{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,30]],"date-time":"2026-01-30T07:40:39Z","timestamp":1769758839804,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":52,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,4,22]],"date-time":"2025-04-22T00:00:00Z","timestamp":1745280000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"MUR - Italian Ministry of University and Research [funded by the European Union - NextGenerationEU]","award":["SERICS (PE00000014)"],"award-info":[{"award-number":["SERICS (PE00000014)"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,4,22]]},"DOI":"10.1145\/3696410.3714614","type":"proceedings-article","created":{"date-parts":[[2025,5,5]],"date-time":"2025-05-05T16:42:02Z","timestamp":1746463322000},"page":"1105-1115","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Dynamic Security Analysis of JavaScript: Are We There Yet?"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9179-8270","authenticated-orcid":false,"given":"Stefano","family":"Calzavara","sequence":"first","affiliation":[{"name":"Universit\u00e0 Ca' Foscari Venezia, Venice, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-1938-7237","authenticated-orcid":false,"given":"Samuele","family":"Casarin","sequence":"additional","affiliation":[{"name":"Universit\u00e0 Ca' Foscari Venezia, Venice, Italy and Scuola IMT Alti Studi Lucca, Lucca, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0101-0692","authenticated-orcid":false,"given":"Riccardo","family":"Focardi","sequence":"additional","affiliation":[{"name":"Universit\u00e0 Ca' Foscari Venezia, Venice, Italy"}]}],"member":"320","published-online":{"date-parts":[[2025,4,22]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2024. Babel. https:\/\/babeljs.io\/"},{"key":"e_1_3_2_1_2_1","unstructured":"2024. Browserify. https:\/\/browserify.org\/"},{"key":"e_1_3_2_1_3_1","unstructured":"2024. Catapult. https:\/\/chromium.googlesource.com\/catapult\/"},{"key":"e_1_3_2_1_4_1","unstructured":"2024. CommonJS. https:\/\/wiki.commonjs.org\/wiki\/CommonJS"},{"key":"e_1_3_2_1_5_1","unstructured":"2024. mdn\/browser-compat-data. https:\/\/github.com\/mdn\/browser-compat-data"},{"key":"e_1_3_2_1_6_1","unstructured":"2024. Playwright. https:\/\/playwright.dev\/"},{"key":"e_1_3_2_1_7_1","unstructured":"2024. Puppeteer. https:\/\/pptr.dev\/"},{"key":"e_1_3_2_1_8_1","unstructured":"2024. Selenium. https:\/\/www.selenium.dev\/"},{"key":"e_1_3_2_1_9_1","unstructured":"2025. DynSecAnJS. https:\/\/github.com\/eleumasc\/DynSecAnJS"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1007\/S10207-024-00886-0"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3623382"},{"key":"e_1_3_2_1_12_1","volume-title":"A Survey of Dynamic Analysis and Test Generation for JavaScript. ACM Comput. Surv. 50, 5","author":"Andreasen Esben","year":"2017","unstructured":"Esben Andreasen, Liang Gong, Anders M\u00f8ller, Michael Pradel, Marija Selakovic, Koushik Sen, and Cristian-Alexandru Staicu. 2017. A Survey of Dynamic Analysis and Test Generation for JavaScript. ACM Comput. Surv. 50, 5 (2017), 66:1--66:36."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2009.22"},{"key":"e_1_3_2_1_14_1","volume-title":"Austin and Cormac Flanagan","author":"Thomas","year":"2012","unstructured":"Thomas H. Austin and Cormac Flanagan. 2012. Multiple facets for dynamic information flow. In POPL, John Field and Michael Hicks (Eds.). ACM, 165--178."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-54792-8_9"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jlap.2013.05.001"},{"key":"e_1_3_2_1_17_1","unstructured":"Stefano Calzavara Samuele Casarin and Riccardo Focardi. 