{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,9]],"date-time":"2026-06-09T15:16:21Z","timestamp":1781018181316,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":133,"publisher":"ACM","license":[{"start":{"date-parts":[[2021,10,6]],"date-time":"2021-10-06T00:00:00Z","timestamp":1633478400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,10,6]]},"DOI":"10.1145\/3471621.3471846","type":"proceedings-article","created":{"date-parts":[[2021,10,7]],"date-time":"2021-10-07T14:50:46Z","timestamp":1633618246000},"page":"370-385","source":"Crossref","is-referenced-by-count":15,"title":["Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks"],"prefix":"10.1145","author":[{"given":"Xhelal","family":"Likaj","sequence":"first","affiliation":[{"name":"Saarland University, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Soheil","family":"Khodayari","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Giancarlo","family":"Pellegrino","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Germany"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2021,10,7]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n.d.]. CakePHP Documentation: Routing. https:\/\/book.cakephp.org\/3\/en\/development\/routing.html#routes-configuration.  [n.d.]. CakePHP Documentation: Routing. https:\/\/book.cakephp.org\/3\/en\/development\/routing.html#routes-configuration."},{"key":"e_1_3_2_1_2_1","unstructured":"[n.d.]. Common CSRF prevention misconceptions. https:\/\/www.nccgroup.com\/uk\/about-us\/newsroom-and-events\/blogs\/2017\/september\/common-csrf-prevention-misconceptions\/.  [n.d.]. Common CSRF prevention misconceptions. https:\/\/www.nccgroup.com\/uk\/about-us\/newsroom-and-events\/blogs\/2017\/september\/common-csrf-prevention-misconceptions\/."},{"key":"e_1_3_2_1_3_1","unstructured":"[n.d.]. Common Weakness Enumeration: A Community-Developed List of Software & Hardware Weakness Types. https:\/\/cwe.mitre.org\/data\/definitions\/352.html.  [n.d.]. Common Weakness Enumeration: A Community-Developed List of Software & Hardware Weakness Types. https:\/\/cwe.mitre.org\/data\/definitions\/352.html."},{"key":"e_1_3_2_1_4_1","unstructured":"[n.d.]. Cryptographic Storage Cheat Sheet. https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Cryptographic_Storage_Cheat_Sheet.html.  [n.d.]. Cryptographic Storage Cheat Sheet. https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Cryptographic_Storage_Cheat_Sheet.html."},{"key":"e_1_3_2_1_5_1","unstructured":"[n.d.]. CVE-2010-5084. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2010-5084.  [n.d.]. CVE-2010-5084. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2010-5084."},{"key":"e_1_3_2_1_6_1","unstructured":"[n.d.]. CVE-2012-1598. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2012-1598.  [n.d.]. CVE-2012-1598. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2012-1598."},{"key":"e_1_3_2_1_7_1","unstructured":"[n.d.]. CVE-2013-2213. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2013-2213.  [n.d.]. CVE-2013-2213. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2013-2213."},{"key":"e_1_3_2_1_8_1","unstructured":"[n.d.]. CVE-2014-1808. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-1808.  [n.d.]. CVE-2014-1808. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-1808."},{"key":"e_1_3_2_1_9_1","unstructured":"[n.d.]. CVE-2014-9720. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-9720.  [n.d.]. CVE-2014-9720. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-9720."},{"key":"e_1_3_2_1_10_1","unstructured":"[n.d.]. CVE-2015-2206. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-2206.  [n.d.]. CVE-2015-2206. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-2206."},{"key":"e_1_3_2_1_11_1","unstructured":"[n.d.]. CVE-2015-4056. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-4056.  [n.d.]. CVE-2015-4056. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-4056."},{"key":"e_1_3_2_1_12_1","unstructured":"[n.d.]. CVE-2015-6728. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-6728.  [n.d.]. CVE-2015-6728. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-6728."},{"key":"e_1_3_2_1_13_1","unstructured":"[n.d.]. CVE-2015-8125. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-8125.  [n.d.]. CVE-2015-8125. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-8125."},{"key":"e_1_3_2_1_14_1","unstructured":"[n.d.]. CVE-2015-8623. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-8623.  [n.d.]. CVE-2015-8623. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-8623."},{"key":"e_1_3_2_1_15_1","unstructured":"[n.d.]. CVE-2015-9243. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-9243.  [n.d.]. CVE-2015-9243. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-9243."},{"key":"e_1_3_2_1_16_1","unstructured":"[n.d.]. CVE-2016-10535. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-10535.  [n.d.]. CVE-2016-10535. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-10535."