{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,28]],"date-time":"2026-04-28T10:15:28Z","timestamp":1777371328846,"version":"3.51.4"},"publisher-location":"New York, New York, USA","reference-count":55,"publisher":"ACM Press","license":[{"start":{"date-parts":[[2018,1,1]],"date-time":"2018-01-01T00:00:00Z","timestamp":1514764800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Secure Business Austria"},{"name":"National Science Foundation (NSF)","award":["CNS-1703454"],"award-info":[{"award-number":["CNS-1703454"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2018]]},"DOI":"10.1145\/3178876.3186090","type":"proceedings-article","created":{"date-parts":[[2018,4,13]],"date-time":"2018-04-13T15:53:48Z","timestamp":1523634828000},"page":"237-246","source":"Crossref","is-referenced-by-count":4,"title":["Large-Scale Analysis of Style Injection by Relative Path Overwrite"],"prefix":"10.1145","author":[{"given":"Sajjad","family":"Arshad","sequence":"first","affiliation":[{"name":"Northeastern University, Boston, MA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Seyed Ali","family":"Mirheidari","sequence":"additional","affiliation":[{"name":"University of Trento, Trento, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tobias","family":"Lauinger","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bruno","family":"Crispo","sequence":"additional","affiliation":[{"name":"University of Trento, Trento, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Engin","family":"Kirda","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA, 
USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"William","family":"Robertson","sequence":"additional","affiliation":[{"name":"Northeastern University, Boston, MA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","reference":[{"key":"key-10.1145\/3178876.3186090-1","unstructured":"2017. Chrome Remote Debugging Protocol. https:\/\/chromedevtools.github.io\/devtools-protocol\/. (2017)."},{"key":"key-10.1145\/3178876.3186090-2","doi-asserted-by":"crossref","unstructured":"Steven Van Acker, Nick Nikiforakis, Lieven Desmet, Wouter Joosen, and Frank Piessens. 2012. FlashOver: Automated Discovery of Cross-site Scripting Vulnerabilities in Rich Internet Applications. In ACM Symposium on Information, Computer and Communications Security (ASIACCS).","DOI":"10.1145\/2414456.2414462"},{"key":"key-10.1145\/3178876.3186090-3","unstructured":"Alexa. 2016. Top Sites. http:\/\/www.alexa.com\/topsites. (2016)."},{"key":"key-10.1145\/3178876.3186090-4","doi-asserted-by":"crossref","unstructured":"Adam Barth, Juan Caballero, and Dawn Song. 2009. Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves. In IEEE Symposium on Security and Privacy (S&P).","DOI":"10.1109\/SP.2009.3"},{"key":"key-10.1145\/3178876.3186090-5","doi-asserted-by":"crossref","unstructured":"Daniel Bates, Adam Barth, and Collin Jackson. 2010. Regular Expressions Considered Harmful in Client-Side XSS Filters. In International World Wide Web Conference (WWW).","DOI":"10.1145\/1772690.1772701"},{"key":"key-10.1145\/3178876.3186090-6","unstructured":"Prithvi Bisht and V. N. Venkatakrishnan. 2008. XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)."},{"key":"key-10.1145\/3178876.3186090-7","unstructured":"Burp Suite. 2017. https:\/\/portswigger.net\/burp\/. 
