Marco Squarcina
Senior Scientist Dott.ric.
My research interests focus mainly on Web and mobile security, but I'm passionate about computer security and hacking in its broadest sense. I love teaching, and I strongly support the concept of learning by doing. Sometimes I play and organise CTF competitions with w0y and mhackeroni. I had the privilege to do cool things connected with my job, like talking at Black Hat USA, playing DEF CON CTF finals 4 times, co-organizing the Italian Cyber Challenge project, training Team Europe for the International Cybersecurity Challenge (ICC), or hosting the largest Attack/Defense CTF in the history of the European Cybersecurity Challenge (ECSC 2022). I'm now coaching the Austrian team for ECSC and coordinating other national educational activities on IT security.
My name is Marco Squarcina, I’m a postdoctoral researcher at TU Wien. My research interests focus on web security, but I’m passionate about computer security and hacking in its broadest sense. I play and organise CTFs under the nickname “lavish” as a member of WE_0WN_Y0U, mhackeroni and formerly c00kies. Before relocating to Austria I served as a coach for the national cybersecurity team in Italy to compete in the ENISA European Cyber Security Challenge.
Roles
- Senior Scientist
Courses
- Project in Computer Science 1 / PR / 192.021
- Project in Computer Science 2 / PR / 192.022
2025S
- Project in Computer Science 1 / PR / 192.021
- Project in Computer Science 2 / PR / 192.022
- Bachelor Thesis / PR / 192.061
- Attacks and Defenses in Computer Security / UE / 192.111
2024W
Projects (at TU Wien)
-
W4MP : Fixing the Broken Bridge Between Mobile Apps and the Web
2023 - 2027 / Vienna Science and Technology Fund (WWTF)
Publications (created while at TU Wien)
-
2024
-
Tabbed Out: Subverting the Android Custom Tab Security Model
Beer, P., Squarcina, M., Veronese, L., & Lindorfer, M. (2024). Tabbed Out: Subverting the Android Custom Tab Security Model. In 2024 IEEE Symposium on Security and Privacy (SP) (pp. 4591–4609).
DOI: 10.1109/SP54263.2024.00105 MetadataAbstract
Mobile operating systems provide developers with various mobile-to-Web bridges to display Web pages inside native applications. A recently introduced component called Custom Tab (CT) provides an outstanding feature to overcome the usability limitations of traditional WebViews: it shares the state with the underlying browser. Similar to traditional WebViews, it can also keep the host application informed about ongoing Web navigations. In this paper, we perform the first systematic security evaluation of the CT component and show how the design of its security model did not consider cross- context state inference attacks when the feature was introduced. Additionally, we show how CTs can be exploited for fine-grained exfiltration of sensitive user browsing data, violation of Web session integrity by circumventing SameSite cookies, and how UI customization of the CT component can lead to phishing and information leakage. To assess the prevalence of CTs in the wild and the practicality of the mitigation strategies we propose, we carry out the first large-scale analysis of CT usage on over 50K Android applications. Our analysis reveals that their usage is widespread, with 83% of applications embedding CTs either directly or as part of a library. We have responsibly disclosed all our findings to Google, which has already taken steps to apply targeted mitigations, assigned three CVEs for the discovered vulnerabilities, and awarded us $10,000 in bounties. Our interaction with Google led to clarifications of the CT security model in the new Chrome Custom Tabs Security FAQ document. -
Web Platform Threats: Automated Detection of Web Security Issues With WPT
Bernardo, P., Veronese, L., DALLA VALLE, V., Calzavara, S., Squarcina, M., Adão, P., & Maffei, M. (2024). Web Platform Threats: Automated Detection of Web Security Issues With WPT. In Proceedings of the 33rd USENIX Security Symposium (pp. 757–774).
MetadataAbstract
Client-side security mechanisms implemented by Web browsers, such as cookie security attributes and the Mixed Content policy, are of paramount importance to protect Web applications. Unfortunately, the design and implementation of such mechanisms are complicated and error-prone, potentially exposing Web applications to security vulnerabilities. In this paper, we present a practical framework to formally and automatically detect security flaws in client-side security mechanisms. In particular, we leverage Web Platform Tests (WPT), a popular cross-browser test suite, to automatically collect browser execution traces and match them against Web invariants, i.e., intended security properties of Web mechanisms expressed in first-order logic. We demonstrate the effectiveness of our approach by validating 9 invariants against the WPT test suite, discovering violations with clear security implications in 104 tests for Firefox, Chromium and Safari. We disclosed the root causes of these violations to browser vendors and standard bodies, which resulted in 8 individual reports and one CVE on Safari. -
Cookie Crumbles: Breaking and Fixing Web Session Integrity
Squarcina, M., Adão, P., Lorenzo Veronese, & Matteo Maffei. (2023). Cookie Crumbles: Breaking and Fixing Web Session Integrity. In J. Calandrino & C. Troncoso (Eds.), SEC ’23: Proceedings of the 32nd USENIX Conference on Security Symposium (pp. 5539–5556). USENIX Association.
