{"id":"https://openalex.org/W3204001540","doi":"https://doi.org/10.1109/sp46214.2022.9833681","title":"A Formal Security Analysis of the W3C Web Payment APIs: Attacks and Verification","display_name":"A Formal Security Analysis of the W3C Web Payment APIs: Attacks and Verification","publication_year":2022,"publication_date":"2022-05-01","ids":{"openalex":"https://openalex.org/W3204001540","doi":"https://doi.org/10.1109/sp46214.2022.9833681","mag":"3204001540"},"language":"en","primary_location":{"id":"doi:10.1109/sp46214.2022.9833681","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46214.2022.9833681","pdf_url":null,"source":{"id":"https://openalex.org/S4363606603","display_name":"2022 IEEE Symposium on Security and Privacy (SP)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5017817995","display_name":"Quoc Huy","orcid":null},"institutions":[{"id":"https://openalex.org/I100066346","display_name":"University of Stuttgart","ror":"https://ror.org/04vnq7t77","country_code":"DE","type":"education","lineage":["https://openalex.org/I100066346"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Quoc Huy Do","raw_affiliation_strings":["University of Stuttgart,Stuttgart,Germany","University of Stuttgart, Stuttgart, Germany"],"affiliations":[{"raw_affiliation_string":"University of Stuttgart,Stuttgart,Germany","institution_ids":["https://openalex.org/I100066346"]},{"raw_affiliation_string":"University of Stuttgart, Stuttgart, Germany","institution_ids":["https://openalex.org/I100066346"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5057518736","display_name":"Pedram Hosseyni","orcid":"https://orcid.org/0000-0001-5618-5663"},"institutions":[{"id":"https://openalex.org/I100066346","display_name":"University of Stuttgart","ror":"https://ror.org/04vnq7t77","country_code":"DE","type":"education","lineage":["https://openalex.org/I100066346"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Pedram Hosseyni","raw_affiliation_strings":["University of Stuttgart,Stuttgart,Germany","University of Stuttgart, Stuttgart, Germany"],"affiliations":[{"raw_affiliation_string":"University of Stuttgart,Stuttgart,Germany","institution_ids":["https://openalex.org/I100066346"]},{"raw_affiliation_string":"University of Stuttgart, Stuttgart, Germany","institution_ids":["https://openalex.org/I100066346"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5088011494","display_name":"Ralf K\u00fcsters","orcid":"https://orcid.org/0000-0002-9071-9312"},"institutions":[{"id":"https://openalex.org/I100066346","display_name":"University of Stuttgart","ror":"https://ror.org/04vnq7t77","country_code":"DE","type":"education","lineage":["https://openalex.org/I100066346"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Ralf K\u00fcsters","raw_affiliation_strings":["University of Stuttgart,Stuttgart,Germany","University of Stuttgart, Stuttgart, Germany"],"affiliations":[{"raw_affiliation_string":"University of Stuttgart,Stuttgart,Germany","institution_ids":["https://openalex.org/I100066346"]},{"raw_affiliation_string":"University of Stuttgart, Stuttgart, Germany","institution_ids":["https://openalex.org/I100066346"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5032615835","display_name":"Guido Schmitz","orcid":"https://orcid.org/0000-0002-3776-5475"},"institutions":[{"id":"https://openalex.org/I100066346","display_name":"University of Stuttgart","ror":"https://ror.org/04vnq7t77","country_code":"DE","type":"education","lineage":["https://openalex.org/I100066346"]},{"id":"https://openalex.org/I184558857","display_name":"Royal Holloway University of London","ror":"https://ror.org/04g2vpn86","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I184558857"]}],"countries":["DE","GB"],"is_corresponding":false,"raw_author_name":"Guido Schmitz","raw_affiliation_strings":["University of Stuttgart,Stuttgart,Germany","Royal Holloway, University of London, Egham, Surrey, UK","University of Stuttgart, Stuttgart, Germany"],"affiliations":[{"raw_affiliation_string":"University of Stuttgart,Stuttgart,Germany","institution_ids":["https://openalex.org/I100066346"]},{"raw_affiliation_string":"Royal Holloway, University of London, Egham, Surrey, UK","institution_ids":["https://openalex.org/I184558857"]},{"raw_affiliation_string":"University of Stuttgart, Stuttgart, Germany","institution_ids":["https://openalex.org/I100066346"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5050042923","display_name":"Nils Wenzler","orcid":null},"institutions":[{"id":"https://openalex.org/I100066346","display_name":"University of Stuttgart","ror":"https://ror.org/04vnq7t77","country_code":"DE","type":"education","lineage":["https://openalex.org/I100066346"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Nils Wenzler","raw_affiliation_strings":["University of Stuttgart,Stuttgart,Germany","University of