(2017)."},{"key":"key-10.1145\/3178876.3186090-8","unstructured":"Orcun Cetin, Carlos Ganan, Maciej Korczynski, and Michel van Eeten. 2017. Make Notifications Great Again: Learning How to Notify in the Age of Large-Scale Vulnerability Scanning. In Workshop on the Economics of Information Security (WEIS)."},{"key":"key-10.1145\/3178876.3186090-9","unstructured":"Common Crawl. 2016. https:\/\/commoncrawl.org\/. (August 2016)."},{"key":"key-10.1145\/3178876.3186090-10","unstructured":"Soroush Dalili. 2015. Non-Root-Relative Path Overwrite (RPO) in IIS and .Net Applications. https:\/\/soroush.secproject.com\/blog\/2015\/02\/non-root-relative-path-overwrite-rpo-in-iis-and-net-applications\/. (2015)."},{"key":"key-10.1145\/3178876.3186090-11","doi-asserted-by":"crossref","unstructured":"Adam Doupe, Weidong Cui, Mariusz H. Jakubowski, Marcus Peinado, Christopher Kruegel, and Giovanni Vigna. 2013. deDacota: Toward Preventing Server-Side XSS via Automatic Code and Data Separation. In ACM Conference on Computer and Communications Security (CCS).","DOI":"10.1145\/2508859.2516708"},{"key":"key-10.1145\/3178876.3186090-12","unstructured":"Omer Gil. 2017. Web Cache Deception Attack. In Black Hat USA."},{"key":"key-10.1145\/3178876.3186090-13","unstructured":"Omer Gil. 2017. Web Cache Deception Attack. http:\/\/omergil.blogspot.com\/2017\/02\/web-cache-deception-attack.html. (2017)."},{"key":"key-10.1145\/3178876.3186090-14","doi-asserted-by":"crossref","unstructured":"Mario Heiderich, Marcus Niemietz, Felix Schuster, Thorsten Holz, and Jörg Schwenk. 2012. Scriptless Attacks - Stealing the Pie Without Touching the Sill. In ACM Conference on Computer and Communications Security (CCS).","DOI":"10.1145\/2382196.2382276"},{"key":"key-10.1145\/3178876.3186090-15","doi-asserted-by":"crossref","unstructured":"Mario Heiderich, Christopher Späth, and Jörg Schwenk. 2017. DOMPurify: Client-Side Protection Against XSS and Markup Injection. 
In European Conference on Research in Computer Security (ESORICS).","DOI":"10.1007\/978-3-319-66399-9_7"},{"key":"key-10.1145\/3178876.3186090-16","unstructured":"Gareth Heyes. 2009. The Sexy Assassin: Tactical Exploitation using CSS. https:\/\/docs.google.com\/viewer?url=www.businessinfo.co.uk\/labs\/talk\/ The_Sexy_Assassin.ppt. (2009)."},{"key":"key-10.1145\/3178876.3186090-17","unstructured":"Gareth Heyes. 2014. RPO. http:\/\/www.thespanner.co.uk\/2014\/03\/21\/rpo\/. (2014)."},{"key":"key-10.1145\/3178876.3186090-18","doi-asserted-by":"crossref","unstructured":"Lin-Shung Huang, Zack Weinberg, Chris Evans, and Collin Jackson. 2010. Protecting Browsers from Cross-Origin CSS Attacks. In ACM Conference on Computer and Communications Security (CCS).","DOI":"10.1145\/1866307.1866376"},{"key":"key-10.1145\/3178876.3186090-19","unstructured":"Artur Janc and Lukasz Olejnik. 2010. Feasibility and Real-World Implications of Web Browser History Detection. In Web 2.0 Security and Privacy (W2SP)."},{"key":"key-10.1145\/3178876.3186090-20","doi-asserted-by":"crossref","unstructured":"Christoph Kern. 2014. Securing the Tangled Web. Commun. ACM 57, no. 9 (2014), 38--47.","DOI":"10.1145\/2643134"},{"key":"key-10.1145\/3178876.3186090-21","unstructured":"Christoph Kerschbaumer. 2016. Mitigating MIME Confusion Attacks in Firefox. https:\/\/blog.mozilla.org\/security\/2016\/08\/26\/ mitigating-mime-confusion-attacks-in-firefox\/. (2016)."},{"key":"key-10.1145\/3178876.3186090-22","unstructured":"James Kettle. 2015. Detecting and Exploiting Path-Relative Stylesheet Import (PRSSI) Vulnerabilities. http:\/\/blog.portswigger.net\/2015\/02\/prssi.html. (2015)."},{"key":"key-10.1145\/3178876.3186090-23","unstructured":"Masato Kinugawa. 2015. CSS based Attack: Abusing Unicode-Range of @fontface. http:\/\/mksben.l0.cm\/2015\/10\/css-based-attack-abusing-unicode-range. html. (2015)."},{"key":"key-10.1145\/3178876.3186090-24","unstructured":"Sebastian Lekies. 2016. 
