{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,24]],"date-time":"2025-08-24T01:56:40Z","timestamp":1756000600287,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":80,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T00:00:00Z","timestamp":1667779200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100002765","name":"Bundesministerium f\u00fcr Wirtschaft und Technologie","doi-asserted-by":"publisher","award":["13I40V002C"],"award-info":[{"award-number":["13I40V002C"]}],"id":[{"id":"10.13039\/501100002765","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100001659","name":"Deutsche Forschungsgemeinschaft","doi-asserted-by":"publisher","award":["390781972"],"award-info":[{"award-number":["390781972"]}],"id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,7]]},"DOI":"10.1145\/3548606.3560692","type":"proceedings-article","created":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T11:41:28Z","timestamp":1667821288000},"page":"1553-1567","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":11,"title":["DISTINCT"],"prefix":"10.1145","author":[{"given":"Louis","family":"Jannett","sequence":"first","affiliation":[{"name":"Ruhr University Bochum, Bochum, Germany"}]},{"given":"Vladislav","family":"Mladenov","sequence":"additional","affiliation":[{"name":"Ruhr University Bochum, Bochum, Germany"}]},{"given":"Christian","family":"Mainka","sequence":"additional","affiliation":[{"name":"Ruhr University Bochum, Bochum, Germany"}]},{"given":"J\u00f6rg","family":"Schwenk","sequence":"additional","affiliation":[{"name":"Ruhr University Bochum, Bochum, Germany"}]}],"member":"320","published-online":{"date-parts":[[2022,11,7]]},"reference":[{"doi-asserted-by":"publisher","key":"e_1_3_2_1_1_1","DOI":"10.1109\/CSF.2010.27"},{"unstructured":"Apple Inc. 2022. Sign in with Apple | Developer Documentation. Retrieved 08\/29\/2022 from https:\/\/developer.apple.com\/sign-in-with-apple\/.  Apple Inc. 2022. Sign in with Apple | Developer Documentation. Retrieved 08\/29\/2022 from https:\/\/developer.apple.com\/sign-in-with-apple\/.","key":"e_1_3_2_1_2_1"},{"key":"e_1_3_2_1_3_1","volume-title":"Network and Distributed System Security Symposium (NDSS).","author":"Bai Guangdong","year":"2013","unstructured":"Guangdong Bai , Jike Lei , Guozhu Meng , Sai Sathyanarayan Venkatraman , Prateek Saxena , Jun Sun , Yang Liu , Jin Song Dong , and B Guangdong . 2013 . AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations . In Network and Distributed System Security Symposium (NDSS). Guangdong Bai, Jike Lei, Guozhu Meng, Sai Sathyanarayan Venkatraman, Prateek Saxena, Jun Sun, Yang Liu, Jin Song Dong, and B Guangdong. 2013. AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations. In Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_1_4_1","volume-title":"Mitchell","author":"Barth Adam","year":"2009","unstructured":"Adam Barth , Collin Jackson , and John C . Mitchell . 2009 . Securing Frame Communication in Browsers. Communications of the ACM , 52, 6, (June 2009), 83--91. issn: 0001-0782, 1557--7317. doi: 10.1145\/1516046.1516066. 10.1145\/1516046.1516066 Adam Barth, Collin Jackson, and John C. Mitchell. 2009. Securing Frame Communication in Browsers. Communications of the ACM, 52, 6, (June 2009), 83--91. issn: 0001-0782, 1557--7317. doi: 10.1145\/1516046.1516066."},{"key":"e_1_3_2_1_5_1","volume-title":"Elham Arshad, and Bruno Crispo.","author":"Benolli Michele","year":"2021","unstructured":"Michele Benolli , Seyed Ali Mirheidari , Elham Arshad, and Bruno Crispo. 2021 . The Full Gamut of an Attack : An Empirical Analysis of OAuth CSRF in the Wild. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Volume 12756 LNCS. Springer International Publishing , 21--41. isbn: 9783030808242. doi: 10.1007\/978--3-030--80825--9_2. 10.1007\/978--3-030--80825--9_2 Michele Benolli, Seyed Ali Mirheidari, Elham Arshad, and Bruno Crispo. 2021. The Full Gamut of an Attack: An Empirical Analysis of OAuth CSRF in the Wild. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Volume 12756 LNCS. Springer International Publishing, 21--41. isbn: 9783030808242. doi: 10.1007\/978--3-030--80825--9_2."},{"key":"e_1_3_2_1_6_1","volume-title":"OAuth Demystified for Mobile Application Developers. In ACM SIGSAC Conference on Computer and Communications Security. ACM","author":"Chen Eric Y.","year":"2014","unstructured":"Eric Y. Chen , Yutong Pei , Shuo Chen , Yuan Tian , Robert Kotcher , and Patrick Tague . 2014 . OAuth Demystified for Mobile Application Developers. In ACM SIGSAC Conference on Computer and Communications Security. ACM , Scottsdale Arizona USA , (November 3, 2014), 892--903. isbn: 978--1--4503--2957--6. doi: 10. 1145\/2660267.2660323. Eric Y. Chen, Yutong Pei, Shuo Chen, Yuan Tian, Robert Kotcher, and Patrick Tague. 2014. OAuth Demystified for Mobile Application Developers. In ACM SIGSAC Conference on Computer and Communications Security. ACM, Scottsdale Arizona USA, (November 3, 2014), 892--903. isbn: 978--1--4503--2957--6. doi: 10. 1145\/2660267.2660323."},{"unstructured":"2022. Chrome DevTools Protocol | Documentation. Retrieved 08\/01\/2022 from https:\/\/chromedevtools.github.io\/devtools-protocol\/.  2022. Chrome DevTools Protocol | Documentation. Retrieved 08\/01\/2022 from https:\/\/chromedevtools.github.io\/devtools-protocol\/.","key":"e_1_3_2_1_7_1"},{"key":"e_1_3_2_1_8_1","volume-title":"Security and Privacy Perceptions of Third-Party Application Access for Google Accounts. In 31st USENIX Security Symposium (USENIX Security . USENIX Association","author":"Balash David G.","year":"2022","unstructured":"David G. Balash , Xiaoyuan Wu , Miles Grant , Irwin Reyes , and Adam J. Aviv . 