2025. Dynamic Security Analysis of Javascript: Are We There Yet?: Dataset. https:\/\/doi.org\/10.5281\/ zenodo.14774184"},{"key":"e_1_3_2_1_18_1","unstructured":"Laurent Christophe. 2023. LinvailTaint. https:\/\/github.com\/lachrist\/aran\/ blob\/664f0a304b555bcb106f24e72734ad8c88dac429\/graveyard\/test\/live\/linvailtaint. js"},{"key":"e_1_3_2_1_19_1","volume-title":"Wolfgang De Meuter, and Coen De Roover.","author":"Christophe Laurent","year":"2016","unstructured":"Laurent Christophe, Elisa Gonzalez Boix, Wolfgang De Meuter, and Coen De Roover. 2016. Linvail: A General-Purpose Platform for Shadow Execution of JavaScript. In SANER. IEEE Computer Society, 260--270."},{"key":"e_1_3_2_1_20_1","volume-title":"Naumann","author":"Chudnov Andrey","year":"2015","unstructured":"Andrey Chudnov and David A. Naumann. 2015. Inlined Information Flow Monitoring for JavaScript. In CCS, Indrajit Ray, Ninghui Li, and Christopher Kruegel (Eds.). ACM, 629--643."},{"key":"e_1_3_2_1_21_1","volume-title":"Staged information flow for javascript","author":"Chugh Ravi","unstructured":"Ravi Chugh, Jeffrey A. Meister, Ranjit Jhala, and Sorin Lerner. 2009. Staged information flow for javascript. In PLDI, Michael Hind and Amer Diwan (Eds.). ACM, 50--62."},{"key":"e_1_3_2_1_22_1","unstructured":"Sourojit Das. 2024. How fast should a Website Load in 2024? | BrowserStack. https:\/\/www.browserstack.com\/guide\/how-fast-should-a-website-load"},{"key":"e_1_3_2_1_23_1","volume-title":"Reproducibility and Replicability of Web Measurement Studies","author":"Demir Nurullah","unstructured":"Nurullah Demir, Matteo Gro\u00dfe-Kampmann, Tobias Urban, ChristianWressnegger, Thorsten Holz, and Norbert Pohlmann. 2022. Reproducibility and Replicability of Web Measurement Studies. InWWW, Fr\u00e9d\u00e9rique Laforest, Rapha\u00ebl Troncy, Elena Simperl, Deepak Agarwal, Aristides Gionis, Ivan Herman, and Lionel M\u00e9dini (Eds.). ACM, 533--544."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978313"},{"key":"e_1_3_2_1_25_1","unstructured":"GitHub. 2022. The Top Programming Languages. https:\/\/octoverse.github.com\/2022\/top-programming-languages."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"crossref","unstructured":"Willem De Groef Dominique Devriese Nick Nikiforakis and Frank Piessens. 2012. FlowFox: a web browser with flexible and precise information flow control. In CCS Ting Yu George Danezis and Virgil D. Gligor (Eds.). ACM 748--759.","DOI":"10.1145\/2382196.2382275"},{"key":"e_1_3_2_1_27_1","volume-title":"JSFlow: tracking information flow in JavaScript and its APIs","author":"Hedin Daniel","unstructured":"Daniel Hedin, Arnar Birgisson, Luciano Bello, and Andrei Sabelfeld. 2014. JSFlow: tracking information flow in JavaScript and its APIs. In SAC, Yookun Cho, Sung Y. Shin, Sang-Wook Kim, Chih-Cheng Hung, and Jiman Hong (Eds.). ACM, 1663--1671."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-03237-0_17"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3589334.3645699"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2018.2878020"},{"key":"e_1_3_2_1_31_1","volume-title":"JSAI: a static analysis platform for JavaScript","author":"Kashyap Vineeth","unstructured":"Vineeth Kashyap, Kyle Dewey, Ethan A. Kuefner, John Wagner, Kevin Gibbons, John Sarracino, Ben Wiedermann, and Ben Hardekopf. 2014. JSAI: a static analysis platform for JavaScript. In FSE, Shing-Chi Cheung, Alessandro Orso, and Margaret-Anne D. Storey (Eds.). ACM, 121--132."