Hi there

My name is Marco Squarcina, I'm a postdoctoral researcher at TU Wien. My research interests focus mainly on web security, but I’m passionate about computer security and hacking in its broadest sense. I love teaching and I'm a strong support of learning by doing. I play and organise CTFs with w0y and mhackeroni. Before relocating to Austria I co-organized the Italian Cyber Challenge project and served as a coach for the national team that competed in the ENISA European Cyber Security Challenge.

The best way to get in touch with me is by e-mail. Please use my PGP key if you need to send sensitive data. You can also reach me by phone at +43 (1) 58801-192607, or in my office at Favoritenstrasse 9-11, Stiege 2, 1. Stock, 1040 Wien.

Selected Publications

• Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web. USENIX Security. 2021. pdf bibtex website
  M. Squarcina, M. Tempesta, L. Veronese, S. Calzavara, M. Maffei.
• The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches. 15th IEEE Workshop on Offensive Technologies (WOOT 21). 2021. pdf bibtex website
  M. Squarcina, S. Calzavara, M. Maffei.
• Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. IEEE Symposium on Security and Privacy (S&P). 2019. pdf website
  S. Calzavara, R. Focardi, M. Nemec, A. Rabitti, M. Squarcina.
• WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring. USENIX Security. 2018. arXiv pdf slides
  S. Calzavara, R. Focardi, M. Maffei, C. Schneidewind, M. Squarcina, M. Tempesta.
• Mind Your Keys? A Security Evaluation of Java Keystores. Network and Distributed System Security Symposium (NDSS 2018). 2018. pdf slides video
  R. Focardi, F. Palmarini, G. Steel, M. Squarcina, M. Tempesta.
• Surviving the Web: A Journey into Web Session Security. ACM Computing Surveys (CSUR). 2017. Pre-print version: pdf
  S. Calzavara, R. Focardi, M. Squarcina, M. Tempesta.
• Run-time Attack Detection in Cryptographic APIs. 30th Computer Security Foundations Symposium (CSF 2017). 2017. pdf slides
  R. Focardi, M. Squarcina.
• Gran: model checking grsecurity RBAC policies. 25th Computer Security Foundations Symposium (CSF 2012). 2012. pdf
  M. Bugliesi, S. Calzavara, R. Focardi, M. Squarcina.

My scholar profile.

Teaching

• 2021 (WS): lecturer, Attacks and Defenses in Computer Security (VU) [192.111], TU Wien
• 2021 (WS): lecturer, Attacks and Defenses in Computer Security (UE) [192.111], TU Wien
• 2020 (WS): lecturer, Attacks and Defenses in Computer Security (UE) [192.111], TU Wien
• 2020 (WS): guest lecturer, Systems and Applications Security (VU) [192.112], TU Wien
• 2020 (SS): lecturer, Introduction to Security (UE) [192.092], TU Wien
• 2019 (WS): guest lecturer, Advanced Internet Security (VU) [192.091], TU Wien
• 2019 (WS): lecturer, Capture the Flag (SE) [192.092], TU Wien
• 2019 (SS): lecturer, Introduction to Security (UE) [192.082], TU Wien
• 2015/16 - 2017/18: teaching assistant, Security 1 [CM0475], Security 2 [CM0494], Ca' Foscari University of Venice
• 2013/14 - 2014/15: teaching assistant, Security of Computer Systems [CM0288], Ca' Foscari University of Venice

Selected Vulns

• Vulnerability in the third-party domain connection feature on Shopify, see the paper
• SAML2.0, Login CSRF on Google
• CVE-2018-2794, Oracle Java, CVSS 3.0 Base Score 7.7 (HIGH)
• CVE-2017-10356, Oracle Java, CVSS 3.0 Base Score 6.2 (MEDIUM)
• CVE-2017-10345, Oracle Java, CVSS 3.0 Base Score 3.1 (LOW)

Music

I'm a jungle/drum'n'bass DJ, still using turntables and carrying around a 30kg record bag. You can find a selection of my old dj sets on mixcloud. More recently I've started streaming on Twitch, follow me if you want to be notified when I go live.