2022 . Security and Privacy Perceptions of Third-Party Application Access for Google Accounts. In 31st USENIX Security Symposium (USENIX Security . USENIX Association , Boston, MA , ( August 2022 ), 3397--3414. isbn: 978--1- 939133--31--1. David G. Balash, Xiaoyuan Wu, Miles Grant, Irwin Reyes, and Adam J. Aviv. 2022. Security and Privacy Perceptions of Third-Party Application Access for Google Accounts. In 31st USENIX Security Symposium (USENIX Security . USENIX Association, Boston, MA, (August 2022), 3397--3414. isbn: 978--1- 939133--31--1."},{"key":"e_1_3_2_1_9_1","volume-title":"The Cookie Hunter: Automated Black-Box Auditing for Web Authentication and Authorization Flaws. In ACM SIGSAC Conference on Computer and Communications Security (CCS '20)","author":"Drakonakis Kostas","year":"2020","unstructured":"Kostas Drakonakis , Sotiris Ioannidis , and Jason Polakis . 2020 . The Cookie Hunter: Automated Black-Box Auditing for Web Authentication and Authorization Flaws. In ACM SIGSAC Conference on Computer and Communications Security (CCS '20) . Association for Computing Machinery, Virtual Event, USA , 1953--1970. isbn: 9781450370899. doi: 10.1145\/3372297.3417869. 10.1145\/3372297.3417869 Kostas Drakonakis, Sotiris Ioannidis, and Jason Polakis. 2020. The Cookie Hunter: Automated Black-Box Auditing for Web Authentication and Authorization Flaws. In ACM SIGSAC Conference on Computer and Communications Security (CCS '20). Association for Computing Machinery, Virtual Event, USA, 1953--1970. isbn: 9781450370899. doi: 10.1145\/3372297.3417869."},{"unstructured":"Facebook Inc. 2022. Facebook Login | Developer Documentation. Retrieved 08\/29\/2022 from https:\/\/developers.facebook.com\/docs\/facebook-login.  Facebook Inc. 2022. Facebook Login | Developer Documentation. Retrieved 08\/29\/2022 from https:\/\/developers.facebook.com\/docs\/facebook-login.","key":"e_1_3_2_1_10_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_11_1","DOI":"10.1145\/3131365.3131404"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_12_1","DOI":"10.1145\/2810103.2813726"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_13_1","DOI":"10.1145\/2976749.2978385"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_14_1","DOI":"10.1109\/SP.2014.49"},{"key":"e_1_3_2_1_15_1","volume-title":"The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines. In 2017 IEEE 30th Computer Security Foundations Symposium (CSF). IEEE, 189-- 202","author":"Fett Daniel","year":"2017","unstructured":"Daniel Fett , Ralf K\u00fcsters , and Guido Schmitz . 2017 . The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines. In 2017 IEEE 30th Computer Security Foundations Symposium (CSF). IEEE, 189-- 202 . doi: 10.1109\/CSF.2017.20. 10.1109\/CSF.2017.20 Daniel Fett, Ralf K\u00fcsters, and Guido Schmitz. 2017. The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines. In 2017 IEEE 30th Computer Security Foundations Symposium (CSF). IEEE, 189-- 202. doi: 10.1109\/CSF.2017.20."},{"key":"e_1_3_2_1_16_1","volume-title":"Towards Automated Auditing for Account and Session Management Flaws in Single Sign-On Deployments. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society","author":"Ghasemisharif M.","year":"2022","unstructured":"M. Ghasemisharif , C. Kanich , and J. Polakis . 2022 . Towards Automated Auditing for Account and Session Management Flaws in Single Sign-On Deployments. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society , Los Alamitos, CA, USA , ( May 2022 ), 1524--1524. doi: 10.1109\/SP46214.2022.00095. 10.1109\/SP46214.2022.00095 M. Ghasemisharif, C. Kanich, and J. Polakis. 2022. Towards Automated Auditing for Account and Session Management Flaws in Single Sign-On Deployments. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, Los Alamitos, CA, USA, (May 2022), 1524--1524. doi: 10.1109\/SP46214.2022.00095."},{"key":"e_1_3_2_1_17_1","volume-title":"An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on theWeb. In 27th USENIX Security Symposium (USENIX Security 18)","author":"Ghasemisharif Mohammad","year":"2018","unstructured":"Mohammad Ghasemisharif , Amrutha Ramesh , Stephen Checkoway , Chris Kanich , and Jason Polakis . 2018 . O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on theWeb. In 27th USENIX Security Symposium (USENIX Security 18) . USENIX Association, Baltimore, MD , (August 2018), 1475--1492. isbn: 978--1--939133-04--5. Mohammad Ghasemisharif, Amrutha Ramesh, Stephen Checkoway, Chris Kanich, and Jason Polakis. 2018. O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on theWeb. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, (August 2018), 1475--1492. isbn: 978--1--939133-04--5."},{"unstructured":"Google LLC. 2022. Google Identity | Developer Documentation. Retrieved 08\/29\/2022 from https:\/\/developers.google.com\/identity.  Google LLC. 2022. Google Identity | Developer Documentation. Retrieved 08\/29\/2022 from https:\/\/developers.google.com\/identity.","key":"e_1_3_2_1_18_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_19_1","DOI":"10.1109\/PAC.2017.30"},{"key":"e_1_3_2_1_20_1","volume-title":"DangerNeighbor Attack: Information Leakage via postMessage Mechanism in HTML5. Computers & Security, 80, (July 28","author":"Guan Chong","year":"2018","unstructured":"Chong Guan , Kun Sun , Lingguang Lei , Pingjian Wang , Yuewu Wang , and Wei Chen . 