},{"key":"e_1_3_2_1_32_1","volume-title":"EuroS&P","author":"Klein David","unstructured":"David Klein, Thomas Barber, Souphiane Bensalim, Ben Stock, and Martin Johns. 2022. Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions. In EuroS&P. IEEE, 236--250."},{"key":"e_1_3_2_1_33_1","volume-title":"FOOL 2012: 19th International Workshop on Foundations of Object-Oriented Languages. Citeseer, 96","author":"Lee Hongki","year":"2012","unstructured":"Hongki Lee, Sooncheol Won, Joonho Jin, Junhee Cho, and Sukyoung Ryu. 2012. SAFE: Formal specification and implementation of a scalable analysis framework for ECMAScript. In FOOL 2012: 19th International Workshop on Foundations of Object-Oriented Languages. Citeseer, 96."},{"key":"e_1_3_2_1_34_1","volume-title":"25 million flows later: large-scale detection of DOM-based XSS","author":"Lekies Sebastian","unstructured":"Sebastian Lekies, Ben Stock, and Martin Johns. 2013. 25 million flows later: large-scale detection of DOM-based XSS. In CCS, Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung (Eds.). ACM, 1193--1204."},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-004-0046-8"},{"key":"e_1_3_2_1_36_1","volume-title":"Riding out DOMsday: Towards Detecting and Preventing DOM Cross-Site Scripting","author":"Melicher William","unstructured":"William Melicher, Anupam Das, Mahmood Sharif, Lujo Bauer, and Limin Jia. 2018. Riding out DOMsday: Towards Detecting and Preventing DOM Cross-Site Scripting. In NDSS. The Internet Society."},{"key":"e_1_3_2_1_37_1","volume-title":"U Can't Debug This: Detecting JavaScript Anti-Debugging Techniques in the Wild","author":"Musch Marius","unstructured":"Marius Musch and Martin Johns. 2021. U Can't Debug This: Detecting JavaScript Anti-Debugging Techniques in the Wild. In USENIX Security, Michael D. Bailey and Rachel Greenstadt (Eds.). USENIX Association, 2935--2950."},{"key":"e_1_3_2_1_38_1","volume-title":"Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation","author":"Pochat Victor Le","year":"2019","unstructured":"Victor Le Pochat, Tom van Goethem, Samaneh Tajalizadehkhoob, Maciej Korczynski, and Wouter Joosen. 2019. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation. In NDSS. The Internet Society."},{"key":"e_1_3_2_1_39_1","volume-title":"Coen De Roover, and Elisa Gonzalez Boix","author":"Scull Pupo Angel Luis","year":"2018","unstructured":"Angel Luis Scull Pupo, Laurent Christophe, Jens Nicolay, Coen De Roover, and Elisa Gonzalez Boix. 2018. Practical Information Flow Control for Web Applications. In RV (Lecture Notes in Computer Science, Vol. 11237), Christian Colombo and Martin Leucker (Eds.). Springer, 372--388."},{"key":"e_1_3_2_1_40_1","unstructured":"IBM Research. 2006. T.J.Watson Libraries for Analysis (WALA). http:\/\/wala.sf.net [Accessed 18-04--2024]."},{"key":"e_1_3_2_1_41_1","volume-title":"The Security Lottery: Measuring Client-Side Web Security Inconsistencies. In 31st USENIX Security Symposium, USENIX Security 2022","author":"Roth Sebastian","year":"2022","unstructured":"Sebastian Roth, Stefano Calzavara, Moritz Wilhelm, Alvise Rabitti, and Ben Stock. 2022. The Security Lottery: Measuring Client-Side Web Security Inconsistencies. In 31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10--12, 2022, Kevin R. B. Butler and Kurt Thomas (Eds.). USENIX Association, 2047--2064. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/ roth"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2002.806121"},{"key":"e_1_3_2_1_43_1","volume-title":"FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications","author":"Saxena Prateek","year":"2010","unstructured":"Prateek Saxena, Steve Hanna, Pongsin Poosankam, and Dawn Song. 2010. FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications. In NDSS. The Internet Society."