{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T07:15:38Z","timestamp":1763968538101,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":41,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,10,16]],"date-time":"2023-10-16T00:00:00Z","timestamp":1697414400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001659","name":"Deutsche Forschungsgemeinschaft","doi-asserted-by":"publisher","award":["491039149"],"award-info":[{"award-number":["491039149"]}],"id":[{"id":"10.13039\/501100001659","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,10,16]]},"DOI":"10.1145\/3607199.3607223","type":"proceedings-article","created":{"date-parts":[[2023,10,3]],"date-time":"2023-10-03T22:30:51Z","timestamp":1696372251000},"page":"714-726","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Honey, I Cached our Security Tokens Re-usage of Security Tokens in the Wild"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-6891-965X","authenticated-orcid":false,"given":"Leon","family":"Trampert","sequence":"first","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9659-0700","authenticated-orcid":false,"given":"Ben","family":"Stock","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-3529-1407","authenticated-orcid":false,"given":"Sebastian","family":"Roth","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,10,16]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Adam Barth. 2011. RFC 6265: HTTP State Management Mechanism - Overview. https:\/\/www.rfc-editor.org\/rfc\/rfc6265#section-3"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455782"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00045"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978338"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.23091"},{"volume-title":"Cloudflare about the Cloudflare Network. Online @ cloudflare.com","year":"2022","key":"e_1_3_2_1_6_1","unstructured":"Cloudflare. 2022. Cloudflare about the Cloudflare Network. Online @ cloudflare.com (2022)."},{"volume-title":"Cloudflare Cache Documentation. Online @ developers.cloudflare.com","year":"2022","key":"e_1_3_2_1_7_1","unstructured":"Cloudflare. 2022. Cloudflare Cache Documentation. Online @ developers.cloudflare.com (2022)."},{"volume-title":"Cloudflare Documentation on Avoiding Web Cache Poisoning. Online @ developers.cloudflare.com","year":"2022","key":"e_1_3_2_1_8_1","unstructured":"Cloudflare. 2022. Cloudflare Documentation on Avoiding Web Cache Poisoning. Online @ developers.cloudflare.com (2022)."},{"key":"e_1_3_2_1_9_1","unstructured":"Cloudflare Inc.2022. What is a CDN? | How do CDNs work?Article. Online @ cloudflare.com (2022)."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516708"},{"key":"e_1_3_2_1_11_1","volume-title":"Same Origin Method Execution (SOME). Online @ benhayak.com","author":"Hayak Ben","year":"2015","unstructured":"Ben Hayak. 2015. Same Origin Method Execution (SOME). Online @ benhayak.com (2015)."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516723"},{"volume-title":"Size, And Market Share. Blog Post. Online @ blog.intricately.com","year":"2020","key":"e_1_3_2_1_13_1","unstructured":"Intricately. 2020. CDN Industry: Trends, Size, And Market Share. Blog Post. Online @ blog.intricately.com (2020)."},{"key":"e_1_3_2_1_14_1","unstructured":"Markus Jakobsson Zulfikar Ramzan and Sid Stamm. [n. d.]. JavaScript Breaks Free. Online @ citeseerx.ist.psu.edu ([n. d.])."},{"key":"e_1_3_2_1_15_1","volume-title":"Towards Elimination of Cross-Site Scripting on Mobile Versions of Web Applications. In International Workshop on Information Security Applications (WISA).","author":"Javed Ashar","year":"2013","unstructured":"Ashar Javed and J\u00f6rg Schwenk. 2013. Towards Elimination of Cross-Site Scripting on Mobile Versions of Web Applications. In International Workshop on Information Security Applications (WISA)."},{"key":"e_1_3_2_1_16_1","volume-title":"DOM Based Cross Site Scripting or XSS of the Third Kind. Online @ webappsec.org","author":"Klein Amit","year":"2005","unstructured":"Amit Klein. 2005. DOM Based Cross Site Scripting or XSS of the Third Kind. Online @ webappsec.org (2005)."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134091"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516703"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3471621.3471846"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23309"},{"key":"e_1_3_2_1_21_1","volume-title":"Cached and Confused: Web Cache Deception in the Wild. In USENIX Security Symposium (USENIX Security).","author":"Mirheidari Seyed\u00a0Ali","year":"2020","unstructured":"Seyed\u00a0Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, and William Robertson. 2020. Cached and Confused: Web Cache Deception in the Wild. In USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_22_1","volume-title":"Web Cache Deception Escalates. In USENIX Security Symposium (USENIX Security).","author":"Mirheidari Seyed\u00a0Ali","year":"2022","unstructured":"Seyed\u00a0Ali Mirheidari, Matteo Golinelli, Kaan Onarlioglu, Engin Kirda, and Bruno Crispo. 