2018. DangerNeighbor Attack: Information Leakage via postMessage Mechanism in HTML5. Computers & Security, 80, (July 28 , 2018 ), 291--305. issn: 01674048. doi: 10.1016\/j.cose.2018.09.010. 10.1016\/j.cose.2018.09.010 Chong Guan, Kun Sun, Lingguang Lei, Pingjian Wang, Yuewu Wang, and Wei Chen. 2018. DangerNeighbor Attack: Information Leakage via postMessage Mechanism in HTML5. Computers & Security, 80, (July 28, 2018), 291--305. issn: 01674048. doi: 10.1016\/j.cose.2018.09.010."},{"key":"e_1_3_2_1_21_1","volume-title":"Xi'an China, (May 30","author":"Guan Chong","year":"2016","unstructured":"Chong Guan , Kun Sun , Zhan Wang , and WenTao Zhu . 2016. Privacy Breach by Exploiting postMessage in HTML5: Identification, Evaluation, and Countermeasure. In th ACM on Asia Conference on Computer and Communications Security. ACM , Xi'an China, (May 30 , 2016 ), 629--640. isbn: 978--1--4503--4233--9. doi: 10.1145\/2897845.2897901. 10.1145\/2897845.2897901 Chong Guan, Kun Sun, Zhan Wang, and WenTao Zhu. 2016. Privacy Breach by Exploiting postMessage in HTML5: Identification, Evaluation, and Countermeasure. In th ACM on Asia Conference on Computer and Communications Security. ACM, Xi'an China, (May 30, 2016), 629--640. isbn: 978--1--4503--4233--9. doi: 10.1145\/2897845.2897901."},{"key":"e_1_3_2_1_22_1","volume-title":"Privacy-Preserving OpenID Connect. In th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20)","author":"Hammann Sven","year":"2026","unstructured":"Sven Hammann , Ralf Sasse , and David Basin . 2020. Privacy-Preserving OpenID Connect. In th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20) . Association for Computing Machinery , Taipei, Taiwan , 277-- 289. isbn: 9781450367509. doi: 10.1145\/33 2026 9.3384724. 10.1145\/3320269.3384724 Sven Hammann, Ralf Sasse, and David Basin. 2020. Privacy-Preserving OpenID Connect. In th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20). Association for Computing Machinery, Taipei, Taiwan, 277-- 289. isbn: 9781450367509. doi: 10.1145\/3320269.3384724."},{"key":"e_1_3_2_1_23_1","volume-title":"The Emperor's New APIs: On the (In)Secure Usage of New Client-side Primitives. csberkeleyedu, (January","author":"Hanna Steve","year":"2010","unstructured":"Steve Hanna , Eui Chul , Richard Shin , Devdatta Akhawe , Arman Boehm , Prateek Saxena , and Dawn Song . 2010. The Emperor's New APIs: On the (In)Secure Usage of New Client-side Primitives. csberkeleyedu, (January 2010 ). Steve Hanna, Eui Chul, Richard Shin, Devdatta Akhawe, Arman Boehm, Prateek Saxena, and Dawn Song. 2010. The Emperor's New APIs: On the (In)Secure Usage of New Client-side Primitives. csberkeleyedu, (January 2010)."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_24_1","DOI":"10.17487\/RFC6749"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_25_1","DOI":"10.1145\/2660460.2660463"},{"key":"e_1_3_2_1_26_1","volume-title":"Internet Engineering Task Force, (March 8","author":"Ideskog Jacob","year":"2021","unstructured":"Jacob Ideskog and Travis Spencer . 2021 . OAuth 2.0 Assisted Token. Internet- Draft draft-ideskog-assisted-token-05 . Internet Engineering Task Force, (March 8 , 2021). 20 pages. https:\/\/datatracker.ietf.org\/doc\/html\/draft-ideskog-assistedtoken- 05. Jacob Ideskog and Travis Spencer. 2021. OAuth 2.0 Assisted Token. Internet- Draft draft-ideskog-assisted-token-05. Internet Engineering Task Force, (March 8, 2021). 20 pages. https:\/\/datatracker.ietf.org\/doc\/html\/draft-ideskog-assistedtoken- 05."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_27_1","DOI":"10.1109\/EuroSPW51379.2020.00096"},{"key":"e_1_3_2_1_28_1","volume-title":"Shepherd: Enabling Automatic and Large-Scale Login Security Studies. CoRR, abs\/1808.00840. arXiv","author":"Jonker Hugo","year":"2018","unstructured":"Hugo Jonker , Jelmer Kalkman , Benjamin Krumnow , Marc Sleegers , and Alan Verresen . 2018 . Shepherd: Enabling Automatic and Large-Scale Login Security Studies. CoRR, abs\/1808.00840. arXiv : 1808.00840. Hugo Jonker, Jelmer Kalkman, Benjamin Krumnow, Marc Sleegers, and Alan Verresen. 2018. Shepherd: Enabling Automatic and Large-Scale Login Security Studies. CoRR, abs\/1808.00840. arXiv: 1808.00840."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_29_1","DOI":"10.1145\/3460120.3484739"},{"key":"e_1_3_2_1_30_1","volume-title":"Internet Engineering Task Force, (November 21","author":"Kong G.","year":"2015","unstructured":"G. Kong , N. Agarwal , and W. Denniss . 2015. OAuth 2.0 IDP-IFrame-Based Implicit Flow. Internet-Draft draft-guibinkong-oauth-idp-iframe-00 . Internet Engineering Task Force, (November 21 , 2015 ). 21 pages. http:\/\/lists.openid.net\/ pipermail\/openid-specs-ab\/Week-of-Mon-20151116\/005865.html. G. Kong, N. Agarwal, and W. Denniss. 2015. OAuth 2.0 IDP-IFrame-Based Implicit Flow. Internet-Draft draft-guibinkong-oauth-idp-iframe-00. Internet Engineering Task Force, (November 21, 2015). 21 pages. http:\/\/lists.openid.net\/ pipermail\/openid-specs-ab\/Week-of-Mon-20151116\/005865.html."},{"key":"e_1_3_2_1_31_1","volume-title":"Mozilla stops developing its persona sign-in system due to low adoption. (March","author":"Lardinois Frederic","year":"2014","unstructured":"Frederic Lardinois . 2014. Mozilla stops developing its persona sign-in system due to low adoption. (March 2014 ). Retrieved 08\/01\/2022 from https : \/\/techcrunch.com\/2014\/03\/08\/mozilla-stops-developing-its-persona-sign-insystem- because-of-low-adoption\/. Frederic Lardinois. 