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2018.01.017"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"crossref","unstructured":"Koushik Sen Swaroop Kalasapur Tasneem G. Brutch and Simon Gibbs. 2013. Jalangi: a selective record-replay and dynamic analysis framework for JavaScript. In ESEC\/FSE Bertrand Meyer Luciano Baresi and Mira Mezini (Eds.). ACM 488--498.","DOI":"10.1145\/2491411.2491447"},{"key":"e_1_3_2_1_46_1","volume-title":"EuroS&P","author":"Sj\u00f6sten Alexander","unstructured":"Alexander Sj\u00f6sten, Daniel Hedin, and Andrei Sabelfeld. 2021. EssentialFP: Exposing the Essence of Browser Fingerprinting. In EuroS&P. IEEE, 32--48."},{"key":"e_1_3_2_1_47_1","volume-title":"Stack Overflow Developer Survey","author":"Overflow Stack","year":"2023","unstructured":"Stack Overflow. 2023. Stack Overflow Developer Survey 2023. https:\/\/survey.stackoverflow.co\/2023\/?utm_source=socialshare&utm_medium=social&utm_campaign=dev-survey-2023."},{"key":"e_1_3_2_1_48_1","volume-title":"Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild","author":"Steffens Marius","unstructured":"Marius Steffens, Christian Rossow, Martin Johns, and Ben Stock. 2019. Don't Trust The Locals: Investigating the Prevalence of Persistent Client-Side Cross-Site Scripting in the Wild. In NDSS. The Internet Society."},{"key":"e_1_3_2_1_49_1","volume-title":"USENIX Security","author":"Stock Ben","unstructured":"Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, and Martin Johns. 2014. Precise Client-side Protection against DOM-based Cross-Site Scripting. In USENIX Security, Kevin Fu and Jaeyeon Jung (Eds.). USENIX Association, 655--670."},{"key":"e_1_3_2_1_50_1","volume-title":"Analysis of JavaScript Programs: Challenges and Research Trends. ACM Comput. Surv. 50, 4","author":"Sun Kwangwon","year":"2017","unstructured":"Kwangwon Sun and Sukyoung Ryu. 2017. Analysis of JavaScript Programs: Challenges and Research Trends. ACM Comput. Surv. 50, 4 (2017), 59:1--59:34."},{"key":"e_1_3_2_1_51_1","volume-title":"Hybrid security analysis of web JavaScript code via dynamic partial evaluation","author":"Tripp Omer","unstructured":"Omer Tripp, Pietro Ferrara, and Marco Pistoia. 2014. Hybrid security analysis of web JavaScript code via dynamic partial evaluation. In ISSTA, Corina S. Pasareanu and Darko Marinov (Eds.). ACM, 49--59."},{"key":"e_1_3_2_1_52_1","volume-title":"Ryder","author":"Wei Shiyi","year":"2013","unstructured":"Shiyi Wei and Barbara G. Ryder. 2013. Practical blended taint analysis for JavaScript. In ISSTA, Mauro Pezz\u00e8 and Mark Harman (Eds.). ACM, 336--346."}],"event":{"name":"WWW '25: The ACM Web Conference 2025","location":"Sydney NSW Australia","acronym":"WWW '25","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"]},"container-title":["Proceedings of the ACM on Web Conference 2025"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714614","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696410.3714614","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:34Z","timestamp":1750295914000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696410.3714614"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,22]]},"references-count":52,"alternative-id":["10.1145\/3696410.3714614","10.1145\/3696410"],"URL":"https:\/\/doi.org\/10.1145\/3696410.3714614","relation":{},"subject":[],"published":{"date-parts":[[2025,4,22]]},"assertion":[{"value":"2025-04-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}