[14] OWASP, “Cross-Site Request Forgery Prevention Cheat Sheet.” [Online]. Available: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
[15] “XMLHttpRequest API,” MDN Web Docs. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
[16] “Fetch Living Standard.” [Online]. Available: https://fetch.spec.whatwg.org
[17] “Beacon,” W3C Working Draft, 2023. [Online]. Available: https://www.w3.org/TR/beacon/
[18] J. Wilander, “Advanced CSRF and Stateless Anti-CSRF,” 2012.
[19] P. De Ryck, L. Desmet, W. Joosen, and F. Piessens, “Automatic and Precise Client-Side Protection against CSRF Attacks,” in ESORICS, 2011.
[20] X. Likaj, S. Khodayari, and G. Pellegrino, “Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks,” in RAID Symposium, 2021, pp. 370–385.
[21] “Bitnami Application Catalog.” [Online]. Available: https://bitnami.com/stacks
[22] “Project Foxhound.” [Online]. Available: https://github.com/SAP/project-foxhound
[23] D. Klein, T. Barber, S. Bensalim, B. Stock, and M. Johns, “Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions,” in IEEE EuroS&P, 2022.
[24] “Chrome DevTools Protocol.” [Online]. Available: https://chromedevtools.github.io/devtools-protocol/
[25] M. West, “Content Security Policy Level 3,” W3C Working Draft, 2022. [Online]. Available: https://w3c.github.io/webappsec-csp/
[26] L. Weichselbaum, M. Spagnuolo, S. Lekies, and A. Janc, “CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy,” in ACM CCS, 2016, pp. 1376–1387.
[27] “Cross-Origin Opener Policy,” MDN Web Docs. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
[28] J. Schwenk, M. Niemietz, and C. Mainka, “Same-Origin Policy: Evaluation in Modern Browsers,” in USENIX Security Symposium, 2017.
[29] D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, and D. Song, “Towards a Formal Foundation of Web Security,” in IEEE CSF, 2010.
[30] S. Lekies, B. Stock, and M. Johns, “25 Million Flows Later: Large-Scale Detection of DOM-Based XSS,” in ACM CCS, 2013.
[31] S. Lekies, K. Kotowicz, S. Groß, E. A. Vela Nava, and M. Johns, “Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets,” in ACM CCS, 2017.
[32] M. Steffens and B. Stock, “PMForce: Systematically Analyzing postMessage Handlers at Scale,” in ACM CCS, 2020.
[33] “window.open() API,” MDN Web Docs. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/API/Window/open
[34] “Cookies: HTTP State Management Mechanism,” 2020. [Online]. Available: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05
[35] “Cross-Origin Resource Sharing,” MDN Web Docs. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
[36] “CSP connect-src Directive,” MDN Web Docs. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
[37] “Cross-Origin Embedder Policy,” MDN Web Docs. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
[38] “HTML Living Standard,” 2023. [Online]. Available: https://html.spec.whatwg.org/
[39] “XMLHttpRequest Living Standard.” [Online]. Available: https://xhr.spec.whatwg.org/
[40] “Push API Specification,” W3C Working Draft, 2023. [Online]. Available: https://www.w3.org/TR/push-api/
[41] “WebSockets Living Standard,” 2023. [Online]. Available: https://websockets.spec.whatwg.org/
[42] “WHATWG Specifications.” [Online]. Available: https://spec.whatwg.org/
[43] “W3C Standards and Drafts.” [Online]. Available: https://www.w3.org/TR/
[44] S. Khodayari and G. Pellegrino, “It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses,” in IEEE S&P Symposium, 2023.
[45] “Push API: CSRF on PushManager Subscriptions,” MDN Web Docs. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/API/Push_API
[46] K. Subramani, J. Jueckstock, A. Kapravelos, and R. Perdisci, “SoK: Workerounds: Categorizing Service Worker Attacks and Mitigations,” in IEEE EuroS&P Symposium, 2022.
[47] T. Watanabe, E. Shioji, M. Akiyama, and T. Mori, “Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites,” in NDSS Symposium, 2020.