2014. Mozilla stops developing its persona sign-in system due to low adoption. (March 2014). Retrieved 08\/01\/2022 from https : \/\/techcrunch.com\/2014\/03\/08\/mozilla-stops-developing-its-persona-sign-insystem- because-of-low-adoption\/."},{"key":"e_1_3_2_1_32_1","volume-title":"Samaneh Tajalizadehkhoob, Maciej Korczy'ski, and Wouter Joosen.","author":"Pochat Victor Le","year":"2019","unstructured":"Victor Le Pochat , Tom Van Goethem , Samaneh Tajalizadehkhoob, Maciej Korczy'ski, and Wouter Joosen. 2019 . Tranco : A Research-Oriented Top Sites Ranking Hardened Against Manipulation. In th Annual Network and Distributed System Security Symposium (NDSS 2019). (February 2019). doi: 10.14722\/ndss. 2019.23386. 10.14722\/ndss Victor Le Pochat, Tom Van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczy'ski, and Wouter Joosen. 2019. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation. In th Annual Network and Distributed System Security Symposium (NDSS 2019). (February 2019). doi: 10.14722\/ndss. 2019.23386."},{"key":"e_1_3_2_1_33_1","volume-title":"25 Million Flows Later - Large-scale Detection of DOM-based XSS. In ACM SIGSAC Conference on Computer & Communications Security - CCS '13. ACM Press","author":"Lekies Sebastian","year":"2013","unstructured":"Sebastian Lekies , Ben Stock , and Martin Johns . 2013 . 25 Million Flows Later - Large-scale Detection of DOM-based XSS. In ACM SIGSAC Conference on Computer & Communications Security - CCS '13. ACM Press , Berlin, Germany, 1193--1204. isbn: 978--1--4503--2477--9. doi: 10.1145\/2508859.2516703. 10.1145\/2508859.2516703 Sebastian Lekies, Ben Stock, and Martin Johns. 2013. 25 Million Flows Later - Large-scale Detection of DOM-based XSS. In ACM SIGSAC Conference on Computer & Communications Security - CCS '13. ACM Press, Berlin, Germany, 1193--1204. isbn: 978--1--4503--2477--9. doi: 10.1145\/2508859.2516703."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_34_1","DOI":"10.1007\/978-3-319-40667-1_18"},{"key":"e_1_3_2_1_35_1","volume-title":"Mitchell","author":"Li Wanpeng","year":"2014","unstructured":"Wanpeng Li and Chris J . Mitchell . 2014 . Security Issues in OAuth 2.0 SSO Implementations. In Information Security (Lecture Notes in Computer Science). Sherman S. M. Chow, Jan Camenisch, Lucas C. K. Hui, and Siu Ming Yiu, editors. Volume 8783. Springer International Publishing , Cham, 529--541. isbn: 978--3--319--13257-0. doi: 10.1007\/978--3--319--13257-0_34. 10.1007\/978--3--319--13257-0_34 Wanpeng Li and Chris J. Mitchell. 2014. Security Issues in OAuth 2.0 SSO Implementations. In Information Security (Lecture Notes in Computer Science). Sherman S. M. Chow, Jan Camenisch, Lucas C. K. Hui, and Siu Ming Yiu, editors. Volume 8783. Springer International Publishing, Cham, 529--541. isbn: 978--3--319--13257-0. doi: 10.1007\/978--3--319--13257-0_34."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_36_1","DOI":"10.1109\/PST.2018.8514180"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_37_1","DOI":"10.1145\/3338500.3360331"},{"key":"e_1_3_2_1_38_1","volume-title":"Conference: 2018 16th Annual Conference on Privacy, Security and Trust (PST).","volume":"11286","author":"Li Wanpeng","year":"2018","unstructured":"Wanpeng Li , Chris J. Mitchell , and Thomas Chen . 2018 . Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations . In Conference: 2018 16th Annual Conference on Privacy, Security and Trust (PST). Volume 11286 LNCS. Springer Verlag, 24--41. isbn: 9783030032500. doi: 10.1007\/978--3-030- 03251--7_3. 10.1007\/978--3-030- Wanpeng Li, Chris J. Mitchell, and Thomas Chen. 2018. Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations. In Conference: 2018 16th Annual Conference on Privacy, Security and Trust (PST). Volume 11286 LNCS. Springer Verlag, 24--41. isbn: 9783030032500. doi: 10.1007\/978--3-030- 03251--7_3."},{"key":"e_1_3_2_1_39_1","volume-title":"An Investigation of Identity- Account Inconsistency in Single Sign-On. In Web Conference 2021","author":"Liu Guannan","year":"2021","unstructured":"Guannan Liu , Xing Gao , and HainingWang. 2021 . An Investigation of Identity- Account Inconsistency in Single Sign-On. In Web Conference 2021 . ACM, Ljubljana Slovenia , (April 19, 2021), 105--117. isbn: 978--1--4503--8312--7. doi: 10.1145\/ 3442381.3450085. Guannan Liu, Xing Gao, and HainingWang. 2021. An Investigation of Identity- Account Inconsistency in Single Sign-On. In Web Conference 2021. ACM, Ljubljana Slovenia, (April 19, 2021), 105--117. isbn: 978--1--4503--8312--7. doi: 10.1145\/ 3442381.3450085."},{"key":"e_1_3_2_1_40_1","first-page":"18","volume-title":"Internet Engineering Task Force, (April 13","author":"Lodderstedt Torsten","year":"2021","unstructured":"Torsten Lodderstedt , John Bradley , Andrey Labunets , and Daniel Fett . 2021 . OAuth 2.0 Security Best Current Practice. Internet-Draft draft-ietf-oauth-securitytopics- 18 . Internet Engineering Task Force, (April 13 , 2021). 53 pages. https: \/\/datatracker.ietf.org\/doc\/html\/draft-ietf-oauth-security-topics- 18 . Torsten Lodderstedt, John Bradley, Andrey Labunets, and Daniel Fett. 2021. OAuth 2.0 Security Best Current Practice. Internet-Draft draft-ietf-oauth-securitytopics- 18. Internet Engineering Task Force, (April 13, 2021). 53 pages. https: \/\/datatracker.ietf.org\/doc\/html\/draft-ietf-oauth-security-topics-18."},{"unstructured":"Torsten Lodderstedt Mark McGloin and Phil Hunt. 2013. OAuth 2.0 Threat Model and Security Considerations. RFC 6819. (January 2013). doi: 10.17487\/ RFC6819. https:\/\/rfc-editor.org\/rfc\/rfc6819.txt.  