Riccardo Pelizzi

PhD Student @ Stony Brook University

Welcome to Riccardo Pelizzi's Homepage

I am a third-year PhD student at Stony Brook University working in R. Sekar's Secure Systems Laboratory . My main area of interest is Web Security. You can read more details in my Research page. Stony Brook Students interested in a CSE593/523 project in Web Security can look at the Projects page.

Valid CSS! Valid XHTML 1.0 Transitional Firefox Download Button

Short Biography

  • BEng: Universita' degli Studi di Parma - Computer Engineering - 2003-2006
  • MS: Polytechnic University of Milan - Computer Engineering - 2007-2009
    • Developed a system for high-throughput analysis and clustering of spam.
  • Research Internship: UCSB - Computer Science - Summer 2008
  • MS: Exchange student at the Technische Universität Wien - Informatik - 2009
  • Internship: Security Team - Mozilla Corporation - Summer 2011
    • Developed a Cross-Site Scripting filter for Firefox
  • PhD: Currently attending Stony Brook University, working at the System Security Lab since Fall 2009
    • Expected graduation date: 2014

Curriculum Vitae

Download Here


I am primarily interested in Web Security. Specifically, my research has been so far focused on securing users from vulnerabilities such as XSS, CSRF and HPP which exploit web application bugs to attack the user instead of the application itself. The XSS filter I developed for Firefox and my recent publication fall into this category.

I have also developed an XSS scanner that I will attempt to publish and/or release in the upcoming months, along with tools that allow an attacker to use search engines to discover new vulnerable sites, which I am hoping to publish as well (though I probably won't release the actual code).

Currently, I am trying to widen my research interests by getting involved with privacy issues related to behavioral advertisement and Mashup policies for Web 2.0 applications. Unfortunately, it seems that there are only 24 hours in a day...

My thesis topic has not been decided yet, and therefore these topics might change over time.

Private Research page (SecLab only)

Projects for Master Students

Hello MS students! Yes, we can work together! Since I am constantly opening up more research avenues than I can handle, I am always looking for help from capable MS students. Technically, you would be advised by Prof. Sekar, but in practice I handle Web Security projects by myself. He and my labmates might be in need of MS students as well for their own research interests, so check with them if Web Security is not your thing.

What to expect when taking a CSE593/523 with me:

  • You will work on a novel, interesting project in the domain of Web Security.
  • There are no "easy" or "short" projects created specifically for MS students. All projects are real research projects that would be challenging for me as well and can potentially be published. For these reasons:
    • Some projects might last more than a single semester, or might not succeed in producing anything of value. Since this is reasearch, your grade will not depend on results, but on your effort. I will meet you often to help you out with your project and keep track your progress and effort.
    • Most of these projects are urgent, either because I do not want to wait for somebody to come up with the same idea somewhere else, or because it is a fundamental part of a larger project I am currently working on. You should not take a 593/523 with the idea of moving courseload from the semester to the winter or summer break. You will be evaluated over a 4-month effort (for the CSE593).
    • You can however write me anytime for available projects and start in the middle of the semester or during a break, assuming it is ok for you to place the credits in the following semester.
  • Funding is at the discretion of my advisor. In general, funding is not available for the first semester of cooperation, but upon satisfying results, it might be available in the following semesters.
  • Prior experience in either WWW technologies or security is preferred.


Riccardo Pelizzi, R. Sekar. A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications. In Annual Computer Security Applications Conference. (ACSAC 2011), December 2011. [PDF] [SLIDES] [CODE]

Riccardo Pelizzi, R. Sekar. Protection, Usability and Improvements in Reflected XSS Filters. In ACM Symposium on Information, Computer and Communications Security. (ASIACCS 2012), May 2012. [PDF] [SLIDES]


This page contains software, documents and information that wouldn't fit anywhere else.
  • A reference implementation for the paper "A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications" [CODE]
  • Patch to add a reflected XSS filter to Firefox. [LINK]
  • My Research Proficiency Exam (RPE) from 2011, "Web Vulnerabilities and Defenses" [PDF]
  • My MS thesis from 2009, "A System for High-Throughput Spam Analysis and Clustering" [PDF] [SLIDES]
  • Taugenichts, a gnome indicator to track PC usage [REPO]
  • Firefox-Resident Crawler [COMING SOON]


The page requested could not be found.
Why don't you have a seat over here?