[48] I. Hickson, “Server-Sent Events,” W3C Working Draft, 2012. [Online]. Available: https://www.w3.org/TR/2012/WD-eventsource-20120426/
[49] C. Schneider, “Cross-Site WebSocket Hijacking (CSWSH),” 2019. [Online]. Available: https://christian-schneider.net/CrossSiteWebSocketHijacking.html
[50] “Cross-Site WebSocket Hijacking.” [Online]. Available: https://portswigger.net/web-security/websockets/cross-site-websocket-hijacking
[51] W. Mei and Z. Long, “Research and Defense of Cross-Site WebSocket Hijacking Vulnerability,” in IEEE International Conference on Artificial Intelligence and Computer Applications (ICAICA), 2020.
[52] P. Murley, Z. Ma, J. Mason, M. Bailey, and A. Kharraz, “WebSocket Adoption and the Landscape of the Real-Time Web,” in The Web Conference (WWW), 2021. [Online]. Available: https://doi.org/10.1145/3442381.3450063
[53] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna, “Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis,” in NDSS Symposium, 2007.
[54] M. Steffens, C. Rossow, M. Johns, and B. Stock, “Don’t Trust the Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild,” in NDSS Symposium, 2019.
[55] “Exposure of Sensitive Information to Unauthorized Actors in EventSource,” 2022. [Online]. Available: https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e/
[56] S. Calzavara, M. Conti, R. Focardi, A. Rabitti, and G. Tolomei, “Mitch: A Machine Learning Approach to the Black-Box Detection of CSRF Vulnerabilities,” in IEEE EuroS&P Symposium, 2019.
[57] “The WebSocket API,” MDN Web Docs. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API
[58] V. Le Pochat, T. Van Goethem, S. Tajalizadehkhoob, M. Korczyński, and W. Joosen, “Tranco: A Research-Oriented Top Sites Ranking Hardened against Manipulation,” in NDSS Symposium, 2019.
[59] “Playwright Browser Automation Framework.” [Online]. Available: https://playwright.dev/
[60] “Firefox Developer Tools.” [Online]. Available: https://firefox-dev.tools/
[61] S. Pletinckx, K. Borgolte, and T. Fiebig, “Out of Sight, Out of Mind: Detecting Orphaned Web Pages at Internet-Scale,” in ACM CCS, 2021.
[62] M. Henzinger, “Finding Near-Duplicate Web Pages: A Large-Scale Evaluation of Algorithms,” in ACM SIGIR Conference on Research and Development in Information Retrieval, 2006.
[63] F. Yamaguchi, N. Golde, D. Arp, and K. Rieck, “Modeling and Discovering Vulnerabilities with Code Property Graphs,” in IEEE S&P Symposium, 2014.
[64] M. Backes, K. Rieck, M. Skoruppa, B. Stock, and F. Yamaguchi, “Efficient and Flexible Discovery of PHP Application Vulnerabilities,” in IEEE EuroS&P Symposium, 2017.
[65] “Neo4j.” [Online]. Available: https://neo4j.com/
[66] T. Brito, P. Lopes, N. Santos, and J. F. Santos, “Wasmati: An Efficient Static Vulnerability Scanner for WebAssembly,” Computers & Security, 2022.
[67] S. Guarnieri and B. Livshits, “GULFSTREAM: Staged Static Analysis for Streaming JavaScript Applications,” in Proceedings of the USENIX Conference on Web Application Development, 2010.
[68] S. H. Jensen, P. A. Jonsson, and A. Møller, “Remedying the Eval that Men Do,” in ACM ISSTA, 2012.
[69] K. Gallaba, A. Mesbah, and I. Beschastnikh, “Don’t Call Us, We’ll Call You: Characterizing Callbacks in JavaScript,” in Proceedings of the ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, 2015.
[70] M. Madsen, B. Livshits, and M. Fanning, “Practical Static Analysis of JavaScript Applications in the Presence of Frameworks and Libraries,” in Proceedings of the ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2013.
[71] S. H. Jensen, M. Madsen, and A. Møller, “Modeling the HTML DOM and Browser API in Static Analysis of JavaScript Web Applications,” in Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European Conference on Foundations of Software Engineering (ESEC/FSE), 2011.
[72] “setTimeout global function,” MDN Web Docs. [Online]. Available: https://developer.mozilla.org/en-US/doc