JavaScript has evolved into a versatile ecosystem for not just the web, but also a wide range of server-side and client-side applications. With this increased scope, the potential impact of bugs increases. Despite this, testing tools for JavaScript have remained relatively primitive, largely due to the languages complex implementation and confusing specification. ExpoSE is a dynamic symbolic execution (DSE) tool for JavaScript with support for asynchronous events, strings, and complex regular expressions (including capture groups). It also supports concurrent test-case execution and provides detailed coverage statistics.

A Solution To Compression Oracles on the Web - Cloudflare

Compression is often considered an essential tool when reducing the bandwidth usage of internet services. The impact that the use of such compression schemes can have on security, however, has often been overlooked. The recently detailed CRIME, BREACH, TIME and HEIST attacks on TLS have shown that if an attacker can make requests on behalf of a user then secret information can be extracted from encrypted messages using only the length of the response. Deciding whether an element of a web-page should be secret often depends on the content of the page, however there are some common elements of web-pages which should always remain secret such as Cross-Site Request Forgery (CSRF) tokens. Such tokens are used to ensure that malicious webpages cannot forge requests from a user by enforcing that any request must contain a secret token included in a previous response.

Detecting Humanity - Brave Software

One unresolved problem with the web is the detection of bots, programs that drive a web browser to emulate human behavior. Bot detection is an issue in web development because automated tools can reduce the user experience, such as a bot which responds to Twitter posts with angry messages. During a research internship as Brave, a privacy-focused web browser, we worked on a new client-side approach to detect user humanity.


Puffer is a novel whole system privacy protector & ad-blocker for Android that outperforms existing DNS based solutions through inspection of Server Name Indication (SNI) records during initialization of TLS connections. Our solution cannot be circumvented with custom DNS resolvers or other common circumvention approaches because we inspect connections at the packet level. As such, our approach still works out of the box with browsers that use custom DNS approaches like Firefox. It also works to stop advertising in apps from circumventing ad-blockers.