Vulnerability analyses for deployed systems

We study real-world systems, such as browsers and web applications, that have very large user bases; we identify classes of new security and privacy threats; and we construct convincing end-to-end attacks that demonstrate these threats intuitively, so that the industry is compelled to address them.

A "field study" of commercially deployed single-sign-on (SSO) schemes

We studied many websites that use popular web-based SSO schemes. We discovered 8 different types of logic flaws that allow an attacker to sign in as a victim. The study was based on a tool called BRM Analyzer, which we launched at. Our paper can be downloaded here.

How to shop for free online

We studied many merchant websites that accept third-party payments, such as through PayPal, Amazon Payments and Google Checkout. Many logic flaws were identified, which allowed us to shop for free! All 9 flaws that we reported were fixed promptly. The paper and the slide deck are archived here. The paper won the "best practical paper" award at the Oakland conference. The work received extensive news coverage, including CNNMoney, CNET and others. The work was in collaboration with Rui Wang and XiaoFeng Wang of Indiana University Bloomington.

Channel 9 interview

X.commerce Innovate Developer Conference 2011

PayPal gave a 44-minute talk about our free-shopping work at its developer conference.


Side-channel leaks in web applications

We demonstrated that by observing side-channel characteristics of encrypted web traffic, an eavesdropper can infer surprisingly detailed information about a user. The information includes health records, family income, investment details and search queries, which poses a serious privacy threat to Software-as-a-Service. Our Oakland paper and its slide deck are archived here. The work was described in several articles, including ones by Network World, The Register, Ed Felten and Bruce Schneier. It is joint work with Rui Wang, XiaoFeng Wang and Kehuan Zhang of Indiana University Bloomington.
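A toy model of the leak this work describes, added here as an illustration rather than code from the paper: the eavesdropper sees only the lengths of encrypted autocomplete replies, and the suggestion table, query list and reply format are all constructed. The `pad_to` parameter shows how padding replies to a block boundary narrows or removes the leak.

```python
from collections import defaultdict

# Constructed autocomplete table: typed prefix -> suggestions the server returns.
SUGGESTIONS = {
    "a": ["apple", "asthma", "aspirin"], "as": ["asthma", "aspirin"],
    "ast": ["asthma"], "asp": ["aspirin"],
    "b": ["bank", "bronchitis"], "br": ["bronchitis", "breast cancer"],
    "bro": ["bronchitis"], "bre": ["breast cancer"],
}
# Constructed list of queries the eavesdropper wants to tell apart.
QUERIES = ["asthma", "aspirin", "bronchitis", "breast cancer"]

def response_for(prefix):
    """Plaintext JSON-like reply for one keystroke (constructed format)."""
    return "[" + ",".join('"%s"' % s for s in SUGGESTIONS.get(prefix, [])) + "]"

def observed_lengths(query, keystrokes, pad_to=0):
    """Ciphertext lengths seen on the wire as the first `keystrokes` characters
    of `query` are typed. Assumes length-preserving encryption, so the
    ciphertext length equals the (optionally padded) plaintext length.
    pad_to > 0 models the server padding each reply up to a multiple of
    pad_to bytes before encrypting it."""
    seen = []
    for i in range(1, keystrokes + 1):
        n = len(response_for(query[:i]))
        if pad_to:
            n = -(-n // pad_to) * pad_to  # round up to the next block boundary
        seen.append(n)
    return tuple(seen)

def build_fingerprints(queries, keystrokes, pad_to=0):
    """Eavesdropper's offline table: length sequence -> queries producing it."""
    table = defaultdict(set)
    for q in queries:
        table[observed_lengths(q, keystrokes, pad_to)].add(q)
    return table

def infer(query, queries, keystrokes, pad_to=0):
    """Queries consistent with what the eavesdropper observes for `query`."""
    return build_fingerprints(queries, keystrokes, pad_to)[
        observed_lengths(query, keystrokes, pad_to)]

if __name__ == "__main__":
    for pad in (0, 8, 32):
        for q in QUERIES:
            print("pad=%2d %-14s -> %s" % (pad, q, sorted(infer(q, QUERIES, 3, pad))))
```

Without padding, three keystrokes identify each constructed query uniquely; padding to 8 bytes merges only some of them, while padding every reply to 32 bytes makes all four indistinguishable at the cost of extra bandwidth.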


We focused on a specific adversary named "Pretty-Bad-Proxy" (PBP). A PBP is a malicious proxy that targets browsers' rendering modules above the HTTP/HTTPS layer. It attempts to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme. We discovered a set of vulnerabilities exploitable by a PBP: in many realistic network environments where attackers can sniff browser traffic, they can steal sensitive data from an HTTPS server, fake an HTTPS page, and impersonate an authenticated user to access an HTTPS server.

All major browsers, including IE, Firefox, Chrome, Opera and Safari, were vulnerable to some of the bugs we reported. Most of the bugs have been fixed. MSDN posted an article explaining one of the changes made in IE8. The paper and the slide deck can be obtained here. The work was covered by Technology Review, Computer World and ZDNet.


We built a formal model of IE6's GUI behaviors, specifically those of the status bar and the address bar. We model-checked it and found 13 logic bugs that resulted in GUI spoofing (an example), 11 of which were fixed before IE7 shipped. Our paper can be downloaded here.