},{"key":"e_1_3_2_1_17_1","unstructured":"[n.d.]. CVE-2016-10549. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-10549.  [n.d.]. CVE-2016-10549. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-10549."},{"key":"e_1_3_2_1_18_1","unstructured":"[n.d.]. CVE-2016-5739. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-5739.  [n.d.]. CVE-2016-5739. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-5739."},{"key":"e_1_3_2_1_19_1","unstructured":"[n.d.]. CVE-2016-6582. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-6582.  [n.d.]. CVE-2016-6582. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-6582."},{"key":"e_1_3_2_1_20_1","unstructured":"[n.d.]. CVE-2016-6806. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-6806.  [n.d.]. CVE-2016-6806. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-6806."},{"key":"e_1_3_2_1_21_1","unstructured":"[n.d.]. CVE-2016-8615. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-8615.  [n.d.]. CVE-2016-8615. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2016-8615."},{"key":"e_1_3_2_1_22_1","unstructured":"[n.d.]. CVE-2017-0894. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-0894.  [n.d.]. CVE-2017-0894. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-0894."},{"key":"e_1_3_2_1_23_1","unstructured":"[n.d.]. CVE-2017-16136. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-16136.  [n.d.]. CVE-2017-16136. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-16136."},{"key":"e_1_3_2_1_24_1","unstructured":"[n.d.]. CVE-2017-9339. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-9339.  [n.d.]. CVE-2017-9339. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-9339."},{"key":"e_1_3_2_1_25_1","unstructured":"[n.d.]. CVE-2018-1000119. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-1000119.  [n.d.]. CVE-2018-1000119. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-1000119."},{"key":"e_1_3_2_1_26_1","unstructured":"[n.d.]. CVE-2018-10899. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-10899.  [n.d.]. CVE-2018-10899. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-10899."},{"key":"e_1_3_2_1_27_1","unstructured":"[n.d.]. CVE-2018-6651. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-6651.  [n.d.]. CVE-2018-6651. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-6651."},{"key":"e_1_3_2_1_28_1","unstructured":"[n.d.]. CVE-2019-12659. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-12659.  [n.d.]. CVE-2019-12659. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-12659."},{"key":"e_1_3_2_1_29_1","unstructured":"[n.d.]. CVE-2019-13209. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-13209.  [n.d.]. CVE-2019-13209. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-13209."},{"key":"e_1_3_2_1_30_1","unstructured":"[n.d.]. CVE-2019-14998. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-14998.  [n.d.]. CVE-2019-14998. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-14998."},{"key":"e_1_3_2_1_31_1","unstructured":"[n.d.]. CVE-2019-15515. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-15515.  [n.d.]. CVE-2019-15515. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-15515."},{"key":"e_1_3_2_1_32_1","unstructured":"[n.d.]. CVE-2019-17654. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-17654.  [n.d.]. CVE-2019-17654. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-17654."},{"key":"e_1_3_2_1_33_1","unstructured":"[n.d.]. CVE-2020-11825. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-11825.  [n.d.]. CVE-2020-11825. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-11825."},{"key":"e_1_3_2_1_34_1","unstructured":"[n.d.]. CVE-2020-14368. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-14368.  [n.d.]. CVE-2020-14368. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-14368."},{"key":"e_1_3_2_1_35_1","unstructured":"[n.d.]. CVE-2020-25095. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-25095.  [n.d.]. CVE-2020-25095. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-25095."},{"key":"e_1_3_2_1_36_1","unstructured":"[n.d.]. CVE-2020-5261. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-5261.  [n.d.]. CVE-2020-5261. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-5261."},{"key":"e_1_3_2_1_37_1","unstructured":"[n.d.]. CVE-2021-23127. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-23127.  [n.d.]. CVE-2021-23127. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-23127."},{"key":"e_1_3_2_1_38_1","unstructured":"[n.d.]. CVE-2021-26296. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-26296.  [n.d.]. CVE-2021-26296. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-26296."},{"key":"e_1_3_2_1_39_1","unstructured":"[n.d.]. Defending against CSRF with SameSite cookies. https:\/\/portswigger.net\/web-security\/csrf\/samesite-cookies.  [n.d.]. Defending against CSRF with SameSite cookies. https:\/\/portswigger.net\/web-security\/csrf\/samesite-cookies."},{"key":"e_1_3_2_1_40_1","unstructured":"[n.d.]