{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T05:54:37Z","timestamp":1769925277847,"version":"3.49.0"},"reference-count":43,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2025,12,11]],"date-time":"2025-12-11T00:00:00Z","timestamp":1765411200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,12,11]],"date-time":"2025-12-11T00:00:00Z","timestamp":1765411200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"funder":[{"name":"Agenzia per la Cybersicurezza Nazionale","award":["H71J24001710005"],"award-info":[{"award-number":["H71J24001710005"]}]},{"name":"project SERICS","award":["H73C22000890001"],"award-info":[{"award-number":["H73C22000890001"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2026,2]]},"DOI":"10.1007\/s10207-025-01168-z","type":"journal-article","created":{"date-parts":[[2025,12,11]],"date-time":"2025-12-11T09:13:20Z","timestamp":1765444400000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Cookie Baker: gray-box login automation for web application security testing"],"prefix":"10.1007","volume":"25","author":[{"given":"Simone","family":"Bozzolan","sequence":"first","affiliation":[]},{"given":"Stefano","family":"Calzavara","sequence":"additional","affiliation":[]},{"given":"Davide","family":"Porcu","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,12,11]]},"reference":[{"key":"1168_CR1","unstructured":"A+ LMS. A+. https:\/\/github.com\/apluslms\/a-plus"},{"key":"1168_CR2","unstructured":"Al-Roomi, S.A., Li, F.: A large-scale measurement of website login policies. In Joseph\u00a0A. Calandrino and Carmela Troncoso, editors, 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, pages 2061\u20132078. USENIX Association, (2023)"},{"key":"1168_CR3","doi-asserted-by":"crossref","unstructured":"Alhuzali, A., Eshete, B., Gjomemo, R., Venkatakrishnan, VN.: Chainsaw: Chained automated workflow-based exploit generation. In Edgar\u00a0R. Weippl, Stefan Katzenbeisser, Christopher Kruegel, Andrew\u00a0C. Myers, and Shai Halevi, editors, Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016, pages 641\u2013652. ACM, (2016)","DOI":"10.1145\/2976749.2978380"},{"key":"1168_CR4","unstructured":"Alhuzali, A., Gjomemo, R., Eshete, B., Venkatakrishnan, V.N.: NAVEX: precise and scalable exploit generation for dynamic web applications. In William Enck and Adrienne\u00a0Porter Felt, editors, 27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, August 15-17, 2018, pages 377\u2013392. USENIX Association, (2018)"},{"key":"1168_CR5","doi-asserted-by":"crossref","unstructured":"Alroomi, S., Li, F.: Measuring website password creation policies at scale. In Weizhi Meng, Christian\u00a0Damsgaard Jensen, Cas Cremers, and Engin Kirda, editors, Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS 2023, Copenhagen, Denmark, November 26-30, 2023, pages 3108\u20133122. ACM, (2023)","DOI":"10.1145\/3576915.3623156"},{"key":"1168_CR6","unstructured":"Annecy, C.A.: collectives. https:\/\/github.com\/Club-Alpin-Annecy\/collectives"},{"key":"1168_CR7","unstructured":"Awesome-Selfhosted. Awesome-Selfhosted. https:\/\/github.com\/awesome-selfhosted\/awesome-selfhosted"},{"key":"1168_CR8","unstructured":"Bakhit, M.: Conreq. https:\/\/github.com\/Archmonger\/Conreq"},{"key":"1168_CR9","doi-asserted-by":"crossref","unstructured":"Bozzolan, S., Calzavara, S., Hantke, F., Stock, B.: Behind the curtain: A server-side view of web session security. In IEEE Secure Development Conference, SecDev 2025, Indianapolis, IN, USA, October 14-16, 2025. IEEE, (2025)","DOI":"10.1109\/SecDev66745.2025.00022"},{"key":"1168_CR10","unstructured":"Bozzolan, S., Calzavara, S., Porcu, D.: Artifacts. https:\/\/github.com\/Asterius27\/CookieBaker"},{"key":"1168_CR11","unstructured":"BugMeNot. BugMeNot: find and share logins. https:\/\/bugmenot.com\/"},{"key":"1168_CR12","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102472","volume":"111","author":"S Calzavara","year":"2021","unstructured":"Calzavara, S., Jonker, H., Krumnow, B., Rabitti, A.: Measuring web session security at scale. Comput. Secur. 111, 102472 (2021)","journal-title":"Comput. Secur."