| Title | Country | Year | Pages | Authors | Venue / Affiliation |
|---|---|---|---|---|---|
| Don’t Trust The Locals: Investigating the Prevalence of Persistent Client-Side XSS in the Wild | Germany | 2019 | 15 | Marius Steffens, Christian Rossow, Martin Johns, Ben Stock | NDSS Symposium |
| Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting | USA | 2018 | 15 | William Melicher, Anupam Das, Mahmood Sharif, Lujo Bauer, Limin Jia | NDSS Symposium |
| Untangling the Web of Client-Side Cross-Site Scripting | Germany | 2015 | 130 | Benjamin Stock | Friedrich-Alexander-Universität Erlangen-Nürnberg |
| 25 Million Flows Later - Large-scale Detection of DOM-based XSS | Germany | 2013 | 12 | Sebastian Lekies, Ben Stock, Martin Johns | ACM CCS |
| Regular Expressions Considered Harmful in Client-Side XSS Filters | USA | 2010 | 9 | Daniel Bates, Adam Barth, Collin Jackson | UC Berkeley & Carnegie Mellon University |
| Precise client-side protection against DOM-based XSS | Germany | 2014 | 16 | Benjamin Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, Martin Johns | 23rd USENIX Security Symposium |
| If It’s Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening | USA | 2021 | 13 | Pei Wang, Julian Bangert, Christoph Kern | Google |
| The Emperor's New API: On the (In)Secure Usage of New Client Side Primitives | USA | 2010 | 10 | Steve Hanna, Richard Shin, Devdatta Akhawe, Arman Boehm, Dawn Song | University of California, Berkeley |
| From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting | Germany | 2015 | 12 | Benjamin Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies, Martin Johns | FAU Erlangen-Nuremberg, SAP SE, Ruhr-University Bochum |
| The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites | USA | 2013 | 14 | Sooel Son, Vitaly Shmatikov | University of Texas |
| ScriptGard: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications | USA | 2011 | 11 | David Molnar, Prateek Saxena, Benjamin Livshits | UC Berkeley, Microsoft Research |
| DomXssMicro: A Micro Benchmark for Evaluating DOM-Based Cross-Site Scripting Detection | China | 2016 | 9 | Xiaoguang Mao, Jinkun Pan | National University of Defense Technology |
| DexterJS: Robust Testing Platform for DOM-Based XSS Vulnerabilities | Singapore | 2015 | 10 | Inian Parameshwaran, Enrico Budianto, Shweta Shinde, Hung Dang, Atul Sadhu, Prateek Saxena | National University of Singapore |
| Eval Begone! Semi-Automated Removal of Eval from JavaScript Programs | USA | 2012 | 14 | Fadi Meawad, Gregor Richards, Floréal Morandat, Jan Vitek | Purdue University |
| Precise XSS detection and mitigation with Client-side Templates | Canada | 2020 | 16 | José Carlos Pazos, Jean-Sébastien Légaré, Ivan Beschastnikh, William Aiello | University of British Columbia |
| Towards Elimination of XSS Attacks with a Trusted and Capability Controlled DOM | Germany | 2012 | 220 | Mario Heiderich | Ruhr-University Bochum |
| Origin Cookies: Session Integrity for Web Applications | USA | 2011 | 8 | Andrew Bortz, Adam Barth, Alexei Czeskis | Stanford University, Google Inc., University of Washington |
| PMForce: Systematically Analyzing postMessage Handlers at Scale | Germany | 2020 | 13 | Marius Steffens, Ben Stock | CISPA |
| I Know What You Did Last Summer: New Persistent Tracking Mechanisms in the Wild | UK | 2018 | 14 | Stefano Belloro, Alexios Mylonas | BBC, Bournemouth University |
| Lightweight Integrity Protection for Web Storage-driven Content Caching | Germany | 2012 | 8 | Sebastian Lekies, Martin Johns | SAP Research Karlsruhe |
| Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication | Germany | 2021 | 13 | Gordon Meiser, Pierre Laperdrix, Ben Stock | CISPA, INRIA |
| Security considerations around the usage of client-side storage APIs | UK | 2018 | 47 | Stefano Belloro, Alexios Mylonas | BBC, Bournemouth University |
| Context-Sensitive Auto-Sanitization in Web Templating Languages Using Type Qualifiers | USA | 2011 | 130 | Mike Samuel, Dawn Song, Prateek Saxena | UC Berkeley, Google Inc. |
| ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices | Germany | 2019 | 12 | Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, Martin Johns | TU Braunschweig, CISPA |
| Auto-Patching DOM-based XSS At Scale | Singapore | 2015 | 12 | Inian Parameshwaran, Enrico Budianto, Shweta Shinde, Hung Dang, Atul Sadhu, Prateek Saxena | National University of Singapore |
| A Systematic Analysis of XSS Sanitization in Web Application Frameworks | USA | 2011 | 22 | Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song | University of California, Berkeley |
| FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications | USA | 2010 | 17 | Prateek Saxena, Steve Hanna, Pongsin Poosankam, Dawn Song | University of California, Berkeley; Carnegie Mellon University |
| A Symbolic Execution Framework for JavaScript | USA | 2010 | 18 | Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, Dawn Song | University of California, Berkeley |