DOI: 10.34726/5329 MetadataAbstract
Cookies have a long history of vulnerabilities targeting their confidentiality and integrity. To address these issues, new mechanisms have been proposed and implemented in browsers and server-side applications. Notably, improvements to the Secure attribute and cookie prefixes aim to strengthen cookie integrity against network and same-site attackers, whereas SameSite cookies have been touted as the solution to CSRF. On the server, token-based protections are considered an effective defense for CSRF in the synchronizer token pattern variant. In this paper, we question the effectiveness of these protections and study the real-world security implications of cookie integrity issues, showing how security mechanisms previously considered robust can be bypassed, exposing Web applications to session integrity attacks such as session fixation and cross-origin request forgery (CORF). These flaws are not only implementation-specific bugs but are also caused by compositionality issues of security mechanisms or vulnerabilities in the standard. Our research contributed to 12 CVEs, 27 vulnerability disclosures, and updates to the cookie standard. It comprises (i) a thorough cross-browser evaluation of cookie integrity issues, that results in new attacks originating from implementation or specification inconsistencies, and (ii) a security analysis of the top 13 Web frameworks, exposing session integrity vulnerabilities in 9 of them. We discuss our responsible disclosure and propose practical mitigations. -
WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms
Veronese, L., Farinier, B., Bernardo, P., Tempesta, M., Squarcina, M., & Maffei, M. (2023). WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms. In 2023 IEEE Symposium on Security and Privacy (SP) (pp. 2761–2779). IEEE.
DOI: 10.1109/SP46215.2023.10179465 MetadataAbstract
The complexity of browsers has steadily increased over the years, driven by the continuous introduction and update of Web platform components, such as novel Web APIs and security mechanisms. Their specifications are manually reviewed by experts to identify potential security issues. However, this process has proved to be error-prone due to the extensiveness of modern browser specifications and the interplay between new and existing Web platform components. To tackle this problem, we developed WebSpec, the first formal security framework for the analysis of browser security mechanisms, which enables both the automatic discovery of logical flaws and the development of machine-checked security proofs. WebSpec, in particular, includes a comprehensive semantic model of the browser in the Coq proof assistant, a formalization in this model of ten Web security invariants, and a toolchain turning the Coq model and the Web invariants into SMT-lib formulas to enable model checking with the Z3 theorem prover. If a violation is found, the toolchain automatically generates executable tests corresponding to the discovered attack trace, which is validated across major browsers.We showcase the effectiveness of WebSpec by discovering two new logical flaws caused by the interaction of different browser mechanisms and by identifying three previously discovered logical flaws in the current Web platform, as well as five in old versions. Finally, we show how WebSpec can aid the verification of our proposed changes to amend the reported inconsistencies affecting the current Web platform. -
Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web
Squarcina, M., Tempesta, M., Veronese, L., Calzavara, S., & Maffei, M. (2021). Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web. In 30th USENIX Security Symposium (pp. 2917–2934). 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021.
Metadata ⯈Fulltext (preprint)Abstract
Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention by the research community. In this paper we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including: cookies, CSP, CORS, postMessage and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887, sites, where we quantified the threats posed by related-domain attackers to popular web applications. -
The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches
Squarcina, M., Calzavara, S., & Maffei, M. (2021). The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches. In 2021 IEEE Security and Privacy Workshops (SPW). 15th IEEE Workshop on Offensive Technologies, San Francisco, CA, United States of America (the).
DOI: 10.1109/spw53761.2021.00062 Metadata ⯈Fulltext (preprint)Abstract
Service workers boost the user experience of modern web applications by taking advantage of the Cache API to improve responsiveness and support offline usage. In this paper, we present the first security analysis of the threats posed by this programming practice, identifying an attack with major security implications. In particular, we show how a traditional XSS attack can abuse the Cache API to escalate into a person-in-the-middle attack against cached content, thus compromising its confidentiality and integrity. Remarkably, this attack enables new threats which are beyond the scope of traditional XSS. After defining the attack, we study its prevalence in the wild, finding that the large majority of the sites which register service workers using the Cache API are vulnerable as long as a single webpage in the same origin of the service worker is affected by an XSS. Finally, we propose a browser-side countermeasure against this attack, and we analyze its effectiveness and practicality in terms of security benefits and backward compatibility with existing web applications. -
Gathering of robots in a ring with mobile faults
Das, S., Focardi, R., Luccio, F. L., Markou, E., & Squarcina, M. (2019). Gathering of robots in a ring with mobile faults. Theoretical Computer Science, 764, 42–60.