How to bypass CSP nonces with DOM XSS. http: \/\/sirdarckcat.blogspot.com\/2016\/12\/how-to-bypass-csp-nonces-with-dom-xss. html. (2016)."},{"key":"key-10.1145\/3178876.3186090-25","doi-asserted-by":"crossref","unstructured":"Sebastian Lekies, Krzysztof Kotowicz, Samuel Grob, Eduardo A. Vela Nava, and Martin Johns. 2017. Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets. In ACM Conference on Computer and Communications Security (CCS).","DOI":"10.1145\/3133956.3134091"},{"key":"key-10.1145\/3178876.3186090-26","unstructured":"Sebastian Lekies, Krzysztof Kotowicz, and Eduardo Vela Nava. 2017. Breaking XSS mitigations via Script Gadgets. In Black Hat USA."},{"key":"key-10.1145\/3178876.3186090-27","doi-asserted-by":"crossref","unstructured":"Sebastian Lekies, Ben Stock, and Martin Johns. 2013. 25 Million Flows Later - Large-scale Detection of DOM-based XSS. In ACM Conference on Computer and Communications Security (CCS).","DOI":"10.1145\/2508859.2516703"},{"key":"key-10.1145\/3178876.3186090-28","unstructured":"Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson. 2016. You've Got Vulnerability: Exploring Effective Vulnerability Notifications. In USENIX Security Symposium."},{"key":"key-10.1145\/3178876.3186090-29","doi-asserted-by":"crossref","unstructured":"Bin Liang, Wei You, Liangkun Liu, Wenchang Shi, and Mario Heiderich. 2014. Scriptless Timing Attacks on Web Browser Privacy. In IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN).","DOI":"10.1109\/DSN.2014.93"},{"key":"key-10.1145\/3178876.3186090-30","unstructured":"Nera W. C. Liu and Albert Yu. 2014. Ultimate DOM Based XSS Detection Scanner On Cloud. In Black Hat Asia."},{"key":"key-10.1145\/3178876.3186090-31","doi-asserted-by":"crossref","unstructured":"Mike Ter Louw and V.N. Venkatakrishnan. 2009. 
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In IEEE Symposium on Security and Privacy (S&P).","DOI":"10.1109\/SP.2009.33"},{"key":"key-10.1145\/3178876.3186090-32","unstructured":"Giorgio Maone. 2009. NoScript. https:\/\/noscript.net\/. (2009)."},{"key":"key-10.1145\/3178876.3186090-33","unstructured":"MDN. 2018. X-Content-Type-Options. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Content-Type-Options. (2018)."},{"key":"key-10.1145\/3178876.3186090-34","unstructured":"Microsoft. 2015. Understanding the Compatibility View List. https:\/\/msdn.microsoft.com\/en-us\/library\/gg699485(v=vs.85).aspx. (2015)."},{"key":"key-10.1145\/3178876.3186090-35","unstructured":"Yacin Nadji, Prateek Saxena, and Dawn Song. 2009. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In Network and Distributed System Security Symposium (NDSS)."},{"key":"key-10.1145\/3178876.3186090-36","doi-asserted-by":"crossref","unstructured":"Terri Oda, Glenn Wurster, P. C. van Oorschot, and Anil Somayaji. 2008. SOMA: Mutual Approval for Included Content in Web Pages. In ACM Conference on Computer and Communications Security (CCS).","DOI":"10.1145\/1455770.1455783"},{"key":"key-10.1145\/3178876.3186090-37","unstructured":"OWASP. 2016. Cross-site Scripting (XSS). https:\/\/www.owasp.org\/index.php\/Cross-site_Scripting_(XSS). (2016)."},{"key":"key-10.1145\/3178876.3186090-38","unstructured":"OWASP. 2017. Clickjacking Defense Cheat Sheet. https:\/\/www.owasp.org\/index.php\/Clickjacking_Defense_Cheat_Sheet. (2017)."},{"key":"key-10.1145\/3178876.3186090-39","unstructured":"OWASP. 2017. Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet. https:\/\/www.owasp.org\/index.php\/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet. (2017)."},{"key":"key-10.1145\/3178876.3186090-40","unstructured":"OWASP. 2017. XSS (Cross Site Scripting) Prevention Cheat Sheet. https:\/\/www. 
