First European workshop on Web Application Security Research (WASR’13)

Important information

The workshop is co-located with this year’s OWASP Research conference in Hamburg, Germany.

Date: Wednesday, 21th of August 2013
Location: Hamburg University of Technology,  room A0.13.1/2, Schwarzenbergstraße 93, Hamburg Harbug (map)
Public Transportation: S-Bahn S3/S31 to “Heimfeld” or to “Harburg-Rathaus” (in this case take Bus 142 to stop “Kasernenstrasse (TU Harburg)”.
Participation: Attendance is free, however prior registration is required (see below).

WASR is organized by the EU FP7 projects WebSand, STREWS, SPaCIoS, and
NESSoS and will be hosted by the Hamburg University of Technology.

Local Organization: Maryna Krotofil
Program and Coordination: Martin Johns

Workshop motivation

Since its birth in 1990, the Web has evolved from a simple, stateless
delivery mechanism for static hypertext documents to a fully-edged
run-time environment for distributed, multi-party applications. While this
shift opens new opportunities ­ Business, Society, and Government rely
more and more on the Web to provide their services to customers and
citizens ­ it also increases significantly the complexity of the overall
environment. The web technologies have gradually shifted from a central
server technology towards a rich/stateful client paradigm and lively
interaction models. The wave of popular peer-to-peer web applications and
web mashup applications confirm this emerging trend. Users expect to use
any of their devices to access on-demand applications to process resources
stored somewhere else. But the shift from the server-centered paradigm
poses a significant challenge of securing web applications in the presence
of multiple stakeholders, including security-ignorant end-users. This
motivates the need for solid “web application security” that shall target
the overall cross-domains, cross-devices, and cross-services application
together with the isolated components within it.

Workshop format

This workshop is intended as a forum where recent research outcomes in the
area of Web Application Security will be presented to security
practitioners to get valuable feedback, trigger open discussions in the
room, and promote outstanding EU-funded research. Presentations will cover
topics, such as, protecting against pervasive threats (e.g., ClickJacking,
XSS), security & Web standards, model-driven security testing,
vulnerability-driven testing, mutation testing for security, Web
application sandboxing, information flow security, attack detection and

The workshop will consist of a set of selected talks provided by the
hosting projects as well as several invited presentations. While most of
the program is already populated, the workshop may still have room for one
or two additional presentations. If you would like to present your
research at the workshop, please contact the workshop organizers.

Program (talks are 25 + 5 min)

08:30 – 08:50 Registration

08:50 – 09:00 Opening remarks

09:00 – 10:30

  • Jonas Magazinius (Chalmers TH, WebSand): “Architectures for Inlining Security Monitors in Web Applications”
  • Thomas Roessler (W3C/STREWS): “On the ongoing standardization of Web security and why you should care”
  • Luca Compagna (SAP/SPACIOS): “Instrumentation-based security testing”

10:30 – 11:00 [break]

11:00 – 13:00

  • Konrad Rieck (University of Goettingen): “Learning-based Detection of Malicious JavaScript Code”
  • Sergio Maffeis (Imperial College London): “WebSpi: Discovering concrete attacks on security-sensitive web applications by formal analysis.”
  • Ben Stock (FAU Erlangen/SAP Research/WebSand): “Eradicating DNS Rebinding with the Extended Same-Origin Policy”
  • Lieven Desmet (KU Leuven/STREWS/WebSand/NESSoS): “Server-driven sandboxing of JavaScript”

13:00 – 14:00 [lunch]

14:00 – 15:30 (Work in Progress session, ~7*10 min + chaos)

  • Bastian Braun (University of Passau/WebSand): “LogSec – A Smart Browser for Secure Web Sessions”
  • Willem De Groef (KU Leuven/WebSand/NESSoS): “Recent work on applications of SME on the server-side”
  • Johannes Dahse (Ruhr University Bochum): “Static detection of second-order vulnerabilities”
  • Sebastian Lekies (SAP/WebSand): “Large-scale Detection of DOM-based XSS”
  • Petru Florin Mihancea (IeAT/SPACIOS): “jModex: extracting models from web applications”
  • Karim Hossen (Grenoble INP/SPACIOS) “Model based testing without the pain of writing the model”
  • Fabien Duchene (Grenoble INP/SPACIOS) “KameleonFuzz: the day Darwin drove my XSS Fuzzer”

15:30 – 16:00 [break]

16:00 – 17:30

  • Johan Oudinet (TU Munich/SPACIOS): “SPaCiTE: a mutation-based security testing tool”
  • Martin Ochoa Ronderos (TUM/SPACIOS) & Michele Peroli (UNIVR/SPACIOS): “VERA: a vulnerability-driven security testing tool”
  • Mario Heiderich (RUB/Cure53): “JSMVCOMFG – To sternly look at JS MVC and Templating Frameworks”

17:30 – 18:15 Closing panel: “WebSec research meets the real world – what now?”
(Panelists: Boris Hemkemeier (Commerzbank), Jim Manico (White Hat Security), Luca Compagna (SAP), Joachim Posegga (Uni Passau), Moderation: Luca Vigano (U Verona))

Workshop attendance

The workshop is mainly invite-only. However, a limited set of seats are open for participation from the public. If you would like to participate, please contact the workshop organizers (we moved to a bigger venue, hence, a couple of seats just became available).