Peer-reviewed publications

2019

Latex Gloves: Protecting Browser Extensions from Probing and Revelation Attacks

2018

Raising the Bar: Evaluating Origin-wide Security Manifests

2017

Measuring Login Webpage Security
Discovering Browser Extensions via Web Accessible Resources

2016

Data Exfiltration in the Face of CSP
JavaScript Sandboxing: Isolating and Restricting Client-Side JavaScript

2015

Password meters and generators on the web: From large-scale empirical study to getting it right
Isolating and Restricting Client-Side JavaScript

2014

Monkey-in-the-browser: malware and vulnerabilities in augmented browsing script markets

2013

Bitsquatting: Exploiting bit-flips for fun, or profit?

2012

JSand: complete client-side sandboxing of third-party JavaScript without browser modifications
You are what you include: large-scale evaluation of remote JavaScript inclusions
Exploring the ecosystem of referrer-anonymizing services
FlashOver: Automated discovery of cross-site scripting vulnerabilities in rich internet applications

2011

WebJail: Least-privilege integration of third-party components in web mashups
Exposing the lack of privacy in file hosting services

2010

ValueGuard: Protection of native applications against data-only buffer overflows