{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,18]],"date-time":"2025-11-18T12:15:43Z","timestamp":1763468143175,"version":"3.41.0"},"reference-count":88,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2013,5,1]],"date-time":"2013-05-01T00:00:00Z","timestamp":1367366400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Web"],"published-print":{"date-parts":[[2013,5]]},"abstract":"<jats:p>JavaScript is an interpreted programming language most often used for enhancing webpage interactivity and functionality. It has powerful capabilities to interact with webpage documents and browser windows; however, it has also opened the door for many browser-based security attacks. Insecure engineering practices of using JavaScript may not directly lead to security breaches, but they can create new attack vectors and greatly increase the risk of browser-based attacks. In this article, we present the first measurement study on insecure practices of using JavaScript on the Web. Our focus is on the insecure practices of JavaScript inclusion and dynamic generation, and we examine their severity and nature on 6,805 unique websites. 
Our measurement results reveal that insecure JavaScript practices are common at various websites: (1) at least 66.4% of the measured websites manifest the insecure practices of including JavaScript files from external domains into the top-level documents of their webpages; (2) over 44.4% of the measured websites use the dangerous eval() function to dynamically generate and execute JavaScript code on their webpages; and (3) in JavaScript dynamic generation, using the document.write() method and the innerHTML property is much more popular than using the relatively secure technique of creating script elements via DOM methods. Our analysis indicates that safe alternatives to these insecure practices exist in common cases and ought to be adopted by website developers and administrators for reducing potential security risks.<\/jats:p>","DOI":"10.1145\/2460383.2460386","type":"journal-article","created":{"date-parts":[[2013,6,5]],"date-time":"2013-06-05T12:09:34Z","timestamp":1370434174000},"page":"1-39","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":17,"title":["A measurement study of insecure javascript practices on the web"],"prefix":"10.1145","volume":"7","author":[{"given":"Chuan","family":"Yue","sequence":"first","affiliation":[{"name":"University of Colorado Colorado Springs"}]},{"given":"Haining","family":"Wang","sequence":"additional","affiliation":[{"name":"The College of William and Mary"}]}],"member":"320","published-online":{"date-parts":[[2013,5,29]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/183432.183527"},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455782"},{"volume-title":"Proceedings of the 17th USENIX Security Symposium. 17--30","author":"Barth A.","key":"e_1_2_1_3_1"},{"volume-title":"Proceedings of the International Conference on Software Maintenance.","author":"Baxter I. 
D.","key":"e_1_2_1_4_1"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242656"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1963405.1963436"},{"key":"e_1_2_1_7_1","doi-asserted-by":"crossref","unstructured":"Ceri S. Fraternali P. Bongio A. Brambilla M. Comai S. and Matera M. 2002. Designing Data-Intensive Web Applications. Morgan Kaufmann San Fransisco CA. Ceri S. Fraternali P. Bongio A. Brambilla M. Comai S. and Matera M. 2002. Designing Data-Intensive Web Applications. Morgan Kaufmann San Fransisco CA.","DOI":"10.1109\/MIC.2002.1020321"},{"key":"e_1_2_1_8_1","unstructured":"Cert. 2000. CERT advisory ca-2000-02 malicious html tags embedded in client web requests. http:\/\/www.cert.org\/advisories\/CA-2000-02.html. Cert. 2000. CERT advisory ca-2000-02 malicious html tags embedded in client web requests. http:\/\/www.cert.org\/advisories\/CA-2000-02.html."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2007.6"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772720"},{"volume-title":"Proceedings of the USENIX Security Symposium.","author":"Curtsinger C.","key":"e_1_2_1_11_1"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1124772.1124861"},{"key":"e_1_2_1_13_1","unstructured":"Dom2Events. 2012. Document object model (dom) level 2 events. http:\/\/www.w3.org\/TR\/DOM-Level-2-Events\/events.html. Dom2Events. 2012. Document object model (dom) level 2 events. http:\/\/www.w3.org\/TR\/DOM-Level-2-Events\/events.html."},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-02918-9_6"},{"key":"e_1_2_1_15_1","unstructured":"Evalmdc. 2011. Eval-mdc. https:\/\/developer.mozilla.org\/en\/JavaScript\/Reference\/Global Objects\/eval. Evalmdc. 2011. Eval-mdc. 
https:\/\/developer.mozilla.org\/en\/JavaScript\/Reference\/Global Objects\/eval."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1408664.1408680"},{"volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS).","author":"Finifter M.","key":"e_1_2_1_17_1"},{"volume-title":"JavaScript: The Definitive Guide","author":"Flanagan D.","key":"e_1_2_1_18_1"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242661"},{"key":"e_1_2_1_20_1","doi-asserted-by":"crossref","unstructured":"Fogie S. Grossman J. Hansen R. Rager A. and Petkov P. D. 2007. XSS Exploits: Cross Site Scripting Attacks and Defense. Syngress. Fogie S. Grossman J. Hansen R. Rager A. and Petkov P. D. 2007. XSS Exploits: Cross Site Scripting Attacks and Defense. Syngress.","DOI":"10.1016\/B978-159749154-9\/50007-X"},{"volume-title":"Proceedings of the USENIX Security Symposium.","author":"Guarnieri S.","key":"e_1_2_1_21_1"},{"key":"e_1_2_1_22_1","unstructured":"Heilmann C. 2011. Unobtrusive javascript. http:\/\/www.onlinetools.org\/articles\/unobtrusivejavascript\/. Heilmann C. 2011. Unobtrusive javascript. http:\/\/www.onlinetools.org\/articles\/unobtrusivejavascript\/."},{"volume-title":"Proceedings of the USENIX Security Symposium.","author":"Hooimeijer P.","key":"e_1_2_1_23_1"},{"key":"e_1_2_1_24_1","unstructured":"Html5Comm. 2012. HTML5: Communication. http:\/\/www.w3.org\/TR\/html5\/comms.html. Html5Comm. 2012. HTML5: Communication. http:\/\/www.w3.org\/TR\/html5\/comms.html."},{"key":"e_1_2_1_25_1","unstructured":"Html5Sandbox. 2012. HTML5 iframe sandbox. http:\/\/www.w3schools.com\/html5\/att iframe sandbox.asp. Html5Sandbox. 2012. HTML5 iframe sandbox. http:\/\/www.w3schools.com\/html5\/att iframe sandbox.asp."},{"key":"e_1_2_1_26_1","unstructured":"Htmltimers. 2012. HTML timers. http:\/\/www.w3.org\/TR\/html5\/timers.html. Htmltimers. 2012. HTML timers. 
http:\/\/www.w3.org\/TR\/html5\/timers.html."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/988672.988679"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/1135777.1135884"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242655"},{"key":"e_1_2_1_30_1","doi-asserted-by":"crossref","unstructured":"Jakobsson M. and Myers S. 2006. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Wiley-Interscience. Jakobsson M. and Myers S. 2006. Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft. Wiley-Interscience.","DOI":"10.1002\/0470086106"},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/1242572.1242654"},{"key":"e_1_2_1_32_1","unstructured":"Jsapi. 2011. JSAPI reference-MDC. https:\/\/developer.mozilla.org\/en\/JSAPI Reference. Jsapi. 2011. JSAPI reference-MDC. https:\/\/developer.mozilla.org\/en\/JSAPI Reference."},{"key":"e_1_2_1_33_1","unstructured":"Json. 2011. JSON in javascript. http:\/\/www.json.org\/js.html. Json. 2011. JSON in javascript. http:\/\/www.json.org\/js.html."},{"key":"e_1_2_1_34_1","unstructured":"Jsprincipals. 2011. JSprincipals-MDC. http:\/\/developer.mozilla.org\/en\/JSPrincipals. Jsprincipals. 2011. JSprincipals-MDC. 
http:\/\/developer.mozilla.org\/en\/JSPrincipals."},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1135777.1135817"},{"volume-title":"Web Engineering: The Discipline of Systematic Development of Web Applications","year":"2006","author":"Kappel G.","key":"e_1_2_1_36_1"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/1841909.1841910"},{"key":"e_1_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2009.04.008"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/1978942.1979321"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1135777.1135829"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/1180405.1180434"},{"volume-title":"Proceedings of the USENIX Annual Technical Conference.","author":"Livshits B.","key":"e_1_2_1_42_1"},{"key":"e_1_2_1_43_1","doi-asserted-by":"crossref","unstructured":"Mendes E. and Mosley N. 2005. Web Engineering. Springer. Mendes E. and Mosley N. 2005. Web Engineering. Springer.","DOI":"10.1007\/3-540-28218-1"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.36"},{"volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS).","author":"Moshchuk A.","key":"e_1_2_1_45_1"},{"volume-title":"MSDN: InnerHTML property","year":"2011","author":"Msdn","key":"e_1_2_1_46_1"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45144-7"},{"key":"e_1_2_1_48_1","unstructured":"Mxr. 2012. Mozilla cross-reference: Firefox 2 source code. http:\/\/mxr.mozilla.org\/firefox2\/. Mxr. 2012. Mozilla cross-reference: Firefox 2 source code. http:\/\/mxr.mozilla.org\/firefox2\/."},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382274"},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455783"},{"key":"e_1_2_1_51_1","unstructured":"Powell T. A. Jones D. L. and Cutts D. C. 1998. Web Site Engineering: Beyond Web Page Design. 
Prentice Hall. Powell T. A. Jones D. L. and Cutts D. C. 1998. Web Site Engineering: Beyond Web Page Design. Prentice Hall."},{"volume-title":"Proceedings of the USENIX Security Symposium. 1--15","author":"Provos N.","key":"e_1_2_1_52_1"},{"volume-title":"Proceedings of the USENIX Conference on Web Application Development (WebApps).","author":"Ratanaworabhan P.","key":"e_1_2_1_53_1"},{"volume-title":"Proceedings of the USENIX Symposium on Operating Systems Design and Implementation (OSDI). 61--74","author":"Reis C.","key":"e_1_2_1_54_1"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/988672.988740"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/2048066.2048119"},{"volume-title":"Proceedings of the European Conference on Object-Oriented Programming (ECOOP). 52--78","author":"Richards G.","key":"e_1_2_1_57_1"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/1806596.1806598"},{"volume-title":"Web Engineering: Modelling and Implementing Web Applications","year":"2007","author":"Rossi G.","key":"e_1_2_1_59_1"},{"key":"e_1_2_1_60_1","unstructured":"Sans. 2007. SANS top-20 2007 security risks (2007 annual update). http:\/\/www.sans.org\/top20\/2007\/. Sans. 2007. SANS top-20 2007 security risks (2007 annual update). http:\/\/www.sans.org\/top20\/2007\/."},{"key":"e_1_2_1_61_1","unstructured":"Siliconforks. 2012. Parsing javascript with spidermonkey. http:\/\/siliconforks.com\/doc\/parsing-javascript-with-spidermonkey\/. Siliconforks. 2012. Parsing javascript with spidermonkey. http:\/\/siliconforks.com\/doc\/parsing-javascript-with-spidermonkey\/."},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.35"},{"key":"e_1_2_1_63_1","unstructured":"Spidermonkey. 2012. Spidermonkey (javascript-c) engine. http:\/\/www.mozilla.org\/js\/spidermonkey\/. Spidermonkey. 2012. Spidermonkey (javascript-c) engine. 
http:\/\/www.mozilla.org\/js\/spidermonkey\/."},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653738"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.5555\/1051791"},{"volume-title":"Symantec internet security threat report","year":"2008","author":"Symantec","key":"e_1_2_1_66_1"},{"volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS).","author":"Vogt P.","key":"e_1_2_1_67_1"},{"key":"e_1_2_1_68_1","unstructured":"W3cdom. 2011. W3C document object model. http:\/\/www.w3.org\/DOM. W3cdom. 2011. W3C document object model. http:\/\/www.w3.org\/DOM."},{"key":"e_1_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/1294261.1294263"},{"volume-title":"Proceedings of the USENIX Security Symposium. 417--432","author":"Wang H. J.","key":"e_1_2_1_70_1"},{"volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS).","author":"Wang Y.-M.","key":"e_1_2_1_71_1"},{"key":"e_1_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/1368088.1368112"},{"key":"e_1_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.5555\/786767.786825"},{"key":"e_1_2_1_74_1","unstructured":"Wikijs. 2011. Javascript. http:\/\/en.wikipedia.org\/wiki\/JavaScript. Wikijs. 2011. Javascript. http:\/\/en.wikipedia.org\/wiki\/JavaScript."},{"key":"e_1_2_1_75_1","unstructured":"Wikisop. 2011. Same origin policy. http:\/\/en.wikipedia.org\/wiki\/Same origin policy. Wikisop. 2011. Same origin policy. http:\/\/en.wikipedia.org\/wiki\/Same origin policy."},{"key":"e_1_2_1_76_1","unstructured":"Wikixss. 2011. Cross-site scripting. http:\/\/en.wikipedia.org\/wiki\/Cross-site scripting. Wikixss. 2011. Cross-site scripting. http:\/\/en.wikipedia.org\/wiki\/Cross-site scripting."},{"key":"e_1_2_1_77_1","unstructured":"Willison S. 2005. 24 ways: Don't be eval(). http:\/\/24ways.org\/2005\/dont-be-eval. Willison S. 2005. 24 ways: Don't be eval(). 
http:\/\/24ways.org\/2005\/dont-be-eval."},{"key":"e_1_2_1_78_1","unstructured":"Wot. 2012. Safe browsing tool\u2014WOT (web of trust). http:\/\/www.mywot.com\/. Wot. 2012. Safe browsing tool\u2014WOT (web of trust). http:\/\/www.mywot.com\/."},{"key":"e_1_2_1_79_1","unstructured":"Xhr. 2011. XMLHttpRequest. http:\/\/www.w3.org\/TR\/XMLHttpRequest\/. Xhr. 2011. XMLHttpRequest. http:\/\/www.w3.org\/TR\/XMLHttpRequest\/."},{"key":"e_1_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.1002\/spe.4380210706"},{"key":"e_1_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.1145\/1190216.1190252"},{"volume-title":"Proceedings of the USENIX Large Installation System Administration Conference (LISA). 67--81","year":"2012","author":"Yue C.","key":"e_1_2_1_82_1"},{"key":"e_1_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1145\/1526709.1526838"},{"key":"e_1_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1145\/1754393.1754395"},{"key":"e_1_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2010.03.006"},{"key":"e_1_2_1_86_1","unstructured":"Zalewski M. 2012. Browser security handbook. http:\/\/code.google.com\/p\/browsersec\/wiki\/Main. Zalewski M. 2012. Browser security handbook. 
http:\/\/code.google.com\/p\/browsersec\/wiki\/Main."},{"key":"e_1_2_1_87_1","doi-asserted-by":"publisher","DOI":"10.1145\/1060745.1060761"},{"key":"e_1_2_1_88_1","doi-asserted-by":"publisher","DOI":"10.1145\/2435349.2435397"}],"container-title":["ACM Transactions on the Web"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2460383.2460386","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2460383.2460386","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T08:39:23Z","timestamp":1750235963000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2460383.2460386"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013,5]]},"references-count":88,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2013,5]]}},"alternative-id":["10.1145\/2460383.2460386"],"URL":"https:\/\/doi.org\/10.1145\/2460383.2460386","relation":{},"ISSN":["1559-1131","1559-114X"],"issn-type":[{"type":"print","value":"1559-1131"},{"type":"electronic","value":"1559-114X"}],"subject":[],"published":{"date-parts":[[2013,5]]},"assertion":[{"value":"2011-02-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2013-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2013-05-29","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}
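The abstract above names four practices the study measured: including scripts from external domains into the top-level document, calling eval() to generate code from strings, generating markup with document.write() or innerHTML, and the comparatively safe alternative of creating script elements via DOM methods. The following is an added example, not code from the paper or its authors: a small Node.js script that counts those practices in a page's HTML the way a coarse static audit would, and then contrasts eval() with JSON.parse() on a configuration string to show why the former is the dangerous choice for dynamic generation. The sample page, the "shop.example", "cdn.example" and "tracker.example" hosts, and the hostile configuration string are all constructed for the example; the regexes are a line-level approximation, not the paper's instrumentation, and a real scanner should parse the JavaScript instead.

```javascript
// Added example (not from the paper): coarse static audit for the insecure
// JavaScript practices the abstract enumerates, plus eval() vs JSON.parse().
// Plain Node.js, no dependencies. All inputs below are constructed samples.

// Patterns for the practices counted in the study. Regex-based, so they are an
// approximation: they will miss obfuscated calls and count commented-out ones.
const PATTERNS = {
  evalCall: /\beval\s*\(/g,
  documentWrite: /\bdocument\.write(?:ln)?\s*\(/g,
  innerHtmlAssign: /\.innerHTML\s*=(?!=)/g,           // assignment, not ==
  domScriptElement: /createElement\s*\(\s*["']script["']\s*\)/g,
};
const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Resolve a script src against the page origin and return its host.
// Scheme-relative ("//host/x.js") and absolute URLs carry their own host;
// path-relative ones resolve to the page host.
function scriptHost(src, pageHost) {
  try {
    return new URL(src, `https://${pageHost}/`).hostname;
  } catch {
    return pageHost; // unparsable src: treat as same-origin rather than crash
  }
}

// Count each practice in the top-level document and list external script hosts.
function auditPage(html, pageHost) {
  const counts = {};
  for (const [name, re] of Object.entries(PATTERNS)) {
    counts[name] = (html.match(re) || []).length;
  }
  const externalHosts = new Set();
  for (const m of html.matchAll(SCRIPT_SRC)) {
    const host = scriptHost(m[1], pageHost);
    if (host !== pageHost) externalHosts.add(host);
  }
  counts.externalInclusion = externalHosts.size;
  return { counts, externalHosts: [...externalHosts].sort() };
}

// Dynamic generation the insecure way: eval() runs whatever the string holds,
// so a "configuration" controlled by an attacker becomes code execution.
function parseWithEval(text) {
  return eval(`(${text})`);
}

// The safe alternative for data: JSON.parse() accepts only JSON, never code.
function parseWithJson(text) {
  try {
    return JSON.parse(text);
  } catch {
    return null; // reject anything that is not plain data
  }
}

// Constructed sample page, assumed to be served from the hypothetical host shop.example.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="//tracker.example/t.js"></script>
<script>
  var cfg = eval("(" + rawConfig + ")");
  document.write("<div>" + banner + "</div>");
  document.getElementById("box").innerHTML = userHtml;
  var s = document.createElement("script"); s.src = "/static/late.js";
  document.head.appendChild(s);
</script>
</head></html>`;

// Constructed "configuration": valid JavaScript, not valid JSON. The function
// call inside it runs only if the page evaluates the string as code.
const HOSTILE_CONFIG =
  '{"theme":"dark","token":(function(){ globalThis.pwned = true; return "x"; })()}';

function demo() {
  const report = auditPage(SAMPLE_HTML, "shop.example");
  console.log(JSON.stringify(report, null, 2));
  console.log("JSON.parse result:", parseWithJson(HOSTILE_CONFIG)); // null
  const cfg = parseWithEval(HOSTILE_CONFIG);
  console.log("eval result:", cfg, "attacker code ran:", globalThis.pwned === true);
  return report;
}

demo();
```

On the sample page the audit reports two external script hosts (the path-relative and scheme-relative cases are the ones a naive string match on "http" gets wrong), one eval(), one document.write(), one innerHTML assignment and one DOM-created script element. The eval() branch returns a usable object and sets globalThis.pwned as a side effect, while JSON.parse() rejects the same string outright; that difference is the whole case for the safer alternative the abstract recommends.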