owasp.org\/index.php\/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet. (2017)."},{"key":"key-10.1145\/3178876.3186090-41","unstructured":"David Ross. 2008. IE 8 XSS Filter Architecture \/ Implementation. https:\/\/blogs.technet.microsoft.com\/srd\/2008\/08\/19\/ ie-8-xss-filter-architecture-implementation\/. (2008)."},{"key":"key-10.1145\/3178876.3186090-42","unstructured":"Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson. 2010. Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites. In IEEE Oakland Web 2.0 Security and Privacy (W2SP)."},{"key":"key-10.1145\/3178876.3186090-43","doi-asserted-by":"crossref","unstructured":"Mike Samuel, Prateek Saxena, and Dawn Song. 2011. Context-Sensitive AutoSanitization in Web Templating Languages Using Type Qualifiers. In ACM Conference on Computer and Communications Security (CCS).","DOI":"10.1145\/2046707.2046775"},{"key":"key-10.1145\/3178876.3186090-44","unstructured":"Henri Sivonen. 2013. Activating Browser Modes with Doctype. https:\/\/hsivonen. fi\/doctype\/. (2013)."},{"key":"key-10.1145\/3178876.3186090-45","doi-asserted-by":"crossref","unstructured":"Sid Stamm, Brandon Sterne, and Gervase Markham. 2010. Reining in the Web with Content Security Policy. In International World Wide Web Conference (WWW).","DOI":"10.1145\/1772690.1772784"},{"key":"key-10.1145\/3178876.3186090-46","unstructured":"Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, and Martin Johns. 2014. Precise Client-side Protection against DOM-based Cross-Site Scripting. In USENIX Security Symposium."},{"key":"key-10.1145\/3178876.3186090-47","unstructured":"Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes. 2016. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification. In USENIX Security Symposium."},{"key":"key-10.1145\/3178876.3186090-48","unstructured":"Takeshi Terada. 2015. A Few RPO Exploitation Techniques. https:\/\/www.mbsd. 
jp\/Whitepaper\/rpo.pdf. (2015)."},{"key":"key-10.1145\/3178876.3186090-49","unstructured":"W3C. 2011. CSS Syntax and Basic Data Types. http:\/\/www.w3.org\/TR\/CSS2\/ syndata.html. (2011)."},{"key":"key-10.1145\/3178876.3186090-50","unstructured":"W3C. 2015. Content Security Policy Level 2. https:\/\/www.w3.org\/TR\/CSP2\/. (2015)."},{"key":"key-10.1145\/3178876.3186090-51","unstructured":"Wappalyzer. 2017. Identify technologies on websites. https:\/\/www.wappalyzer. com\/. (2017)."},{"key":"key-10.1145\/3178876.3186090-52","doi-asserted-by":"crossref","unstructured":"Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, and Artur Janc. 2016. CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy. In ACM Conference on Computer and Communications Security (CCS).","DOI":"10.1145\/2976749.2978363"},{"key":"key-10.1145\/3178876.3186090-53","doi-asserted-by":"crossref","unstructured":"Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song. 2011. An Empirical Analysis of XSS Sanitization in Web Application Frameworks. In European Conference on Research in Computer Security (ESORICS).","DOI":"10.1007\/978-3-642-23822-2_9"},{"key":"key-10.1145\/3178876.3186090-54","unstructured":"XSS Jigsaw. 2015. CSS: Cascading Style Scripting. http:\/\/blog.innerht.ml\/ cascading-style-scripting\/. (2015)."},{"key":"key-10.1145\/3178876.3186090-55","unstructured":"XSS Jigsaw. 2016. RPO Gadgets. http:\/\/blog.innerht.ml\/rpo-gadgets\/. 
(2016)."}],"event":{"name":"the 2018 World Wide Web Conference","location":"Lyon, France","acronym":"WWW '18","number":"2018","sponsor":["SIGWEB, ACM Special Interest Group on Hypertext, Hypermedia, and Web","IW3C2, International World Wide Web Conference Committee"],"start":{"date-parts":[[2018,4,23]]},"end":{"date-parts":[[2018,4,27]]}},"container-title":["Proceedings of the 2018 World Wide Web Conference on World Wide Web - WWW '18"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3178876.3186090","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/dl.acm.org\/ft_gateway.cfm?id=3186090&ftid=1957498&dwn=1","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T02:11:28Z","timestamp":1750212688000},"score":1,"resource":{"primary":{"URL":"http:\/\/dl.acm.org\/citation.cfm?doid=3178876.3186090"}},"subtitle":[],"proceedings-subject":"World Wide Web","short-title":[],"issued":{"date-parts":[[2018]]},"references-count":55,"URL":"https:\/\/doi.org\/10.1145\/3178876.3186090","relation":{},"subject":[],"published":{"date-parts":[[2018]]}}}