Torsten Lodderstedt Mark McGloin and Phil Hunt. 2013. OAuth 2.0 Threat Model and Security Considerations. RFC 6819. (January 2013). doi: 10.17487\/ RFC6819. https:\/\/rfc-editor.org\/rfc\/rfc6819.txt.","key":"e_1_3_2_1_41_1"},{"volume-title":"Your Software at My Service: Security Analysis of SaaS Single Sign-on Solutions in the Cloud. In th Edition of the ACM Workshop on Cloud Computing Security (CCSW '14)","author":"Mainka Christian","unstructured":"Christian Mainka , Vladislav Mladenov , Florian Feldmann , Julian Krautwald , and J\u00f6rg Schwenk . 2014. Your Software at My Service: Security Analysis of SaaS Single Sign-on Solutions in the Cloud. In th Edition of the ACM Workshop on Cloud Computing Security (CCSW '14) . Association for Computing Machinery , New York, NY, USA , 93--104. isbn: 978--1--4503--3239--2. doi: 10.1145\/2664168. 2664172. 10.1145\/2664168 Christian Mainka, Vladislav Mladenov, Florian Feldmann, Julian Krautwald, and J\u00f6rg Schwenk. 2014. Your Software at My Service: Security Analysis of SaaS Single Sign-on Solutions in the Cloud. In th Edition of the ACM Workshop on Cloud Computing Security (CCSW '14). Association for Computing Machinery, New York, NY, USA, 93--104. isbn: 978--1--4503--3239--2. doi: 10.1145\/2664168. 2664172.","key":"e_1_3_2_1_42_1"},{"key":"e_1_3_2_1_43_1","volume-title":"Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite. Open Identity Summit, 251, (October","author":"Mainka Christian","year":"2015","unstructured":"Christian Mainka , Vladislav Mladenov , Tim Guenther , and J\u00f6rg Schwenk . 2015. Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite. Open Identity Summit, 251, (October 2015 ), 117--131. issn: 16175468. Christian Mainka, Vladislav Mladenov, Tim Guenther, and J\u00f6rg Schwenk. 2015. Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite. Open Identity Summit, 251, (October 2015), 117--131. issn: 16175468."},{"key":"e_1_3_2_1_44_1","volume-title":"Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P), 321--336","author":"Mainka Christian","year":"2016","unstructured":"Christian Mainka , Vladislav Mladenov , and J\u00f6rg Schwenk . 2016 . Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P), 321--336 . doi: 10.1109\/EuroSP.2016.33. 10.1109\/EuroSP.2016.33 Christian Mainka, Vladislav Mladenov, and J\u00f6rg Schwenk. 2016. Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on. In 2016 IEEE European Symposium on Security and Privacy (EuroS&P), 321--336. doi: 10.1109\/EuroSP.2016.33."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_45_1","DOI":"10.1109\/EuroSP.2017.32"},{"unstructured":"MDN. 2021. Broadcast Channel API. Retrieved 10\/28\/2021 from https:\/\/developer. mozilla.org\/en-US\/docs\/Web\/API\/Broadcast_Channel_API.  MDN. 2021. Broadcast Channel API. Retrieved 10\/28\/2021 from https:\/\/developer. mozilla.org\/en-US\/docs\/Web\/API\/Broadcast_Channel_API.","key":"e_1_3_2_1_46_1"},{"unstructured":"MDN. 2021. Channel Messaging API. Retrieved 10\/28\/2021 from https : \/ \/ developer.mozilla.org\/en-US\/docs\/Web\/API\/Channel_Messaging_API.  MDN. 2021. Channel Messaging API. Retrieved 10\/28\/2021 from https : \/ \/ developer.mozilla.org\/en-US\/docs\/Web\/API\/Channel_Messaging_API.","key":"e_1_3_2_1_47_1"},{"key":"e_1_3_2_1_48_1","volume-title":"Creating and triggering events. (October 14","author":"MDN.","year":"2021","unstructured":"MDN. 2021. Creating and triggering events. (October 14 , 2021 ). Retrieved 10\/28\/2021 from https:\/\/developer.mozilla.org\/en- US\/docs\/Web\/Events\/ Creating _and_triggering_events. MDN. 2021. Creating and triggering events. (October 14, 2021). Retrieved 10\/28\/2021 from https:\/\/developer.mozilla.org\/en- US\/docs\/Web\/Events\/ Creating_and_triggering_events."},{"unstructured":"MDN. 2022. Proxy. MDN Web Docs. Retrieved 08\/01\/2022 from https : \/ \/ developer. mozilla . org \/ en - US\/ docs \/Web \/ JavaScript \/ Reference \/ Global _ Objects\/Proxy.  MDN. 2022. Proxy. MDN Web Docs. Retrieved 08\/01\/2022 from https : \/ \/ developer. mozilla . org \/ en - US\/ docs \/Web \/ JavaScript \/ Reference \/ Global _ Objects\/Proxy.","key":"e_1_3_2_1_49_1"},{"unstructured":"MDN. 2020. Same-Origin Policy. MDN Web Docs. Retrieved 09\/26\/2020 from https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy.  MDN. 2020. Same-Origin Policy. MDN Web Docs. Retrieved 09\/26\/2020 from https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy.","key":"e_1_3_2_1_50_1"},{"unstructured":"MDN. 2021. Window.postMessage(). Retrieved 10\/28\/2021 from https:\/\/developer. mozilla.org\/en-US\/docs\/Web\/API\/Window\/postMessage.  MDN. 2021. Window.postMessage(). Retrieved 10\/28\/2021 from https:\/\/developer. mozilla.org\/en-US\/docs\/Web\/API\/Window\/postMessage.","key":"e_1_3_2_1_51_1"},{"key":"e_1_3_2_1_52_1","volume-title":"Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication. In 2021 ACM Asia Conference on Computer and Communications Security (ASIA CCS '21)","author":"Meiser Gordon","year":"2021","unstructured":"Gordon Meiser , Pierre Laperdrix , and Ben Stock . 2021 . Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication. In 2021 ACM Asia Conference on Computer and Communications Security (ASIA CCS '21) . Association for Computing Machinery, Virtual Event, Hong Kong, 110--122. isbn: 9781450382878. doi: 10.1145\/3433210.3437510. 10.1145\/3433210.3437510 Gordon Meiser, Pierre Laperdrix, and Ben Stock. 