Stuttgart, Stuttgart, Germany"],"affiliations":[{"raw_affiliation_string":"University of Stuttgart,Stuttgart,Germany","institution_ids":["https://openalex.org/I100066346"]},{"raw_affiliation_string":"University of Stuttgart, Stuttgart, Germany","institution_ids":["https://openalex.org/I100066346"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5005751525","display_name":"Tim W\u00fcrtele","orcid":"https://orcid.org/0000-0002-4729-0629"},"institutions":[{"id":"https://openalex.org/I100066346","display_name":"University of Stuttgart","ror":"https://ror.org/04vnq7t77","country_code":"DE","type":"education","lineage":["https://openalex.org/I100066346"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Tim W\u00fcrtele","raw_affiliation_strings":["University of Stuttgart,Stuttgart,Germany","University of Stuttgart, Stuttgart, Germany"],"affiliations":[{"raw_affiliation_string":"University of Stuttgart,Stuttgart,Germany","institution_ids":["https://openalex.org/I100066346"]},{"raw_affiliation_string":"University of Stuttgart, Stuttgart, Germany","institution_ids":["https://openalex.org/I100066346"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":6,"corresponding_author_ids":["https://openalex.org/A5017817995"],"corresponding_institution_ids":["https://openalex.org/I100066346"],"apc_list":null,"apc_paid":null,"fwci":0.7271,"has_fulltext":false,"cited_by_count":7,"citation_normalized_percentile":{"value":0.69225382,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":98},"biblio":{"volume":"7321","issue":null,"first_page":"215","last_page":"234"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9968000054359436,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.9966999888420105,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/payment","display_name":"Payment","score":0.6643463373184204},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5969022512435913},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.5779802203178406},{"id":"https://openalex.org/keywords/payment-service-provider","display_name":"Payment service provider","score":0.5278527736663818},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.4298689663410187},{"id":"https://openalex.org/keywords/web-service","display_name":"Web service","score":0.4216550886631012},{"id":"https://openalex.org/keywords/payment-processor","display_name":"Payment processor","score":0.4124515652656555},{"id":"https://openalex.org/keywords/payment-card","display_name":"Payment card","score":0.41184067726135254},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.3200272023677826}],"concepts":[{"id":"https://openalex.org/C145097563","wikidata":"https://www.wikidata.org/wiki/Q1148747","display_name":"Payment","level":2,"score":0.6643463373184204},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5969022512435913},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.5779802203178406},{"id":"https://openalex.org/C185822510","wikidata":"https://www.wikidata.org/wiki/Q1956140","display_name":"Payment service provider","level":3,"score":0.5278527736663818},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4298689663410187},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.4216550886631012},{"id":"https://openalex.org/C190978112","wikidata":"https://www.wikidata.org/wiki/Q17074350","display_name":"Payment processor","level":3,"score":0.4124515652656555},{"id":"https://openalex.org/C21021354","wikidata":"https://www.wikidata.org/wiki/Q1207171","display_name":"Payment card","level":3,"score":0.41184067726135254},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.3200272023677826}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/sp46214.2022.9833681","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46214.2022.9833681","pdf_url":null,"source":{"id":"https://openalex.org/S4363606603","display_name":"2022 IEEE Symposium on Security and Privacy (SP)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.5699999928474426,"id":"https://metadata.un.org/sdg/9","display_name":"Industry, innovation and infrastructure"}],"awards":[],"funders":[{"id":"https://openalex.org/F4320320879","display_name":"Deutsche Forschungsgemeinschaft","ror":"https://ror.org/018mejw64"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":38,"referenced_works":["https://openalex.org/W6139613","https://openalex.org/W105715719","https://openalex.org/W851575271","https://openalex.org/W1436154611","https://openalex.org/W1547554933","https://openalex.org/W1773284672","https://openalex.org/W1785797725","https://openalex.org/W1973054120","https://openalex.org/W1997143966","https://openalex.org/W2053070160","https://openalex.org/W2096473396","https://openalex.org/W2096686131","https://openalex.org/W2103475742","https://openalex.org/W2131906261","https://openalex.org/W2143190626","https://openalex.org/W2143504694","https://openalex.org/W2144271133","https://openalex.org/W2154209904","https