| Title | Country | Year | Pages | Authors | Affiliation / Venue |
|---|---|---|---|---|---|
| Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side XSS in the Wild | Germany | 2019 | 15 | Marius Steffens, Christian Rossow, Martin Johns, Ben Stock | Hindawi Journal of Computer Networks and Communications |
| Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting | USA | 2018 | 15 | William Melicher, Anupam Das, Mahmood Sharif, Lujo Bauer, Limin Jia | NDSS Symposium |
| Untangling the Web of Client-Side Cross-Site Scripting | Germany | 2015 | 130 | Benjamin Stock | Friedrich-Alexander-Universität Erlangen-Nürnberg |
| 25 Million Flows Later - Large-scale Detection of DOM-based XSS | Germany | 2013 | 12 | Sebastian Lekies, Ben Stock, Martin Johns | Future Generation Computer Systems |
| Regular Expressions Considered Harmful in Client-Side XSS Filters | USA | 2010 | 9 | Daniel Bates, Adam Barth, Collin Jackson | UC Berkeley & Carnegie Mellon University |
| Precise client-side protection against DOM-based XSS | Germany | 2014 | 16 | Benjamin Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, Martin Johns | 23rd USENIX Security Symposium |
| If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening | USA | 2021 | 13 | Pei Wang, Julian Bangert, Christoph Kern | UC Berkeley |
| The Emperor's New API: On the (In)Secure Usage of New Client Side Primitives | USA | 2010 | 10 | Steve Hanna, Richard Shin, Devdatta Akhawe, Arman Boehm, Dawn Song | University of California, Berkeley |
| From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting | Germany | 2015 | 12 | Benjamin Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies, Martin Johns | FAU Erlangen-Nuremberg, SAP SE, Ruhr-University Bochum |
| The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites | USA | 2013 | 14 | Sooel Son, Vitaly Shmatikov | University of Texas |
| ScriptGard: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications | USA | 2011 | 11 | David Molnar, Prateek Saxena, Benjamin Livshits | UC Berkeley, Microsoft Research |
| DomXssMicro: A Micro Benchmark for Evaluating DOM-Based Cross-Site Scripting Detection | China | 2016 | 9 | Xiaoguang Mao, Jinkun Pan | National University of Defense Technology |
| DexterJS: Robust Testing Platform for DOM-Based XSS Vuln. | Singapore | 2015 | 10 | Inian Parameshwaran, Enrico Budianto, Shweta Shinde, Hung Dang, Atul Sadhu, Prateek Saxena | National University of Singapore, Singapore |
| Eval Begone! Semi-Automated Removal of Eval from JavaScript Programs | USA | 2012 | 14 | Fadi Meawad, Gregor Richards, Floreal Morandat, Jan Vitek | Purdue University |
| Precise XSS detection and mitigation with Client-side Templates | USA | 2020 | 16 | José Carlos Pazos, Jean-Sébastien Légaré, Ivan Beschastnikh, William Aiello | University of British Columbia |
| Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM | Germany | 2012 | 220 | Mario Heiderich | Ruhr-University Bochum |
| Origin Cookies: Session Integrity for Web Applications | USA | 2011 | 8 | Andrew Bortz, Adam Barth, Alexei Czeskis | Stanford University, Google, Inc., University of Washington |
| PMForce: Systematically Analyzing postMessage Handlers at Scale | Germany | 2020 | 13 | Marius Steffens, Ben Stock | CISPA |
| I Know What You Did Last Summer: New Persistent Tracking Mechanisms in the Wild | UK | 2018 | 14 | Stefano Belloro, Alexios Mylonas | BBC, Bournemouth University |
| Lightweight Integrity Protection for Web Storage-driven Content Caching | Germany | 2012 | 8 | Sebastian Lekies, Martin Johns | SAP Research Karlsruhe |
| Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication | Germany | 2021 | 13 | Gordon Meiser, Pierre Laperdrix, Ben Stock | CISPA, INRIA |
| Security considerations around the usage of client-side storage APIs | UK | 2018 | 47 | Stefano Belloro, Alexios Mylonas | BBC, Bournemouth University |
| Context-Sensitive Auto-Sanitization in Web Templating Languages Using Type Qualifiers | USA | 2011 | 130 | Mike Samuel, Dawn Song, Prateek Saxena | UC Berkeley, Google Inc. |
| ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices | Germany | 2019 | 12 | Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, Martin Johns | CISPA & TU Braunschweig |
| Auto-Patching DOM-based XSS At Scale | Singapore | 2015 | 12 | Inian Parameshwaran, Enrico Budianto, Shweta Shinde, Hung Dang, Atul Sadhu, Prateek Saxena | National University of Singapore |
| A Systematic Analysis of XSS Sanitization in Web Application Frameworks | USA | 2011 | 22 | Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song | University of California, Berkeley |
| FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications | USA | 2010 | 17 | Prateek Saxena, Steve Hanna, Pongsin Poosankam, Dawn Song | University of California, Berkeley, Carnegie Mellon University |
| A Symbolic Execution Framework for JavaScript | USA | 2010 | 18 | Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, Dawn Song | University of California, Berkeley |
