{"id":"https://openalex.org/W4385270157","doi":"https://doi.org/10.1109/spw59333.2023.00038","title":"Scripted Henchmen: Leveraging XS-Leaks for Cross-Site Vulnerability Detection","display_name":"Scripted Henchmen: Leveraging XS-Leaks for Cross-Site Vulnerability Detection","publication_year":2023,"publication_date":"2023-05-01","ids":{"openalex":"https://openalex.org/W4385270157","doi":"https://doi.org/10.1109/spw59333.2023.00038"},"language":"en","primary_location":{"id":"doi:10.1109/spw59333.2023.00038","is_oa":false,"landing_page_url":"https://doi.org/10.1109/spw59333.2023.00038","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Security and Privacy Workshops (SPW)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://lirias.kuleuven.be/retrieve/c1091d6f-e366-4dd7-bda4-9658fc186622","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5061602585","display_name":"Tom Van Goethem","orcid":"https://orcid.org/0000-0001-6846-9081"},"institutions":[{"id":"https://openalex.org/I196972281","display_name":"Imec the Netherlands","ror":"https://ror.org/01ezq2j76","country_code":"NL","type":"facility","lineage":["https://openalex.org/I196972281"]},{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE","NL"],"is_corresponding":false,"raw_author_name":"Tom Van Goethem","raw_affiliation_strings":["KU Leuven,imec-DistriNet","imec-DistriNet, KU Leuven"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"KU Leuven,imec-DistriNet","institution_ids":["https://openalex.org/I196972281","https://openalex.org/I99464096"]},{"raw_affiliation_string":"imec-DistriNet, KU Leuven","institution_ids":["https://openalex.org/I196972281","https://openalex.org/I99464096"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5029014592","display_name":"Iskander S\u00e1nchez-Rola","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Iskander Sanchez-Rola","raw_affiliation_strings":["Norton Research Group"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Norton Research Group","institution_ids":[]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5054031138","display_name":"Wouter Joosen","orcid":"https://orcid.org/0000-0002-7710-5092"},"institutions":[{"id":"https://openalex.org/I196972281","display_name":"Imec the Netherlands","ror":"https://ror.org/01ezq2j76","country_code":"NL","type":"facility","lineage":["https://openalex.org/I196972281"]},{"id":"https://openalex.org/I99464096","display_name":"KU Leuven","ror":"https://ror.org/05f950310","country_code":"BE","type":"education","lineage":["https://openalex.org/I99464096"]}],"countries":["BE","NL"],"is_corresponding":false,"raw_author_name":"Wouter Joosen","raw_affiliation_strings":["KU Leuven,imec-DistriNet","imec-DistriNet, KU Leuven"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"KU Leuven,imec-DistriNet","institution_ids":["https://openalex.org/I196972281","https://openalex.org/I99464096"]},{"raw_affiliation_string":"imec-DistriNet, KU Leuven","institution_ids":["https://openalex.org/I196972281","https://openalex.org/I99464096"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.8627,"has_fulltext":true,"cited_by_count":2,"citation_normalized_percentile":{"value":0.78802595,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":95,"max":96},"biblio":{"volume":null,"issue":null,"first_page":"371","last_page":"383"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9994000196456909,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9994000196456909,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.7301410436630249},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.653760552406311},{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.6036785840988159},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.5882745981216431},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.5795180201530457},{"id":"https://openalex.org/keywords/visitor-pattern","display_name":"Visitor pattern","score":0.5780867338180542},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.5659487247467041},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.48575595021247864},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.4572034478187561},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.4501049220561981},{"id":"https://openalex.org/keywords/trustworthiness","display_name":"Trustworthiness","score":0.4283679127693176},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.42362964153289795},{"id":"https://openalex.org/keywords/internet-privacy","display_name":"Internet