DOI: 10.1016/j.tcs.2018.05.002 Metadata ⯈Fulltext (preprint)Abstract
This paper studies the well-known problem of gathering multiple mobile agents moving in a graph, but unlike previous results, we consider the problem in the presence of an adversarial mobile entity which we call the malicious agent. The malicious entity can occupy any empty node and prevent honest mobile agents from entering this node. This new adversarial model is interesting as it models transient mobile faults that can appear anywhere in a network. Moreover, our model lies between the less powerful delay-fault model, where the adversary can block an agent for only a finite time, and the more powerful but static fault model of black holes that can even destroy the agents. We study the problem for ring networks and we provide a complete characterization of the solvability of gathering, depending on the size n of the ring and the number of agents k. We consider both oriented or unoriented rings with either synchronous or asynchronous agents. We prove that in an unoriented ring network with asynchronous agents the problem is not solvable when k is even, while for synchronous agents the problem is unsolvable when both n is odd and k is even. We then present algorithms that solve gathering for all the remaining cases, thus completely solving the problem. Finally, we provide a proof-of-concept implementation of the synchronous algorithms using programmable Lego Mindstorms EV3 robots. -
Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem
Calzavara, S., Focardi, R., Nemec, M., Rabitti, A., & Squarcina, M. (2019). Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, Austria. IEEE.
DOI: 10.1109/sp.2019.00053 Metadata ⯈Fulltext (preprint)Abstract
HTTPS aims at securing communication over theWeb by providing a cryptographic protection layer that ensuresthe confidentiality and integrity of communication and enablesclient/server authentication. However, HTTPS is based on theSSL/TLS protocol suites that have been shown to be vulnerableto various attacks in the years. This has required fixes andmitigations both in the servers and in the browsers, producing acomplicated mixture of protocol versions and implementations inthe wild, which makes it unclear which attacks are still effectiveon the modern Web and what is their import on web applicationsecurity. In this paper, we present the first systematic quantitativeevaluation of web application insecurity due to cryptographicvulnerabilities. We specify attack conditions against TLS usingattack trees and we crawl the Alexa Top 10k to assess the importof these issues onpage integrity,authentication credentialsandweb tracking. Our results show that the security of a consistentnumber of websites is severely harmed by cryptographic weak-nesses that, in many cases, are due to external or related-domainhosts. This empirically, yet systematically demonstrates how arelatively limited number of exploitable HTTPS vulnerabilitiesare amplified by the complexity of the web ecosystem. -
WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring
Calzavara, S., Maffei, M., Schneidewind, C., Tempesta, M., & Squarcina, M. (2018). WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring. In Proceedings of the 27th USENIX Security Symposium (pp. 1493–1510). USENIX.
Metadata ⯈Fulltext (preprint)Abstract
We present WPSE, a browser-side security monitor for web protocols designed to ensure compliance with the intended protocol flow, as well as confidentiality and integrity properties of messages. We formally prove that WPSE is expressive enough to protect web applications from a wide range of protocol implementation bugs and web attacks. We discuss concrete examples of attacks which can be prevented by WPSE on OAuth 2.0 and SAML 2.0, including a novel attack on the Google implementation of SAML 2.0 which we discovered by formalizing the protocol specification in WPSE. Moreover, we use WPSE to carry out an extensive experimental evaluation of OAuth 2.0 in the wild. Out of 90 tested websites, we identify security flaws in 55 websites (61.1%), including new critical vulnerabilities introduced by tracking libraries such as Facebook Pixel, all of which fixable by WPSE. Finally, we show that WPSE works flawlessly on 83 websites (92.2%), with the 7 compatibility issues being caused by custom implementations deviating from the OAuth 2.0 specification, one of which introducing a critical vulnerability. -
Mind Your Keys? A Security Evaluation of Java Keystores
Focardi, R., Squarcina, M., Steel, G., Palmarini, M., & Tempesta, M. (2018). Mind Your Keys? A Security Evaluation of Java Keystores. In Proceedings of 2019 Network and Distributed System Security Symposium (pp. 1–15).
