{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,9,8]],"date-time":"2024-09-08T12:34:11Z","timestamp":1725798851747},"publisher-location":"Cham","reference-count":56,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783319113784"},{"type":"electronic","value":"9783319113791"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2014]]},"DOI":"10.1007\/978-3-319-11379-1_8","type":"book-chapter","created":{"date-parts":[[2014,8,19]],"date-time":"2014-08-19T23:14:54Z","timestamp":1408490094000},"page":"150-171","source":"Crossref","is-referenced-by-count":6,"title":["You Can\u2019t Be Me: Enabling Trusted Paths and User Sub-origins in Web Browsers"],"prefix":"10.1007","author":[{"given":"Enrico","family":"Budianto","sequence":"first","affiliation":[]},{"given":"Yaoqi","family":"Jia","sequence":"additional","affiliation":[]},{"given":"Xinshu","family":"Dong","sequence":"additional","affiliation":[]},{"given":"Prateek","family":"Saxena","sequence":"additional","affiliation":[]},{"given":"Zhenkai","family":"Liang","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"8_CR1","unstructured":"W3C: Content security policy 1.0, \n                    \n                      http:\/\/www.w3.org\/TR\/CSP\/"},{"key":"8_CR2","doi-asserted-by":"crossref","unstructured":"Johns, M.: Preparedjs: Secure script-templates for javascript. In: Detection of Intrusions and Malware & Vulnerability Assessment (2013)","DOI":"10.1007\/978-3-642-39235-1_6"},{"key":"8_CR3","unstructured":"Chen, P., Nikiforakis, N., Huygens, C., Desmet, L.: A dangerous mix: Large-scale analysis of mixed-content websites. 
In: Information Security Conference (2013)"},{"key":"8_CR4","unstructured":"Trend Micro: New york times pushes fake av malvertisement, \n                    \n                      http:\/\/goo.gl\/BtjgPc"},{"key":"8_CR5","unstructured":"Verizon: 2013 Data breach investigation report, \n                    \n                      http:\/\/www.verizonenterprise.com\/DBIR\/2013\/"},{"key":"8_CR6","unstructured":"Enigma Group: Facebook profiles can be hijacked by chrome extensions malware, \n                    \n                      http:\/\/underurhat.com\/hacking"},{"key":"8_CR7","unstructured":"Liu, L., Zhang, X., Yan, G., Chen, S.: Chrome extensions: Threat analysis and countermeasures. In: Network and Distributed System Security Symposium (2012)"},{"key":"8_CR8","doi-asserted-by":"crossref","unstructured":"Akhawe, D., Li, F., He, W., Saxena, P., Song, D.: Data-confined html5 applications. In: European Symposium on Research in Computer Security (2013)","DOI":"10.1007\/978-3-642-40203-6_41"},{"key":"8_CR9","doi-asserted-by":"crossref","unstructured":"Dong, X., Chen, Z., Siadati, H., Tople, S., Saxena, P., Liang, Z.: Protecting sensitive web content from client-side vulnerabilities with cryptons. In: Proceedings of the 20th ACM Conference on Computer and Communications Security (2013)","DOI":"10.1145\/2508859.2516743"},{"key":"8_CR10","doi-asserted-by":"crossref","unstructured":"Parno, B., McCune, J.M., Wendlandt, D., Andersen, D.G., Perrig, A.: Clamp: Practical prevention of large-scale data leaks. In: IEEE Symposium on Security and Privacy (2009)","DOI":"10.1109\/SP.2009.21"},{"key":"8_CR11","doi-asserted-by":"crossref","unstructured":"Felt, A.P., Finifter, M., Weinberger, J., Wagner, D.: Diesel: Applying privilege separation to database access. 
In: ACM Symposium on Information, Computer and Communications Security (2011)","DOI":"10.1145\/1966913.1966971"},{"key":"8_CR12","unstructured":"Chen, E.Y., Gorbaty, S., Singhal, A., Jackson, C.: Self-exfiltration: The dangers of browser-enforced information flow control. In: Web 2.0 Security and Privacy (2012)"},{"key":"8_CR13","doi-asserted-by":"crossref","unstructured":"Dong, X., Patil, K., Mao, J., Liang, Z.: A comprehensive client-side behavior model for diagnosing attacks in ajax applications. In: ICECCS (2013)","DOI":"10.1109\/ICECCS.2013.35"},{"key":"8_CR14","unstructured":"Projects, T.C.: Per-page suborigins, \n                    \n                      http:\/\/goo.gl\/PoH5pY"},{"key":"8_CR15","doi-asserted-by":"crossref","unstructured":"Roesner, F., Kohno, T., Moshchuk, A., Parno, B., Wang, H.J., Cowan, C.: User-driven access control: Rethinking permission granting in modern operating systems. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy (2012)","DOI":"10.1109\/SP.2012.24"},{"key":"8_CR16","doi-asserted-by":"crossref","unstructured":"Roesner, F., Fogarty, J., Kohno, T.: User interface toolkit mechanisms for securing interface elements. In: User Interface Software and Technology (2012)","DOI":"10.1145\/2380116.2380147"},{"key":"8_CR17","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"75","DOI":"10.1007\/978-3-642-40203-6_5","volume-title":"Computer Security \u2013 ESORICS 2013","author":"X. Dong","year":"2013","unstructured":"Dong, X., Hu, H., Saxena, P., Liang, Z.: A quantitative evaluation of privilege separation in web browser designs. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol.\u00a08134, pp. 75\u201393. Springer, Heidelberg (2013)"},{"key":"8_CR18","doi-asserted-by":"crossref","unstructured":"Akhawe, D., Saxena, P., Song, D.: Privilege separation in html5 applications. 