privacy","score":0.3829449713230133},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.3341473340988159},{"id":"https://openalex.org/keywords/web-page","display_name":"Web page","score":0.33276253938674927},{"id":"https://openalex.org/keywords/web-development","display_name":"Web development","score":0.16875874996185303}],"concepts":[{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7301410436630249},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.653760552406311},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.6036785840988159},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.5882745981216431},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.5795180201530457},{"id":"https://openalex.org/C48947383","wikidata":"https://www.wikidata.org/wiki/Q830719","display_name":"Visitor pattern","level":2,"score":0.5780867338180542},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.5659487247467041},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.48575595021247864},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.4572034478187561},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.4501049220561981},{"id":"https://openalex.org/C153701036","wikidata":"https://www.wikidata.org/wiki/Q659974","display_name":"Trustworthiness","level":2,"score":0.4283679127693176},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.42362964153289795},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.3829449713230133},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.3341473340988159},{"id":"https://openalex.org/C21959979","wikidata":"https://www.wikidata.org/wiki/Q36774","display_name":"Web page","level":2,"score":0.33276253938674927},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.16875874996185303},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0},{"id":"https://openalex.org/C15744967","wikidata":"https://www.wikidata.org/wiki/Q9418","display_name":"Psychology","level":0,"score":0.0},{"id":"https://openalex.org/C542102704","wikidata":"https://www.wikidata.org/wiki/Q183257","display_name":"Psychotherapist","level":1,"score":0.0},{"id":"https://openalex.org/C137176749","wikidata":"https://www.wikidata.org/wiki/Q4105337","display_name":"Psychological resilience","level":2,"score":0.0},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/spw59333.2023.00038","is_oa":false,"landing_page_url":"https://doi.org/10.1109/spw59333.2023.00038","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Security and Privacy Workshops (SPW)","raw_type":"proceedings-article"},{"id":"pmh:oai:lirias2repo.kuleuven.be:20.500.12942/725006","is_oa":true,"landing_page_url":"https://lirias.kuleuven.be/handle/20.500.12942/725006","pdf_url":"https://lirias.kuleuven.be/retrieve/c1091d6f-e366-4dd7-bda4-9658fc186622","source":{"id":"https://openalex.org/S4306401954","display_name":"Lirias (KU Leuven)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I99464096","host_organization_name":"KU Leuven","host_organization_lineage":["https://openalex.org/I99464096"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"44th IEEE Security and Privacy Workshops (SPW), CA, San Francisco, 22-25 May 2023","raw_type":"info:eu-repo/semantics/publishedVersion"}],"best_oa_location":{"id":"pmh:oai:lirias2repo.kuleuven.be:20.500.12942/725006","is_oa":true,"landing_page_url":"https://lirias.kuleuven.be/handle/20.500.12942/725006","pdf_url":"https://lirias.kuleuven.be/retrieve/c1091d6f-e366-4dd7-bda4-9658fc186622","source":{"id":"https://openalex.org/S4306401954","display_name":"Lirias (KU Leuven)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I99464096","host_organization_name":"KU Leuven","host_organization_lineage":["https://openalex.org/I99464096"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"44th IEEE Security and Privacy Workshops (SPW), CA, San Francisco, 22-25 May 2023","raw_type":"info:eu-repo/semantics/publishedVersion"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16","score":0.5699999928474426}],"awards":[{"id":"https://openalex.org/G6014534120","display_name":null,"funder_award_id":"101019206","funder_id":"https://openalex.org/F4320320300","funder_display_name":"European