{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,15]],"date-time":"2025-08-15T02:33:35Z","timestamp":1755225215831,"version":"3.43.0"},"publisher-location":"New York, NY, USA","reference-count":67,"publisher":"ACM","funder":[{"name":"National Research Foundation of Korea (NRF)","award":["RS-2023-NR076965"],"award-info":[{"award-number":["RS-2023-NR076965"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,8,25]]},"DOI":"10.1145\/3708821.3733889","type":"proceedings-article","created":{"date-parts":[[2025,8,13]],"date-time":"2025-08-13T06:30:56Z","timestamp":1755066656000},"page":"1323-1337","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["TrustyMon: Practical Detection of DOM-based Cross-Site Scripting Attacks Using Trusted Types"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1057-9023","authenticated-orcid":false,"given":"Sunnyeo","family":"Park","sequence":"first","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7159-565X","authenticated-orcid":false,"given":"Jihwan","family":"Kim","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-8680-7725","authenticated-orcid":false,"given":"Seongho","family":"Keum","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-2391-8233","authenticated-orcid":false,"given":"Hyunjoon","family":"Lee","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0904-2875","authenticated-orcid":false,"given":"Sooel","family":"Son","sequence":"additional","affiliation":[{"name":"KAIST, Daejeon, Republic of Korea"}]}],"member":"320","published-online":{"date-parts":[[2025,8,24]]},"reference":[{"key":"e_1_3_3_1_2_2","unstructured":"AcornJS. 2024. Acorn: A small fast JavaScript-based JavaScript parser. https:\/\/github.com\/acornjs\/acorn."},{"key":"e_1_3_3_1_3_2","unstructured":"Alexis Deveria. 2024. Can I use: Trusted Types for DOM manipulation. https:\/\/caniuse.com\/trusted-types."},{"key":"e_1_3_3_1_4_2","unstructured":"Daniel An. 2018. Find out how you stack up to new industry benchmarks for mobile page speed. https:\/\/www.thinkwithgoogle.com\/marketing-strategies\/app-and-mobile\/mobile-page-speed-new-industry-benchmarks."},{"key":"e_1_3_3_1_5_2","volume-title":"Proceedings of the USENIX Conference on Web Application Development","author":"Athanasopoulos Elias","year":"2010","unstructured":"Elias Athanasopoulos, Vasilis Pappas, Antonis Krithinakis, Spyros Ligouras, Evangelos\u00a0P Markatos, and Thomas Karagiannis. 2010. xJS: Practical XSS Prevention for Web Application Development. In Proceedings of the USENIX Conference on Web Application Development."},{"key":"e_1_3_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/3447852.3458718"},{"key":"e_1_3_3_1_7_2","unstructured":"Chromium. 2019. Commit: Make trustedTypes() available on ExecutionContext. https:\/\/github.com\/chromium\/chromium\/commit\/a9f3bdb3d19326f510923daa08bd05e9e3e5fb7a."},{"key":"e_1_3_3_1_8_2","unstructured":"Chromium. 2024. Commit: Protect new setHTMLUnsafe and parseHTMLUnsafe methods with trusted types. https:\/\/github.com\/chromium\/chromium\/commit\/5f9c98130587c76019cb2692d0c850e689b4b3d2."},{"key":"e_1_3_3_1_9_2","unstructured":"Thomas Claburn. 2023. Mozilla decides Trusted Types is a worthy security feature. https:\/\/www.theregister.com\/2023\/12\/21\/mozilla_decides_trusted_types_is."},{"key":"e_1_3_3_1_10_2","unstructured":"The\u00a0MITRE Corporation. 2023. CVE. https:\/\/cve.mitre.org."},{"key":"e_1_3_3_1_11_2","unstructured":"Crawljax. 2023. Crawljax. https:\/\/github.com\/crawljax\/crawljax."},{"key":"e_1_3_3_1_12_2","doi-asserted-by":"crossref","unstructured":"Aurore Fass. 2020. HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs. https:\/\/github.com\/Aurore54F\/HideNoSeek.","DOI":"10.1145\/3319535.3345656"},{"key":"e_1_3_3_1_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3345656"},{"key":"e_1_3_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.53"},{"key":"e_1_3_3_1_15_2","unstructured":"Google. 2024. The Chromium Projects. https:\/\/source.chromium.org\/chromium\/chromium\/src\/."},{"key":"e_1_3_3_1_16_2","doi-asserted-by":"crossref","unstructured":"Charu Gupta Rakesh\u00a0Kumar Singh and Amar\u00a0Kumar Mohapatra. 2022. GeneMiner: a classification approach for detection of XSS attacks on web services. Computational Intelligence and Neuroscience (2022).","DOI":"10.1155\/2022\/3675821"},{"key":"e_1_3_3_1_17_2","doi-asserted-by":"crossref","unstructured":"Shashank Gupta and Brij\u00a0Bhooshan Gupta. 2016. XSS-immune: a Google chrome extension-based XSS defensive framework for contemporary platforms of web applications. Security and Communication Networks 9 17 (2016) 3966\u20133986.","DOI":"10.1002\/sec.1579"},{"key":"e_1_3_3_1_18_2","doi-asserted-by":"crossref","unstructured":"Shashank Gupta Brij\u00a0Bhooshan Gupta and Pooja Chaudhary. 