Monthly Archives: December 2010

Update on PAPAS and HTTP Parameter Pollution [Part 1]

My first post on HTTP Parameter Pollution has been read by more than 1,500 people, and several other security portals have blogged about it (e.g., Security-Shell, PenTestIT, Dark Reading, ToolsWatch, Packet Storm and Security Focus). So far, PAPAS, our online HPP … Continue reading

Posted in Web Security | Tagged , , | Leave a comment

G-Free: Defeating Return-Oriented Programming and ACSAC 2010

After an adrenaline-inducing trip involving an aircraft breakdown and heavy snowing, I am back from Austin, TX, where I attended ACSAC ’10 together with Davide. Austin is promoted as the “The Live Music Capital of the World”, and it shows: … Continue reading

Posted in Conferences, Systems Security | Tagged , , , , , | Leave a comment

The Evolution of Input Validation Vulnerabilities in Web Applications

Today, we finalized the camera-ready version of our paper that we will present in the upcoming Financial Cryptography and Data Security ’11 conference to be held at St. Lucia. In the paper entitled “Quo Vadis? A Study of the Evolution … Continue reading

Posted in Software Engineering, Vulnerability Detection, Web Security | Leave a comment

BADGERS 2011 Call for Papers

In April, I am co-chairing a new workshop called BADGERS (Building Analysis Datasets and Gathering Experience Returns for Security) with Thorsten. The BADGERS workshop is intended to encourage the development of large scale security-related data collection and analysis initiatives. It will … Continue reading

Posted in Call For Papers, General | Leave a comment

HTTP Parameter Pollution. So how many flawed applications exist out there?! We go online with a new service.

In this post, I’d like to give a brief overview about our upcoming paper on detecting HPP problems in web applications. The idea is to save readers from the effort of going through the entire paper. Typically, web applications are … Continue reading

Posted in Web Security | Tagged , , | 2 Comments

OWASP BeNeLux 2010

I just got back from Holland where I was invited to participate in the annual OWASP BeNeLux conference with a talk on Clickjacking. For the second year, the OWASP chapters of Holland, Belgium and Luxembourg co-organized an event with the … Continue reading

Posted in Conferences, General | Tagged , , | Leave a comment

EXPOSURE, a new upcoming service for finding malicious domains using passive DNS analysis

One of the papers we will be presenting in the upcoming NDSS 2011 conference in San Diego will be Leyla‘s work on detecting malicious DNS domains using large-scale passive DNS analysis. We have used EXPOSURE in practice to automatically detect … Continue reading

Posted in Malware Analysis and Detection, Systems Security | Leave a comment

LEET 11 and Eurosec 11 workshops

I am involved in two interesting workshops next year: LEET and Eurosec. Both events are being partially-organized by iSecLab members. I am chairing Eurosec and Chris is chairing LEET. Both workshops usually have interesting programs and I would encourage the submission … Continue reading

Posted in Call For Papers, General | Leave a comment

Detecting Privacy Leaks in iPhone Applications

In the upcoming NDSS 2011 conference in San Diego, one of the papers our team will be presenting is Manuel‘s work on detecting privacy leaks in iPhone applications. The sales of smartphones have exploded recently — especially because of mobile phone … Continue reading

Posted in Binary Analysis, General, Privacy | Leave a comment


Last week, I participated at the two-day NATO RTO symposium on Information Assurance and Cyber Defence in Tallinn, the capital of Estonia. Originally to be held in Antalya, Turkey, in April, the event was canceled due to the ash-crisis in … Continue reading

Posted in Web Security | Leave a comment