{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,25]],"date-time":"2025-03-25T14:13:05Z","timestamp":1742911985796,"version":"3.40.3"},"publisher-location":"Cham","reference-count":46,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030299613"},{"type":"electronic","value":"9783030299620"}],"license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019]]},"DOI":"10.1007\/978-3-030-29962-0_27","type":"book-chapter","created":{"date-parts":[[2019,9,14]],"date-time":"2019-09-14T23:03:29Z","timestamp":1568502209000},"page":"565-585","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Mime Artist: Bypassing Whitelisting for the Web with JavaScript Mimicry 
Attacks"],"prefix":"10.1007","author":[{"given":"Stefanos","family":"Chaliasos","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"George","family":"Metaxopoulos","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"George","family":"Argyros","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dimitris","family":"Mitropoulos","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2019,9,15]]},"reference":[{"key":"27_CR1","doi-asserted-by":"crossref","unstructured":"Lekies, S., Kotowicz, K., Gro\u00df, S., Vela Nava, E.A., Johns, M.: Code-reuse attacks for the web: breaking cross-site scripting mitigations via script gadgets. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1709\u20131723. ACM (2017)","DOI":"10.1145\/3133956.3134091"},{"key":"27_CR2","doi-asserted-by":"crossref","unstructured":"Oren, Y., Kemerlis, V.P., Sethumadhavan, S., Keromytis, A.D.: The spy in the sandbox: practical cache attacks in JavaScript and their implications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, New York, NY, USA, pp. 1406\u20131418. ACM (2015)","DOI":"10.1145\/2810103.2813708"},{"key":"27_CR3","unstructured":"Stock, B., Lekies, S., Mueller, T., Spiegel, P., Johns, M.: Precise client-side protection against DOM-based cross-site scripting. In: 23rd USENIX Security Symposium, San Diego, CA, pp. 655\u2013670 (2014)"},{"key":"27_CR4","doi-asserted-by":"crossref","unstructured":"Heiderich, M., Niemietz, M., Schuster, F., Holz, T., Schwenk, J.: Scriptless attacks: stealing the pie without touching the sill. In: Proceedings of the 19th Conference on Computer and Communications Security, pp. 
760\u2013771 (2012)","DOI":"10.1145\/2382196.2382276"},{"key":"27_CR5","doi-asserted-by":"crossref","unstructured":"Bojinov, H., Bursztein, E., Boneh, D.: XCS: cross channel scripting and its impact on web applications. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 420\u2013431. ACM (2009)","DOI":"10.1145\/1653662.1653713"},{"key":"27_CR6","unstructured":"Elias, A., Vasilis, P., Evangelos, M.: Code-injection attacks in browsers supporting policies. In: Proceedings of the 2nd Workshop on Web 2.0 Security and Privacy, Washington, DC, USA. IEEE (2009)"},{"key":"27_CR7","unstructured":"Marius, S., Rossow, C., Johns, M., Stock, B.: Don\u2019t trust the locals: investigating the prevalence of persistent client-side cross-site scripting in the wild. In: Proceedings of the 2019 Network and Distributed System Security Symposium (NDSS) (2019)"},{"key":"27_CR8","doi-asserted-by":"crossref","unstructured":"Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proceedings of the 34th Annual ACM Symposium on Principles of Programming Languages, pp. 237\u2013249. ACM (2007)","DOI":"10.1145\/1190216.1190252"},{"key":"27_CR9","doi-asserted-by":"crossref","unstructured":"Ter Louw, M., Venkatakrishnan, V.N.: Blueprint: robust prevention of cross-site scripting attacks for existing browsers. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, SP 2009, Washington, DC, USA, pp. 331\u2013346. IEEE Computer Society (2009)","DOI":"10.1109\/SP.2009.33"},{"key":"27_CR10","doi-asserted-by":"crossref","unstructured":"Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., Song, D.: A symbolic execution framework for JavaScript. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP 2010, Washington, DC, USA, pp. 513\u2013528. 