Commission"}],"funders":[{"id":"https://openalex.org/F4320320300","display_name":"European Commission","ror":"https://ror.org/00k4n6c32"},{"id":"https://openalex.org/F4320322308","display_name":"KU Leuven","ror":"https://ror.org/05f950310"}],"has_content":{"grobid_xml":false,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4385270157.pdf"},"referenced_works_count":50,"referenced_works":["https://openalex.org/W1485337887","https://openalex.org/W1491237615","https://openalex.org/W1965209910","https://openalex.org/W1970867218","https://openalex.org/W1985683032","https://openalex.org/W1987644478","https://openalex.org/W1988160443","https://openalex.org/W2034120733","https://openalex.org/W2048018257","https://openalex.org/W2062533261","https://openalex.org/W2098395374","https://openalex.org/W2108384401","https://openalex.org/W2165701072","https://openalex.org/W2398147205","https://openalex.org/W2510134782","https://openalex.org/W2514714814","https://openalex.org/W2589930484","https://openalex.org/W2890228473","https://openalex.org/W2904027722","https://openalex.org/W2914630606","https://openalex.org/W2930110112","https://openalex.org/W2960248881","https://openalex.org/W2962776979","https://openalex.org/W2962940036","https://openalex.org/W2963603877","https://openalex.org/W2980614388","https://openalex.org/W3007732466","https://openalex.org/W3008757785","https://openalex.org/W3010520343","https://openalex.org/W3024201913","https://openalex.org/W3036557299","https://openalex.org/W3049709743","https://openalex.org/W3115307203","https://openalex.org/W3214196324","https://openalex.org/W4235202118","https://openalex.org/W4281396748","https://openalex.org/W4289038676","https://openalex.org/W4299301436","https://openalex.org/W6600897621","https://openalex.org/W6602593815","https://openalex.org/W6629287744","https://openalex.org/W6685791942","https://openalex.org/W6712483131","https://openalex.org/W6719369174","https://openalex.org/W6743752906","https://openalex.org/W6762875752","https://openalex.org/W6771995623","https://openalex.org/W6776693929","https://openalex.org/W6980155234","https://openalex.org/W7034844013"],"related_works":["https://openalex.org/W2548409577","https://openalex.org/W2407701912","https://openalex.org/W3180404666","https://openalex.org/W1531015913","https://openalex.org/W1484631816","https://openalex.org/W2167752994","https://openalex.org/W2907218437","https://openalex.org/W2117221897","https://openalex.org/W52209804","https://openalex.org/W3149638606"],"abstract_inverted_index":{"The":[0],"key":[1],"security":[2,34,134],"principle":[3],"that":[4,17,57,73,131],"browsers":[5],"adhere":[6],"to,":[7],"such":[8],"as":[9],"the":[10,24,105,140],"same-origin":[11],"policy":[12],"and":[13,107,112],"site":[14,41],"isolation,":[15],"ensure":[16],"when":[18],"visiting":[19],"a":[20,39,93,96,117],"potentially":[21,59],"untrusted":[22],"website,":[23],"web":[25,87,98],"page":[26],"is":[27],"loaded":[28],"in":[29,49,89],"an":[30,81,102],"isolated":[31],"environment.":[32],"These":[33],"measures":[35,135],"aim":[36],"to":[37,79,84,95,138],"prevent":[38],"malicious":[40,97,114],"from":[42,62,116,125],"extracting":[43],"information":[44,61],"about":[45],"cross-origin":[46,144],"resources.":[47],"However,":[48],"recent":[50],"years,":[51],"several":[52],"techniques":[53],"have":[54],"been":[55],"discovered":[56],"leak":[58],"sensitive":[60],"responses":[63],"sent":[64],"by":[65],"other":[66,90],"sites.":[67],"In":[68],"this":[69],"paper,":[70],"we":[71,129],"show":[72],"these":[74],"XS-Leaks":[75],"can":[76],"be":[77],"used":[78],"force":[80],"unwitting":[82],"visitor":[83],"detect":[85],"prevalent":[86],"vulnerabilities":[88],"websites":[91],"during":[92],"visit":[94],"page.":[99],"This":[100],"lets":[101],"adversary":[103],"leverage":[104],"computing":[106],"network":[108],"resources":[109],"of":[110,120,143],"visitors":[111],"send":[113],"requests":[115],"large":[118],"variety":[119],"trustworthy":[121],"IP":[122],"addresses":[123],"originating":[124],"residential":[126],"networks.":[127],"Finally,":[128],"find":[130],"currently":[132],"deployed":[133],"are":[136],"inadequate":[137],"thwart":[139],"realistic":[141],"threat":[142],"vulnerability":[145],"detection.":[146]},"counts_by_year":[{"year":2025,"cited_by_count":2}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}