Web Platform Threats: Automated Detection of Web Security Issues With WPT
Pedro Bernardo, Lorenzo Veronese, Valentino Dalla Valle, Stefano Calzavara, Marco Squarcina, Pedro Adão, Matteo Maffei
33rd USENIX Security Symposium · Day 1 · USENIX Security '24
The modern web platform is a complex ecosystem, built upon ever-evolving specifications implemented by various browsers. This talk, presented by Pedro Bernardo and a collaborative team from TU Wien and the University of Padua, addresses the challenge of ensuring security and consistency across this landscape. The research, titled "Web Platform Threats: Automated Detection of Web Security Issues With WPT," introduces a novel, automated approach that identifies security vulnerabilities within browser implementations by using the existing **Web Platform Tests (WPT)** suite in conjunction with formally defined **web invariants**.
AI review
This research introduces a robust, automated methodology for detecting browser vulnerabilities by leveraging Web Platform Tests against formally defined security invariants. The team's pipeline successfully identified 10 unique flaws, leading to two CVEs and crucial changes to the RFC 6265bis cookie specification, demonstrating significant real-world impact. This isn't just theory; it's a paradigm shift towards proactive, verifiable browser security.