{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,14]],"date-time":"2026-03-14T18:39:52Z","timestamp":1773513592444,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":28,"publisher":"ACM","license":[{"start":{"date-parts":[[2020,12,7]],"date-time":"2020-12-07T00:00:00Z","timestamp":1607299200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100004801","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1617985, 1642129"],"award-info":[{"award-number":["1617985, 1642129"]}],"id":[{"id":"10.13039\/501100004801","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100015089","name":"Office of Naval Research","doi-asserted-by":"publisher","award":["N00014-20-1-2734"],"award-info":[{"award-number":["N00014-20-1-2734"]}],"id":[{"id":"10.13039\/100015089","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2020,12,7]]},"DOI":"10.1145\/3427228.3427290","type":"proceedings-article","created":{"date-parts":[[2020,12,9]],"date-time":"2020-12-09T22:20:18Z","timestamp":1607552418000},"page":"643-654","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["Security Study of Service Worker Cross-Site Scripting."],"prefix":"10.1145","author":[{"given":"Phakpoom","family":"Chinprutthiwong","sequence":"first","affiliation":[{"name":"Texas A&amp;M University, United States of America"}]},{"given":"Raj","family":"Vardhan","sequence":"additional","affiliation":[{"name":"Texas A&amp;M University, United States of America"}]},{"given":"GuangLiang","family":"Yang","sequence":"additional","affiliation":[{"name":"Texas A&amp;M University, United States of 
America"}]},{"given":"Guofei","family":"Gu","sequence":"additional","affiliation":[{"name":"Texas A&amp;M University, United States of America"}]}],"member":"320","published-online":{"date-parts":[[2020,12,8]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[\n  1\n  ]  [n.d.]. https:\/\/babeljs.io\/.  [1] [n.d.]. https:\/\/babeljs.io\/."},{"key":"e_1_3_2_1_2_1","unstructured":"[\n  2\n  ]  [n.d.]. https:\/\/maierfelix.github.io\/Iroh\/.  [2] [n.d.]. https:\/\/maierfelix.github.io\/Iroh\/."},{"key":"e_1_3_2_1_3_1","unstructured":"[\n  3\n  ]  [n.d.]. https:\/\/github.com\/maierfelix\/Iroh\/blob\/master\/API.md.  [3] [n.d.]. https:\/\/github.com\/maierfelix\/Iroh\/blob\/master\/API.md."},{"key":"e_1_3_2_1_4_1","unstructured":"[\n  4\n  ]  [n.d.]. https:\/\/www.similarweb.com\/.  [4] [n.d.]. https:\/\/www.similarweb.com\/."},{"key":"e_1_3_2_1_5_1","unstructured":"[\n  5\n  ]  [n.d.]. https:\/\/web.archive.org\/.  [5] [n.d.]. https:\/\/web.archive.org\/."},{"key":"e_1_3_2_1_6_1","unstructured":"[\n  6\n  ]  [n.d.]. https:\/\/www.openbugbounty.org\/.  [6] [n.d.]. https:\/\/www.openbugbounty.org\/."},{"key":"e_1_3_2_1_7_1","unstructured":"[\n  7\n  ]  [n.d.]. https:\/\/www.w3.org\/TR\/CSP3\/#framework-directive-source-list.  [7] [n.d.]. https:\/\/www.w3.org\/TR\/CSP3\/#framework-directive-source-list."},{"key":"e_1_3_2_1_8_1","unstructured":"[\n  8\n  ]  [n.d.]. https:\/\/tools.ietf.org\/html\/rfc3986#section-3.3.  [8] [n.d.]. https:\/\/tools.ietf.org\/html\/rfc3986#section-3.3."},{"key":"e_1_3_2_1_9_1","unstructured":"[\n  9\n  ]  [n.d.]. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Manifest\/serviceworker.  [9] [n.d.]. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Manifest\/serviceworker."},{"key":"e_1_3_2_1_10_1","unstructured":"[\n  10\n  ]  [n.d.]. https:\/\/c0nradsc0rner.com\/2016\/06\/17\/xss-persistence-using-jsonp-and-serviceworkers\/.  [10] [n.d.]. 
https:\/\/c0nradsc0rner.com\/2016\/06\/17\/xss-persistence-using-jsonp-and-serviceworkers\/."},{"key":"e_1_3_2_1_11_1","unstructured":"[11] [n.d.]. https:\/\/jshint.com\/."},{"key":"e_1_3_2_1_12_1","unstructured":"[12] [n.d.]. https:\/\/github.com\/SonarSource\/SonarJS."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3355369.3355599"},{"key":"e_1_3_2_1_14_1","volume-title":"Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web. In 24th Annual Network and Distributed System Security Symposium, NDSS 2017","author":"Lauinger Tobias","year":"2017","unstructured":"Tobias Lauinger, Abdelberi Chaabane, Sajjad Arshad, William Robertson, Christo Wilson, and Engin Kirda. 2017. Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web. In 24th Annual Network and Distributed System Security Symposium, NDSS 2017, San Diego, California, USA, February 26 - March 1, 2017. The Internet Society."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23386"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243867"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516703"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23309"},{"key":"e_1_3_2_1_19_1","volume-title":"Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities. 