2021. Careful Who You Trust: Studying the Pitfalls of Cross-Origin Communication. In 2021 ACM Asia Conference on Computer and Communications Security (ASIA CCS '21). Association for Computing Machinery, Virtual Event, Hong Kong, 110--122. isbn: 9781450382878. doi: 10.1145\/3433210.3437510."},{"key":"e_1_3_2_1_53_1","volume-title":"On the Security of Modern Single Sign-On Protocols -- Second-Order Vulnerabilities in OpenID Connect, (January 7","author":"Mladenov Vladislav","year":"2016","unstructured":"Vladislav Mladenov , Christian Mainka , and J\u00f6rg Schwenk . 2016. On the Security of Modern Single Sign-On Protocols -- Second-Order Vulnerabilities in OpenID Connect, (January 7 , 2016 ). Vladislav Mladenov, Christian Mainka, and J\u00f6rg Schwenk. 2016. On the Security of Modern Single Sign-On Protocols -- Second-Order Vulnerabilities in OpenID Connect, (January 7, 2016)."},{"volume-title":"Empirical Analysis and Privacy Implications in OAuth-Based Single Sign-On Systems. In 20th Workshop on Workshop on Privacy in the Electronic Society (WPES '21)","author":"Morkonda Srivathsan G.","unstructured":"Srivathsan G. Morkonda , Sonia Chiasson , and Paul C . van Oorschot. 2021 . Empirical Analysis and Privacy Implications in OAuth-Based Single Sign-On Systems. In 20th Workshop on Workshop on Privacy in the Electronic Society (WPES '21) . Association for Computing Machinery, Virtual Event, Republic of Korea, 195--208. isbn: 9781450385275. doi: 10.1145\/3463676.3485600. 10.1145\/3463676.3485600 Srivathsan G. Morkonda, Sonia Chiasson, and Paul C. van Oorschot. 2021. Empirical Analysis and Privacy Implications in OAuth-Based Single Sign-On Systems. In 20th Workshop on Workshop on Privacy in the Electronic Society (WPES '21). Association for Computing Machinery, Virtual Event, Republic of Korea, 195--208. isbn: 9781450385275. doi: 10.1145\/3463676.3485600.","key":"e_1_3_2_1_54_1"},{"unstructured":"OWASP. 2021. Zed Attack Proxy (ZAP). Retrieved 12\/02\/2021 from https : \/\/www.zaproxy.org\/.  OWASP. 2021. Zed Attack Proxy (ZAP). Retrieved 12\/02\/2021 from https : \/\/www.zaproxy.org\/.","key":"e_1_3_2_1_55_1"},{"unstructured":"Portswigger. 2021.DOMInvader. Retrieved 12\/02\/2021 from https:\/\/portswigger. net\/burp\/documentation\/desktop\/tools\/dom-invader\/messages-view.  Portswigger. 2021.DOMInvader. Retrieved 12\/02\/2021 from https:\/\/portswigger. net\/burp\/documentation\/desktop\/tools\/dom-invader\/messages-view.","key":"e_1_3_2_1_56_1"},{"key":"e_1_3_2_1_57_1","volume-title":"OAUTHLINT: An Empirical Study on OAuth Bugs in Android Applications. In 2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE). IEEE, (November","author":"Rahat Tamjid Al","year":"2019","unstructured":"Tamjid Al Rahat , Yu Feng , and Yuan Tian . 2019 . OAUTHLINT: An Empirical Study on OAuth Bugs in Android Applications. In 2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE). IEEE, (November 2019), 293--304. isbn: 978--1--7281--2508--4. doi: 10.1109\/ASE.2019.00036. 10.1109\/ASE.2019.00036 Tamjid Al Rahat, Yu Feng, and Yuan Tian. 2019. OAUTHLINT: An Empirical Study on OAuth Bugs in Android Applications. In 2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE). IEEE, (November 2019), 293--304. isbn: 978--1--7281--2508--4. doi: 10.1109\/ASE.2019.00036."},{"unstructured":"N. Sakimura J. Bradley M. Jones B. de Medeiros and C. Mortimore. 2014. OpenID Connect Core 1.0 incorporating errata set 1. (November 8 2014). Retrieved 10\/27\/2021 from https:\/\/openid.net\/specs\/openid- connect- core- 1_0.html.  N. Sakimura J. Bradley M. Jones B. de Medeiros and C. Mortimore. 2014. OpenID Connect Core 1.0 incorporating errata set 1. (November 8 2014). Retrieved 10\/27\/2021 from https:\/\/openid.net\/specs\/openid- connect- core- 1_0.html.","key":"e_1_3_2_1_58_1"},{"key":"e_1_3_2_1_59_1","volume-title":"Bad regex used in Facebook Javascript SDK leads to account takeovers in websites that included it. (December 31","author":"Sammouda Youssef","year":"2020","unstructured":"Youssef Sammouda . 2020. Bad regex used in Facebook Javascript SDK leads to account takeovers in websites that included it. (December 31 , 2020 ). Retrieved 08\/29\/2022 from https:\/\/ysamm.com\/?p=510. Youssef Sammouda. 2020. Bad regex used in Facebook Javascript SDK leads to account takeovers in websites that included it. (December 31, 2020). Retrieved 08\/29\/2022 from https:\/\/ysamm.com\/?p=510."},{"key":"e_1_3_2_1_60_1","volume-title":"Anatomy of the Facebook Solution for Mobile Single Sign-on: Security Assessment and Improvements. Computers & Security, 71, (November","author":"Sciarretta Giada","year":"2017","unstructured":"Giada Sciarretta , Roberto Carbone , Silvio Ranise , and Alessandro Armando . 2017. Anatomy of the Facebook Solution for Mobile Single Sign-on: Security Assessment and Improvements. Computers & Security, 71, (November 2017 ), 71--86. issn: 01674048. doi: 10.1016\/j.cose.2017.04.011. 10.1016\/j.cose.2017.04.011 Giada Sciarretta, Roberto Carbone, Silvio Ranise, and Alessandro Armando. 2017. Anatomy of the Facebook Solution for Mobile Single Sign-on: Security Assessment and Improvements. Computers & Security, 71, (November 2017), 71--86. issn: 01674048. doi: 10.1016\/j.cose.2017.04.011."},{"key":"e_1_3_2_1_61_1","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment (Lecture Notes in Computer Science)","author":"Shernan Ethan","year":"2055","unstructured":"Ethan Shernan , Henry Carter , Dave Tian , Patrick Traynor , and Kevin Butler . 