IEEE Computer Society (2010)","DOI":"10.1109\/SP.2010.38"},{"key":"27_CR11","unstructured":"Giffin, D.B., Levy, A., Stefan, D., Terei, D., Mazi\u00e8res, D., Mitchell, J.C., Russo, A.: Hails: protecting data privacy in untrusted web applications. In: Proceedings of the 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2012), Hollywood, CA, USA, pp. 47\u201360 (2012)"},{"key":"27_CR12","doi-asserted-by":"crossref","unstructured":"Hedin, D., Birgisson, A., Bello, L., Sabelfeld, A.: JSFlow: tracking information flow in JavaScript and its APIs. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1663\u20131671 (2014)","DOI":"10.1145\/2554850.2554909"},{"key":"27_CR13","doi-asserted-by":"crossref","unstructured":"Soni, P., Budianto, E., Saxena, P.: The SICILIAN defense: signature-based whitelisting of Web JavaScript. In: Proceedings of the 22nd Conference on Computer and Communications Security, pp. 1542\u20131557. ACM (2015)","DOI":"10.1145\/2810103.2813710"},{"issue":"5","key":"27_CR14","first-page":"1","volume":"36","author":"CV Sharath","year":"2011","unstructured":"Sharath, C.V., Selvakumar, S.: BIXSAN: browser independent XSS sanitizer for prevention of XSS attacks. SIGSOFT Softw. Eng. Notes 36(5), 1\u20137 (2011)","journal-title":"SIGSOFT Softw. Eng. Notes"},{"key":"27_CR15","doi-asserted-by":"crossref","unstructured":"Saoji, T., Austin, T.H., Flanagan, C.: Using precise taint tracking for auto-sanitization. In: Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security, New York, NY, USA, PLAS 2017, pp. 15\u201324. ACM (2017)","DOI":"10.1145\/3139337.3139341"},{"key":"27_CR16","doi-asserted-by":"crossref","unstructured":"Argyros, G., Stais, I., Jana, S., Keromytis, A.D., Kiayias, A.: SFADiff: automated evasion attacks and fingerprinting using black-box differential automata learning. In: Proceedings of the 2016 ACM Conference on Computer and Communications Security, pp. 1690\u20131701. 
ACM (2016)","DOI":"10.1145\/2976749.2978383"},{"key":"27_CR17","doi-asserted-by":"crossref","unstructured":"Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, New York, NY, USA, pp. 921\u2013930. ACM (2010)","DOI":"10.1145\/1772690.1772784"},{"key":"27_CR18","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"116","DOI":"10.1007\/978-3-319-66399-9_7","volume-title":"Computer Security \u2013 ESORICS 2017","author":"M Heiderich","year":"2017","unstructured":"Heiderich, M., Sp\u00e4th, C., Schwenk, J.: DOMPurify: client-side protection against XSS and markup injection. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 116\u2013134. Springer, Cham (2017). https:\/\/doi.org\/10.1007\/978-3-319-66399-9_7"},{"issue":"1","key":"27_CR19","doi-asserted-by":"publisher","first-page":"2:1","DOI":"10.1145\/2939374","volume":"19","author":"D Mitropoulos","year":"2016","unstructured":"Mitropoulos, D., Stroggylos, K., Spinellis, D., Keromytis, A.D.: How to train your browser: preventing XSS attacks using contextual script fingerprints. ACM Trans. Priv. Secur. 19(1), 2:1\u20132:31 (2016)","journal-title":"ACM Trans. Priv. Secur."},{"key":"27_CR20","doi-asserted-by":"crossref","unstructured":"Wurzinger, P., Platzer, C., Ludl, C., Kirda, E., Kruegel, C.: SWAP: mitigating XSS attacks using a reverse proxy. In: Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems, Washington, DC, USA, pp. 33\u201339. IEEE Computer Society (2009)","DOI":"10.1109\/IWSESS.2009.5068456"},{"key":"27_CR21","doi-asserted-by":"crossref","unstructured":"Johns, M., Engelmann, B., Posegga, J.: XSSDS: server-side detection of cross-site scripting attacks. In: Proceedings of the 2008 Annual Computer Security Applications Conference, pp. 335\u2013344. 