2022. Web Cache Deception Escalates. In USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_23_1","volume-title":"Top 10 Web Application Security Risks. Online @ owasp.org","author":"Application Open Web","year":"2021","unstructured":"Open Web Application Security\u00a0Project (OWASP). 2021. Top 10 Web Application Security Risks. Online @ owasp.org (2021)."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978384"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2803191"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133959"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23386"},{"key":"e_1_3_2_1_28_1","volume-title":"FAQ on Websites Blocking Tor. Online @ support.torproject.org","author":"Project The\u00a0Tor","year":"2022","unstructured":"The\u00a0Tor Project. 2022. FAQ on Websites Blocking Tor. Online @ support.torproject.org (2022)."},{"key":"e_1_3_2_1_29_1","unstructured":"Phil Ringnalda. [n. d.]. Getting around IE\u2019s MIME type mangling. http:\/\/weblog.philringnalda.com\/2004\/04\/06\/getting-around-ies-mime-type-mangling"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.23046"},{"key":"e_1_3_2_1_31_1","volume-title":"The Security Lottery: Measuring Client-Side Web Security Inconsistencies. In USENIX Security Symposium (USENIX Security).","author":"Roth Sebastian","year":"2022","unstructured":"Sebastian Roth, Stefano Calzavara, Moritz Wilhelm, Alvise Rabitti, and Ben Stock. 2022. The Security Lottery: Measuring Client-Side Web Security Inconsistencies. In USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_32_1","volume-title":"Struggles with CSP. In Conference on Computer and Communications Security (CCS).","author":"Roth Sebastian","year":"2021","unstructured":"Sebastian Roth, Lea Gr\u00f6ber, Michael Backes, Katharina Krombholz, and Ben Stock. 2021. 12 Angry Developers \u2013 A Qualitative Study on Developers\u2019 Struggles with CSP. In Conference on Computer and Communications Security (CCS)."},{"key":"e_1_3_2_1_33_1","volume-title":"FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In Network and Distributed Systems Symposium (NDSS).","author":"Saxena Prateek","year":"2010","unstructured":"Prateek Saxena, Steve Hanna, Pongsin Poosankam, and Dawn Song. 2010. FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In Network and Distributed Systems Symposium (NDSS)."},{"key":"e_1_3_2_1_34_1","volume-title":"Reining in the Web with Content Security Policy. In International Conference on World Wide Web (WWW).","author":"Stamm Sid","year":"2010","unstructured":"Sid Stamm, Brandon Sterne, and Gervase Markham. 2010. Reining in the Web with Content Security Policy. In International Conference on World Wide Web (WWW)."},{"key":"e_1_3_2_1_35_1","volume-title":"Studying Third-Party Blockage of CSP and SRI. In Network and Distributed Systems Security Symposium (NDSS).","author":"Steffens Marius","year":"2021","unstructured":"Marius Steffens, Marius Musch, Martin Johns, and Ben Stock. 2021. Who\u2019s Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI. In Network and Distributed Systems Security Symposium (NDSS)."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23009"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"crossref","unstructured":"Ben Stock Giancarlo Pellegrino Frank Li Christian Rossow and Michael Backes. 2018. Didn\u2019t You Hear Me? - Towards More Successful Web Vulnerability Notifications. In NDSS.","DOI":"10.14722\/ndss.2018.23171"},{"key":"e_1_3_2_1_38_1","volume-title":"Proceedings of ISIC: the information behaviour conference.","author":"van Loggem Brigit","year":"2014","unstructured":"Brigit van Loggem. 2014. \u2019Nobody reads the documentation\u2019: true or not?. In Proceedings of ISIC: the information behaviour conference."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978363"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11379-1_11"},{"key":"e_1_3_2_1_41_1","volume-title":"W3C Standard. Online at w3.org","author":"West Mike","year":"2021","unstructured":"Mike West. 2021. CSP Level 3. W3C Standard. Online at w3.org (2021)."}],"event":{"name":"RAID 2023: The 26th International Symposium on Research in Attacks, Intrusions and Defenses","acronym":"RAID 2023","location":"Hong Kong China"},"container-title":["Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3607199.3607223","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3607199.3607223","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:35Z","timestamp":1750178255000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3607199.3607223"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,16]]},"references-count":41,"alternative-id":["10.1145\/3607199.3607223","10.1145\/3607199"],"URL":"https:\/\/doi.org\/10.1145\/3607199.3607223","relation":{},"subject":[],"published":{"date-parts":[[2023,10,16]]},"assertion":[{"value":"2023-10-16","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}