2015. More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations . In Detection of Intrusions and Malware, and Vulnerability Assessment (Lecture Notes in Computer Science) . Magnus Almgren, Vincenzo Gulisano, and Federico Maggi, editors. Volume 9148. Springer International Publishing , Cham, 239--260. isbn: 978--3--319-- 2055 0--2. doi: 10.1007\/978- 3--319--20550--2_13. 10.1007\/978- Ethan Shernan, Henry Carter, Dave Tian, Patrick Traynor, and Kevin Butler. 2015. More Guidelines Than Rules: CSRF Vulnerabilities from Noncompliant OAuth 2.0 Implementations. In Detection of Intrusions and Malware, and Vulnerability Assessment (Lecture Notes in Computer Science). Magnus Almgren, Vincenzo Gulisano, and Federico Maggi, editors. Volume 9148. Springer International Publishing, Cham, 239--260. isbn: 978--3--319--20550--2. doi: 10.1007\/978- 3--319--20550--2_13."},{"key":"e_1_3_2_1_62_1","volume-title":"MoSSOT: An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications. In ACM Asia Conference on Computer and Communications Security. ACM","author":"Shi Shangcheng","year":"2019","unstructured":"Shangcheng Shi , Xianbo Wang , and Wing Cheong Lau . 2019 . MoSSOT: An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications. In ACM Asia Conference on Computer and Communications Security. ACM , New York, NY, USA , (July 2019), 269--282. isbn: 9781450367523. doi: 10.1145\/3321705.3329801. 10.1145\/3321705.3329801 Shangcheng Shi, Xianbo Wang, and Wing Cheong Lau. 2019. MoSSOT: An Automated Blackbox Tester for Single Sign-On Vulnerabilities in Mobile Applications. In ACM Asia Conference on Computer and Communications Security. ACM, New York, NY, USA, (July 2019), 269--282. isbn: 9781450367523. doi: 10.1145\/3321705.3329801."},{"key":"e_1_3_2_1_63_1","volume-title":"20th Annual Network and Distributed System Security Symposium, NDSS 2013","author":"Son Sooel","year":"2013","unstructured":"Sooel Son and Vitaly Shmatikov . 2013 . The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites . In 20th Annual Network and Distributed System Security Symposium, NDSS 2013 , San Diego, California, USA, February 24--27 , 2013. The Internet Society. Sooel Son and Vitaly Shmatikov. 2013. The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites. In 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24--27, 2013. The Internet Society."},{"key":"e_1_3_2_1_64_1","volume-title":"ACM SIGSAC Conference on Computer and Communications Security (CCS '20)","author":"Steffens Marius","year":"2020","unstructured":"Marius Steffens and Ben Stock . 2020 . PMForce: Systematically Analyzing post- Message Handlers at Scale . In ACM SIGSAC Conference on Computer and Communications Security (CCS '20) . Association for Computing Machinery, New York, NY, USA, 493--505. isbn: 978--1--4503--7089--9. doi: 10.1145\/3372297.3417267. 10.1145\/3372297.3417267 Marius Steffens and Ben Stock. 2020. PMForce: Systematically Analyzing post- Message Handlers at Scale. In ACM SIGSAC Conference on Computer and Communications Security (CCS '20). Association for Computing Machinery, New York, NY, USA, 493--505. isbn: 978--1--4503--7089--9. doi: 10.1145\/3372297.3417267."},{"key":"e_1_3_2_1_65_1","volume-title":"Observation Is Better: Intersection Observer V2. web.dev. (February 26","author":"Steiner Thomas","year":"2021","unstructured":"Thomas Steiner . 2021. Trust Is Good , Observation Is Better: Intersection Observer V2. web.dev. (February 26 , 2021 ). Retrieved 06\/28\/2021 from https : \/\/web.dev\/intersectionobserver-v2\/. Thomas Steiner. 2021. Trust Is Good, Observation Is Better: Intersection Observer V2. web.dev. (February 26, 2021). Retrieved 06\/28\/2021 from https : \/\/web.dev\/intersectionobserver-v2\/."},{"key":"e_1_3_2_1_66_1","volume-title":"How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In 26th USENIX Security Symposium (USENIX Security 17)","author":"Stock Ben","year":"2017","unstructured":"Ben Stock , Martin Johns , Marius Steffens , and Michael Backes . 2017 . How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In 26th USENIX Security Symposium (USENIX Security 17) . USENIX Association, Vancouver, BC , (August 2017), 971--987. isbn: 978--1--931971--40--9. Ben Stock, Martin Johns, Marius Steffens, and Michael Backes. 2017. How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, (August 2017), 971--987. isbn: 978--1--931971--40--9."},{"key":"e_1_3_2_1_67_1","volume-title":"Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks. (January 31","author":"Sudhodanan Avinash","year":"2020","unstructured":"Avinash Sudhodanan , Soheil Khodayari , and Juan Caballero . 2020. Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks. (January 31 , 2020 ). arXiv: 1908.02204 [cs]. Retrieved 05\/21\/2021 from http: \/\/arxiv.org\/abs\/1908.02204. Avinash Sudhodanan, Soheil Khodayari, and Juan Caballero. 2020. Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks. (January 31, 2020). arXiv: 1908.02204 [cs]. Retrieved 05\/21\/2021 from http: \/\/arxiv.org\/abs\/1908.02204."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_68_1","DOI":"10.1145\/2382196.2382238"},{"unstructured":"Terjanq. 2022. Terjanq\/same-origin-XSS: Same origin XSS challenge. Retrieved 08\/16\/2022 from https:\/\/github.com\/terjanq\/same-origin-xss.  Terjanq. 