{"id":"https://openalex.org/W3040715571","doi":"https://doi.org/10.1145/3320269.3372201","title":"Assessing the Impact of Script Gadgets on CSP at Scale","display_name":"Assessing the Impact of Script Gadgets on CSP at Scale","publication_year":2020,"publication_date":"2020-10-05","ids":{"openalex":"https://openalex.org/W3040715571","doi":"https://doi.org/10.1145/3320269.3372201","mag":"3040715571"},"language":"en","primary_location":{"id":"doi:10.1145/3320269.3372201","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3320269.3372201","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 15th ACM Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://figshare.com/articles/conference_contribution/Assessing_the_Impact_of_Script_Gadgets_on_CSP_at_Scale/24613149","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5003170727","display_name":"Sebastian Roth","orcid":"https://orcid.org/0009-0004-3529-1407"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Sebastian Roth","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5102730269","display_name":"Michael Backes","orcid":"https://orcid.org/0000-0002-7130-9211"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Michael Backes","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5087823285","display_name":"Ben Stock","orcid":"https://orcid.org/0000-0001-9659-0700"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Ben Stock","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5003170727"],"corresponding_institution_ids":["https://openalex.org/I4210128801"],"apc_list":null,"apc_paid":null,"fwci":1.6689,"has_fulltext":false,"cited_by_count":9,"citation_normalized_percentile":{"value":0.88221032,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"420","last_page":"431"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9911999702453613,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.984000027179718,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.9673380851745605},{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.843559741973877},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8334734439849854},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.6854370832443237},{"id":"https://openalex.org/keywords/executable","display_name":"Executable","score":0.6475623250007629},{"id":"https://openalex.org/keywords/client-side-scripting","display_name":"Client-side scripting","score":0.575888991355896},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.5638086199760437},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.5565615296363831},{"id":"https://openalex.org/keywords/markup-language","display_name":"Markup language","score":0.5417611598968506},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4687789976596832},{"id":"https://openalex.org/keywords/html","display_name":"HTML","score":0.4555134177207947},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.4543423652648926},{"id":"https://openalex.org/keywords/web-page","display_name":"Web page","score":0.3878021836280823},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.30432429909706116},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.2685738801956177},{"id":"https://openalex.org/keywords/web-development","display_name":"Web development","score":0.22975555062294006},{"id":"https://openalex.org/keywords/web-api","display_name":"Web API","score":0.1753338873386383},{"id":"https://openalex.org/keywords/xml","display_name":"XML","score":0.1595974564552307}],"concepts":[{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.9673380851745605},{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.843559741973877},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8334734439849854},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.6854370832443237},{"id":"https://openalex.org/C160145156","wikidata":"https://www.wikidata.org/wiki/Q778586","display_name":"Executable","level":2,"score":0.6475623250007629},{"id":"https://openalex.org/C195274430","wikidata":"https://www.wikidata.org/wiki/Q1650567","display_name":"Client-side scripting","level":5,"score":0.575888991355896},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.5638086199760437},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.5565615296363831},{"id":"https://openalex.org/C45874996","wikidata":"https://www.wikidata.org/wiki/Q37045","display_name":"Markup language","level":3,"score":0.5417611598968506},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4687789976596832},{"id":"https://openalex.org/C138708601","wikidata":"https://www.wikidata.org/wiki/Q8811","display_name":"HTML","level":3,"score":0.4555134177207947},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.4543423652648926},{"id":"https://openalex.org/C21959979","wikidata":"https://www.wikidata.org/wiki/Q36774","display_name":"Web page","level":2,"score":0.3878021836280823},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.30432429909706116},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.2685738801956177},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.22975555062294006},{"id":"https://openalex.org/C127613066","wikidata":"https://www.wikidata.org/wiki/Q557770","display_name":"Web API","level":4,"score":0.1753338873386383},{"id":"https://openalex.org/C8797682","wikidata":"https://www.wikidata.org/wiki/Q2115","display_name":"XML","level":2,"score":0.1595974564552307},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1145/3320269.3372201","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3320269.3372201","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 15th ACM