{"id":"https://openalex.org/W4287851242","doi":"https://doi.org/10.1109/spw54247.2022.9833888","title":"To hash or not to hash: A security assessment of CSP\u2019s unsafe-hashes expression","display_name":"To hash or not to hash: A security assessment of CSP\u2019s unsafe-hashes expression","publication_year":2022,"publication_date":"2022-05-01","ids":{"openalex":"https://openalex.org/W4287851242","doi":"https://doi.org/10.1109/spw54247.2022.9833888"},"language":"en","primary_location":{"id":"doi:10.1109/spw54247.2022.9833888","is_oa":false,"landing_page_url":"https://doi.org/10.1109/spw54247.2022.9833888","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Security and Privacy Workshops (SPW)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://figshare.com/articles/conference_contribution/To_hash_or_not_to_hash_A_security_assessment_of_CSP_s_unsafe-hashes_expression/24614322","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5054015897","display_name":"Peter Stolz","orcid":null},"institutions":[{"id":"https://openalex.org/I91712215","display_name":"Saarland University","ror":"https://ror.org/01jdpyv68","country_code":"DE","type":"education","lineage":["https://openalex.org/I91712215"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Peter Stolz","raw_affiliation_strings":["Saarland University &amp; Bitahoy GmbH"],"affiliations":[{"raw_affiliation_string":"Saarland University &amp; Bitahoy GmbH","institution_ids":["https://openalex.org/I91712215"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5003170727","display_name":"Sebastian Roth","orcid":"https://orcid.org/0009-0004-3529-1407"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Sebastian Roth","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5087823285","display_name":"Ben Stock","orcid":"https://orcid.org/0000-0001-9659-0700"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Ben Stock","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security","institution_ids":["https://openalex.org/I4210128801"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5054015897"],"corresponding_institution_ids":["https://openalex.org/I91712215"],"apc_list":null,"apc_paid":null,"fwci":0.3182,"has_fulltext":false,"cited_by_count":1,"citation_normalized_percentile":{"value":0.61443975,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":94},"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"12"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9923999905586243,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9829999804496765,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.8812768459320068},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8513056039810181},{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.651076078414917},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.6195746660232544},{"id":"https://openalex.org/keywords/hash-function","display_name":"Hash function","score":0.5907014608383179},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.581602931022644},{"id":"https://openalex.org/keywords/web-crawler","display_name":"Web crawler","score":0.5102770328521729},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.4825931787490845},{"id":"https://openalex.org/keywords/event","display_name":"Event (particle physics)","score":0.4239733815193176},{"id":"https://openalex.org/keywords/replay-attack","display_name":"Replay attack","score":0.41075050830841064},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.36926865577697754},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.3286973536014557},{"id":"https://openalex.org/keywords/web-page","display_name":"Web page","score":0.31908679008483887},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.23728275299072266},{"id":"https://openalex.org/keywords/web-development","display_name":"Web development","score":0.08706611394882202}],"concepts":[{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.8812768459320068},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8513056039810181},{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.651076078414917},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.6195746660232544},{"id":"https://openalex.org/C99138194","wikidata":"https://www.wikidata.org/wiki/Q183427","display_name":"Hash function","level":2,"score":0.5907014608383179},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.581602931022644},{"id":"https://openalex.org/C13743948","wikidata":"https://www.wikidata.org/wiki/Q45842","display_name":"Web crawler","level":2,"score":0.5102770328521729},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.4825931787490845},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.4239733815193176},{"id":"https://openalex.org/C11560541","wikidata":"https://www.wikidata.org/wiki/Q1756025","display_name":"Replay attack","level":3,"score":0.41075050830841064},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.36926865577697754},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.3286973536014557},{"id":"https://openalex.org/C21959979","wikidata":"https://www.wikidata.org/wiki/Q36774","display_name":"Web page","level":2,"score":0.31908679008483887},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.23728275299072266},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.08706611394882202},{"id":"https://openalex.org/C121332964","wikidata":"https://www.wikidata.org/wiki/Q413","display_name":"Physics","level":0,"score":0.0},{"id":"https://openalex.org/C62520636","wikidata":"https://www.wikidata.org/wiki/Q944","display_name":"Quantum