2022. Terjanq\/same-origin-XSS: Same origin XSS challenge. Retrieved 08\/16\/2022 from https:\/\/github.com\/terjanq\/same-origin-xss.","key":"e_1_3_2_1_69_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_70_1","DOI":"10.1145\/2991079.2991105"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_71_1","DOI":"10.1109\/SP.2012.30"},{"key":"e_1_3_2_1_72_1","volume-title":"Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. In 22nd USENIX Security Symposium (USENIX Security 13)","author":"Wang Rui","year":"2013","unstructured":"Rui Wang , Yuchen Zhou , Shuo Chen , Shaz Qadeer , David Evans , and Yuri Gurevich . 2013 . Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. In 22nd USENIX Security Symposium (USENIX Security 13) . USENIX Association, Washington, D.C. , (August 2013), 399--314. isbn: 978--1--931971-03--4. Rui Wang, Yuchen Zhou, Shuo Chen, Shaz Qadeer, David Evans, and Yuri Gurevich. 2013. Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. In 22nd USENIX Security Symposium (USENIX Security 13). USENIX Association, Washington, D.C., (August 2013), 399--314. isbn: 978--1--931971-03--4."},{"key":"e_1_3_2_1_73_1","volume-title":"MoScan: A Model-Based Vulnerability Scanner for Web Single Sign-On Services. In ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM","author":"Hassanshahi Behnaz","year":"2021","unstructured":"HanlinWei, Behnaz Hassanshahi , Guangdong Bai , Padmanabhan Krishnan , and Kostyantyn Vorobyov . 2021 . MoScan: A Model-Based Vulnerability Scanner for Web Single Sign-On Services. In ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM , Virtual Denmark , (July 11, 2021), 678--681. isbn: 978--1--4503--8459--9. doi: 10.1145\/3460319.3469081. 10.1145\/3460319.3469081 HanlinWei, Behnaz Hassanshahi, Guangdong Bai, Padmanabhan Krishnan, and Kostyantyn Vorobyov. 2021. MoScan: A Model-Based Vulnerability Scanner for Web Single Sign-On Services. In ACM SIGSOFT International Symposium on Software Testing and Analysis. ACM, Virtual Denmark, (July 11, 2021), 678--681. isbn: 978--1--4503--8459--9. doi: 10.1145\/3460319.3469081."},{"key":"e_1_3_2_1_74_1","first-page":"00","volume-title":"Internet Engineering Task Force, (October 18","author":"Yamaguchi Toru","year":"2015","unstructured":"Toru Yamaguchi , Nat Sakimura , and Nov Matake . 2015 . OAuth 2.0 Web Message Response Mode. Internet-Draft draft-sakimura-oauth-wmrm-00 . Internet Engineering Task Force, (October 18 , 2015). 17 pages. https:\/\/datatracker.ietf. org\/doc\/html\/draft-sakimura-oauth-wmrm- 00 . Toru Yamaguchi, Nat Sakimura, and Nov Matake. 2015. OAuth 2.0 Web Message Response Mode. Internet-Draft draft-sakimura-oauth-wmrm-00. Internet Engineering Task Force, (October 18, 2015). 17 pages. https:\/\/datatracker.ietf. org\/doc\/html\/draft-sakimura-oauth-wmrm-00."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_75_1","DOI":"10.1145\/2897845.2897874"},{"key":"e_1_3_2_1_76_1","volume-title":"SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In 23rd USENIX Security Symposium (USENIX Security 14)","author":"Zhou Yuchen","year":"2014","unstructured":"Yuchen Zhou and David Evans . 2014 . SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In 23rd USENIX Security Symposium (USENIX Security 14) . USENIX Association, San Diego, CA , (August 2014), 495--510. isbn: 978--1--931971--15--7. Yuchen Zhou and David Evans. 2014. SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In 23rd USENIX Security Symposium (USENIX Security 14). USENIX Association, San Diego, CA, (August 2014), 495--510. isbn: 978--1--931971--15--7."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_77_1","DOI":"10.1145\/3133956.3134089"},{"doi-asserted-by":"crossref","unstructured":"Karsten Meyer zu Selhausen and Daniel Fett. 2022. OAuth 2.0 Authorization Server Issuer Identification. RFC 9207. (March 2022). doi: 10.17487\/RFC9207. https:\/\/www.rfc-editor.org\/info\/rfc9207. 10.17487\/RFC9207","key":"#cr-split#-e_1_3_2_1_78_1.1","DOI":"10.17487\/RFC9207"},{"doi-asserted-by":"crossref","unstructured":"Karsten Meyer zu Selhausen and Daniel Fett. 2022. OAuth 2.0 Authorization Server Issuer Identification. RFC 9207. (March 2022). doi: 10.17487\/RFC9207. https:\/\/www.rfc-editor.org\/info\/rfc9207.","key":"#cr-split#-e_1_3_2_1_78_1.2","DOI":"10.17487\/RFC9207"},{"key":"e_1_3_2_1_79_1","volume-title":"A Classification Framework for Web Browser Cross-Context Communication. arXiv:1108.4770 [cs], (August","author":"Zuzak Ivan","year":"2011","unstructured":"Ivan Zuzak , Marko Ivankovic , and Ivan Budiselic . 2011. A Classification Framework for Web Browser Cross-Context Communication. arXiv:1108.4770 [cs], (August 2011 ). arXiv: 1108.4770 [cs]. Ivan Zuzak, Marko Ivankovic, and Ivan Budiselic. 2011. A Classification Framework for Web Browser Cross-Context Communication. arXiv:1108.4770 [cs], (August 2011). arXiv: 1108.4770 [cs]."}],"event":{"sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"acronym":"CCS '22","name":"CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security","location":"Los Angeles CA USA"},"container-title":["Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3560692","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3548606.3560692","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:48:59Z","timestamp":1750182539000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3560692"}},"subtitle":["Identity Theft using In-Browser Communications in Dual-Window Single Sign-On"],"short-title":[],"issued":{"date-parts":[[2022,11,7]]},"references-count":80,"alternative-id":["10.1145\/3548606.3560692","10.1145\/3548606"],"URL":"https:\/\/doi.org\/10.1145\/3548606.3560692","relation":{},"subject":[],"published":{"date-parts":[[2022,11,7]]},"assertion":[{"value":"2022-11-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}