SecWeb 2023

Designing Security for the Web


February 26, 2023: We have extended the deadline to March 2nd. Please visit HotCRP to submit your papers!

February 22, 2023: We have extended the deadline to February 27th. Please visit HotCRP to submit your papers!

January 25, 2023: We are excited to announce our two keynote speakers: Yinzhi Cao and Artur Janc. We will follow up with full details about their talks!

January 8, 2023: The CfP for SecWeb is now out! We look forward for your submission until February 24, 2023 AoE. For details on the scope, see the call for papers.

December 5, 2022: SecWeb 2023 will be jointly held with IEEE S&P in San Francisco on May 25, 2023.

What is SecWeb?

Back in the days, the Web was not designed with security or privacy in mind. Many key mechanisms we rely on today for critical functionality were arguably not designed for security (such as cookies for authentication purposes) and numerous mechanisms have been piecemeal retrofitted to the Web to add security to it. In this workshop, we want to move away from augmenting the Web with Security and rather design Security for the Web.

Aim & Scope

The Web has become the key access point to a plethora of security-sensitive services, which we use on a daily basis, yet it was not designed with security in mind. Over the years, this has led to many security mechanisms which were piecemeal retrofit to not cause breakage to existing web applications. The goal of the SecWeb workshop is therefore twofold: we want to collect ideas on how the Web could be extended with novel security mechanisms, better access interfaces (browsers) and disciplined programming abstractions, so as to natively support secure web application development. Moreover, we also invite in particular contributions which aim to redesign parts of the ecosystem, so as not to be stuck on a patchwork of security on the Web, but rather have security built-in by design.

Besides traditional Web security papers, SecWeb particularly welcomes position papers which propose provocative thoughts on how (parts of) the current web platform could be heavily re-envisioned for security. Such proposals often do not fit major computer security conferences, because their real-world deployment might be complicated, yet they have value for the web security community, since they advance the understanding of relevant web security problems, their root causes and the design space of possible solutions. Ideally, we expect well-thought proposals accepted at SecWeb to be excellent starting points for discussion with browser vendors (which we explicitly envision as participants) and/or major players of the Web market, who have the commitment and the resources to convert academic proposals into reality.

Logistics & Dates

SecWeb 2023 is co-located with IEEE S&P 2023 and scheduled for May 25, 2023.

Important Dates

  • Paper Submission Due: 11:59PM AoE, February 24 March 2, 2023 via via HotCRP
  • Notification to authors: March 23, 2023
  • Camera-ready deadline for accepted papers: March 30, 2023

Program 2023

9:00 - 9:10 SecWeb Opening Remarks Sooel Son (KAIST)
Jason Polakis (University of Illinois at Chicago)
09:10 - 10:00 Keynote: Prototype Pollution and Beyond: An Existential, Emerging Threat to the World Wide Web [Slides]

Prototype pollution is a relatively-new type of vulnerability specific to prototype-based languages, such as JavaScript, which allows an adversary to pollute a base object's property, leading to further consequences such as Cross-site Scripting (XSS) and session fixation. In this talk, I am presenting our recent works in detecting and exploiting prototype pollution vulnerabilities across server- and client-side applications. In the first part, I will introduce our flow- and context-sensitive JavaScript static analysis with hybrid branch-sensitivity and points-to information to generate a novel graph structure, called Object Dependence Graph (ODG), using abstract interpretation. Our evaluation of NPM packages reported over 200 zero-day prototype pollutions, among which we have received 70 Common Vulnerabilities and Exposures (CVE) identifiers. In the second part, I will introduce our dynamic taint analysis tool that tracks so-called joint taint flows connecting property lookups and assignments, and generates exploit inputs to guide joint taint flows into final sinks related to further consequences. Our evaluation reveals 2,738 real-world websites—including ten among the top 1,000—are vulnerable to 2,917 zero-day, exploitable prototype pollutions. We verify that 48 vulnerabilities further lead to XSS, 736 to cookie manipulations, and 830 to URL manipulations.
Yinzhi Cao (Johns Hopkins University)