://openalex.org/W2229250518","https://openalex.org/W2272156155","https://openalex.org/W2274730982","https://openalex.org/W2400522057","https://openalex.org/W2604903677","https://openalex.org/W2613387059","https://openalex.org/W2962768977","https://openalex.org/W2963149044","https://openalex.org/W2964194080","https://openalex.org/W3129371464","https://openalex.org/W3140670915","https://openalex.org/W3168249503","https://openalex.org/W3204001540","https://openalex.org/W6604243033","https://openalex.org/W6623621951","https://openalex.org/W6628310567","https://openalex.org/W6713125784","https://openalex.org/W6736295370","https://openalex.org/W6792553156","https://openalex.org/W7000657772"],"related_works":["https://openalex.org/W2255420981","https://openalex.org/W1568055055","https://openalex.org/W1573618587","https://openalex.org/W2910027329","https://openalex.org/W2620430233","https://openalex.org/W1956359756","https://openalex.org/W1485527520","https://openalex.org/W4285317943","https://openalex.org/W2282821933","https://openalex.org/W2998084162"],"abstract_inverted_index":{"Payment":[0,122,180,193,228,337],"is":[1,83,106,186,236],"an":[2,136,283],"essential":[3],"part":[4],"of":[5,18,89,178,201,212,225,248],"e-commerce.":[6],"Merchants":[7],"usually":[8],"rely":[9],"on":[10,238],"third-parties,":[11],"so-called":[12],"payment":[13,21,30,43,101,109,165,263],"processors,":[14,166],"who":[15,308],"take":[16],"care":[17],"transferring":[19],"the":[20,23,26,34,37,56,61,81,93,99,120,139,176,191,221,226,239,244,249,261,266,292,300,305,318,327,334],"from":[22,135],"customer":[24,35],"to":[25,52,91,107,118,146,252,259,281,299,317],"merchant.":[27],"How":[28],"a":[29,40,64,86,111,231,278],"processor":[31,44],"interacts":[32],"with":[33,63],"and":[36,59,68,79,97,133,156,163,295,329,331],"merchant":[38,280],"varies":[39],"lot.":[41],"Each":[42],"typically":[45],"invents":[46],"its":[47],"own":[48],"protocol":[49],"that":[50,190,276,333],"has":[51,206],"be":[53,131,197],"integrated":[54],"into":[55,114,265],"merchant\u2019s":[57],"application":[58],"provides":[60],"user":[62,70],"new,":[65],"potentially":[66],"unknown":[67],"confusing":[69],"experience.Pushed":[71],"by":[72,199,321,326],"major":[73,148],"companies,":[74],"including":[75],"Apple,":[76],"Google,":[77],"Master-card,":[78],"Visa,":[80],"W3C":[82,301,328],"currently":[84],"developing":[85],"new":[87,126,161,214,262,273],"set":[88],"standards":[90],"unify":[92],"online":[94],"checkout":[95,127],"process":[96,128],"\u201cstreamline":[98],"user\u2019s":[100],"experience\u201d.":[102],"The":[103,184],"main":[104],"idea":[105],"integrate":[108,260],"as":[110,119,151,168,302,304],"native":[112],"functionality":[113,264],"web":[115,250],"browsers,":[116,149],"referred":[117],"Web":[121,179,192,227,240,336],"APIs.":[123],"While":[124],"this":[125,217],"will":[129,195],"indeed":[130,339],"simple":[132],"convenient":[134],"end-user":[137],"perspective,":[138],"technical":[140],"realization":[141],"requires":[142],"rather":[143],"significant":[144],"changes":[145],"browsers.Many":[147],"such":[150,167,223],"Chrome,":[152,330],"Firefox,":[153],"Edge,":[154],"Safari,":[155],"Opera,":[157],"already":[158],"implement":[159],"these":[160,213,297,311],"standards,":[162,230],"many":[164],"Google":[169],"Pay,":[170,172],"Apple":[171],"or":[173],"Stripe,":[174],"support":[175],"use":[177],"APIs":[181,194,229,338],"for":[182],"payments.":[183],"ecosystem":[185],"constantly":[187],"growing,":[188],"meaning":[189],"likely":[196],"used":[198],"millions":[200],"people":[202],"worldwide.So":[203],"far,":[204],"there":[205],"been":[207,324],"no":[208],"in-depth":[209],"security":[210,342],"analysis":[211,224,270],"standards.":[215],"In":[216],"paper,":[218],"we":[219,257,314],"present":[220],"first":[222],"rigorous":[232],"formal":[233],"analysis.":[234],"It":[235],"based":[237],"Infrastructure":[241],"Model":[242],"(WIM),":[243],"most":[245],"comprehensive":[246],"model":[247],"infrastructure":[251],"date,":[253],"which,":[254],"among":[255],"others,":[256],"extend":[258],"generic":[267],"browser":[268],"model.Our":[269],"reveals":[271],"two":[272],"critical":[274],"vulnerabilities":[275],"allow":[277],"malicious":[279],"over-charge":[282],"unsuspecting":[284],"customer.":[285],"We":[286],"have":[287,309,323],"verified":[288],"our":[289],"attacks":[290],"using":[291],"Chrome":[293,306],"implementation":[294],"reported":[296],"problems":[298],"well":[303],"developers,":[307],"acknowledged":[310],"problems.":[312],"Moreover,":[313],"propose":[315],"fixes":[316],"standard,":[319],"which":[320],"now":[322],"adopted":[325],"prove":[332],"fixed":[335],"satisfy":[340],"strong":[341],"properties.":[343]},"counts_by_year":[{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":1},{"year":2022,"cited_by_count":2}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}