| The Eval that Men Do: A Large-scale Study of the Use of Eval in JavaScript Applications | USA | 2011 | 27 | Gregor Richards, Christian Hammer, Brian Burg, Jan Vitek | Purdue University, University of Washington |
| ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities | USA | 2015 | 16 | Michael Weissbacher, William Robertson, Engin Kirda, Christopher Kruegel, Giovanni Vigna | Northeastern University, UC Santa Barbara |
| Cookies Lack Integrity: Real-World Implications | USA | 2015 | 16 | Xiaofeng Zheng, Jian Jiang, Jinjin Liang, Haixin Duan, Shuo Chen, Tao Wan, Nicholas Weaver | Tsinghua University and International Computer Science Institute, Microsoft Research Redmond, University of California, Berkeley, Huawei Canada |
| Towards a Lightweight, Hybrid Approach for Detecting DOM XSS Vulnerabilities with Machine Learning | USA | 2021 | 130 | William Melicher, Lujo Bauer, Limin Jia, Clement Fung | Carnegie Mellon University |
| ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices | Germany | 2019 | 16 | Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, Martin Johns | TU Braunschweig, CISPA |
| DOM-based XSS Attacks | Germany | 2012 | 146 | Zdravko Danailov, Krassen Deltchev | Ruhr-University of Bochum |
| An Empirical Analysis of XSS Sanitization in Web Application Frameworks | USA | 2011 | 17 | Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song | University of California at Berkeley |
| Securing Frame Communication in Browsers | USA | 2009 | 9 | Adam Barth, Collin Jackson, John C. Mitchell | Stanford, Carnegie Mellon |
| Privacy Breach by Exploiting postMessage in HTML5: Identification, Evaluation, and Countermeasure | China | 2016 | 12 | Chong Guan, Kun Sun, Zhan Wang, WenTao Zhu | Chinese Academy of Sciences, RealtimeInvent, Inc., College of William and Mary |
| A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web | Germany | 2020 | 16 | Stefano Calzavara, Sebastian Roth, Alvise Rabitti, Michael Backes, Ben Stock | Università Ca’ Foscari, CISPA, Saarbrücken Graduate School of Computer Science |
| Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies | USA | 2020 | 18 | Sebastian Roth, Timothy Barron, Stefano Calzavara, Nick Nikiforakis, Ben Stock | CISPA, Università Ca’ Foscari Venezia, Stony Brook University |
| Reining in the Web with Content Security Policy | China | 2010 | 9 | Sid Stamm, Brandon Sterne, Gervase Markham | Mozilla |
| VisibleV8: In-browser Monitoring of JavaScript in the Wild | USA | 2019 | 13 | Jordan Jueckstock, Alexandros Kapravelos | North Carolina State University |
| Hiding in Plain Site: Detecting JavaScript Obfuscation through Concealed Browser API Usage | USA | 2020 | 14 | Shaown Sarker, Jordan Jueckstock, Alexandros Kapravelos | North Carolina State University |
| CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy | Austria | 2016 | 12 | Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, Artur Janc | Google |
| Why is CSP Failing? Trends and Challenges in CSP Adoption | USA | 2014 | 22 | Michael Weissbacher, William Robertson, Tobias Lauinger | North Carolina State University |
| Semantics-Based Analysis of Content Security Policy Deployment | Italy | 2017 | 37 | Stefano Calzavara, Alvise Rabitti, Michele Bugliesi | Università Ca’ Foscari Venezia |
| Data Exfiltration in the Face of CSP | Sweden | 2016 | 12 | Steven Van Acker, Daniel Hausknecht, Andrei Sabelfeld | Chalmers University of Technology |
| Strengthening Content Security Policy via Monitoring and URL Parameters Filtering | France | 2020 | 13 | Tamara Rezk, Dolière Francis Somé | INRIA |
| Assessing the Impact of Script Gadgets on CSP at Scale | Germany | 2020 | 12 | Sebastian Roth, Michael Backes, Ben Stock | CISPA Helmholtz Center for Information Security |
| Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets | Austria? | 2017 | 15 | Sebastian Lekies, Krzysztof Kotowicz, Samuel Groß, Eduardo A. Vela Nava, Martin Johns | Google, SAP |
| ACCESSPROV: Tracking the Provenance of Access Control Decisions | USA | 2017 | 8 | Frank Capobianco, Christian Skalka, Trent Jaeger | The Pennsylvania State University, The University of Vermont |
| Automated Inference of Access Control Policies for Web Applications | Luxembourg | 2015 | 12 | Lionel Briand, Ha Thanh Le, Cu Duy Nguyen, Benjamin Hourte | Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg, EarthLab |
| Static Detection of Access Control Vulnerabilities in Web Applications | USA | 2011 | 16 | Fangqi Sun, Liang Xu, Zhendong Su | University of California, Davis |
| Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications | USA | 2009 | 16 | Michael Dalton, Christos Kozyrakis, Nickolai Zeldovich | Computer Systems Laboratory, Stanford University; CSAIL, MIT |
| Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications | Zurich | 2021 | 13 | Malte Kushnir, Olivier Favre, Marc Rennhard, Damiano Esposito, Valentin Zahnd | Institute of Applied Information Technology, scanmeter GmbH |