Dr. Yinzhi Cao is an assistant professor in Computer Science at Johns Hopkins University. His research mainly focuses on the security and privacy of the Web, smartphones, and machine learning using program analysis techniques. His past work was widely featured by over 30 media outlets, such as NSF Science Now (Episode 38), CCTV News, IEEE Spectrum, Yahoo! News, and ScienceDaily. He received three distinguished paper awards at USENIX Security'2021, SOSP'17, and IEEE CNS'15 respectively, and one best paper nomination at CCS'20. He is a recipient of the DARPA Young Faculty Award (YFA) 2022, the Amazon Research Award 2021 and 2017, and NSF CAREER Award 2021.
More info on his Web page
10:00 - 10:30 Coffee Break
10:30 - 11:00 HoneyKube: Designing and Deploying a Microservices-based Web Honeypot Chakshu Gupta (University of Twente), Thijs van Ede (University of Twente), Andrea Continella (University of Twente)
11:00 - 11:30 WIP: Investigating the Re-usage of Security Tokens in the Wild Leon Trampert (CISPA Helmholtz Center for Information Security), Ben Stock (CISPA Helmholtz Center for Information Security), Sebastian Roth (CISPA Helmholtz Center for Information Security)
11:30 - 13:00 Lunch Break
13:00 - 13:30 Measuring Re-identification Risk CJ Carey (Google), Travis Dick (Google), Alessandro Epasto (Google), Adel Javanmard (Google), Josh Karlin (Google), Shankar Kumar (Google), Andres Munoz Medina (Google), Vahab Mirrokni (Google), Gabriel Henrique Nunes (Google), Sergei Vassilvitskii (Google), Peilin Zhong (Google)
13:30 - 14:00 What is in the Chrome Web Store? Sheryl Hsu (Stanford University), Manda Tran (Stanford University), Aurore Fass (Stanford University, CISPA Helmholtz Center for Information Security)
14:00 - 14:30 Evaluating Password Composition Policy and Password Meters of Popular Websites Kyungchan Lim (University of Tennessee, Knoxville), Joshua Hankyul Kang (University of Tennessee, Knoxville), Matthew Dixson (University of Tennessee, Knoxville), Hyungjoon Koo (Sungkyunkwan University), Doowon Kim (University of Tennessee, Knoxville)
14:30 - 15:00 Coffee Break
15:00 - 15:50 Keynote: (Re-)Designing the web's cookie model with security in mind

Few concepts are more tightly woven into the fabric of the web than its handling of cookies. The behavior of attaching a cookie based on the destination of a request regardless of its source has fostered the web's composability, but also introduced privacy concerns (cross-site tracking) and enabled cross-site attacks against web applications, such as CSRF and clickjacking. While browsers' efforts to disable the sending of cookies in third-party contexts are motivated primarily by the desire to improve user privacy, they also fundamentally shift the web's security model, bringing the promise of addressing several endemic classes of web vulnerabilities. In this talk, we will start by reviewing vulnerabilities caused by the presence of third-party cookies in the web platform and discuss security gaps in browsers' current third-party cookie blocking behaviors. We will then review existing and proposed mechanisms that restore access to cookies in third-party contexts, such as the Storage Access API, and examine the trade-offs between security and web compatibility. At the end, we will aim to arrive at a principled long-term cookie security model and chart a path towards rectifying one of the original, long-standing web platform security risks.
Artur Janc (Google)

Artur Janc is a Technical Lead for web security on the Information Security Engineering team at Google, working on advancing application security across the Google ecosystem and improving the security and privacy properties of the web platform. Artur holds an M.Sc. in Computer Science from Worcester Polytechnic Institute where he also earned bachelor's degrees in Computer Science and Electrical and Computer Engineering, and a minor in Spanish.
More info on his Web page
15:50 - 15:55 Closing Remarks

Call for Papers

All papers discussing Web security and Web privacy aspects are solicited for submission. SecWeb particularly welcomes position papers which propose provocative thoughts on how (parts of) the current Web platform could be heavily re-envisioned for security. This explicitly includes proposals that would break today’s Web to improve its security tomorrow.