In: USENIX Security (2012)","DOI":"10.1007\/978-3-642-40203-6_41"},{"key":"8_CR19","doi-asserted-by":"crossref","unstructured":"Oiwa, Y., Takagi, H., Watanabe, H., Suzuki, H.: Pake-based mutual http authentication for preventing phishing attacks. In: World Wide Web Conference (2009)","DOI":"10.1145\/1526709.1526898"},{"key":"8_CR20","unstructured":"Budianto, E., Jia, Y.: Summary of source code modification, chromium patches, and userpath technical report, \n                    \n                      https:\/\/github.com\/ebudianto\/UserPath"},{"key":"8_CR21","unstructured":"Budianto, E., Jia, Y.: Url for demo video, \n                    \n                      https:\/\/github.com\/ebudianto\/UserPath\/wiki\/DEMO-Video-URLs"},{"key":"8_CR22","unstructured":"Dietz, M., Czeskis, A., Balfanz, D., Wallach, D.S.: Origin-bound certificates: A fresh approach to strong client authentication for the web. In: USENIX Security (2012)"},{"key":"8_CR23","doi-asserted-by":"crossref","unstructured":"Jackson, C., Simon, D.R., Tan, D.S., Barth, A.: An evaluation of extended validation and picture-in-picture phishing attacks. In: Proceedings of 1st USEC (2007)","DOI":"10.1007\/978-3-540-77366-5_27"},{"key":"8_CR24","unstructured":"Cao, Y., Yegneswaran, V., Porras, P., Chen, Y.: Pathcutter: Severing the self-propagation path of xss javascript worms in social web networks. 
In: Network and Distributed System Security Symposium (2012)"},{"key":"8_CR25","unstructured":"Hansen, R., Grossman, J.: Clickjacking, \n                    \n                      http:\/\/goo.gl\/p7dxIC"},{"key":"8_CR26","unstructured":"YGN Ethical Hacker Group: Elgg 1.7.9 xss vulnerability, \n                    \n                      http:\/\/goo.gl\/XUeqis"},{"key":"8_CR27","unstructured":"Cve-2012-6561, C.V.E.: xss vulnerability in elgg, \n                    \n                      http:\/\/goo.gl\/mmW8bM"},{"key":"8_CR28","doi-asserted-by":"crossref","unstructured":"Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: Conference on Computer and Communications Security (2008)","DOI":"10.1145\/1455770.1455782"},{"key":"8_CR29","doi-asserted-by":"crossref","unstructured":"Wu, M., Miller, R.C., Little, G.: Web wallet: Preventing phishing attacks by revealing user intentions. In: Symposium on Usable Privacy and Security (2006)","DOI":"10.1145\/1143120.1143133"},{"key":"8_CR30","unstructured":"Bhargavan, K., Delignat-Lavaud, A., Maffeis, S.: Language-based defenses against untrusted browser origins. In: USENIX Security (2013)"},{"key":"8_CR31","doi-asserted-by":"crossref","unstructured":"Maffeis, S., Mitchell, J.C., Taly, A.: Object capabilities and isolation of untrusted web application. In: IEEE Symposium on Security and Privacy (2010)","DOI":"10.1109\/SP.2010.16"},{"key":"8_CR32","unstructured":"Huang, L.S., Moshchuk, A., Wang, H.J., Schechter, S., Jackson, C.: Clickjacking: attacks and defenses. In: USENIX Security (2012)"},{"key":"8_CR33","doi-asserted-by":"crossref","unstructured":"Zhou, Y., Evans, D.: Protecting private web content from embedded scripts. 