mechanics","level":1,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1109/spw54247.2022.9833888","is_oa":false,"landing_page_url":"https://doi.org/10.1109/spw54247.2022.9833888","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2022 IEEE Security and Privacy Workshops (SPW)","raw_type":"proceedings-article"},{"id":"pmh:oai:figshare.com:article/24614322","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/To_hash_or_not_to_hash_A_security_assessment_of_CSP_s_unsafe-hashes_expression/24614322","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},{"id":"doi:10.60882/cispa.24614322.v1","is_oa":true,"landing_page_url":"https://doi.org/10.60882/cispa.24614322.v1","pdf_url":null,"source":{"id":"https://openalex.org/S7407050916","display_name":"CISPA Helmholtz Center","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:figshare.com:article/24614322","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/To_hash_or_not_to_hash_A_security_assessment_of_CSP_s_unsafe-hashes_expression/24614322","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.7799999713897705,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":["https://openalex.org/W2907490423","https://openalex.org/W1999250920","https://openalex.org/W2548409577","https://openalex.org/W1531015913","https://openalex.org/W3180404666","https://openalex.org/W2407701912","https://openalex.org/W1484631816","https://openalex.org/W2167752994","https://openalex.org/W2907218437","https://openalex.org/W2181766705"],"abstract_inverted_index":{"More":[0],"and":[1,19,115,123,231,339],"more":[2],"people":[3],"use":[4,12],"the":[5,24,31,43,48,51,65,82,94,117,133,149,194,217,249,290,313,341,347,350],"Web":[6,25,73,135,198],"on":[7,71,299,346],"a":[8,59,197,205,256,265,282,309],"daily":[9],"basis.":[10],"We":[11,219,263,316],"it":[13,28,85,202,211],"for":[14,107,165],"communicating,":[15],"doing":[16],"bank":[17],"transactions,":[18],"entertainment.":[20],"This":[21,242],"popularity":[22],"of":[23,30,34,45,50,96,119,151,196,208,238,258,267,274,289,296,308,343,349],"has":[26],"made":[27],"one":[29],"main":[32],"targets":[33],"attacks,":[35,47],"most":[36,337],"prominently":[37],"Cross-Site":[38],"Scripting":[39],"(XSS).":[40],"To":[41],"mitigate":[42,93],"effect":[44],"those":[46,275,297],"prevalence":[49],"Content":[52],"Security":[53],"Policy":[54],"(CSP)":[55],"is":[56,136,140,169,184,190],"increasing.":[57],"Such":[58],"policy":[60],"allows":[61],"developers":[62],"to":[63,92,109,147,158,179,185,192,215,234,255,333],"control":[64],"content":[66,78],"that":[67,126,279,294,311,318],"should":[68],"be":[69,88,159,180],"allowed":[70],"their":[72],"applications":[74],"precisely.":[75],"Because":[76],"this":[77,188],"includes":[79],"JavaScript":[80,226,284],"(via":[81],"script-src":[83],"directive),":[84],"can":[86,103,320],"also":[87],"an":[89,221],"effective":[90],"tool":[91],"damage":[95],"markup":[97],"injections":[98],"such":[99,328],"as":[100,130,161,329],"XSS.":[101],"Developers":[102],"specify":[104],"fine-grained":[105],"policies":[106],"scripts":[108,157,178],"only":[110,171,325],"allow":[111],"trusted":[112,156],"third":[113],"parties":[114],"disallow":[116],"usage":[118],"functions":[120],"like":[121],"eval":[122],"its":[124],"derivatives":[125],"directly":[127],"execute":[128],"strings":[129],"code.":[131],"As":[132],"whole":[134],"still":[137,212,304],"evolving,":[138],"so":[139],"CSP.":[141,218],"The":[142],"experimental":[143],"source-expression":[144],"unsafe-hashes":[145,314],"aims":[146],"ease":[148],"adoption":[150],"secure":[152],"CSPs,":[153],"by":[154,173],"allowing":[155,175],"used":[160],"inline":[162,177,239],"event":[163,240,270,291],"handlers":[164,292,298],"HTML":[166],"tags,":[167],"which":[168],"currently":[170],"possible":[172],"blindly":[174],"all":[176],"executed.":[181],"Our":[182,286],"goal":[183],"analyze":[186],"if":[187,201],"expression":[189],"able":[191],"improve":[193],"security":[195,209,236],"application":[199],"or":[200],"mainly":[203],"provides":[204],"false":[206],"sense":[207],"because":[210],"enables":[213],"attackers":[214,319],"bypass":[216],"built":[220],"automatic":[222],"crawler":[223,243],"utilizing":[224],"dynamic":[225],"analysis":[227,288],"using":[228],"taint":[229],"tracking":[230],"forced":[232],"execution":[233],"detect":[235],"vulnerabilities":[237],"handlers.":[241],"visited":[244],"753,715":[245],"unique":[246],"URLs":[247,260],"from":[248],"Alexa":[250],"Top":[251],"1,000":[252],"domains":[253,302],"up":[254],"maximum":[257],"500":[259],"per":[261],"domain.":[262],"collected":[264],"total":[266],"735,105":[268],"individual":[269],"handlers,":[271],"where":[272],"443":[273],"had":[276],"attribute":[277],"values":[278],"flow":[280],"into":[281],"dangerous":[283],"sink.":[285],"manual":[287],"revealed":[293],"370":[295],"34":[300],"different":[301],"are":[303],"vulnerable":[305],"in":[306,336],"presence":[307],"CSP":[310,351],"contains":[312],"expression.":[315],"show":[317],"exploit":[321],"these":[322],"flows":[323],"with":[324],"partial":[326],"injections,":[327],"adding":[330],"new":[331],"attributes":[332],"existing":[334],"tags":[335],"cases":[338],"discuss":[340],"impact":[342],"our":[344],"findings":[345],"future":[348],"standard.":[352]},"counts_by_year":[{"year":2023,"cited_by_count":1}],"updated_date":"2026-03-25T14:56:36.534964","created_date":"2025-10-10T00:00:00"}