Topics of interest include, but are not limited to, the following:

  • Browser security
  • Formal methods for Web security
  • Language-based Web security
  • Security policies for the Web
  • Usable Web security
  • Web application firewalls
  • Web attacks and defenses
  • Web authentication and authorization
  • Web protocol security
  • Web security architectures
  • Web tracking and online advertisement

Reviewing and Publication Process

SecWeb solicits both full and short papers. All papers must be written in English and must not exceed 10 pages (full) and 6 pages (short) in A4 format using the IEEE conference proceeding template (excluding bibliography and well-marked appendixes). Submissions must be in PDF format and should print easily on simple default configurations. Submissions are anonymous, so information that might identify the authors must be excluded. It is the authors' responsibility to ensure that their anonymity is preserved when citing their own work. Failures to adhere to these requirements can be grounds for rejection.

The proceedings will be published by the IEEE after the workshop and will be made available in IEEE Xplore. During submission, authors can choose to have their paper excluded from the proceedings. At least one author of each accepted paper must register to the workshop for presentation.

All submissions considered for inclusion in the proceedings must contain an original contribution. That is, these papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal, conference or workshop. In particular, simultaneous submission of the same work is not allowed. This requirement is relaxed for submissions which will not be included in the proceedings: in particular, we also invite papers that are currently under submission or planned to be submitted before the SecWeb notification.

Submission Site

Submissions go to

Program Committee

  • Sooel Son (KAIST) -- Chair
  • Jason Polakis (University of Illinois at Chicago) -- Chair
  • Aurore Fass (Stanford University)
  • Doowon Kim (University of Tennessee, Knoxville)
  • Frederik Braun (Mozilla)
  • Giancarlo Pellegrino (CISPA Helmholtz Center for Information Security)
  • Gunes Acar (Radboud University)
  • Haehyun Cho (Soongsil University)
  • Hugo Jonker (Open University of the Netherlands)
  • Junhua Su (North Carolina State University)
  • Kyu Hyung Lee (University of Georgia)
  • Lorenzo Veronese (TU Wien)
  • Luca Compagna (SAP Security Research)
  • Marco Squarcina (TU Wien)
  • Marius Steffens (Google)
  • Mauro Tempesta (TU Wien)
  • Mohammad Ghasemisharif (University of Illinois Chicago)
  • Nick Nikiforakis (Stony Brook University)
  • Pierre Laperdrix (CNRS)
  • Sebastian Lekies (Google)
  • Sebastian Roth (CISPA Helmholtz Center for Information Security)
  • Steven Englehardt (DuckDuckGo)
  • Tom Van Goethem (imec-DistriNet, KU Leuven)
  • Tijay Chung (Virginia Tech)
  • Victor Le Pochat (imec-DistriNet, KU Leuven)
  • Walter Rudametkin (University of Lille)
  • Wei Meng (The Chinese University of Hong Kong)
  • Yinzhi Cao (Johns Hopkins University)
  • Mir Masood Ali (University of Illinois at Chicago)
  • Hyungsub Kim (Purdue University)
  • Soheil Khodayari (CISPA Helmholtz Center for Information Security)
  • Matteo Golinelli (University of Trento)
  • Karthika Subramani (Georgia Institute of Technology)
  • Shubham Agarwal (CISPA Helmholtz Center for Information Security)
  • Muhammad Shujaat Mirza (NYU)
  • Hari Venugopalan (UC Davis)

SecWeb Reviewing Mentoring

Reviewing is hard, constructive reviewing even more so. For SecWeb, we therefore will have a mentoring program for junior members of the community. We will invite a limited number of students in the area of Web security into the PC and each junior member will have a mentor which whom to discuss their reviews. In this way, junior community members are exposed to the reviewing and discussion process, while also benefiting from the experience and insights of more senior reviewers. If you or your students are interested in this, fill in the form to indicate your (or your students') interest.