. Documentation: Cross-Origin Resource Sharing. https:\/\/www.playframework.com\/documentation\/2.8.x\/CorsFilter.  [n.d.]. Documentation: Cross-Origin Resource Sharing. https:\/\/www.playframework.com\/documentation\/2.8.x\/CorsFilter."},{"key":"e_1_3_2_1_41_1","unstructured":"[n.d.]. Fetch API. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Fetch_API.  [n.d.]. Fetch API. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Fetch_API."},{"key":"e_1_3_2_1_42_1","unstructured":"[n.d.]. GitHub\u2019s Annual Report: The State of the Octoverse. https:\/\/octoverse.github.com\/.  [n.d.]. GitHub\u2019s Annual Report: The State of the Octoverse. https:\/\/octoverse.github.com\/."},{"key":"e_1_3_2_1_43_1","unstructured":"[n.d.]. Hackerone.https:\/\/hackerone.com.  [n.d.]. Hackerone.https:\/\/hackerone.com."},{"key":"e_1_3_2_1_44_1","unstructured":"[n.d.]. HackerOne Report 342693: CSRF and password reset token leakage via referer.https:\/\/hackerone.com\/reports\/342693.  [n.d.]. HackerOne Report 342693: CSRF and password reset token leakage via referer.https:\/\/hackerone.com\/reports\/342693."},{"key":"e_1_3_2_1_45_1","unstructured":"[n.d.]. HackerOne Report 426147: CORS misconfiguration lead to CSRF and account takeover.https:\/\/hackerone.com\/reports\/426147.  [n.d.]. HackerOne Report 426147: CORS misconfiguration lead to CSRF and account takeover.https:\/\/hackerone.com\/reports\/426147."},{"key":"e_1_3_2_1_46_1","unstructured":"[n.d.]. HackerOne Report 576504: Authentication bypass by abusing insecure crypto tokens in Revive Adserver. https:\/\/hackerone.com\/reports\/576504.  [n.d.]. HackerOne Report 576504: Authentication bypass by abusing insecure crypto tokens in Revive Adserver. https:\/\/hackerone.com\/reports\/576504."},{"key":"e_1_3_2_1_47_1","unstructured":"[n.d.]. HackerOne Report 577969: CORS misconfiguration allows to steal customers data and CSRF tokens.https:\/\/hackerone.com\/reports\/577969.  [n.d.]. HackerOne Report 577969: CORS misconfiguration allows to steal customers data and CSRF tokens.https:\/\/hackerone.com\/reports\/577969."},{"key":"e_1_3_2_1_48_1","unstructured":"[n.d.]. HackerOne Report 787160: Referer leakage vulnerability in rockstargames leads to Facebook\u2019s OAuth token theft.https:\/\/hackerone.com\/reports\/787160.  [n.d.]. HackerOne Report 787160: Referer leakage vulnerability in rockstargames leads to Facebook\u2019s OAuth token theft.https:\/\/hackerone.com\/reports\/787160."},{"key":"e_1_3_2_1_49_1","unstructured":"[n.d.]. HackerOne Report 975983: Site-wide CSRF on Safari due to CORS misconfiguration.https:\/\/hackerone.com\/reports\/975983.  [n.d.]. HackerOne Report 975983: Site-wide CSRF on Safari due to CORS misconfiguration.https:\/\/hackerone.com\/reports\/975983."},{"key":"e_1_3_2_1_50_1","unstructured":"[n.d.]. How do I get the parameters of a post request when using a pac4j security filter in Spark Java?https:\/\/stackoverflow.com\/questions\/43240829\/how-do-i-get-the-parameters-of-a-post-request-when-using-a-pac4j-security-filter.  [n.d.]. How do I get the parameters of a post request when using a pac4j security filter in Spark Java?https:\/\/stackoverflow.com\/questions\/43240829\/how-do-i-get-the-parameters-of-a-post-request-when-using-a-pac4j-security-filter."},{"key":"e_1_3_2_1_51_1","unstructured":"[n.d.]. HTTP State Management. https:\/\/tools.ietf.org\/html\/rfc6265.  [n.d.]. HTTP State Management. https:\/\/tools.ietf.org\/html\/rfc6265."},{"key":"e_1_3_2_1_52_1","unstructured":"[n.d.]. Hypertext Transfer Protocol (HTTP\/1.1). https:\/\/tools.ietf.org\/html\/rfc7231.  [n.d.]. Hypertext Transfer Protocol (HTTP\/1.1). https:\/\/tools.ietf.org\/html\/rfc7231."},{"key":"e_1_3_2_1_53_1","unstructured":"[n.d.]. Insecure token generation in Kayako.https:\/\/www.sjoerdlangkemper.nl\/2016\/06\/23\/insecure-tokens-in-kayako\/.  [n.d.]. Insecure token generation in Kayako.https:\/\/www.sjoerdlangkemper.nl\/2016\/06\/23\/insecure-tokens-in-kayako\/."},{"key":"e_1_3_2_1_54_1","unstructured":"[n.d.]. Java Documenation: Class SecureRandom. https:\/\/docs.oracle.com\/javase\/8\/docs\/api\/java\/security\/SecureRandom.html.  [n.d.]. Java Documenation: Class SecureRandom. https:\/\/docs.oracle.com\/javase\/8\/docs\/api\/java\/security\/SecureRandom.html."},{"key":"e_1_3_2_1_55_1","unstructured":"[n.d.]. Meteor.js and CSRF\/XSS Attacks. https:\/\/stackoverflow.com\/questions\/21807229\/meteor-js-and-csrf-xss-attacks.  [n.d.]. Meteor.js and CSRF\/XSS Attacks. https:\/\/stackoverflow.com\/questions\/21807229\/meteor-js-and-csrf-xss-attacks."},{"key":"e_1_3_2_1_56_1","unstructured":"[n.d.]. Microsoft Documentation: RandomNumberGenerator.Fill(Span < Byte >) Method. https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.security.cryptography.randomnumbergenerator.fill?view=net-5.0.  [n.d.]. Microsoft Documentation: RandomNumberGenerator.Fill(Span < Byte >) Method. https:\/\/docs.microsoft.com\/en-us\/dotnet\/api\/system.security.cryptography.randomnumbergenerator.fill?view=net-5.0."