{"id":"https://openalex.org/W4410348104","doi":"https://doi.org/10.1007/s11416-025-00556-2","title":"Defeating FIDO2/CTAP2/WebAuthn using browser in the middle and reflected cross site scripting","display_name":"Defeating FIDO2/CTAP2/WebAuthn using browser in the middle and reflected cross site scripting","publication_year":2025,"publication_date":"2025-05-14","ids":{"openalex":"https://openalex.org/W4410348104","doi":"https://doi.org/10.1007/s11416-025-00556-2"},"language":"en","primary_location":{"id":"doi:10.1007/s11416-025-00556-2","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s11416-025-00556-2","pdf_url":"https://link.springer.com/content/pdf/10.1007/s11416-025-00556-2.pdf","source":{"id":"https://openalex.org/S2764922190","display_name":"Journal of Computer Virology and Hacking Techniques","issn_l":"2263-8733","issn":["2263-8733"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Computer Virology and Hacking Techniques","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://link.springer.com/content/pdf/10.1007/s11416-025-00556-2.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5069025192","display_name":"Christian Catalano","orcid":"https://orcid.org/0000-0003-4038-2317"},"institutions":[{"id":"https://openalex.org/I5561750","display_name":"University of Bari Aldo Moro","ror":"https://ror.org/027ynra39","country_code":"IT","type":"education","lineage":["https://openalex.org/I5561750"]}],"countries":["IT"],"is_corresponding":true,"raw_author_name":"Christian Catalano","raw_affiliation_strings":["University of Bari Aldo Moro, Bari, Italy"],"affiliations":[{"raw_affiliation_string":"University of Bari Aldo Moro, Bari, Italy","institution_ids":["https://openalex.org/I5561750"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5080353071","display_name":"Andrea Chezzi","orcid":null},"institutions":[{"id":"https://openalex.org/I142910587","display_name":"University of Salento","ror":"https://ror.org/03fc1k060","country_code":"IT","type":"education","lineage":["https://openalex.org/I142910587"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Andrea Chezzi","raw_affiliation_strings":["University of Salento, Lecce, Italy"],"affiliations":[{"raw_affiliation_string":"University of Salento, Lecce, Italy","institution_ids":["https://openalex.org/I142910587"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5065448436","display_name":"Vita Santa Barletta","orcid":"https://orcid.org/0000-0002-0163-6786"},"institutions":[{"id":"https://openalex.org/I5561750","display_name":"University of Bari Aldo Moro","ror":"https://ror.org/027ynra39","country_code":"IT","type":"education","lineage":["https://openalex.org/I5561750"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Vita Santa Barletta","raw_affiliation_strings":["University of Bari Aldo Moro, Bari, Italy"],"affiliations":[{"raw_affiliation_string":"University of Bari Aldo Moro, Bari, Italy","institution_ids":["https://openalex.org/I5561750"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5084437443","display_name":"Franco Tommasi","orcid":"https://orcid.org/0000-0003-2419-7381"},"institutions":[{"id":"https://openalex.org/I142910587","display_name":"University of Salento","ror":"https://ror.org/03fc1k060","country_code":"IT","type":"education","lineage":["https://openalex.org/I142910587"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Franco Tommasi","raw_affiliation_strings":["University of Salento, Lecce, Italy"],"affiliations":[{"raw_affiliation_string":"University of Salento, Lecce, Italy","institution_ids":["https://openalex.org/I142910587"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5069025192"],"corresponding_institution_ids":["https://openalex.org/I5561750"],"apc_list":{"value":2390,"currency":"EUR","value_usd":2990},"apc_paid":{"value":2390,"currency":"EUR","value_usd":2990},"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.13969784,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"21","issue":"1","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10679","display_name":"Service-Oriented Architecture and Web Services","score":0.9918000102043152,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10679","display_name":"Service-Oriented Architecture and Web Services","score":0.9918000102043152,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12016","display_name":"Web Data Mining and Analysis","score":0.9918000102043152,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10470","display_name":"Usability and User Interface Design","score":0.9896000027656555,"subfield":{"id":"https://openalex.org/subfields/1709","display_name":"Human-Computer Interaction"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8258379697799683},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.7573964595794678},{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.5065478086471558},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.3835951089859009},{"id":"https://openalex.org/keywords/computer-graphics","display_name":"Computer graphics (images)","score":0.3408401608467102},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.28125447034835815},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.08484447002410889}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8258379697799683},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.7573964595794678},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.5065478086471558},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3835951089859009},{"id":"https://openalex.org/C121684516","wikidata":"https://www.wikidata.org/wiki/Q7600677","display_name":"Computer graphics (images)","level":1,"score":0.3408401608467102},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.28125447034835815},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.08484447002410889},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.0},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1007/s11416-025-00556-2","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s11416-025-00556-2","pdf_url":"https://link.springer.com/content/pdf/10.1007/s11416-025-00556-2.pdf","source":{"id":"https://openalex.org/S2764922190","display_name":"Journal of Computer Virology and Hacking Techniques","issn_l":"2263-8733","issn":["2263-8733"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Computer Virology and Hacking Techniques","raw_type":"journal-article"},{"id":"pmh:oai:ricerca.uniba.it:11586/539442","is_oa":false,"landing_page_url":"https://hdl.handle.net/11586/539442","pdf_url":null,"source":{"id":"https://openalex.org/S4377196296","display_name":"CINECA IRIS Institutional Research Information System (University of Bari Aldo Moro)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I5561750","host_organization_name":"University of Bari Aldo Moro","host_organization_lineage":["https://openalex.org/I5561750"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"info:eu-repo/semantics/article"}],"best_oa_location":{"id":"doi:10.1007/s11416-025-00556-2","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s11416-025-00556-2","pdf_url":"https://link.springer.com/content/pdf/10.1007/s11416-025-00556-2.pdf","source":{"id":"https://openalex.org/S2764922190","display_name":"Journal of Computer Virology and Hacking Techniques","issn_l":"2263-8733","issn":["2263-8733"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Computer Virology and Hacking Techniques","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G3650733657","display_name":null,"funder_award_id":"NextGenerationEU","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"},{"id":"https://openalex.org/G4258564617","display_name":null,"funder_award_id":"European Union-NextGenerationEU","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"},{"id":"https://openalex.org/G507880695","display_name":null,"funder_award_id":"PE00000014","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"},{"id":"https://openalex.org/G5538284277","display_name":null,"funder_award_id":"National Recovery","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"},{"id":"https://openalex.org/G8893660128","display_name":null,"funder_award_id":"PE0000001","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"}],"funders":[{"id":"https://openalex.org/F4320320300","display_name":"European Commission","ror":"https://ror.org/00k4n6c32"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4410348104.pdf","grobid_xml":"https://content.openalex.org/works/W4410348104.grobid-xml"},"referenced_works_count":16,"referenced_works":["https://openalex.org/W2121937870","https://openalex.org/W2794591479","https://openalex.org/W2885841050","https://openalex.org/W2914982603","https://openalex.org/W2934481539","https://openalex.org/W3015349823","https://openalex.org/W3153427056","https://openalex.org/W4221011074","https://openalex.org/W4245023492","https://openalex.org/W4368352712","https://openalex.org/W4372048844","https://openalex.org/W4382862382","https://openalex.org/W4388483098","https://openalex.org/W4391424210","https://openalex.org/W4392841127","https://openalex.org/W4399138172"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W4366502726","https://openalex.org/W2150889667","https://openalex.org/W4392079573","https://openalex.org/W4233984944","https://openalex.org/W3190536237","https://openalex.org/W195300121","https://openalex.org/W2017602249"],"abstract_inverted_index":{"Abstract":[0],"In":[1],"our":[2],"modern":[3],"digital":[4],"landscape,":[5],"web":[6],"browsers":[7],"play":[8],"a":[9,43,94,128,139],"crucial":[10],"role":[11],"as":[12,48],"gateways":[13],"to":[14,64,67,92,155,189],"large":[15],"amounts":[16],"of":[17,54,113,136,158,178],"information":[18],"and":[19,34,173],"services.":[20],"However,":[21,71],"recent":[22],"developments":[23],"have":[24],"demonstrated":[25],"that":[26,30,75,79,153,168,180],"the":[27,49,55,72,83,111,134,148,175],"very":[28],"features":[29],"make":[31],"browsing":[32],"convenient":[33],"seamless":[35],"can":[36,120],"be":[37,65,93,121,144,156],"exploited":[38],"by":[39,99,123,183],"malicious":[40],"actors":[41],"through":[42],"potent":[44],"threat":[45],"vector":[46],"known":[47],"\u201cBrowser-in-the-Middle\u201d":[50],"(BitM)":[51],"attack.":[52],"Most":[53],"Multi-Factor":[56],"Authen-":[57],"tication":[58],"(MFA)":[59],"security":[60],"measures":[61],"are":[62],"shown":[63],"ineffective":[66],"prevent":[68],"BitM":[69,102,118,150],"attacks.":[70],"FIDO2":[73],"Project":[74],"includes":[76],"CTAP2":[77],"protocol":[78],"works":[80],"together":[81],"with":[82],"Web":[84],"Authentication":[85],"API":[86],"(WebAuthn":[87],"API)":[88],"has":[89],"been":[90],"proven":[91],"virtually":[95,184],"unattackable":[96],"MFA":[97,162],"method":[98,163,177],"current":[100],"state-of-the-art":[101],"implementations.":[103],"At":[104],"least":[105],"until":[106],"now.":[107],"This":[108],"work":[109],"expands":[110],"range":[112],"applica-":[114],"ble":[115],"scenarios":[116],"where":[117],"attack":[119,152,187],"used":[122],"taking":[124],"its":[125],"technical":[126],"architecture":[127],"step":[129],"further:":[130],"we":[131],"show":[132],"how":[133],"effectiveness":[135],"BitM\u2014used":[137],"along":[138],"Reflected":[140],"XSS":[141],"vulnerability":[142],"exploitation\u2014can":[143],"improved":[145],"resulting":[146],"in":[147],"novel":[149],"+":[151],"proves":[154],"capable":[157],"defeating":[159],"any":[160,185],"available":[161],"includ-":[164],"ing":[165],"FIDO2/WebAuthn":[166],"solutions":[167],"rely":[169],"on":[170],"hardware":[171],"dongles":[172],"represent":[174],"only":[176],"authentication":[179],"went":[181],"undefeated":[182],"phishing":[186],"approach":[188],"date.":[190]},"counts_by_year":[],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}