{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,30]],"date-time":"2026-06-30T14:21:33Z","timestamp":1782829293857,"version":"3.54.5"},"reference-count":87,"publisher":"Informa UK Limited","issue":"1","content-domain":{"domain":["www.tandfonline.com"],"crossmark-restriction":true},"short-container-title":["Information Security Journal: A Global Perspective"],"published-print":{"date-parts":[[2022,1,2]]},"DOI":"10.1080\/19393555.2020.1853855","type":"journal-article","created":{"date-parts":[[2020,12,31]],"date-time":"2020-12-31T07:57:45Z","timestamp":1609401465000},"page":"1-27","update-policy":"https:\/\/doi.org\/10.1080\/tandf_crossmark_01","source":"Crossref","is-referenced-by-count":28,"title":["A systematic review and taxonomy of web applications threats"],"prefix":"10.1080","volume":"31","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0772-9916","authenticated-orcid":false,"given":"Yassine","family":"Sadqi","sequence":"first","affiliation":[{"name":"USMS University","place":["Beni Mellal, Morocco"]}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4704-5364","authenticated-orcid":false,"given":"Yassine","family":"Maleh","sequence":"additional","affiliation":[{"name":"USMS University","place":["Beni Mellal, Morocco"]}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"301","published-online":{"date-parts":[[2020,12,31]]},"reference":[{"key":"e_1_3_1_2_1","unstructured":"Akamai. (2019). Global state of the internet security & DDoS attack reports. Akamai. https:\/\/www.akamai.com\/us\/en\/resources\/our-thinking\/state-of-the-internet-report\/global-state-of-the-internet-security-ddos-attack-reports.jsp"},{"key":"e_1_3_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737514"},{"key":"e_1_3_1_4_1","doi-asserted-by":"publisher","DOI":"10.1504\/IJWMC.2018.091137"},{"key":"e_1_3_1_5_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0167-4048(03)00512-1"},{"key":"e_1_3_1_6_1","unstructured":"Anomali. (2013). What Is MITRE ATT&CK and How Is It Useful? | From Anomali. https:\/\/www.anomali.com\/resources\/what-mitre-attck-is-and-how-it-is-useful"},{"key":"e_1_3_1_7_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11277-016-3800-0"},{"key":"e_1_3_1_8_1","doi-asserted-by":"publisher","DOI":"10.1080\/19393555.2020.1741743"},{"key":"e_1_3_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2009.12"},{"key":"e_1_3_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3038923"},{"key":"e_1_3_1_11_1","unstructured":"CAPEC. (2019). CAPEC - CAPEC-588: DOM-Based XSS (Version 3.2). The MITRE Corporation. https:\/\/capec.mitre.org\/data\/definitions\/588.html"},{"key":"e_1_3_1_12_1","unstructured":"CAPEC. (n.d.). CAPEC - Common Attack Pattern Enumeration and Classification (CAPEC). The MITRE Corporation. Retrieved February 15 2020 from https:\/\/capec.mitre.org\/"},{"key":"e_1_3_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2872518.2888605"},{"key":"e_1_3_1_14_1","unstructured":"Cloudflare. (n.d.). HTTP Flood DDoS Attack. Cloudflare. Retrieved February 15 2020 from https:\/\/www.cloudflare.com\/learning\/ddos\/http-flood-ddos-attack\/"},{"key":"e_1_3_1_15_1","doi-asserted-by":"publisher","DOI":"10.7326\/0003-4819-127-3-199708010-00006"},{"key":"e_1_3_1_16_1","unstructured":"CWE. (2019). CWE - 2019 CWE Top 25 most dangerous software errors. The MITRE Corporation. https:\/\/cwe.mitre.org\/top25\/archive\/2019\/2019_cwe_top25.html"},{"key":"e_1_3_1_17_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2016.02.005"},{"key":"e_1_3_1_18_1","unstructured":"FBI. (2019). 