IEEE (2008)","DOI":"10.1109\/ACSAC.2008.36"},{"key":"27_CR22","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1007\/978-3-540-70542-0_2","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"P Bisht","year":"2008","unstructured":"Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: precise dynamic prevention of cross-site scripting attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 23\u201343. Springer, Heidelberg (2008). https:\/\/doi.org\/10.1007\/978-3-540-70542-0_2"},{"key":"27_CR23","doi-asserted-by":"crossref","unstructured":"Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 255\u2013264. ACM (2002)","DOI":"10.1145\/586110.586145"},{"key":"27_CR24","doi-asserted-by":"crossref","unstructured":"Kayacik, H.G., Zincir-Heywood, A.N.: Mimicry attacks demystified: what can attackers do to evade detection? In: Proceedings of the Sixth Annual Conference on Privacy, Security and Trust, Washington, USA, pp. 213\u2013223. IEEE (2008)","DOI":"10.1109\/PST.2008.25"},{"issue":"8","key":"27_CR25","doi-asserted-by":"publisher","first-page":"453","DOI":"10.1145\/360933.360975","volume":"18","author":"EW Dijkstra","year":"1975","unstructured":"Dijkstra, E.W.: Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM 18(8), 453\u2013457 (1975)","journal-title":"Commun. ACM"},{"issue":"2","key":"27_CR26","doi-asserted-by":"publisher","first-page":"222","DOI":"10.1109\/TSE.1987.232894","volume":"13","author":"DER Denning","year":"1987","unstructured":"Denning, D.E.R.: An intrusion detection model. IEEE Trans. Soft. Eng. 13(2), 222\u2013232 (1987)","journal-title":"IEEE Trans. Soft. 
Eng."},{"issue":"2","key":"27_CR27","doi-asserted-by":"publisher","first-page":"188","DOI":"10.1109\/TDSC.2017.2665620","volume":"16","author":"D Mitropoulos","year":"2019","unstructured":"Mitropoulos, D., Louridas, P., Polychronakis, M., Keromytis, A.D.: Defending against web application attacks: approaches, challenges and implications. IEEE Trans. Depend. Secure Comput. 16(2), 188\u2013203 (2019)","journal-title":"IEEE Trans. Depend. Secure Comput."},{"key":"27_CR28","unstructured":"nsign\u2019s source code repository on Github (2016). https:\/\/github.com\/istlab\/nSign. Accessed 06 July 2018"},{"key":"27_CR29","unstructured":"W3Techs - World Wide Web Technology Surveys. https:\/\/w3techs.com\/. Accessed 28 Apr 2019"},{"key":"27_CR30","unstructured":"CVE Details: The Ultimate Vulnerability Data Source. https:\/\/www.cvedetails.com\/. Accessed 10 Sept 2018"},{"key":"27_CR31","unstructured":"Vulnerability Details: CVE-2017-14126 - XSS in the Participants Database Wordpress Plugin. https:\/\/www.cvedetails.com\/cve\/CVE-2017-14126\/. Accessed 10 Sept 2018"},{"key":"27_CR32","unstructured":"Coinhive: A crypto miner for your website (2018). https:\/\/coinhive.com\/. Accessed 10 Sept 2018"},{"key":"27_CR33","unstructured":"Vulnerability Details: CVE-2016-2153 - XSS Vulnerability in Moodle. https:\/\/www.cvedetails.com\/cve\/CVE-2016-2153\/. Accessed 10 Sept 2018"},{"key":"27_CR34","unstructured":"Mitropoulos, D., Louridas, P., Salis, V., Spinellis, D.: All Your Script Are Belong to Us: Collecting and Analyzing JavaScript Code from 10K Sites for 9 Months, March 2019"},{"key":"27_CR35","doi-asserted-by":"crossref","unstructured":"Mitropoulos, D., Louridas, P., Salis, V., Spinellis, D.: Time present and time past: analyzing the evolution of JavaScript code in the wild. In: 16th International Conference on Mining Software Repositories: Technical Track, MSR 2019. 
