Web Security

Doctoral Privatissima, Winter 2013/14

Instructor Prof. Dr. Matteo Maffei
Organizational Meeting Thursday March 20 at 2pm in E1.7, room 2.10
Time Every day, from Monday March 24 until Friday April 11, 9-11am.
Place To be defined.
Office Hours Monday 4-6 pm, E1.7, room 2.09
Form/Credits Doctoral Privatissima, 6 ECTS
Language English

Latest News

  • 2014-03-11: the lecture slot has changed (9-11am). Furthermore, due to the high interest in the course and the limited number of available slots, please send your transcript of records to the instructor before the kick-off meeting: if a selection turns out to be necessary, it will also take into account the personal background of each student.
  • 2014-02-11: the website is online
  • 2014-02-24: the list of papers is published


Recent years have seen a proliferation of attacks (e.g. cross-site scripting, SQL injection, and cookie stealing) on web services. The attack surface is extraordinarily large and complex, and it includes the network as well as the application layer: attacks may exploit the nasty semantics of JavaScript applications, flaws in cryptographic protocols, specific features of HTML5, DNS vulnerabilities, and more. Due to the strong influence of the web on society and the increasing amount of personal data populating the Internet, such attacks have a devastating harm potential. For this reason, understanding how web services may be attacked and defended is of paramount importance.

Web security is an emerging, and nonetheless extraordinarily active, research field. In this doctoral privatissima, you will get a deep understanding of the state of the art by critically analysing the most significant research papers published in the top-tier security conferences in recent years. We will focus on both attacks and defence techniques, with the ultimate aim of improving current web safeguards and drawing hints for future research.

Topic I. Cookies

Topic II. Generic Attacks (Part I)

Topic III. Generic Attacks (Part II)

Topic IV. Generic Defences

Topic V. Sanitization

Topic VI. XSS (Part I)

Topic VII. XSS (Part II)


Topic IX. Injection Attacks

Topic X. Malware

Topic XI. Javascript (Part I)

Topic XII. Javascript (Part II)

Topic XIII. Web Protocols

Topic XIV. Analysis of Web Applications

Topic XV. HTML5


We are going to meet every day from Monday March 24 until Friday April 11. The meeting will take place at 9am and last for two hours.

Every day a student will present one or two papers, which will be critically analysed together, identifying weaknesses and directions for future research. To facilitate the discussion, the papers presented in class have to be read in advance by all students. The results of the discussion will eventually be written up in the form of a report. Overall, each student should present about four papers during the doctoral privatissima.


You should have taken language-based security or security.

How to register

In order to register for the course, you have to sign in to Piazza. Since the number of available slots is limited and the selection will be based on personal background, please send your transcript of records to the instructor before the kick-off meeting.