2018. Hunting for DOM-Based XSS vulnerabilities in mobile cloud-based online social network. Future Generation Computer Systems 79 (2018) 319\u2013336.","DOI":"10.1016\/j.future.2017.05.038"},{"key":"e_1_3_3_1_19_2","unstructured":"Guy Podjarny (Snyk). 2017. XSS Attacks: The Next Wave. https:\/\/snyk.io\/blog\/xss-attacks-the-next-wave."},{"key":"e_1_3_3_1_20_2","unstructured":"HackerOne. 2024. The HackerOne Top 10 Vulnerability Types. https:\/\/www.hackerone.com\/top-ten-vulnerabilities."},{"key":"e_1_3_3_1_21_2","unstructured":"HAHWUL. 2021. History of OWASP TOP 10. https:\/\/www.hahwul.com\/cullinan\/history-of-owasp-top-10."},{"key":"e_1_3_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-66399-9_7"},{"key":"e_1_3_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-57735-7_13"},{"key":"e_1_3_3_1_24_2","unstructured":"Invicti. 2021. The Invicti AppSec Indicator Spring 2021 Edition: Acunetix Web Vulnerability Report. https:\/\/www.acunetix.com\/white-papers\/acunetix-web-application-vulnerability-report-2021."},{"key":"e_1_3_3_1_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3339252.3339257"},{"key":"e_1_3_3_1_26_2","unstructured":"Krzysztof Kotowicz. 2021. Trusted Types - mid 2021 report. https:\/\/storage.googleapis.com\/pub-tools-public-publication-data\/pdf\/2cbfffc0943dabf34c499f786080ffa2cda9cb4c.pdf."},{"key":"e_1_3_3_1_27_2","unstructured":"Krzysztof Kotowicz (W3C). 2024. Trusted Types. https:\/\/w3c.github.io\/trusted-types\/dist\/spec."},{"key":"e_1_3_3_1_28_2","unstructured":"Krzysztof Kotowicz (W3C). 2024. Trusted Types - DOM XSS injection sinks. https:\/\/w3c.github.io\/trusted-types\/dist\/spec\/#dom-xss-injection-sinks."},{"key":"e_1_3_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23386"},{"key":"e_1_3_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516703"},{"key":"e_1_3_3_1_31_2","doi-asserted-by":"crossref","unstructured":"Hung-Jen Liao Chun-Hung\u00a0Richard Lin Ying-Chih Lin and Kuang-Yuan Tung. 2013. Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications 36 1 (2013) 16\u201324.","DOI":"10.1016\/j.jnca.2012.09.004"},{"key":"e_1_3_3_1_32_2","unstructured":"Marmelab. 2022. gremlins.js. https:\/\/github.com\/marmelab\/gremlins.js."},{"key":"e_1_3_3_1_33_2","unstructured":"MDN. 2023. CSP: require-trusted-types-for. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Content-Security-Policy\/require-trusted-types-for."},{"key":"e_1_3_3_1_34_2","unstructured":"MDN. 2023. CSP: trusted-types. https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/Content-Security-Policy\/trusted-types."},{"key":"e_1_3_3_1_35_2","unstructured":"MDN. 2024. IIFE. https:\/\/developer.mozilla.org\/en-US\/docs\/Glossary\/IIFE."},{"key":"e_1_3_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23309"},{"key":"e_1_3_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3450062"},{"key":"e_1_3_3_1_38_2","unstructured":"Mike West Antonio Sartori (W3C). 2024. Content Security Policy Level 3. https:\/\/w3c.github.io\/webappsec-csp."},{"key":"e_1_3_3_1_39_2","unstructured":"Mitmproxy Project. 2024. mitmproxy. https:\/\/mitmproxy.org."},{"key":"e_1_3_3_1_40_2","doi-asserted-by":"crossref","unstructured":"Dimitris Mitropoulos Konstantinos Stroggylos Diomidis Spinellis and Angelos\u00a0D Keromytis. 2016. How to train your browser: Preventing XSS attacks using contextual script fingerprints. ACM Transactions on Privacy and Security (TOPS) 19 1 (2016) 1\u201331.","DOI":"10.1145\/2939374"},{"key":"e_1_3_3_1_41_2","doi-asserted-by":"crossref","unstructured":"Marius Musch Marius Steffens Sebastian Roth Ben Stock and Martin Johns. 2019. ScriptProtect. https:\/\/github.com\/scriptprotect\/scriptprotect.","DOI":"10.1145\/3321705.3329841"},{"key":"e_1_3_3_1_42_2","first-page":"391","volume-title":"Proceedings of the ACM Asia Conference on Computer and Communications Security","author":"Musch Marius","year":"2019","unstructured":"Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, and Martin Johns. 2019. Scriptprotect: mitigating unsafe third-party javascript practices. In Proceedings of the ACM Asia Conference on Computer and Communications Security. 391\u2013402."},{"key":"e_1_3_3_1_43_2","unstructured":"OWASP. 2021. OWASP Top Ten. https:\/\/owasp.org\/www-project-top-ten4."},{"key":"e_1_3_3_1_44_2","unstructured":"OWASP. 2024. XSS Filter Evasion Cheat Sheet. https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/XSS_Filter_Evasion_Cheat_Sheet.html."