IEEE Computer Society, May 2019","DOI":"10.1109\/MSR.2019.00029"},{"key":"27_CR36","doi-asserted-by":"crossref","unstructured":"Code share. Nature 514, 536\u2013537 (2014)","DOI":"10.1038\/514536a"},{"key":"27_CR37","unstructured":"nightcrawler: Collecting JavaScript on a daily basis (2019). https:\/\/github.com\/AUEB-BALab\/nightcrawler. Accessed 26 Apr 2019"},{"key":"27_CR38","unstructured":"Haverbeke, M.: acornjs\/acorn: a small, fast, JavaScript-based JavaScript parser. https:\/\/github.com\/acornjs\/acorn. Accessed 10 June 2018"},{"issue":"6","key":"27_CR39","doi-asserted-by":"publisher","first-page":"281","DOI":"10.1016\/j.ipl.2004.10.015","volume":"93","author":"K Rustan","year":"2005","unstructured":"Rustan, K., Leino, M.: Efficient weakest preconditions. Inf. Process. Lett. 93(6), 281\u2013288 (2005)","journal-title":"Inf. Process. Lett."},{"key":"27_CR40","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"337","DOI":"10.1007\/978-3-540-78800-3_24","volume-title":"Tools and Algorithms for the Construction and Analysis of Systems","author":"L de Moura","year":"2008","unstructured":"de Moura, L., Bj\u00f8rner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337\u2013340. Springer, Heidelberg (2008). https:\/\/doi.org\/10.1007\/978-3-540-78800-3_24"},{"key":"27_CR41","doi-asserted-by":"crossref","unstructured":"Zheng, Y., Zhang, X., Ganesh, V.: Z3-str: a Z3-based string solver for web application analysis. In: Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, pp. 114\u2013124. ACM (2013)","DOI":"10.1145\/2491411.2491456"},{"issue":"1","key":"27_CR42","doi-asserted-by":"publisher","first-page":"2:1","DOI":"10.1145\/2133375.2133377","volume":"15","author":"R Roemer","year":"2012","unstructured":"Roemer, R., Buchanan, E., Shacham, H., Savage, S.: Return-oriented programming: systems, languages, and applications. ACM Trans. Inf. 
Syst. Secur. 15(1), 2:1\u20132:34 (2012)","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"27_CR43","doi-asserted-by":"crossref","unstructured":"Ray, D., Ligatti, J.: Defining code-injection attacks. In: Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, New York, NY, USA, pp. 179\u2013190. ACM (2012)","DOI":"10.1145\/2103656.2103678"},{"issue":"8","key":"27_CR44","doi-asserted-by":"publisher","first-page":"105","DOI":"10.1145\/1787234.1787257","volume":"53","author":"H Bojinov","year":"2010","unstructured":"Bojinov, H., Bursztein, E., Boneh, D.: The emergence of cross channel scripting. Commun. ACM 53(8), 105\u2013113 (2010)","journal-title":"Commun. ACM"},{"key":"27_CR45","unstructured":"Dahse, J., Holz, T.: Static detection of second-order vulnerabilities in web applications. In: Proceedings of the 23rd USENIX Conference on Security Symposium, Berkeley, CA, USA, pp. 989\u20131003. USENIX Association (2014)"},{"key":"27_CR46","doi-asserted-by":"crossref","unstructured":"Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, New York, NY, USA, pp. 601\u2013610. 
ACM (2007)","DOI":"10.1145\/1242572.1242654"}],"container-title":["Lecture Notes in Computer Science","Computer Security \u2013 ESORICS 2019"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-29962-0_27","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,15]],"date-time":"2024-09-15T00:15:25Z","timestamp":1726359325000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-030-29962-0_27"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019]]},"ISBN":["9783030299613","9783030299620"],"references-count":46,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-29962-0_27","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2019]]},"assertion":[{"value":"15 September 2019","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ESORICS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"European Symposium on Research in Computer Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Luxembourg","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Luxembourg","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2019","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"23 September 2019","order":7,"name":"conference_start_date","label":"Conference Start 
Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27 September 2019","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"24","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"esorics2019","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"http:\/\/conf.laas.fr\/esorics\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"344","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"67","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"0","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"19% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole 
number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3,2","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"11","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"This content has been made available to all.","name":"free","label":"Free to read"}]}}