Asia Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:figshare.com:article/24613149","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/Assessing_the_Impact_of_Script_Gadgets_on_CSP_at_Scale/24613149","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},{"id":"doi:10.60882/cispa.24613149.v1","is_oa":true,"landing_page_url":"https://doi.org/10.60882/cispa.24613149.v1","pdf_url":null,"source":{"id":"https://openalex.org/S7407050916","display_name":"CISPA Helmholtz Center","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:figshare.com:article/24613149","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/Assessing_the_Impact_of_Script_Gadgets_on_CSP_at_Scale/24613149","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions","score":0.8199999928474426}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":23,"referenced_works":["https://openalex.org/W200873936","https://openalex.org/W1473921560","https://openalex.org/W1535015034","https://openalex.org/W1536367539","https://openalex.org/W1974977720","https://openalex.org/W1990421186","https://openalex.org/W1991074244","https://openalex.org/W2344312925","https://openalex.org/W2404759360","https://openalex.org/W2510134782","https://openalex.org/W2536013516","https://openalex.org/W2575436837","https://openalex.org/W2605157885","https://openalex.org/W2614073125","https://openalex.org/W2765755114","https://openalex.org/W2785237606","https://openalex.org/W2790761820","https://openalex.org/W2904027722","https://openalex.org/W2962940036","https://openalex.org/W3007024382","https://openalex.org/W3104970816","https://openalex.org/W6644187855","https://openalex.org/W6736053662"],"related_works":["https://openalex.org/W1222699389","https://openalex.org/W2417252976","https://openalex.org/W2042562985","https://openalex.org/W4250914548","https://openalex.org/W183683573","https://openalex.org/W2480890606","https://openalex.org/W641367590","https://openalex.org/W2907490423","https://openalex.org/W4382565138","https://openalex.org/W3008569659"],"abstract_inverted_index":{"The":[0],"Web,":[1],"as":[2,266,268],"one":[3],"of":[4,8,23,63,104,141,148,167,209,227,230,244,291,320,330],"the":[5,14,24,28,56,61,72,102,105,116,139,163,197,225,228,242,255,269,275,296,321],"core":[6],"technologies":[7],"modern":[9],"society,":[10],"has":[11],"profoundly":[12],"changed":[13],"way":[15],"we":[16,223,305,313],"interact":[17],"with":[18,174,262,279],"people":[19],"and":[20,246,325],"data.":[21],"One":[22],"worst":[25],"attacks":[26],"on":[27,213,238,348],"Web":[29,48,89,236],"is":[30,38,77,129,199,272],"Cross-Site":[31],"Scripting":[32],"(XSS),":[33],"in":[34,80,138,156,172,177,241,274,295],"which":[35],"an":[36,187,257],"attacker":[37,106,258],"able":[39,110],"to":[40,55,91,107,111,185,288,337,345],"inject":[41],"their":[42],"malicious":[43],"JavaScript":[44,150],"code":[45,52,96,114,151,248],"into":[46,159],"a":[47,85,88,131,135,157,168,206,215,307,338],"application,":[49],"giving":[50],"this":[51,192,221,285],"full":[53],"access":[54],"victimized":[57],"site.":[58],"To":[59,219,298],"mitigate":[60],"impact":[62],"markup":[64,128,154],"injection":[65],"flaws":[66],"that":[67,327,351],"cause":[68],"XSS,":[69],"support":[70],"for":[71,134,165,283,318],"Content":[73],"Security":[74],"Policy":[75],"(CSP)":[76],"nowadays":[78],"shipped":[79],"all":[81,210,319,331],"browsers.":[82],"Deploying":[83],"such":[84,250,354],"policy":[86],"enables":[87,286],"developer":[90],"whitelist":[92],"from":[93,115],"where":[94],"script":[95,127,143,181,264,341],"can":[97,259],"be":[98,109,335],"loaded,":[99],"essentially":[100],"constraining":[101],"capabilities":[103],"only":[108],"execute":[112],"injected":[113],"said":[117],"whitelist.":[118],"As":[119],"recently":[120],"shown":[121],"by":[122,254],"Lekies":[123,231],"et":[124,232],"al.,":[125,233],"injecting":[126],"not":[130],"necessary":[132],"prerequisite":[133],"successful":[136],"attack":[137],"presence":[140,243],"so-called":[142],"gadgets.":[144],"These":[145],"small":[146],"snippets":[147],"benign":[149],"transform":[152],"non-script":[153],"contained":[155],"page":[158],"executable":[160],"JavaScript,":[161],"opening":[162],"door":[164],"bypasses":[166],"deployed":[169],"CSP.":[170,276],"Especially":[171],"combination":[173,278],"CSP's":[175],"logic":[176,282],"handling":[178],"redirected":[179],"resources,":[180],"gadgets":[182,251],"enable":[183],"attackers":[184],"bypass":[186,289,339],"otherwise":[188,292],"secure":[189,293],"policy.":[190],"In":[191,277],"paper,":[193],"we,":[194],"therefore,":[195],"ask":[196],"question:":[198],"securely":[200],"deploying":[201],"CSP":[202,245],"even":[203,214,240],"possible":[204],"without":[205,247],"priori":[207],"knowledge":[208],"files":[211],"hosted":[212],"partially":[216],"trusted":[217],"origin?":[218],"answer":[220,300],"question,":[222,304],"investigate":[224],"severity":[226],"findings":[229],"showing":[234],"real-world":[235],"sites":[237,324,332],"which,":[239],"containing":[249],"being":[252],"added":[253],"developer,":[256],"sideload":[260],"libraries":[261],"known":[263],"gadgets,":[265],"long":[267],"hosting":[270],"site":[271],"whitelisted":[273],"CSPs":[280,317],"matching":[281],"redirects,":[284],"us":[287],"10%":[290],"policies":[294],"wild.":[297],"further":[299],"our":[301],"main":[302],"research":[303],"conduct":[306],"hypothetical":[308],"what-if":[309],"analysis.":[310],"Doing":[311],"so,":[312],"automatically":[314],"generate":[315],"sensible":[316],"Top":[322],"10,000":[323],"show":[326],"around":[328],"one-third":[329],"would":[333],"still":[334],"susceptible":[336],"through":[340],"gadget":[342],"sideloading":[343],"due":[344],"heavy":[346],"reliance":[347],"third":[349],"parties":[350],"also":[352],"host":[353],"libraries.":[355]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":3},{"year":2021,"cited_by_count":3}],"updated_date":"2026-03-25T14:56:36.534964","created_date":"2025-10-10T00:00:00"}