Monthly Archives: December 2010

Update on PAPAS and HTTP Parameter Pollution [Part 1]

My first post on HTTP Parameter Pollution has been read by more than 1,500 people, and several other security portals have blogged about it (e.g., Security-Shell, PenTestIT, Dark Reading, ToolsWatch, Packet Storm and Security Focus). So far, PAPAS, our online HPP …

Posted in Web Security

G-Free: Defeating Return-Oriented Programming and ACSAC 2010

After an adrenaline-inducing trip involving an aircraft breakdown and heavy snow, I am back from Austin, TX, where I attended ACSAC ’10 together with Davide. Austin is promoted as “The Live Music Capital of the World”, and it shows: …

Posted in Conferences, Systems Security

The Evolution of Input Validation Vulnerabilities in Web Applications

Today, we finalized the camera-ready version of our paper, which we will present at the upcoming Financial Cryptography and Data Security ’11 conference in St. Lucia. In the paper, entitled “Quo Vadis? A Study of the Evolution …

Posted in Software Engineering, Vulnerability Detection, Web Security

BADGERS 2011 Call for Papers

In April, I am co-chairing a new workshop called BADGERS (Building Analysis Datasets and Gathering Experience Returns for Security) with Thorsten. The BADGERS workshop is intended to encourage the development of large-scale security-related data collection and analysis initiatives. It will …

Posted in Call For Papers, General

HTTP Parameter Pollution. So how many flawed applications exist out there?! We go online with a new service.

In this post, I’d like to give a brief overview of our upcoming paper on detecting HPP problems in web applications. The idea is to save readers the effort of going through the entire paper. Typically, web applications are …

Posted in Web Security | 2 Comments

OWASP BeNeLux 2010

I just got back from Holland, where I was invited to participate in the annual OWASP BeNeLux conference with a talk on Clickjacking. For the second year, the OWASP chapters of Holland, Belgium and Luxembourg co-organized an event with the …

Posted in Conferences, General

EXPOSURE, a new upcoming service for finding malicious domains using passive DNS analysis

One of the papers we will be presenting at the upcoming NDSS 2011 conference in San Diego is Leyla’s work on detecting malicious DNS domains using large-scale passive DNS analysis. We have used EXPOSURE in practice to automatically detect …

Posted in Malware Analysis and Detection, Systems Security