2018 internet crime report (pp. 1\u201328). FBI Internet Crime Complaint Center. Federal Bureau of Investigation. https:\/\/pdf.ic3.gov\/2018_IC3Report.pdf"},{"key":"e_1_3_1_19_1","doi-asserted-by":"publisher","DOI":"10.1080\/19393555.2019.1628325"},{"key":"e_1_3_1_20_1","volume-title":"High performance browser networking","author":"Grigorik I.","year":"2013","unstructured":"Grigorik, I. (2013). High performance browser networking. O\u2019Reilly Media. http:\/\/shop.oreilly.com\/product\/0636920028048.do"},{"key":"e_1_3_1_21_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2019.05.014"},{"key":"e_1_3_1_22_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2004.06.011"},{"key":"e_1_3_1_23_1","volume-title":"Analysing the Adobe hack and poor password security","author":"Helme S.","year":"2013","unstructured":"Helme, S. (2013). Analysing the Adobe hack and poor password security. Scott Helme. https:\/\/scotthelme.co.uk\/the-adobe-hack\/"},{"key":"e_1_3_1_24_1","doi-asserted-by":"publisher","DOI":"10.2172\/751004"},{"key":"e_1_3_1_25_1","volume-title":"19 deadly sins of software security: Programming flaws and how to fix them","author":"Howard M.","year":"2005","unstructured":"Howard, M., LeBlanc, D., & Viega, J. (2005). 19 deadly sins of software security: Programming flaws and how to fix them. McGraw-Hill Professional."},{"key":"e_1_3_1_26_1","unstructured":"HULK. (2012). HULK - Http Unbearable Load King \u2248 Packet Storm. Packet Storm. http:\/\/goo.gl\/PWhEJk"},{"key":"e_1_3_1_27_1","unstructured":"Hunt T. (2019). The 773 Million Record \u201cCollection #1\u201d Data Breach. Troy Hunt. https:\/\/www.troyhunt.com\/the-773-million-record-collection-1-data-reach\/"},{"key":"e_1_3_1_28_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2014.07.010"},{"key":"e_1_3_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2008.4483667"},{"key":"e_1_3_1_30_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2016.08.016"},{"key":"e_1_3_1_31_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2017.03.018"},{"key":"e_1_3_1_32_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2015.07.004"},{"key":"e_1_3_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/1323293.1294264"},{"key":"e_1_3_1_34_1","unstructured":"Kitchenham B. & Charters S. (2007). Guidelines for performing systematic literature reviews in software engineering (EBSE Technical Report). EBSE."},{"key":"e_1_3_1_35_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2010.03.006"},{"key":"e_1_3_1_36_1","unstructured":"Kottler S. (2018). February 28th DDoS Incident Report. The GitHub Blog. GitHub. https:\/\/github.blog\/2018-03-01-ddos-incident-report\/"},{"key":"e_1_3_1_37_1","unstructured":"Krasimirov A. & Tsolova T. (2019). In systemic breach hackers steal millions of Bulgarians\u2019 financial data. Reuters. https:\/\/www.reuters.com\/article\/us-bulgaria-cybersecurity-idUSKCN1UB0MA"},{"key":"e_1_3_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/185403.185412"},{"key":"e_1_3_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2541315"},{"key":"e_1_3_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SECPRI.1997.601330"},{"key":"e_1_3_1_41_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2018.06.049"},{"key":"e_1_3_1_42_1","unstructured":"Lough D. L. (2001). A taxonomy of computer attacks with applications to wireless networks [PhD Thesis Virginia Tech]. Virginia Tech. https:\/\/vtechworks.lib.vt.edu\/handle\/10919\/27242"},{"key":"e_1_3_1_43_1","unstructured":"Martin B. Brown M. Paller A. & Christey S. (2009). 2009 CWE\/SANS Top 25 most dangerous programming errors."},{"key":"e_1_3_1_44_1","article-title":"2011 CWE\/SANS top 25 most dangerous software errors","volume":"7515","author":"Martin B.","year":"2011","unstructured":"Martin, B., Brown, M., Paller, A., Kirby, D., & Christey, S. (2011). 2011 CWE\/SANS top 25 most dangerous software errors. Common Weakness Enumeration, 7515.","journal-title":"Common Weakness Enumeration"},{"key":"e_1_3_1_45_1","unstructured":"Matsakis L. & Lapowsky I. (2018). Everything we know about facebook\u2019s massive security breach. Wired. https:\/\/www.wired.com\/story\/facebook-security-breach-50-million-accounts\/"},{"key":"e_1_3_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/997150.997156"},{"key":"e_1_3_1_47_1","unstructured":"MITRE. (2007). CWE - Vulnerability Type Distributions in CVE. The MITRE Corporation. https:\/\/cwe.mitre.org\/documents\/vuln-trends\/index.html"},{"key":"e_1_3_1_48_1","unstructured":"MITRE. (n.d.). MITRE ATT&CKTM. The MITRE Corporation. Retrieved February 