Integrity Mechanisms in the Wild.
(2023) Comparing Large-Scale Privacy and Security Notifications.
(2023) The Leaky Web: Automated Discovery of Cross-Site Information Leaks in Browsers and the Web.
(2023) DiffCSP: Finding Browser Bugs in Content Security Policy Enforcement through Differential Testing.
(2022) Freely Given Consent? Studying Consent Notice of Third-Party Tracking and Its Violations of GDPR in Android Apps.
(2022) HTML Violations and Where to Find Them: A Longitudinal Analysis of Specification Violations in HTML.
(2022) The Security Lottery: Measuring Client-Side Web Security Inconsistencies.
(2022) Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions.
(2022) To hash or not to hash: A security assessment of CSP’s unsafe-hashes expression.
(2022) Pareto-Optimal Defenses for the Web Infrastructure: Theory and Practice.
(2021) 12 Angry Developers – A Qualitative Study on Developers’ Struggles with CSP.
(2021) DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale.
(2021) Share First, Ask Later (or Never?) - Studying Violations of GDPR's Explicit Consent in Android Apps.
(2021) Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication.
(2021) Reining in the Web's Inconsistencies with Site Policy.
(2021) Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI.
(2020) PMForce: Systematically Analyzing PostMessage Handlers at Scale.
(2020) A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web.
(2020) Assessing the Impact of Script Gadgets on CSP at Scale.
(2020) Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies.
(2019) JStap: A Static Pre-Filter for Malicious JavaScript Detection.
(2019) HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs.
(2019) ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices.
(2019) Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild.
(2018) JaSt: Fully Syntactic Detection of Malicious (Obfuscated) JavaScript.
(2018) Didn’t You Hear Me? — Towards More Successful Web Vulnerability Notifications.
(2017) Efficient and Flexible Discovery of PHP Application Vulnerabilities.
(2017) How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security.
(2016) On the Feasibility of TTL-based Filtering for DRDoS Mitigation.
(2016) Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification.
(2016) Kizzle: A Signature Compiler for Detecting Exploit Kits.
(2016) POSTER: Mapping the Landscape of Large-Scale Vulnerability Notifications.
(2015) From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting.
(2015) The Unexpected Dangers of Dynamic JavaScript.
(2014) Precise Client-side Protection against DOM-based Cross-Site Scripting.
(2014) DOM-basiertes Cross-Site Scripting im Web: Reise in ein unerforschtes Land.
(2014) Protecting Users Against XSS-based Password Manager Abuse.
(2013) 25 Million Flows Later - Large-scale Detection of DOM-based XSS.
(2013) Eradicating DNS Rebinding with the Extended Same-Origin Policy.
(2013) Implementing low-level browser-based security functionality.
(2009) P2P-Botnetz-Analyse--Waledac.
(2009) Walowdac-analysis of a peer-to-peer botnet.