},{"key":"e_1_3_3_1_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2017.11"},{"key":"e_1_3_3_1_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978384"},{"key":"e_1_3_3_1_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786821"},{"key":"e_1_3_3_1_48_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179311"},{"key":"e_1_3_3_1_49_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.23046"},{"key":"e_1_3_3_1_50_2","unstructured":"Snyk. 2020. The State of Open Source Security 2020. https:\/\/snyk.io\/series\/open-source-security\/report-2020."},{"key":"e_1_3_3_1_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813710"},{"key":"e_1_3_3_1_52_2","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772784"},{"key":"e_1_3_3_1_53_2","unstructured":"StatCounter. 2024. Browser Market Share Worldwide. https:\/\/gs.statcounter.com\/browser-market-share."},{"key":"e_1_3_3_1_54_2","volume-title":"Proceedings of the Network and Distributed System Security Symposium","author":"Steffens Marius","year":"2021","unstructured":"Marius Steffens, Marius Musch, Martin Johns, and Ben Stock. 2021. Who\u2019s hosting the block party? studying third-party blockage of csp and sri. In Proceedings of the Network and Distributed System Security Symposium."},{"key":"e_1_3_3_1_55_2","first-page":"971","volume-title":"Proceedings of the USENIX Security Symposium","author":"Stock Ben","year":"2017","unstructured":"Ben Stock, Martin Johns, Marius Steffens, and Michael Backes. 2017. How the Web Tangled Itself: Uncovering the History of Client-Side Web (In) Security. In Proceedings of the USENIX Security Symposium. 971\u2013987."},{"key":"e_1_3_3_1_56_2","first-page":"655","volume-title":"Proceedings of the USENIX Security Symposium","author":"Stock Ben","year":"2014","unstructured":"Ben Stock, Sebastian Lekies, Tobias Mueller, Patrick Spiegel, and Martin Johns. 2014. Precise client-side protection against DOM-based cross-site scripting. In Proceedings of the USENIX Security Symposium. 655\u2013670."},{"key":"e_1_3_3_1_57_2","first-page":"1015","volume-title":"Proceedings of the USENIX Security Symposium","author":"Stock Ben","year":"2016","unstructured":"Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes. 2016. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification. In Proceedings of the USENIX Security Symposium. 1015\u20131032."},{"key":"e_1_3_3_1_58_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813625"},{"key":"e_1_3_3_1_59_2","unstructured":"Sucuri\u2019s Research. 2021. 2021 Website Threat Research Report. https:\/\/sucuri.net\/wp-content\/uploads\/2022\/04\/sucuri-2021-hacked-report.pdf."},{"key":"e_1_3_3_1_60_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-31540-4_17"},{"key":"e_1_3_3_1_61_2","unstructured":"Vimal Tarsariya (Vasundhara Infotech). 2023. Latest 13 Website Development Trends To Expect In 2023. https:\/\/vasundhara.io\/blogs\/web-development-trends."},{"key":"e_1_3_3_1_62_2","unstructured":"W3C. 2024. trusted-types. https:\/\/github.com\/w3c\/trusted-types."},{"key":"e_1_3_3_1_63_2","first-page":"1360","volume-title":"Proceedings of the International Conference on Software Engineering","author":"Wang Pei","year":"2021","unstructured":"Pei Wang, Julian Bangert, and Christoph Kern. 2021. If it\u2019s not secure, it should not compile: Preventing DOM-based XSS in large-scale web development with API hardening. In Proceedings of the International Conference on Software Engineering. 1360\u20131372."},{"key":"e_1_3_3_1_64_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW54576.2021.00013"},{"key":"e_1_3_3_1_65_2","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978363"},{"key":"e_1_3_3_1_66_2","unstructured":"Mike West. 2024. Web Mitigation Metrics - Trusted Types. https:\/\/mitigation.supply\/#trusted-types."},{"key":"e_1_3_3_1_67_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24200"},{"key":"e_1_3_3_1_68_2","unstructured":"Think with Google. 2016. Mobile Site Load Time Statistics. https:\/\/www.thinkwithgoogle.com\/consumer-insights\/consumer-trends\/mobile-site-load-time-statistics."}],"event":{"name":"ASIA CCS '25: 20th ACM Asia Conference on Computer and Communications Security","location":"Hanoi Vietnam","acronym":"ASIA CCS '25","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 20th ACM Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3708821.3733889","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,13]],"date-time":"2025-08-13T07:25:39Z","timestamp":1755069939000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3708821.3733889"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,8,24]]},"references-count":67,"alternative-id":["10.1145\/3708821.3733889","10.1145\/3708821"],"URL":"https:\/\/doi.org\/10.1145\/3708821.3733889","relation":{},"subject":[],"published":{"date-parts":[[2025,8,24]]},"assertion":[{"value":"2025-08-24","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}