In 2018 IEEE Symposium on Security and Privacy, SP 2018","author":"Mendoza Abner","year":"2018","unstructured":"Abner Mendoza and Guofei Gu. 2018. Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities. In 2018 IEEE Symposium on Security and Privacy, SP 2018, Proceedings, 21-23 May 2018, San Francisco, California, USA. IEEE, 756\u2013769. https:\/\/doi.org\/10.1109\/SP.2018.00039"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382274"},{"key":"e_1_3_2_1_21_1","volume-title":"Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019","author":"Papadopoulos Panagiotis","year":"2019","unstructured":"Panagiotis Papadopoulos, Panagiotis Ilia, Michalis Polychronakis, Evangelos\u00a0P. Markatos, Sotiris Ioannidis, and Giorgos Vasiliadis. 2019. Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019. 
The Internet Society. https:\/\/www.ndss-symposium.org\/ndss-paper\/master-of-web-puppets-abusing-web-browsers-for-persistent-and-stealthy-computation\/"},{"key":"e_1_3_2_1_22_1","volume-title":"Proceedings of the Network and Distributed System Security Symposium, NDSS 2010","author":"Saxena Prateek","year":"2010","unstructured":"Prateek Saxena , Steve Hanna , Pongsin Poosankam , and Dawn Song . 2010 . FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications . In Proceedings of the Network and Distributed System Security Symposium, NDSS 2010 , San Diego, California, USA, 28th February - 3rd March 2010. The Internet Society. https:\/\/www.ndss-symposium.org\/ndss2010\/flax-systematic-discovery-client-side-validation-vulnerabilities-rich-web-applications Prateek Saxena, Steve Hanna, Pongsin Poosankam, and Dawn Song. 2010. FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2010, San Diego, California, USA, 28th February - 3rd March 2010. The Internet Society. https:\/\/www.ndss-symposium.org\/ndss2010\/flax-systematic-discovery-client-side-validation-vulnerabilities-rich-web-applications"},{"key":"e_1_3_2_1_23_1","volume-title":"Don\u2019t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019","author":"Steffens Marius","year":"2019","unstructured":"Marius Steffens , Christian Rossow , Martin Johns , and Ben Stock . 2019 . Don\u2019t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019 , San Diego, California, USA , February 24-27, 2019. The Internet Society. 
https:\/\/www.ndss-symposium.org\/ndss-paper\/dont-trust-the-locals-investigating-the-prevalence-of-persistent-client-side-cross-site-scripting-in-the-wild\/ Marius Steffens, Christian Rossow, Martin Johns, and Ben Stock. 2019. Don\u2019t Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019. The Internet Society. https:\/\/www.ndss-symposium.org\/ndss-paper\/dont-trust-the-locals-investigating-the-prevalence-of-persistent-client-side-cross-site-scripting-in-the-wild\/"},{"key":"e_1_3_2_1_24_1","volume-title":"How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In 26th USENIX Security Symposium, USENIX Security 2017","author":"Stock Ben","year":"2017","unstructured":"Ben Stock , Martin Johns , Marius Steffens , and Michael Backes . 2017 . How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In 26th USENIX Security Symposium, USENIX Security 2017 , Vancouver, BC, Canada , August 16-18, 2017., Engin Kirda and Thomas Ristenpart (Eds.). USENIX Association, 971\u2013987. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/stock Ben Stock, Martin Johns, Marius Steffens, and Michael Backes. 2017. How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In 26th USENIX Security Symposium, USENIX Security 2017, Vancouver, BC, Canada, August 16-18, 2017., Engin Kirda and Thomas Ristenpart (Eds.). USENIX Association, 971\u2013987. https:\/\/www.usenix.org\/conference\/usenixsecurity17\/technical-sessions\/presentation\/stock"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818019"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"crossref","unstructured":"Takuya Watanabe Eitaro Shioji Mitsuaki Akiyama and Tatsuya Mori. 2020. 
Melting Pot of Origins: Compromising the Intermediary Web Services that Rehost Websites.","DOI":"10.14722\/ndss.2020.24140"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978363"},{"key":"e_1_3_2_1_28_1","volume-title":"Proc. IEEE Symp. Security and Privacy. 850\u2013865","author":"Zhou Y.","year":"2015","unstructured":"Y. Zhou and D. Evans. 2015. Understanding and Monitoring Embedded Web Scripts. In Proc. IEEE Symp. Security and Privacy. 850\u2013865. https:\/\/doi.org\/10.1109\/SP.2015.57"}],"event":{"name":"ACSAC '20: Annual Computer Security Applications Conference","location":"Austin USA","acronym":"ACSAC '20"},"container-title":["Annual Computer Security Applications 
Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427228.3427290","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3427228.3427290","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3427228.3427290","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T22:02:25Z","timestamp":1750197745000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3427228.3427290"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,12,7]]},"references-count":28,"alternative-id":["10.1145\/3427228.3427290","10.1145\/3427228"],"URL":"https:\/\/doi.org\/10.1145\/3427228.3427290","relation":{},"subject":[],"published":{"date-parts":[[2020,12,7]]},"assertion":[{"value":"2020-12-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}