6 2020 from https:\/\/attack.mitre.org\/"},{"key":"e_1_3_1_49_1","volume-title":"Equifax data leak may affect nearly half the US population","author":"Ng A.","year":"2017","unstructured":"Ng, A., & Musil, S. (2017). Equifax data leak may affect nearly half the US population. CNET. https:\/\/www.cnet.com\/news\/equifax-data-leak-hits-nearly-half-of-the-us-population\/"},{"key":"e_1_3_1_50_1","unstructured":"OWASP. (2004). OWASP Top 10 2004. OWASP Foundation. https:\/\/github.com\/owasp-top\/owasp-top-2004"},{"key":"e_1_3_1_51_1","unstructured":"OWASP. (2007). OWASP TOP 10 2007. OWASP Foundation. https:\/\/github.com\/owasp-top\/owasp-top-2007"},{"key":"e_1_3_1_52_1","unstructured":"OWASP. (2017a). 2017 Top 10 | OWASP. OWASP Foundation. https:\/\/owasp.org\/www-project-top-ten\/OWASP_Top_Ten_2017\/Top_10-2017_Top_10.html"},{"key":"e_1_3_1_53_1","unstructured":"OWASP. (2017b). A3-Sensitive Data Exposure | OWASP. OWASP Foundation. https:\/\/owasp.org\/www-project-top-ten\/OWASP_Top_Ten_2017\/Top_10-2017_A3-Sensitive_Data_Exposure.html"},{"key":"e_1_3_1_54_1","unstructured":"OWASP. (2017c). A6-Security Misconfiguration | OWASP. OWASP Foundation. https:\/\/owasp.org\/www-project-top-ten\/OWASP_Top_Ten_2017\/Top_10-2017_A6-Security_Misconfiguration.html"},{"key":"e_1_3_1_55_1","unstructured":"OWASP. (2017d). OWASP Top Ten. OWASP Foundation. https:\/\/owasp.org\/www-project-top-ten\/"},{"key":"e_1_3_1_56_1","unstructured":"OWASP. (2019). HTML5 Security Cheat Sheet | OWASP. OWASP Foundation. https:\/\/owasp.org\/www-project-cheat-sheets\/cheatsheets\/HTML5_Security_Cheat_Sheet.html"},{"key":"e_1_3_1_57_1","doi-asserted-by":"crossref","unstructured":"Pellegrino G. & Balzarotti D. (2014). Toward black-box detection of logic flaws in web applications. NDSS.","DOI":"10.14722\/ndss.2014.23021"},{"key":"e_1_3_1_58_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2015.11.017"},{"key":"e_1_3_1_59_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2019.106960"},{"key":"e_1_3_1_60_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-12226-7"},{"key":"e_1_3_1_61_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-09581-3_23"},{"key":"e_1_3_1_62_1","doi-asserted-by":"publisher","DOI":"10.1504\/IJITST.2015.073936"},{"key":"e_1_3_1_63_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2018.09.029"},{"key":"e_1_3_1_64_1","unstructured":"SANS. (2018). CEO Fraud\/BECSANS Security Awareness. SANS Institute. https:\/\/www.sans.org\/\/security-awareness-training\/resources\/ceo-fraudbec"},{"key":"e_1_3_1_65_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2018.06.004"},{"key":"e_1_3_1_66_1","volume-title":"17th Annual Network and Distributed System Security Symposium (NDSS)","author":"Saxena P.","year":"2010","unstructured":"Saxena, P., Hanna, S., Poosankam, P., & Song, D. (2010). FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications. 17th Annual Network and Distributed System Security Symposium (NDSS). NDSS Symposium 2010. San Diego, CA, USA. https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/2017\/09\/saxe.pdf"},{"key":"e_1_3_1_67_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2011.12.013"},{"key":"e_1_3_1_68_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.06.005"},{"key":"e_1_3_1_69_1","doi-asserted-by":"publisher","DOI":"10.1109\/NOMS.2016.7502862"},{"key":"e_1_3_1_70_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23309"},{"key":"e_1_3_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/1377488.1377489"},{"key":"e_1_3_1_72_1","unstructured":"Statista. (2020). Global digital population 2020. Statista. https:\/\/www.statista.com\/statistics\/617136\/digital-population-worldwide\/"},{"key":"e_1_3_1_73_1","unstructured":"Stock B. Johns M. Steffens M. & Backes M. (2017). How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. 971\u2013987. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/stock"},{"key":"e_1_3_1_74_1","unstructured":"Stock B. Lekies S. Mueller T. Spiegel P. & Johns M. (2014). Precise Client-side Protection against DOM-based Cross-Site Scripting. 