},{"key":"1168_CR13","doi-asserted-by":"crossref","unstructured":"Calzavara, S., Tolomei, G., Casini, A., Bugliesi, M., Orlando, S.: A supervised learning approach to protect client authentication on the web. ACM Trans. Web, 9(3):15:1\u201315:30, (2015)","DOI":"10.1145\/2754933"},{"key":"1168_CR14","unstructured":"Carbon0-Games. Carbon0. https:\/\/github.com\/Carbon0-Games\/carbon0-web-app"},{"key":"1168_CR15","doi-asserted-by":"crossref","unstructured":"Demir, N., Gro\u00dfe-Kampmann, M., Urban, T., Wressnegger, C., Holz, T., Pohlmann, N.: Reproducibility and replicability of web measurement studies. In Fr\u00e9d\u00e9rique Laforest, Rapha\u00ebl Troncy, Elena Simperl, Deepak Agarwal, Aristides Gionis, Ivan Herman, and Lionel M\u00e9dini, editors, WWW \u201922: The ACM Web Conference 2022, Virtual Event, Lyon, France, April 25 - 29, 2022, pages 533\u2013544. ACM, (2022)","DOI":"10.1145\/3485447.3512214"},{"key":"1168_CR16","doi-asserted-by":"crossref","unstructured":"Drakonakis, K., Ioannidis, S., Polakis, J.: The cookie hunter: Automated black-box auditing for web authentication and authorization flaws. In Jay Ligatti, Xinming Ou, Jonathan Katz, and Giovanni Vigna, editors, CCS \u201920: 2020 ACM SIGSAC Conference on Computer and Communications Security, Virtual Event, USA, November 9-13, 2020, pages 1953\u20131970. ACM, (2020)","DOI":"10.1145\/3372297.3417869"},{"key":"1168_CR17","unstructured":"Flask-MongoEngine. Flask-MongoEngine documentation. https:\/\/docs.mongoengine.org\/projects\/flask-mongoengine\/en\/latest\/index.html"},{"key":"1168_CR18","unstructured":"Flask-SQLAlchemy. Flask-SQLAlchemy Documentation (3.1.x). https:\/\/flask-sqlalchemy.readthedocs.io\/en\/stable\/"},{"key":"1168_CR19","unstructured":"Flask-WTF. Flask-WTF Documentation (1.2.x). https:\/\/flask-wtf.readthedocs.io\/en\/1.2.x\/"},{"key":"1168_CR20","unstructured":"GitHub. CodeQL. https:\/\/codeql.github.com\/"},{"key":"1168_CR21","unstructured":"GitHub. The top programming languages. https:\/\/octoverse.github.com\/2022\/top-programming-languages, 2022"},{"key":"1168_CR22","unstructured":"Google. Google AI for Developers. https:\/\/ai.google.dev\/"},{"key":"1168_CR23","unstructured":"Jonker, H., Kalkman, J., Krumnow, B., Sleegers, M., Verresen, A.: Shepherd: Enabling automatic and large-scale login security studies. CoRR, arxiv: abs\/1808.00840, (2018)"},{"key":"1168_CR24","unstructured":"Khodayari, S., Pellegrino, G.: JAW: studying client-side CSRF with hybrid property graphs and declarative traversals. In Michael\u00a0D. Bailey and Rachel Greenstadt, editors, 30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 2021, pages 2525\u20132542. USENIX Association, (2021)"},{"key":"1168_CR25","doi-asserted-by":"crossref","unstructured":"Kubicek, K., Merane, J., Bouhoula, A., Basin, D.A.: Automating website registration for studying GDPR compliance. In Tat-Seng Chua, Chong-Wah Ngo, Ravi Kumar, Hady\u00a0W. Lauw, and Roy\u00a0Ka-Wei Lee, editors, Proceedings of the ACM on Web Conference 2024, WWW 2024, Singapore, May 13-17, 2024, pages 1295\u20131306. ACM, (2024)","DOI":"10.1145\/3589334.3645709"},{"key":"1168_CR26","unstructured":"k\u00e4ytt\u00e4j\u00e4t ry. K.I.: sikteeri. https:\/\/github.com\/kapsiry\/sikteeri"},{"key":"1168_CR27","unstructured":"Liu, Y., Ott, M., Goyal, N., Du, J., Joshi, M., Chen, D., Levy, O., Lewis, M., Zettlemoyer, L., Stoyanov, V.: Roberta: A robustly optimized BERT pretraining approach. CoRR, arXiv: abs\/1907.11692, (2019)"},{"key":"1168_CR28","unstructured":"Flask Login. Flask-Login 0.7.0 documentation. https:\/\/flask-login.readthedocs.io\/en\/latest\/"},{"key":"1168_CR29","doi-asserted-by":"crossref","unstructured":"Lounici, S., Rosa, M., Negri, C.M., Trabelsi, S., \u00d6nen, M.: Optimizing leak detection in open-source platforms with machine learning techniques. In Paolo Mori, Gabriele Lenzini, and Steven Furnell, editors, Proceedings of the 7th International Conference on Information Systems Security and Privacy, ICISSP 2021, Online Streaming, February 11-13, 2021, pages 145\u2013159. SCITEPRESS, (2021)","DOI":"10.5220\/0010238101450159"},{"key":"1168_CR30","unstructured":"Marshall, B.: Gapps. https:\/\/github.com\/bmarsh9\/gapps"},{"key":"1168_CR31","unstructured":"Miessler, D., Haddix, J., Portal, I.: g0tmi1k. SecLists. https:\/\/github.com\/danielmiessler\/SecLists"},{"key":"1168_CR32","unstructured":"OWASP. OWASP ZAP (Zed Attack Proxy): a dynamic web application security testing tool. https:\/\/www.zaproxy.org\/"},{"key":"1168_CR33","doi-asserted-by":"crossref","unstructured":"Pellegrino, G., Johns, M., Koch, S., Backes, M., Rossow, C.: Deemon: Detecting CSRF with dynamic analysis and property graphs. In Bhavani Thuraisingham, David Evans, Tal Malkin, and Dongyan Xu, editors, Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, pages 1757\u20131771. ACM, (2017)","DOI":"10.1145\/3133956.3133959"},{"key":"1168_CR34","unstructured":"PortSwigger. Burp Suite: a software tool for security assessment and penetration testing of web applications. https:\/\/portswigger.net\/burp"},{"key":"1168_CR35","unstructured":"racetime.gg. racetime.gg. https:\/\/github.com\/racetimeGG\/racetime-app"},{"key":"1168_CR36","doi-asserted-by":"crossref","unstructured":"Rautenstrauch, J., Mitkov, M., Helbrecht, T., Hetterich, L., Stock, B.: To auth or not to auth? A comparative analysis of the pre- and post-login security landscape. In IEEE Symposium on Security and Privacy, SP 2024, San Francisco, CA, USA, May 19-23, 2024, pages 1500\u20131516. IEEE, (2024)","DOI":"10.1109\/SP54263.2024.00094"},{"key":"1168_CR37","unstructured":"Squarcina, M., Ad\u00e3o, P., Veronese, L., Maffei, M.: Cookie crumbles: Breaking and fixing web session integrity. In Joseph\u00a0A. Calandrino and Carmela Troncoso, editors, 32nd USENIX Security Symposium, USENIX Security 2023, Anaheim, CA, USA, August 9-11, 2023, pages 5539\u20135556. USENIX Association, (2023)"},{"key":"1168_CR38","unstructured":"Stack Overflow. Stack Overflow Developer Survey 2023. https:\/\/survey.stackoverflow.co\/2023\/?utm_source=social-share&utm_medium=social &utm_campaign=dev-survey-2023, 2023"},{"key":"1168_CR39","unstructured":"Stafeev, A., Pellegrino, G.: Sok: State of the krawlers - evaluating the effectiveness of crawling algorithms for web security measurements. In Davide Balzarotti and Wenyuan Xu, editors, 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, PA, USA, August 14-16, 2024. USENIX Association, (2024)"},{"key":"1168_CR40","unstructured":"Uysal, H.: pervane. https:\/\/github.com\/hakanu\/pervane"},{"key":"1168_CR41","unstructured":"Wang, Y.: Student Exchange Forum of BJUT. https:\/\/github.com\/echo-cool\/BDIC3023J-Software-Methodology-Q-A-Platform"},{"key":"1168_CR42","unstructured":"Wapiti Web Application Scanner. Wapiti: a Free and Open-Source web-application vulnerability scanner in Python. https:\/\/wapiti-scanner.github.io\/"},{"key":"1168_CR43","unstructured":"Wessels, M., Koch, S., Pellegrino, G., Johns, M.: SSRF vs. developers: A study of ssrf-defenses in PHP applications. In Davide Balzarotti and Wenyuan Xu, editors, 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, PA, USA, August 14-16, 2024. USENIX Association, (2024)"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01168-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-025-01168-z","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-025-01168-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,31]],"date-time":"2026-01-31T16:08:02Z","timestamp":1769875682000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-025-01168-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12,11]]},"references-count":43,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2026,2]]}},"alternative-id":["1168"],"URL":"https:\/\/doi.org\/10.1007\/s10207-025-01168-z","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,12,11]]},"assertion":[{"value":"21 March 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"22 November 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"11 December 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}},{"value":"The authors declare full compliance with ethical standards. This article does not contain any studies involving humans or animals performed by any of the authors.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}}],"article-number":"6"}}