},{"key":"e_1_3_2_1_57_1","unstructured":"[n.d.]. MITRE CVE database.https:\/\/cve.mitre.org\/.  [n.d.]. MITRE CVE database.https:\/\/cve.mitre.org\/."},{"key":"e_1_3_2_1_58_1","unstructured":"[n.d.]. National Vulnerability Database: CSRF statistics. https:\/\/nvd.nist.gov\/vuln\/search\/statistics?form_type=Advanced&results_type=statistics&query=CSRF&search_type=all.  [n.d.]. National Vulnerability Database: CSRF statistics. https:\/\/nvd.nist.gov\/vuln\/search\/statistics?form_type=Advanced&results_type=statistics&query=CSRF&search_type=all."},{"key":"e_1_3_2_1_59_1","unstructured":"[n.d.]. NODE.JS CONNECT CSRF BYPASS ABUSING METHODOVERRIDE MIDDLEWARE. http:\/\/blog.nibblesec.org\/2014\/05\/nodejs-connect-csrf-bypass-abusing.html.  [n.d.]. NODE.JS CONNECT CSRF BYPASS ABUSING METHODOVERRIDE MIDDLEWARE. http:\/\/blog.nibblesec.org\/2014\/05\/nodejs-connect-csrf-bypass-abusing.html."},{"key":"e_1_3_2_1_60_1","unstructured":"[n.d.]. Node.js Documentation: crypto.randomBytes. https:\/\/nodejs.org\/api\/crypto.html#crypto_crypto_randombytes_size_callback.  [n.d.]. Node.js Documentation: crypto.randomBytes. https:\/\/nodejs.org\/api\/crypto.html#crypto_crypto_randombytes_size_callback."},{"key":"e_1_3_2_1_61_1","unstructured":"[n.d.]. NPM package manger. https:\/\/www.npmjs.com\/.  [n.d.]. NPM package manger. https:\/\/www.npmjs.com\/."},{"key":"e_1_3_2_1_62_1","unstructured":"[n.d.]. Often Misused: HTTP Method Override. https:\/\/vulncat.fortify.com\/en\/detail?id=desc.dynamic.xtended_preview.often_misused_http_method_override.  [n.d.]. Often Misused: HTTP Method Override. https:\/\/vulncat.fortify.com\/en\/detail?id=desc.dynamic.xtended_preview.often_misused_http_method_override."},{"key":"e_1_3_2_1_63_1","unstructured":"[n.d.]. OWASP: Cross-Site Request Forgery Prevention Cheat Sheet. https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html.  [n.d.]. OWASP: Cross-Site Request Forgery Prevention Cheat Sheet. https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html."},{"key":"e_1_3_2_1_64_1","unstructured":"[n.d.]. OWASP: Insufficient Session-ID Length. https:\/\/owasp.org\/www-community\/vulnerabilities\/Insufficient_Session-ID_Length.  [n.d.]. OWASP: Insufficient Session-ID Length. https:\/\/owasp.org\/www-community\/vulnerabilities\/Insufficient_Session-ID_Length."},{"key":"e_1_3_2_1_65_1","unstructured":"[n.d.]. PHP 7.3: SameSite cookie support. https:\/\/php.watch\/versions\/7.3\/same-site-cookies.  [n.d.]. PHP 7.3: SameSite cookie support. https:\/\/php.watch\/versions\/7.3\/same-site-cookies."},{"key":"e_1_3_2_1_66_1","unstructured":"[n.d.]. PHP Documentation: random_bytes. https:\/\/www.php.net\/manual\/en\/function.random-bytes.php.  [n.d.]. PHP Documentation: random_bytes. https:\/\/www.php.net\/manual\/en\/function.random-bytes.php."},{"key":"e_1_3_2_1_67_1","unstructured":"[n.d.]. PHP setcookie SameSite=Strict. https:\/\/php.watch\/versions\/7.3\/same-site-cookies.  [n.d.]. PHP setcookie SameSite=Strict. https:\/\/php.watch\/versions\/7.3\/same-site-cookies."},{"key":"e_1_3_2_1_68_1","unstructured":"[n.d.]. Play filter configurations. https:\/\/www.playframework.com\/documentation\/2.8.x\/resources\/confs\/filters-helpers\/reference.conf.  [n.d.]. Play filter configurations. https:\/\/www.playframework.com\/documentation\/2.8.x\/resources\/confs\/filters-helpers\/reference.conf."},{"key":"e_1_3_2_1_69_1","unstructured":"[n.d.]. Predictable token in Froxlor that uses timestamps and the rand() method.https:\/\/github.com\/Froxlor\/Froxlor\/commit\/da4ec3e1b591de96675817a009e26e05e848a6ba.  [n.d.]. Predictable token in Froxlor that uses timestamps and the rand() method.https:\/\/github.com\/Froxlor\/Froxlor\/commit\/da4ec3e1b591de96675817a009e26e05e848a6ba."},{"key":"e_1_3_2_1_70_1","unstructured":"[n.d.]. Protecting against Cross Site Request Forgery. https:\/\/www.playframework.com\/documentation\/2.8.x\/JavaCsrf.  [n.d.]. Protecting against Cross Site Request Forgery. https:\/\/www.playframework.com\/documentation\/2.8.x\/JavaCsrf."},{"key":"e_1_3_2_1_71_1","unstructured":"[n.d.]. Python: os \u2014 Miscellaneous operating system interfaces. https:\/\/docs.python.org\/3\/library\/os.html#os.urandom.  [n.d.]. Python: os \u2014 Miscellaneous operating system interfaces. https:\/\/docs.python.org\/3\/library\/os.html#os.urandom."},{"key":"e_1_3_2_1_72_1","unstructured":"[n.d.]. Question: Was it intentional to validate crumb key for POST only?https:\/\/github.com\/hapijs\/crumb\/issues\/4.  [n.d.]. Question: Was it intentional to validate crumb key for POST only?https:\/\/github.com\/hapijs\/crumb\/issues\/4."},{"key":"e_1_3_2_1_73_1","unstructured":"[n.d.]. Safe HTTP Methods. https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/safe.  [n.d.]. Safe HTTP Methods. https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/safe."},{"key":"e_1_3_2_1_74_1","unstructured":"[n.d.]