Metadata ⯈Fulltext (preprint)Abstract
Cryptography is complex and variegate and re-quires to combine different algorithms and mechanisms in non-trivial ways. This complexity is often source of vulnerabilities.Secure key management is one of the most critical aspects,since leaking a cryptographic key vanishes any advantage ofusing cryptography. In this paper we analyze Java keystores,the standard way to manage and securely store keys in Javaapplications. We consider seven keystore implementations fromOracle JDK and Bouncy Castle, a widespread cryptographiclibrary. We describe, in detail, how the various keystores enforceconfidentiality and integrity of the stored keys through password-based cryptography and we show that many of the implementa-tions do not adhere to state-of-the-art cryptographic standards.We investigate the resistance to offline attacks and we show that,for non-compliant keystores, brute-forcing can be up to threeorders of magnitude faster with respect to the most compliantkeystore. Additionally, when an attacker can tamper with thekeystore file, some implementations are vulnerable to denial ofservice attacks or, in the worst case, arbitrary code execution.Finally we discuss the fixes implemented by Oracle and BouncyCastle developers following our responsible disclosure. -
Surviving the Web
Calzavara, S., Squarcina, M., Focardi, R., & Tempesta, M. (2018). Surviving the Web. In Companion of the The Web Conference 2018 on The Web Conference 2018 - WWW ’18. International World Wide Web Conferences Steering Committee Republic and Canton of Geneva, Switzerland ©2018, Austria. ACM.
DOI: 10.1145/3184558.3186232 Metadata ⯈Fulltext (preprint)Abstract
We survey the most common attacks against web sessions, i.e.,attacks which target honest web browser users establishing an au-thenticated session with a trusted web application. We then reviewexisting security solutions which prevent or mitigate the differentattacks, by evaluating them along four different axes: protection,usability, compatibility and ease of deployment. Based on this sur-vey, we identify five guidelines that, to different extents, have beentaken into account by the designers of the different proposals wereviewed. We believe that these guidelines can be helpful for thedevelopment of innovative solutions approaching web security ina more systematic and comprehensive way -
Surviving the Web: A Journey into Web Session Security
Calzavara, S., Focardi, R., Squarcina, M., & Tempesta, M. (2017). Surviving the Web: A Journey into Web Session Security. ACM Computing Surveys, 50(1), 1–34.
DOI: 10.1145/3038923 Metadata ⯈Fulltext (preprint)Abstract
In this article, we survey the most common attacks against web sessions, that is, attacks that target honest web browser users establishing an authenticated session with a trusted web application. We then review existing security solutions that prevent or mitigate the different attacks by evaluating them along four different axes: protection, usability, compatibility, and ease of deployment. We also assess several defensive solutions that aim at providing robust safeguards against multiple attacks. Based on this survey, we identify five guidelines that, to different extents, have been taken into account by the designers of the different proposals we reviewed. We believe that these guidelines can be helpful for the development of innovative solutions approaching web security in a more systematic and comprehensive way. -
Run-Time Attack Detection in Cryptographic APIs
Squarcina, M., & Focardi, R. (2017). Run-Time Attack Detection in Cryptographic APIs. In 2017 IEEE 30th Computer Security Foundations Symposium (CSF). IEEE Computer Security Foundations Symposium, Santa Barbara, USA, Non-EU. IEEE Xplore Digital Library.
DOI: 10.1109/csf.2017.33 Metadata ⯈Fulltext (preprint)Abstract
Cryptographic APIs are often vulnerable to attacks that compromise sensitive cryptographic keys. In the literature we find many proposals for preventing or mitigating such attacks but they typically require to modify the API or to configure it in a way that might break existing applications. This makes it hard to adopt such proposals, especially because security APIs are often used in highly sensitive settings, such as financial and critical infrastructures, where systems are rarely modified and legacy applications are very common. In this paper we take a different approach. We propose an effective method to monitor existing cryptographic systems in order to detect, and possibly prevent, the leakage of sensitive cryptographic keys. The method collects logs for various devices and cryptographic services and is able to detect, offline, any leakage of sensitive keys, under the assumption that a key fingerprint is provided for each sensitive key. We define key security formally and we prove that the method is sound, complete and efficient. We also show that without key fingerprinting completeness is lost, i.e., some attacks cannot be detected. We discuss possible practical implementations and we develop a proof-of-concept log analysis tool for PKCS#11 that is able to detect, on a significant fragment of the API, all key-management attacks from the literature.
Presentations (created while at TU Wien)
-
2020
-
The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches in Progressive Web Applications
Somé, D. F., Squarcina, M., Calzavara, S., & Maffei, M. (2020). The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches in Progressive Web Applications. EuroS&P 2020 SecWeb Workshop, Genova, Italy.
MetadataAbstract
Progressive Web Applications (PWAs) are the new trend in web development, promising several features and similar advantages as native applications. They heavily rely on modern web APIs to offer an engaging user experience. Service Workers are one of the core technologies employed by PWAs. They work as a proxy server for websites, allowing requests and responses to be modified, cached and served to the browser even when the user is offline. In this work we showcase a number of flaws in the Cache API that allow an attacker to void the security policies put in place by web developers, posing serious security and privacy threats. Given that these attacks are enabled by the presence of Service Workers, we demonstrate the impact of our findings by performing a large-scale analysis on the top 110K websites. Finally, we propose a redesign of the Cache API that prevents all the attacks discussed in the paper.