Web applications are an integral part of our lives and culture. We use

web applications to manage our bank accounts, interact with friends,

and file our taxes. A single vulnerability in one of these web

applications could allow a malicious hacker to steal your money, to

impersonate you on Facebook, or to access sensitive information, such

as tax returns. It is vital that we develop new approaches to discover

and fix these vulnerabilities before the cybercriminals exploit them.

In this dissertation, I will present my research on securing the web

against current threats and future threats. First, I will discuss my

work on improving black-box vulnerability scanners, which are tools

that can automatically discover vulnerabilities in web applications.

Then, I will describe a new type of web application vulnerability:

Execution After Redirect, or EAR, and an approach to automatically

detect EARs in web applications. Finally, I will present deDacota, a

first step in the direction of making web applications secure by

construction.

Security competitions have become a popular way to foster security education by creating a competitive environment in which participants go beyond the effort usually required in traditional security courses. Live security competitions (also called “Capture The Flag,” or CTF competitions) are particularly well-suited to support hands-on experience, as they usually have both an attack and a defense component. Unfortunately, because these competitions put several (possibly many) teams against one another, they are difficult to design, implement, and run. This paper presents a framework that is based on the lessons learned in running, for more than 10 years, the largest educational CTF in the world, called iCTF. The framework’s goal is to provide educational institutions and other organizations with the ability to run customizable CTF competitions. The framework is open and leverages the security community for the creation of a corpus of educational security challenges.