. SameSite Cookies & CSRF Attacks. https:\/\/symfonycasts.com\/screencast\/api-platform-security\/samesite-csrf.  [n.d.]. SameSite Cookies & CSRF Attacks. https:\/\/symfonycasts.com\/screencast\/api-platform-security\/samesite-csrf."},{"key":"e_1_3_2_1_75_1","unstructured":"[n.d.]. Spark Framework CSRF Protection. https:\/\/stackoverflow.com\/questions\/43317938\/spark-framework-csrf-protection.  [n.d.]. Spark Framework CSRF Protection. https:\/\/stackoverflow.com\/questions\/43317938\/spark-framework-csrf-protection."},{"key":"e_1_3_2_1_76_1","unstructured":"[n.d.]. Spark Framework CSRF Protection. https:\/\/bottle-utils.readthedocs.io\/en\/latest\/csrf.html.  [n.d.]. Spark Framework CSRF Protection. https:\/\/bottle-utils.readthedocs.io\/en\/latest\/csrf.html."},{"key":"e_1_3_2_1_77_1","unstructured":"[n.d.]. Stackoverflow Tags. https:\/\/stackoverflow.com\/help\/tagging.  [n.d.]. Stackoverflow Tags. https:\/\/stackoverflow.com\/help\/tagging."},{"key":"e_1_3_2_1_78_1","unstructured":"[n.d.]. Symfony: [RFC] Add support for Websockets and real-time applications. https:\/\/github.com\/symfony\/symfony\/issues\/17051.  [n.d.]. Symfony: [RFC] Add support for Websockets and real-time applications. https:\/\/github.com\/symfony\/symfony\/issues\/17051."},{"key":"e_1_3_2_1_79_1","unstructured":"[n.d.]. Test your code. https:\/\/snyk.io\/test\/.  [n.d.]. Test your code. https:\/\/snyk.io\/test\/."},{"key":"e_1_3_2_1_80_1","unstructured":"[n.d.]. Tornado Github Issue 2722: Misleading CSRF Docs \/ Bug in Setting CSRF Cookie. https:\/\/github.com\/tornadoweb\/tornado\/issues\/2722.  [n.d.]. Tornado Github Issue 2722: Misleading CSRF Docs \/ Bug in Setting CSRF Cookie. https:\/\/github.com\/tornadoweb\/tornado\/issues\/2722."},{"key":"e_1_3_2_1_81_1","unstructured":"[n.d.]. The Web Origin Concept. https:\/\/www.ietf.org\/rfc\/rfc6454.txt.  [n.d.]. The Web Origin Concept. https:\/\/www.ietf.org\/rfc\/rfc6454.txt."},{"key":"e_1_3_2_1_82_1","unstructured":"[n.d.]. Why Meteor doesn\u2019t use session cookies. https:\/\/blog.meteor.com\/why-meteor-doesnt-use-session-cookies-e988544f52c9.  [n.d.]. Why Meteor doesn\u2019t use session cookies. https:\/\/blog.meteor.com\/why-meteor-doesnt-use-session-cookies-e988544f52c9."},{"key":"e_1_3_2_1_83_1","unstructured":"[n.d.]. Window.localStorage APIs. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Window\/localStorage.  [n.d.]. Window.localStorage APIs. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/API\/Window\/localStorage."},{"key":"e_1_3_2_1_84_1","unstructured":"1999. Hypertext Transfer Protocol \u2013 HTTP\/1.1. https:\/\/tools.ietf.org\/html\/rfc2616#page-53.  1999. Hypertext Transfer Protocol \u2013 HTTP\/1.1. https:\/\/tools.ietf.org\/html\/rfc2616#page-53."},{"key":"e_1_3_2_1_85_1","unstructured":"2009. Netflix CSRF Revisited. https:\/\/appsecnotes.blogspot.com\/2009\/01\/netflix-csrf-revisited.html.  2009. Netflix CSRF Revisited. https:\/\/appsecnotes.blogspot.com\/2009\/01\/netflix-csrf-revisited.html."},{"key":"e_1_3_2_1_86_1","unstructured":"2010. Patching auto-complete vulnerabilities not enough Cookie Eviction to the rescue. https:\/\/blog.jeremiahgrossman.com\/2010\/07\/patching-auto-complete-vulnerabilities.html.  2010. Patching auto-complete vulnerabilities not enough Cookie Eviction to the rescue. https:\/\/blog.jeremiahgrossman.com\/2010\/07\/patching-auto-complete-vulnerabilities.html."},{"key":"e_1_3_2_1_87_1","unstructured":"2013. Twitter CSRF account control exploit. https:\/\/www.itproportal.com\/2013\/11\/07\/twitter-rapidly-fixes-csrf-account-control-exploit\/.  2013. Twitter CSRF account control exploit. https:\/\/www.itproportal.com\/2013\/11\/07\/twitter-rapidly-fixes-csrf-account-control-exploit\/."},{"key":"e_1_3_2_1_88_1","unstructured":"2016. OWASP Top Ten.https:\/\/owasp.org\/www-project-top-ten\/.  2016. OWASP Top Ten.https:\/\/owasp.org\/www-project-top-ten\/."},{"key":"e_1_3_2_1_89_1","unstructured":"2018. Client-Side CSRF. https:\/\/www.facebook.com\/notes\/facebook-bug-bounty\/client-side-csrf\/2056804174333798\/.  2018. Client-Side CSRF. https:\/\/www.facebook.com\/notes\/facebook-bug-bounty\/client-side-csrf\/2056804174333798\/."},{"key":"e_1_3_2_1_90_1","unstructured":"2019. Critical CSRF Vulnerability on Facebook. https:\/\/www.acunetix.com\/blog\/web-security-zone\/critical-csrf-vulnerability-facebook\/.  2019. Critical CSRF Vulnerability on Facebook. https:\/\/www.acunetix.com\/blog\/web-security-zone\/critical-csrf-vulnerability-facebook\/."},{"key":"e_1_3_2_1_91_1","volume-title":"Developers: Get Ready for New SameSite=None","year":"2019","unstructured":"2019. Developers: Get Ready for New SameSite=None ; Secure Cookie Settings . https:\/\/blog.chromium.org\/ 2019 \/10\/developers-get-ready-for-new.html. 2019. Developers: Get Ready for New SameSite=None; Secure Cookie Settings. https:\/\/blog.chromium.org\/2019\/10\/developers-get-ready-for-new.html."},{"key":"e_1_3_2_1_92_1","unstructured":"2019. Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure. https:\/\/groups.google.com\/forum\/#!msg\/mozilla.dev.platform\/nx2uP0CzA9k\/BNVPWDHsAQAJ.  2019. Intent to implement: Cookie SameSite=lax by default and SameSite=none only if secure. https:\/\/groups.google.com\/forum\/#!msg\/mozilla.dev.platform\/nx2uP0CzA9k\/BNVPWDHsAQAJ."},{"key":"e_1_3_2_1_93_1","unstructured":"2020. CVE-2020-35217. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-35217.  2020. CVE-2020-35217. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-35217."},{"key":"e_1_3_2_1_94_1","unstructured":"2020. CVE-2020-35239. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-35239.  2020. CVE-2020-35239. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-35239."},{"key":"e_1_3_2_1_95_1","unstructured":"2020. SameSite cookie attribute Chromium Blink. https:\/\/www.chromestatus.com\/feature\/4672634709082112.  2020. SameSite cookie attribute Chromium Blink. https:\/\/www.chromestatus.com\/feature\/4672634709082112."},{"key":"e_1_3_2_1_96_1","volume-title":"Comparing the Usability of Cryptographic APIs. In IEEE Symposium on Security and Privacy (SP).","author":"Acar Y.","unstructured":"Y. Acar , M. Backes , S. Fahl , S. Garfinkel , D. Kim , M.\u00a0 L. Mazurek , and C. Stransky . 2017 . Comparing the Usability of Cryptographic APIs. In IEEE Symposium on Security and Privacy (SP). Y. Acar, M. Backes, S. Fahl, S. Garfinkel, D. Kim, M.\u00a0L. Mazurek, and C. Stransky. 2017. Comparing the Usability of Cryptographic APIs. In IEEE Symposium on Security and Privacy (SP)."},{"key":"e_1_3_2_1_97_1","volume-title":"The Browser Hacker\u2019s Handbook","author":"Alcorn Wade","unstructured":"Wade Alcorn , Christian Frichot , and Michele Orru . 2014. The Browser Hacker\u2019s Handbook . John Wiley & Sons . 268\u2013270 pages. Wade Alcorn, Christian Frichot, and Michele Orru. 2014. The Browser Hacker\u2019s Handbook. John Wiley & Sons. 268\u2013270 pages."},{"key":"e_1_3_2_1_98_1","unstructured":"Scott Arciszewski. [n.d.]. Preventing Timing Attacks on String Comparison with a Double HMAC Strategy. https:\/\/paragonie.com\/blog\/2015\/11\/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy.  Scott Arciszewski. [n.d.]. Preventing Timing Attacks on String Comparison with a Double HMAC Strategy. https:\/\/paragonie.com\/blog\/2015\/11\/preventing-timing-attacks-on-string-comparison-with-double-hmac-strategy."},{"key":"e_1_3_2_1_99_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455782"},{"key":"e_1_3_2_1_100_1","unstructured":"Jeremiah Blatz. [n.d.]. CSRF: Attack and Defense. ([n.\u00a0d.]).  Jeremiah Blatz. [n.d.]. CSRF: Attack and Defense. ([n.\u00a0d.])."},{"key":"e_1_3_2_1_101_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00045"},{"key":"e_1_3_2_1_102_1","volume-title":"Proceedings of the 27th USENIX Conference on Security Symposium.","author":"Chen Jianjun","year":"2018","unstructured":"Jianjun Chen , Jian Jiang , Haixin Duan , Tao Wan , Shuo Chen , Vern Paxson , and Min Yang . 2018 . We Still Don\u2019t Have Secure Cross-Domain Requests: An Empirical Study of CORS . In Proceedings of the 27th USENIX Conference on Security Symposium. Jianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, and Min Yang. 2018. We Still Don\u2019t Have Secure Cross-Domain Requests: An Empirical Study of CORS. In Proceedings of the 27th USENIX Conference on Security Symposium."},{"key":"e_1_3_2_1_103_1","volume-title":"Empirical Study of CORS. In 27th USENIX Security Symposium.","author":"Chen Jianjun","year":"2018","unstructured":"Jianjun Chen , Jian Jiang , Haixin Duan , Tao Wan , Shuo Chen , Vern Paxson , and Min Yang . 2018 . We Still Don\u2019t Have Secure Cross-Domain Requests: an Empirical Study of CORS. In 27th USENIX Security Symposium. Jianjun Chen, Jian Jiang, Haixin Duan, Tao Wan, Shuo Chen, Vern Paxson, and Min Yang. 2018. We Still Don\u2019t Have Secure Cross-Domain Requests: an Empirical Study of CORS. In 27th USENIX Security Symposium."},{"key":"e_1_3_2_1_104_1","doi-asserted-by":"publisher","DOI":"10.1145\/2488388.2488413"},{"key":"e_1_3_2_1_105_1","doi-asserted-by":"publisher","DOI":"10.1145\/358722.358740"},{"key":"e_1_3_2_1_106_1","unstructured":"Yoel Gluck Neal Harris and Angelo Prado. 2013. BREACH: reviving the CRIME attack. Unpublished manuscript(2013).  Yoel Gluck Neal Harris and Angelo Prado. 2013. BREACH: reviving the CRIME attack. Unpublished manuscript(2013)."},{"key":"e_1_3_2_1_107_1","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376142"},{"key":"e_1_3_2_1_108_1","unstructured":"Michael Howard and David LeBlanc. 2003. Writing secure code. Pearson Education. 350\u2013361 pages.  Michael Howard and David LeBlanc. 2003. Writing secure code. Pearson Education. 350\u2013361 pages."},{"key":"e_1_3_2_1_109_1","volume-title":"Proceedings of the 21st USENIX Conference on Security Symposium.","author":"Huang Lin-Shung","year":"2012","unstructured":"Lin-Shung Huang , Alex Moshchuk , Helen\u00a0 J. Wang , Stuart Schechter , and Collin Jackson . 