In: European Symposium on Research in Computer Security (2011)","DOI":"10.1007\/978-3-642-23822-2_4"},{"key":"8_CR34","doi-asserted-by":"crossref","unstructured":"Dong, X., Tran, M., Liang, Z., Jiang, X.: Adsentry: comprehensive and flexible confinement of javascript-based advertisements. In: ACSAC (2011)","DOI":"10.1145\/2076732.2076774"},{"key":"8_CR35","doi-asserted-by":"crossref","unstructured":"Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: Computer Security Foundations (2010)","DOI":"10.1109\/CSF.2010.27"},{"key":"8_CR36","unstructured":"Barth, A., Felt, A.P., Saxena, P., Boodman, A.: Protecting browsers from extension vulnerabilities. In: Network and Distributed System Security Symposium (2010)"},{"key":"8_CR37","doi-asserted-by":"crossref","unstructured":"Bisht, P., Hinrichs, T., Skrupsky, N., Bobrowicz, R., Venkatakrishnan, V.N.: Notamper: automatic blackbox detection of parameter tampering opportunities in web applications. In: Conference on Computer and Communications Security (2010)","DOI":"10.1145\/1866307.1866375"},{"key":"8_CR38","unstructured":"Wu, T.: The secure remote password protocol. In: Network and Distributed System Security Symposium (1998)"},{"key":"8_CR39","unstructured":"The Spanner: Dom clobbering, \n                    \n                      http:\/\/goo.gl\/ZOLmal"},{"key":"8_CR40","unstructured":"Adida, B., Barth, A., Jackson, C.: Rootkits for javascript environments. In: WOOT (2009)"},{"key":"8_CR41","unstructured":"Ye, Z.E., Smith, S.: Trusted paths for browsers. In: USENIX Security (2002)"},{"key":"8_CR42","unstructured":"Libonati, A., McCune, J.M., Reiter, M.K.: Usability testing a malware-resistant input mechanism. In: Network and Distributed System Security Symposium (2011)"},{"key":"8_CR43","unstructured":"Engler, J., Karlof, C., Shi, E., Song, D.: Is it too late for pake? 
In: Proceedings of Web 2.0 Security and Privacy (2009)"},{"key":"8_CR44","unstructured":"Slack, Q.: Tls-srp in apache mod_ssl, \n                    \n                      http:\/\/goo.gl\/cHMoau"},{"key":"8_CR45","unstructured":"Provos, N., Friedl, M., Honeyman, P.: Preventing privilege escalation. In: USENIX Security (2003)"},{"key":"8_CR46","unstructured":"Brumley, D., Song, D.: Privtrans: automatically partitioning programs for privilege separation. In: USENIX Security (2004)"},{"key":"8_CR47","doi-asserted-by":"crossref","unstructured":"Grier, C., Tang, S., King, S.: Designing and implementing the op and op2 web browsers. ACM Transactions on the Web (2011)","DOI":"10.1145\/1961659.1961665"},{"key":"8_CR48","unstructured":"Wang, H.J., Grier, C., Moshchuk, A., King, S.T., Choudhury, P., Venter, H.: The multi-principal os construction of the gazelle web browser. In: USENIX Security (2009)"},{"key":"8_CR49","unstructured":"Barth, A., Jackson, C., Reis, C., Team, T.G.C.: The security architecture of the chromium browser, \n                    \n                      http:\/\/goo.gl\/BGjJqC"},{"key":"8_CR50","doi-asserted-by":"crossref","unstructured":"Papagiannis, I., Pietzuch, P.: Cloudfilter: practical control of sensitive data propagation to the cloud. In: Cloud Computing Security Workshop (2012)","DOI":"10.1145\/2381913.2381931"},{"key":"8_CR51","unstructured":"Tong, T., Evans, D.: Guardroid: A trusted path for password entry. In: MoST (2013)"},{"key":"8_CR52","unstructured":"McCune, J.M., Perrig, A., Reiter, M.K.: Safe passage for passwords and other sensitive data. In: Network and Distributed System Security Symposium (2009)"},{"key":"8_CR53","doi-asserted-by":"crossref","unstructured":"Zhou, Z., Gligor, V.D., Newsome, J., McCune, J.M.: Building verifiable trusted path on commodity x86 computers. 
In: IEEE Symposium on Security and Privacy (2012)","DOI":"10.1109\/SP.2012.42"},{"key":"8_CR54","doi-asserted-by":"crossref","unstructured":"Ter Louw, M., Venkatakrishnan, V.N.: Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. In: IEEE Symposium on Security and Privacy (2009)","DOI":"10.1109\/SP.2009.33"},{"key":"8_CR55","unstructured":"Nadji, Y., Saxena, P., Song, D.: Document structure integrity: A robust basis for cross-site scripting defense. In: Network and Distributed System Security Symposium (2009)"},{"key":"8_CR56","unstructured":"Gundy, M.V., Chen, H.: Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In: Network and Distributed System Security Symposium (2009)"}],"container-title":["Lecture Notes in Computer Science","Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-11379-1_8","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,5,27]],"date-time":"2019-05-27T12:47:04Z","timestamp":1558961224000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-11379-1_8"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014]]},"ISBN":["9783319113784","9783319113791"],"references-count":56,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-11379-1_8","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2014]]}}}