655\u2013670. https:\/\/www.usenix.org\/conference\/usenixsecurity14\/technical-sessions\/presentation\/stock"},{"key":"e_1_3_1_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813625"},{"key":"e_1_3_1_76_1","unstructured":"Symantec. (2019). 2019 internet security threat report (No. 24). Symantec. https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-24-2019-en.pdf"},{"key":"e_1_3_1_77_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2005.159"},{"key":"e_1_3_1_78_1","unstructured":"VCloudNews. (2015). Every Day Big Data Statistics \u2013 2.5 Quintillion Bytes of Data Created Daily. VCloudNews. http:\/\/www.vcloudnews.com\/every-day-big-data-statistics-2-5-quintillion-bytes-of-data-created-daily\/"},{"key":"e_1_3_1_79_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.02.004"},{"key":"e_1_3_1_80_1","unstructured":"WASC. (2012a). The web application security consortium\/threat classification. The\u00a0Web Application\u00a0Security Consortium (WASC). \u00a0 http:\/\/projects.webappsec.org\/w\/page\/13246978\/Threat%20Classification"},{"key":"e_1_3_1_81_1","unstructured":"WASC. (2012b). The web application security consortium\/threat classification development view. The\u00a0Web Application\u00a0Security Consortium (WASC). \u00a0 http:\/\/projects.webappsec.org\/w\/page\/13246969\/Threat%20Classification%20Development%20View"},{"key":"e_1_3_1_82_1","unstructured":"WASC. (2012c). The web application security consortium\/threat classification enumeration view. The\u00a0Web Application\u00a0Security Consortium (WASC).\u00a0 http:\/\/projects.webappsec.org\/w\/page\/13246970\/Threat%20Classification%20Enumeration%20View"},{"key":"e_1_3_1_83_1","unstructured":"WASC. (2012d). The web application security consortium\/threat classification taxonomy cross reference view. The\u00a0Web Application\u00a0Security Consortium (WASC).\u00a0 http:\/\/projects.webappsec.org\/w\/page\/13246975\/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View"},{"key":"e_1_3_1_84_1","doi-asserted-by":"publisher","DOI":"10.1145\/1082983.1083209"},{"key":"e_1_3_1_85_1","unstructured":"Whittaker Z. (2019). DoorDash confirms data breach affected 4.9 million customers workers and merchants. TechCrunch. http:\/\/social.techcrunch.com\/2019\/09\/26\/doordash-data-breach\/"},{"key":"e_1_3_1_86_1","unstructured":"Williams J. (n.d.). OWASP risk rating methodology. OWASP Foundation. Retrieved April 30 2020 available from https:\/\/owasp.org\/www-community\/OWASP_Risk_Rating_Methodology"},{"key":"e_1_3_1_87_1","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2008.925628"},{"key":"e_1_3_1_88_1","doi-asserted-by":"publisher","DOI":"10.1109\/SURV.2013.031413.00127"}],"container-title":["Information Security Journal: A Global Perspective"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.tandfonline.com\/doi\/pdf\/10.1080\/19393555.2020.1853855","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,6]],"date-time":"2026-02-06T21:49:53Z","timestamp":1770414593000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.tandfonline.com\/doi\/full\/10.1080\/19393555.2020.1853855"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,31]]},"references-count":87,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,1,2]]}},"alternative-id":["10.1080\/19393555.2020.1853855"],"URL":"https:\/\/doi.org\/10.1080\/19393555.2020.1853855","relation":{},"ISSN":["1939-3555","1939-3547"],"issn-type":[{"value":"1939-3555","type":"print"},{"value":"1939-3547","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,12,31]]},"assertion":[{"value":"The publishing and review policy for this title is described in its Aims & Scope.","order":1,"name":"peerreview_statement","label":"Peer Review Statement"},{"value":"http:\/\/www.tandfonline.com\/action\/journalInformation?show=aimsScope&journalCode=uiss20","URL":"http:\/\/www.tandfonline.com\/action\/journalInformation?show=aimsScope&journalCode=uiss20","order":2,"name":"aims_and_scope_url","label":"Aim & Scope"},{"value":"2020-12-31","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}