2012 . Clickjacking: Attacks and Defenses . In Proceedings of the 21st USENIX Conference on Security Symposium. Lin-Shung Huang, Alex Moshchuk, Helen\u00a0J. Wang, Stuart Schechter, and Collin Jackson. 2012. Clickjacking: Attacks and Defenses. In Proceedings of the 21st USENIX Conference on Security Symposium."},{"key":"e_1_3_2_1_110_1","unstructured":"David Johansson. 2017. A Double Defeat of the Double-Submit Cookie Pattern. (2017).  David Johansson. 2017. A Double Defeat of the Double-Submit Cookie Pattern. (2017)."},{"key":"e_1_3_2_1_111_1","unstructured":"Martin Johns. 2007. The three faces of CSRF. Talk at the DeepSec2007 conference.(2007). https:\/\/deepsec.net\/archive\/2007.deepsec.net\/speakers\/index.html#martin-johns.  Martin Johns. 2007. The three faces of CSRF. Talk at the DeepSec2007 conference.(2007). https:\/\/deepsec.net\/archive\/2007.deepsec.net\/speakers\/index.html#martin-johns."},{"key":"e_1_3_2_1_112_1","unstructured":"Martin Johns and Justus Winter. 2006. RequestRodeo: Client side protection against session riding. https:\/\/www.owasp.org\/images\/4\/42\/RequestRodeo-MartinJohns.pdf.  Martin Johns and Justus Winter. 2006. RequestRodeo: Client side protection against session riding. https:\/\/www.owasp.org\/images\/4\/42\/RequestRodeo-MartinJohns.pdf."},{"key":"e_1_3_2_1_113_1","volume-title":"Preventing Cross Site Request Forgery Attacks. In Second International Conference on Security and Privacy in Communication Networks and the Workshops (SecureComm).","author":"Jovanovic Nenad","year":"2006","unstructured":"Nenad Jovanovic , Engin Kirda , and Christopher Kruegel . 2006 . Preventing Cross Site Request Forgery Attacks. In Second International Conference on Security and Privacy in Communication Networks and the Workshops (SecureComm). Nenad Jovanovic, Engin Kirda, and Christopher Kruegel. 2006. Preventing Cross Site Request Forgery Attacks. In Second International Conference on Security and Privacy in Communication Networks and the Workshops (SecureComm)."},{"key":"e_1_3_2_1_114_1","doi-asserted-by":"publisher","DOI":"10.1109\/SECCOM.2007.4550368"},{"key":"e_1_3_2_1_115_1","volume-title":"Towards stateless, client-side driven Cross-site request forgery protection for Web applications. SAP Research","author":"Lekies Sebastian","year":"2012","unstructured":"Sebastian Lekies , Walter Tighzert , and Martin Johns . 2012. Towards stateless, client-side driven Cross-site request forgery protection for Web applications. SAP Research ( 2012 ). Sebastian Lekies, Walter Tighzert, and Martin Johns. 2012. Towards stateless, client-side driven Cross-site request forgery protection for Web applications. SAP Research (2012)."},{"key":"e_1_3_2_1_116_1","volume-title":"New ways im going to hack your web app. Blackhat AD","author":"Lundeen Rich","year":"2011","unstructured":"Rich Lundeen , Jesse Ou , and Travis Rhodes . 2011. New ways im going to hack your web app. Blackhat AD ( 2011 ), 1\u201311. Rich Lundeen, Jesse Ou, and Travis Rhodes. 2011. New ways im going to hack your web app. Blackhat AD (2011), 1\u201311."},{"key":"e_1_3_2_1_118_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-42836-9_44"},{"key":"e_1_3_2_1_119_1","volume-title":"Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection. In 13th International Conference on Financial Cryptography and Data Security.","author":"Mao Ziqing","year":"2009","unstructured":"Ziqing Mao , Ninghui Li , and Ian Molloy . 2009 . Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection. In 13th International Conference on Financial Cryptography and Data Security. Ziqing Mao, Ninghui Li, and Ian Molloy. 2009. Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection. In 13th International Conference on Financial Cryptography and Data Security."},{"key":"e_1_3_2_1_120_1","volume-title":"Usability and Security Effects of Code Examples on Crypto APIs. In 16th Annual Conference on Privacy, Security and Trust (PST).","author":"Mindermann Kai","year":"2018","unstructured":"Kai Mindermann and Stefan Wagner . 2018 . Usability and Security Effects of Code Examples on Crypto APIs. In 16th Annual Conference on Privacy, Security and Trust (PST). Kai Mindermann and Stefan Wagner. 2018. Usability and Security Effects of Code Examples on Crypto APIs. In 16th Annual Conference on Privacy, Security and Trust (PST)."},{"key":"e_1_3_2_1_121_1","volume-title":"Usability Smells: An Analysis of Developers\u2019 Struggle With Crypto Libraries. In Fifteenth Symposium on Usable Privacy and Security(SOUPS).","author":"Patnaik Nikhil","year":"2019","unstructured":"Nikhil Patnaik , Joseph Hallett , and Awais Rashid . 2019 . Usability Smells: An Analysis of Developers\u2019 Struggle With Crypto Libraries. In Fifteenth Symposium on Usable Privacy and Security(SOUPS). Nikhil Patnaik, Joseph Hallett, and Awais Rashid. 