| The Eval that Men Do: A Large-scale Study of the Use of Eval in JavaScript Applications | USA | 2011 | 27 | Gregor Richards, Christian Hammer, Brian Burg, Jan Vitek | Purdue University, University of Washington |
| ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities | USA | 2015 | 16 | Michael Weissbacher, William Robertson, Engin Kirda, Christopher Kruegel, Giovanni Vigna | Northeastern University, UC Santa Barbara |
| Cookies Lack Integrity: Real-World Implications | USA | 2015 | 16 | Xiaofeng Zheng, Jian Jiang, Jinjin Liang, Haixin Duan, Shuo Chen, Tao Wan, Nicholas Weaver | Tsinghua University; International Computer Science Institute; Microsoft Research Redmond; University of California, Berkeley; Huawei Canada |
| Towards a Lightweight, Hybrid Approach for Detecting DOM XSS Vulnerabilities with Machine Learning | USA | 2021 | 130 | William Melicher, Lujo Bauer, Limin Jia, Clement Fung | Carnegie Mellon University |
| DOM-based XSS Attacks | Germany | 2012 | 146 | Zdravko Danailov, Krassen Deltchev | Ruhr-University Bochum |
| An Empirical Analysis of XSS Sanitization in Web Application Frameworks | USA | 2011 | 17 | Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, Dawn Song | University of California at Berkeley |
| Securing Frame Communication in Browsers | USA | 2009 | 9 | Adam Barth, Collin Jackson, John C. Mitchell | Stanford University, Carnegie Mellon University |
| Privacy Breach by Exploiting postMessage in HTML5: Identification, Evaluation, and Countermeasure | China | 2016 | 12 | Chong Guan, Kun Sun, Zhan Wang, WenTao Zhu | Chinese Academy of Sciences, RealtimeInvent Inc., College of William and Mary |
| A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web | Germany | 2020 | 16 | Stefano Calzavara, Sebastian Roth, Alvise Rabitti, Michael Backes, Ben Stock | Università Ca’ Foscari Venezia, CISPA, Saarbrücken Graduate School of Computer Science |
| Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies | USA | 2020 | 18 | Sebastian Roth, Timothy Barron, Stefano Calzavara, Nick Nikiforakis, Ben Stock | CISPA, Università Ca’ Foscari Venezia, Stony Brook University |
| Reining in the Web with Content Security Policy | USA | 2010 | 9 | Sid Stamm, Brandon Sterne, Gervase Markham | Mozilla |
| VisibleV8: In-browser Monitoring of JavaScript in the Wild | USA | 2019 | 13 | Jordan Jueckstock, Alexandros Kapravelos | North Carolina State University |
| Hiding in Plain Site: Detecting JavaScript Obfuscation through Concealed Browser API Usage | USA | 2020 | 14 | Shaown Sarker, Jordan Jueckstock, Alexandros Kapravelos | North Carolina State University |
| CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy | Austria | 2016 | 12 | Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, Artur Janc | Google |
| Why is CSP Failing? Trends and Challenges in CSP Adoption | USA | 2014 | 22 | Michael Weissbacher, Tobias Lauinger, William Robertson | Northeastern University |
| Semantics-Based Analysis of Content Security Policy Deployment | Italy | 2017 | 37 | Stefano Calzavara, Alvise Rabitti, Michele Bugliesi | Università Ca’ Foscari Venezia |
| Data Exfiltration in the Face of CSP | Sweden | 2016 | 12 | Steven Van Acker, Daniel Hausknecht, Andrei Sabelfeld | Chalmers University of Technology |
| Strengthening Content Security Policy via Monitoring and URL Parameters Filtering | France | 2020 | 13 | Tamara Rezk, Dolière Francis Somé | INRIA |
| Assessing the Impact of Script Gadgets on CSP at Scale | Germany | 2020 | 12 | Sebastian Roth, Michael Backes, Ben Stock | CISPA Helmholtz Center for Information Security |
| Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets | Austria? | 2017 | 15 | Sebastian Lekies, Krzysztof Kotowicz, Samuel Groß, Eduardo A. Vela Nava, Martin Johns | Google, SAP |
| ACCESSPROV: Tracking the Provenance of Access Control Decisions | USA | 2017 | 8 | Frank Capobianco, Christian Skalka, Trent Jaeger | The Pennsylvania State University, The University of Vermont |
| Automated Inference of Access Control Policies for Web Applications | Luxembourg | 2015 | 12 | Lionel Briand, Ha Thanh Le, Cu Duy Nguyen, Benjamin Hourte | Interdisciplinary Centre for Security, Reliability and Trust, University of Luxembourg; EarthLab |
| Static Detection of Access Control Vulnerabilities in Web Applications | USA | 2011 | 16 | Fangqi Sun, Liang Xu, Zhendong Su | University of California, Davis |
| Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications | USA | 2009 | 16 | Michael Dalton, Christos Kozyrakis, Nickolai Zeldovich | Computer Systems Laboratory, Stanford University; CSAIL, MIT |
| Automated Black Box Detection of HTTP GET Request-based Access Control Vulnerabilities in Web Applications | Switzerland | 2021 | 13 | Malte Kushnir, Olivier Favre, Marc Rennhard, Damiano Esposito, Valentin Zahnd | Institute of Applied Information Technology, scanmeter GmbH |