Surviving the web: A journey into web session security
In this article, we survey the most common attacks against web sessions, that is, attacks that
target honest web browser users establishing an authenticated session with a trusted web …
The cookie hunter: Automated black-box auditing for web authentication and authorization flaws
In this paper, we focus on authentication and authorization flaws in web apps that enable
partial or full access to user accounts. Specifically, we develop a novel fully automated black …
The web SSO standard OpenID Connect: In-depth formal security analysis and security guidelines
Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal
are based on the OpenID Connect protocol. This protocol enables so-called relying parties …
Cookie crumbles: breaking and fixing web session integrity
Cookies have a long history of vulnerabilities targeting their confidentiality and integrity. To
address these issues, new mechanisms have been proposed and implemented in browsers …
The Security Lottery: Measuring Client-Side Web Security Inconsistencies
To mitigate a myriad of Web attacks, modern browsers support client-side security policies
shipped through HTTP response headers. To enforce these defenses, the server needs to …
The state of the SameSite: Studying the usage, effectiveness, and adequacy of SameSite cookies
Chromium-based browsers now restrict cookies' scope to a same-site context by changing
the default policy for cookies, thus requiring developers to adapt their websites. The extent of …
Reining in the web's inconsistencies with site policy
Over the years, browsers have adopted an ever-increasing number of client-enforced
security policies deployed through HTTP headers. Such mechanisms are fundamental for …
You call this archaeology? Evaluating web archives for reproducible web security measurements
Given the dynamic nature of the Web, security measurements on it suffer from reproducibility
issues. In this paper we take a systematic look into the potential of using web archives for …
PhishCatcher: Client-Side Defense Against Web Spoofing Attacks Using Machine Learning
Cyber security confronts a tremendous challenge of maintaining the confidentiality and
integrity of user's private information such as password and PIN code. Billions of users are …
Can I take your subdomain? Exploring Same-Site attacks in the modern web
Related-domain attackers control a sibling domain of their target web application, e.g., as the
result of a subdomain takeover. Despite their additional power over traditional web …