2019. Usability Smells: An Analysis of Developers\u2019 Struggle With Crypto Libraries. In Fifteenth Symposium on Usable Privacy and Security(SOUPS)."},{"key":"e_1_3_2_1_122_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133959"},{"key":"e_1_3_2_1_123_1","volume-title":"CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests. In International Symposium on Engineering Secure Software and Systems (ESSoS).","author":"Ryck Philippe\u00a0De","year":"2010","unstructured":"Philippe\u00a0De Ryck , Lieven Desmet , Thomas Heyman , Frank Piessens , and Wouter Joosen . 2010 . CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests. In International Symposium on Engineering Secure Software and Systems (ESSoS). Philippe\u00a0De Ryck, Lieven Desmet, Thomas Heyman, Frank Piessens, and Wouter Joosen. 2010. CsFire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests. In International Symposium on Engineering Secure Software and Systems (ESSoS)."},{"key":"e_1_3_2_1_124_1","volume-title":"European Symposium on Research in Computer Security (ESORICS).","author":"Ryck Philippe\u00a0De","year":"2011","unstructured":"Philippe\u00a0De Ryck , Lieven Desmet , Wouter Joosen , and Frank Piessens . 2011 . Automatic and Precise Client-Side Protection against CSRF Attacks . In European Symposium on Research in Computer Security (ESORICS). Philippe\u00a0De Ryck, Lieven Desmet, Wouter Joosen, and Frank Piessens. 2011. Automatic and Precise Client-Side Protection against CSRF Attacks. In European Symposium on Research in Computer Security (ESORICS)."},{"key":"e_1_3_2_1_125_1","unstructured":"Christian Schneider. [n.d.]. Cross-Site WebSocket Hijacking. https:\/\/christian-schneider.net\/CrossSiteWebSocketHijacking.html.  Christian Schneider. [n.d.]. Cross-Site WebSocket Hijacking. https:\/\/christian-schneider.net\/CrossSiteWebSocketHijacking.html."},{"key":"e_1_3_2_1_126_1","unstructured":"Thomas Schreiber. 2004. Session Riding-A Widespread Vulnerability in Today\u2019s Web Applications.(2004).  Thomas Schreiber. 2004. Session Riding-A Widespread Vulnerability in Today\u2019s Web Applications.(2004)."},{"key":"e_1_3_2_1_127_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2010.12"},{"key":"e_1_3_2_1_128_1","unstructured":"Robin Sharma. 2017. Preventing cross-site attacks using same-site cookies. https:\/\/blogs.dropbox.com\/tech\/2017\/03\/preventing-cross-site-attacks-using-same-site-cookies\/.  Robin Sharma. 2017. Preventing cross-site attacks using same-site cookies. https:\/\/blogs.dropbox.com\/tech\/2017\/03\/preventing-cross-site-attacks-using-same-site-cookies\/."},{"key":"e_1_3_2_1_129_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.45"},{"key":"e_1_3_2_1_130_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813632"},{"key":"e_1_3_2_1_131_1","unstructured":"Mike West. 2019. Incrementally Better Cookies. (2019). https:\/\/tools.ietf.org\/html\/draft-west-cookie-incrementalism-00.  Mike West. 2019. Incrementally Better Cookies. (2019). https:\/\/tools.ietf.org\/html\/draft-west-cookie-incrementalism-00."},{"key":"e_1_3_2_1_132_1","volume-title":"IEEE International Conference on Information and Automation for Sustainability (ICIAfS).","author":"Wijayarathna Chamila","unstructured":"Chamila Wijayarathna and Nalin A . \u00a0G. Arachchilage. 2018. A methodology to Evaluate the Usability of Security APIs . In IEEE International Conference on Information and Automation for Sustainability (ICIAfS). Chamila Wijayarathna and Nalin A.\u00a0G. Arachchilage. 2018. A methodology to Evaluate the Usability of Security APIs. In IEEE International Conference on Information and Automation for Sustainability (ICIAfS)."},{"key":"e_1_3_2_1_133_1","unstructured":"John Wilander. 2012. Advanced CSRF and Stateless Anti-CSRF. (2012).  John Wilander. 2012. Advanced CSRF and Stateless Anti-CSRF. (2012)."},{"key":"e_1_3_2_1_134_1","volume-title":"Cross-Site Request Forgeries: Exploitation and Prevention","author":"Zeller William","unstructured":"William Zeller and Edward\u00a0 W. Felten . 2008. Cross-Site Request Forgeries: Exploitation and Prevention . In Princeton University . William Zeller and Edward\u00a0W. Felten. 2008. Cross-Site Request Forgeries: Exploitation and Prevention. In Princeton University."}],"event":{"name":"RAID '21: 24th International Symposium on Research in Attacks, Intrusions and Defenses","location":"San Sebastian Spain","acronym":"RAID '21"},"container-title":["24th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3471621.3471846","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3471621.3471846","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T21:24:49Z","timestamp":1750195489000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3471621.3471846"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,10,6]]},"references-count":133,"alternative-id":["10.1145\/3471621.3471846","10.1145\/3471621"],"URL":"https:\/\/doi.org\/10.1145\/3471621.3471846","relation":{},"subject":[],"published":{"date-parts":[[2021,10,6]]}}}