Riccardo Pelizzi

PhD Student @ Stony Brook University

Welcome to Riccardo Pelizzi's Homepage

I am a PhD student at Stony Brook University, working in R. Sekar's Secure Systems Laboratory . My main area of interest is Web Security. During my Ph.D. studies, I've worked on XSS and CSRF detection and prevention, isolation and policy enforcement of untrusted JavaScript code, and Secure Web Application Programming using the Spreadsheet paradigm. You can read more details in my Research page.

Short Biography

  • BEng: Universita' degli Studi di Parma - Computer Engineering - 2003-2006
  • MS: Polytechnic University of Milan - Computer Engineering - 2007-2009
    • Developed a system for high-throughput analysis and clustering of spam.
  • Research Internship: UCSB - Computer Science - Summer 2008
  • MS: Exchange student at the Technische Universität Wien - Informatik - 2009
  • Internship: Security Team - Mozilla Corporation - Summer 2011
    • Developed a Cross-Site Scripting filter for Firefox
  • PhD: Currently attending Stony Brook University, working at the System Security Lab since Fall 2009
    • Expected graduation date: Fall 2015

Curriculum Vitae

Download Here


I am primarily interested in Web Security. I've worked on three main areas:

  • Securing users from vulnerabilities such as XSS, CSRF and HPP, which exploit web application bugs to attack the user instead.

    The XSS filter I developed for Firefox and my ASIACCS publication about XSS and ACSAC publication about CSRF fall into this category.

    I have also developed an XSS scanner, along with tools that allow an attacker to use search engines to discover new vulnerable sites. A tech report is available here

  • Confinement and policy enforcement on untrusted JavaScript code.

    We have developed a confinement solution based on ES6 technologies to confine JavaScript code with no language restrictions and reasonable overhead. The first phase of this research (completed) was to achieve full mediation, building a secure confinement runtime. The related paper is in submission (available upon request, including implementation). The second (ongoing) phase of this project is to build upon the confinement runtime and develop a policy framework.

  • Development of secure Web Applications using the Spreadsheet paradigm.

    Spreadsheet are an extremely successful programming paradigm, mostly thanks their simplicity and concreteness. In fact, non-programmers routinely use spreadsheets to build applications in tabular format, even though they don't refer to them as applications. We are studying whether it is possible to improve the spreadsheet paradigm and extend its applicability to Web Applications. The related paper is in submission (available upon request)


Riccardo Pelizzi, R. Sekar. A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications. In Annual Computer Security Applications Conference (ACSAC 2011), December 2011. [PDF] [SLIDES] [CODE]

Riccardo Pelizzi, R. Sekar. Protection, Usability and Improvements in Reflected XSS Filters. In ACM Symposium on Information, Computer and Communications Security (ASIACCS 2012), May 2012. [PDF] [SLIDES]

Riccardo Pelizzi, R. Sekar. WebSheets: Web Applications for Non-Programmers In ACM New Security Paradigms Workshop (NSPW 2015), September 2015. [PDF] [CODE]

Tung Tran, Riccardo Pelizzi, R. Sekar. Jate: Transparent and Efficient JavaScript Confinement. In Annual Computer Security Applications Conference (ACSAC 2015), December 2015. [PDF]


This page contains software, documents and information that wouldn't fit anywhere else.
  • [JavaScript, Python] jCSRF, A reference implementation for the paper "A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications" [CODE]
  • [PHP, C] CSRFProtector, an Apache Module and PHP library by OWASP based on the same paper [LINK]
  • [C++, JavaScript] XSSFilt, A reference implementation for the paper "Protection, Usability and Improvements in Reflected XSS Filters" [CODE]
  • [C++, JavaScript] Patch to add a reflected XSS filter to Firefox. [CODE]
  • My Research Proficiency Exam (RPE) from 2011, "Web Vulnerabilities and Defenses" [PDF]
  • My MS thesis from 2009, "A System for High-Throughput Spam Analysis and Clustering" [PDF] [SLIDES]
  • [Python] gDork, a XSS vulnerability discovery tool and XSS scanner [available upon request]
  • [JavaScript] Extension to confine untrusted JavaScript on Firefox [preview avaiable upon request]
  • [Haskell] hSite, yet another Site Generator [REPO]
  • [JavaScript] Addon-proxy, a node/addon-sdk module to rewrite incoming requests [REPO]


The page requested could not be found.