I am primarily interested in Web Security. I've worked on three main areas:
Securing users from vulnerabilities such as XSS, CSRF and HPP, which exploit web application bugs to attack the user instead.
I have also developed an XSS scanner, along with tools that allow an attacker to use search engines to discover new vulnerable sites. A tech report is available here
Development of secure Web Applications using the Spreadsheet paradigm.
Spreadsheet are an extremely successful programming paradigm, mostly thanks their simplicity and concreteness. In fact, non-programmers routinely use spreadsheets to build applications in tabular format, even though they don't refer to them as applications. We are studying whether it is possible to improve the spreadsheet paradigm and extend its applicability to Web Applications. The related paper is in submission (available upon request)
Riccardo Pelizzi, R. Sekar. A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications. In Annual Computer Security Applications Conference (ACSAC 2011), December 2011. [PDF] [SLIDES] [CODE]
Riccardo Pelizzi, R. Sekar. Protection, Usability and Improvements in Reflected XSS Filters. In ACM Symposium on Information, Computer and Communications Security (ASIACCS 2012), May 2012. [PDF] [SLIDES]
Riccardo Pelizzi, R. Sekar. WebSheets: Web Applications for Non-Programmers In ACM New Security Paradigms Workshop (NSPW 2015), September 2015. [COMING SOON]