{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,4,9]],"date-time":"2025-04-09T04:28:24Z","timestamp":1744172904837,"version":"3.40.3"},"publisher-location":"Cham","reference-count":48,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031491863"},{"type":"electronic","value":"9783031491870"}],"license":[{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T00:00:00Z","timestamp":1672531200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023]]},"DOI":"10.1007\/978-3-031-49187-0_9","type":"book-chapter","created":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T12:02:36Z","timestamp":1701345756000},"page":"163-182","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Load-and-Act: Increasing Page Coverage of\u00a0Web Applications"],"prefix":"10.1007","author":[{"given":"Nico","family":"Weidmann","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1538-5033","authenticated-orcid":false,"given":"Thomas","family":"Barber","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0007-1493-9552","authenticated-orcid":false,"given":"Christian","family":"Wressnegger","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,12,1]]},"reference":[{"key":"9_CR1","doi-asserted-by":"crossref","unstructured":"Artzi, S., Dolby, J., Jensen, S.H., M\u00f8ller, A., Tip, F.: A framework for automated testing of JavaScript web applications. In: Proceedings of the International Conference on Software Engineering (ICSE), pp. 571\u2013580 (2011)","DOI":"10.1145\/1985793.1985871"},{"key":"9_CR2","doi-asserted-by":"crossref","unstructured":"Bau, J., Bursztein, E., Gupta, D., Mitchell, J.: State of the art: automated black-box web application vulnerability testing. In: Proceedings of the IEEE Symposium on Security and Privacy (S &P), pp. 332\u2013345 (2010)","DOI":"10.1109\/SP.2010.27"},{"key":"9_CR3","doi-asserted-by":"crossref","unstructured":"Bensalim, S., Klein, D., Barber, T., Johns, M.: Talking about my generation: targeted DOM-based XSS exploit generation using dynamic data flow analysis. In: Proceedings of the European Workshop on System Security (EUROSEC) (2021)","DOI":"10.1145\/3447852.3458718"},{"key":"9_CR4","unstructured":"coder\/code-server. https:\/\/github.com\/coder\/code-server"},{"key":"9_CR5","doi-asserted-by":"crossref","unstructured":"Demir, N., Gro\u00dfe-Kampmann, M., Urban, T., Wressnegger, C., Holz, T., Pohlmann, N.: Reproducibility and replicability of web measurement studies. In: Proceedings of the ACM Web Conference (WWW) (2022)","DOI":"10.1145\/3485447.3512214"},{"key":"9_CR6","unstructured":"Doup\u00e9, A., Cavedon, L., Kruegel, C., Vigna, G.: Enemy of the state: a state-aware black-box web vulnerability scanner. In: Proceedings of the USENIX Security Symposium, pp. 523\u2013538 (2012)"},{"key":"9_CR7","doi-asserted-by":"crossref","unstructured":"Eriksson, B., Pellegrino, G., Sabelfeld, A.: Black widow: blackbox data-driven web scanning. In: Proceedings of the IEEE Symposium on Security and Privacy (S &P), pp. 1125\u20131142 (2021)","DOI":"10.1109\/SP40001.2021.00022"},{"key":"9_CR8","unstructured":"Facebook: \u201cclient-side\u201d CSRF (2018). https:\/\/web.archive.org\/web\/20180513184714\/https:\/\/www.facebook.com\/notes\/facebook-bug-bounty\/client-side-csrf\/2056804174333798\/"},{"key":"9_CR9","doi-asserted-by":"crossref","unstructured":"Ferruci, F., Sarro, F., Ronca, D., Abrah\u00e3o, S.: A Crawljax based approach to exploit traditional accessibility evaluation tools for AJAX applications. In: D\u2019Atri, A., Ferrara, M., George, J.F., Spagnoletti, P. (eds.) Information Technology and Innovation Trends in Organizations. Physica, Heidelberg (2011)","DOI":"10.1007\/978-3-7908-2632-6_29"},{"key":"9_CR10","doi-asserted-by":"crossref","unstructured":"Gross, F., Fraser, G., Zeller, A.: EXSYST: search-based GUI testing. In: Proceedings of the International Conference on Software Engineering (ICSE) (2012)","DOI":"10.1109\/ICSE.2012.6227232"},{"key":"9_CR11","doi-asserted-by":"crossref","unstructured":"Ihm, S., Pai, V.S.: Towards understanding modern web traffic. In: Proceedings of the Internet Measurement Conference (IMC), pp. 295\u2013312 (2011)","DOI":"10.1145\/2068816.2068845"},{"key":"9_CR12","unstructured":"Istanbul, a JavaScript test coverage tool. https:\/\/istanbul.js.org\/"},{"key":"9_CR13","unstructured":"jgraph\/docker-drawio. https:\/\/github.com\/jgraph\/docker-drawio"},{"key":"9_CR14","doi-asserted-by":"crossref","unstructured":"Jonker, H., Karsch, S., Krumnow, B., Sleegers, M.: Shepherd: a generic approach to automating website login. In: MADWeb 2020 (2020)","DOI":"10.14722\/madweb.2020.23008"},{"key":"9_CR15","doi-asserted-by":"crossref","unstructured":"Kang, Z., Song, D., Cao, Y.: Probe the proto: measuring client-side prototype pollution vulnerabilities of one million real-world websites. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2022)","DOI":"10.14722\/ndss.2022.24308"},{"key":"9_CR16","unstructured":"Khodayari, S., Pellegrino, G.: JAW: studying client-side CSRF with hybrid property graphs and declarative traversals. In: Proceedings of the USENIX Security Symposium, pp. 2525\u20132542 (2021)"},{"key":"9_CR17","doi-asserted-by":"crossref","unstructured":"Khodayari, S., Pellegrino, G.: It\u2019s (DOM) clobbering time: attack techniques, prevalence, and defenses. In: Proceedings of the IEEE Symposium on Security and Privacy (S &P) (2023)","DOI":"10.1109\/SP46215.2023.10179403"},{"key":"9_CR18","unstructured":"KirstenS: Cross site request forgery (CSRF). https:\/\/owasp.org\/www-community\/attacks\/csrf"},{"key":"9_CR19","unstructured":"KirstenS: Cross site scripting (XSS). https:\/\/owasp.org\/www-community\/attacks\/xss\/"},{"key":"9_CR20","unstructured":"Klein, A.: DOM based cross site scripting or XSS of the third kind. Web Application Security Consortium (2005)"},{"key":"9_CR21","doi-asserted-by":"crossref","unstructured":"Klein, D., Musch, M., Barber, T., Kopmann, M., Johns, M.: Accept all exploits: exploring the security impact of cookie banners. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC), pp. 911\u2013922 (2022)","DOI":"10.1145\/3564625.3564647"},{"key":"9_CR22","doi-asserted-by":"crossref","unstructured":"Lekies, S., Stock, B., Johns, M.: 25 million flows later: large-scale detection of DOM-based XSS. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 1193\u20131204 (2013)","DOI":"10.1145\/2508859.2516703"},{"key":"9_CR23","first-page":"707","volume":"10","author":"VI Levenshtein","year":"1966","unstructured":"Levenshtein, V.I.: Binary codes capable of correcting deletions, insertions, and reversals. Doklady Phys. 10, 707\u2013710 (1966)","journal-title":"Doklady Phys."},{"key":"9_CR24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"191","DOI":"10.1007\/978-3-540-87403-4_11","volume-title":"Recent Advances in Intrusion Detection","author":"S McAllister","year":"2008","unstructured":"McAllister, S., Kirda, E., Kruegel, C.: Leveraging user interactions for in-depth testing of web applications. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 191\u2013210. Springer, Heidelberg (2008). https:\/\/doi.org\/10.1007\/978-3-540-87403-4_11"},{"key":"9_CR25","doi-asserted-by":"crossref","unstructured":"Melicher, W., Das, A., Sharif, M., Bauer, L., Jia, L.: Riding out DOMsday: towards detecting and preventing DOM cross-site scripting. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2018)","DOI":"10.14722\/ndss.2018.23309"},{"key":"9_CR26","doi-asserted-by":"crossref","unstructured":"Melicher, W., Fung, C., Bauer, L., Jia, L.: Towards a lightweight, hybrid approach for detecting DOM XSS vulnerabilities with machine learning. In: Proceedings of the ACM Web Conference (WWW), pp. 2684\u20132695 (2021)","DOI":"10.1145\/3442381.3450062"},{"issue":"1","key":"9_CR27","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2109205.2109208","volume":"6","author":"A Mesbah","year":"2012","unstructured":"Mesbah, A., van Deursen, A., Lenselink, S.: Crawling Ajax-based web applications through dynamic analysis of user interface state changes. ACM Trans. Web 6(1), 1\u201330 (2012)","journal-title":"ACM Trans. Web"},{"key":"9_CR28","doi-asserted-by":"crossref","unstructured":"Mesbah, A., Prasad, M.R.: Automated cross-browser compatibility testing. In: Proceedings of the International Conference on Software Engineering (ICSE) (2011)","DOI":"10.1145\/1985793.1985870"},{"key":"9_CR29","unstructured":"Odoo: Open source ERP and CRM. https:\/\/www.odoo.com"},{"key":"9_CR30","unstructured":"ownCloud GmbH: ownCloud. https:\/\/owncloud.com"},{"key":"9_CR31","doi-asserted-by":"crossref","unstructured":"Parameshwaran, I., Budianto, E., Shinde, S., Dang, H., Sadhu, A., Saxena, P.: DexterJS: robust testing platform for DOM-based XSS vulnerabilities. In: Proceedings of the Joint Meeting on Foundations of Software Engineering, pp. 946\u2013949 (2015)","DOI":"10.1145\/2786805.2803191"},{"key":"9_CR32","doi-asserted-by":"crossref","unstructured":"Park, J., Lim, I., Ryu, S.: Battles with false positives in static analysis of JavaScript web applications in the wild. In: Proceedings of the International Conference on Software Engineering (ICSE), pp. 61\u201370 (2016)","DOI":"10.1145\/2889160.2889227"},{"key":"9_CR33","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"295","DOI":"10.1007\/978-3-319-26362-5_14","volume-title":"Research in Attacks, Intrusions, and Defenses","author":"G Pellegrino","year":"2015","unstructured":"Pellegrino, G., Tsch\u00fcrtz, C., Bodden, E., Rossow, C.: j\u00c4k: using dynamic analysis to crawl and test modern web applications. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 295\u2013316. Springer, Cham (2015). https:\/\/doi.org\/10.1007\/978-3-319-26362-5_14"},{"key":"9_CR34","unstructured":"Ratanaworabhan, P., Livshits, B., Zorn, B.G.: JSMeter: comparing the behavior of JavaScript benchmarks with real web applications. In: USENIX Conference on Web Application Development (WebApps) (2010)"},{"issue":"7","key":"9_CR35","first-page":"46","volume":"13","author":"JW Ratcliff","year":"1988","unstructured":"Ratcliff, J.W., Metzener, D.E.: Pattern-matching - the gestalt approach. Dr. Dobbs J. 13(7), 46 (1988)","journal-title":"Dr. Dobbs J."},{"key":"9_CR36","doi-asserted-by":"crossref","unstructured":"Richards, G., Lebresne, S., Burg, B., Vitek, J.: An analysis of the dynamic behavior of JavaScript programs. In: Proceedings of the ACM SIGPLAN International Conference on Programming Languages Design and Implementation (PLDI), pp. 1\u201312 (2010)","DOI":"10.1145\/1809028.1806598"},{"key":"9_CR37","doi-asserted-by":"crossref","unstructured":"Roest, D., Mesbah, A., van Deursen, A.: Regression testing ajax applications: coping with dynamism. In: Proceedings of the International Conference on Software Testing, Verification and Validation (ICST), pp. 127\u2013136 (2010)","DOI":"10.1109\/ICST.2010.59"},{"key":"9_CR38","unstructured":"SalesAgility: SuiteCRM. https:\/\/suitecrm.com"},{"key":"9_CR39","unstructured":"SAP\/project-foxhound. https:\/\/github.com\/SAP\/project-foxhound"},{"key":"9_CR40","unstructured":"Saxena, P., Hanna, S., Poosankam, P., Song, D.: FLAX: systematic discovery of client-side validation vulnerabilities in rich web applications. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2010)"},{"key":"9_CR41","doi-asserted-by":"crossref","unstructured":"Steffens, M., Rossow, C., Johns, M., Stock, B.: Don\u2019t trust the locals: investigating the prevalence of persistent client-side cross-site scripting in the wild. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2019)","DOI":"10.14722\/ndss.2019.23009"},{"key":"9_CR42","unstructured":"Stewart, S., Burns, D.: WebDriver. W3C working draft, W3C (2022)"},{"key":"9_CR43","unstructured":"Stock, B., Johns, M., Steffens, M., Backes, M.: How the web tangled itself: uncovering the history of client-side web (in)security. In: Proceedings of the USENIX Security Symposium, pp. 971\u2013987 (2017)"},{"key":"9_CR44","unstructured":"Stock, B., Lekies, S., Mueller, T., Spiegel, P., Johns, M.: Precise client-side protection against DOM-based cross-site scripting. In: Proceedings of the USENIX Security Symposium, pp. 655\u2013670 (2014)"},{"key":"9_CR45","doi-asserted-by":"crossref","unstructured":"Stock, B., Pfistner, S., Kaiser, B., Lekies, S., Johns, M.: From facepalm to brain bender: exploring client-side cross-site scripting. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS), pp. 1419\u20131430 (2015)","DOI":"10.1145\/2810103.2813625"},{"key":"9_CR46","unstructured":"The Selenium Project: Selenium (2022). https:\/\/www.selenium.dev\/"},{"key":"9_CR47","unstructured":"WHATWG: HTML living standard (2022). https:\/\/html.spec.whatwg.org\/"},{"key":"9_CR48","doi-asserted-by":"crossref","unstructured":"Zheng, Y., et al.: Automatic web testing using curiosity-driven reinforcement learning. In: Proceedings of the International Conference on Software Engineering (ICSE), pp. 423\u2013435 (2021)","DOI":"10.1109\/ICSE43902.2021.00048"}],"container-title":["Lecture Notes in Computer Science","Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-49187-0_9","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,4,8]],"date-time":"2025-04-08T21:35:46Z","timestamp":1744148146000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-49187-0_9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023]]},"ISBN":["9783031491863","9783031491870"],"references-count":48,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-49187-0_9","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2023]]},"assertion":[{"value":"1 December 2023","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ISC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Information Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Groningen","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"The Netherlands","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2023","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"15 November 2023","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"17 November 2023","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"isw2023","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/isc23.cs.rug.nl\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}