{"id":"https://openalex.org/W3206830212","doi":"https://doi.org/10.1145/3471621.3471846","title":"Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks","display_name":"Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks","publication_year":2021,"publication_date":"2021-10-06","ids":{"openalex":"https://openalex.org/W3206830212","doi":"https://doi.org/10.1145/3471621.3471846","mag":"3206830212"},"language":"en","primary_location":{"id":"doi:10.1145/3471621.3471846","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3471621.3471846","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"24th International Symposium on Research in Attacks, Intrusions and Defenses","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://figshare.com/articles/conference_contribution/Where_We_Stand_or_Fall_An_Analysis_of_CSRF_Defenses_in_Web_Frameworks/24613791","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5016445148","display_name":"Xhelal Likaj","orcid":null},"institutions":[{"id":"https://openalex.org/I91712215","display_name":"Saarland University","ror":"https://ror.org/01jdpyv68","country_code":"DE","type":"education","lineage":["https://openalex.org/I91712215"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Xhelal Likaj","raw_affiliation_strings":["Saarland University, Germany"],"affiliations":[{"raw_affiliation_string":"Saarland University, Germany","institution_ids":["https://openalex.org/I91712215"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089070556","display_name":"Soheil Khodayari","orcid":"https://orcid.org/0009-0006-1052-4774"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Soheil Khodayari","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5087556256","display_name":"Giancarlo Pellegrino","orcid":"https://orcid.org/0009-0007-6223-8945"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Giancarlo Pellegrino","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Germany","institution_ids":["https://openalex.org/I4210128801"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5016445148"],"corresponding_institution_ids":["https://openalex.org/I91712215"],"apc_list":null,"apc_paid":null,"fwci":4.542,"has_fulltext":false,"cited_by_count":18,"citation_normalized_percentile":{"value":0.95019101,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"370","last_page":"385"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9939000010490417,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9900000095367432,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.8191001415252686},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7329919934272766},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.6570015549659729},{"id":"https://openalex.org/keywords/python","display_name":"Python (programming language)","score":0.6453884243965149},{"id":"https://openalex.org/keywords/popularity","display_name":"Popularity","score":0.6358407139778137},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.5790345668792725},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.5707047581672668},{"id":"https://openalex.org/keywords/documentation","display_name":"Documentation","score":0.5412508845329285},{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.5052621960639954},{"id":"https://openalex.org/keywords/java","display_name":"Java","score":0.4908817410469055},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.44139716029167175},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.44109246134757996},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.4216950833797455},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3845439553260803},{"id":"https://openalex.org/keywords/web-development","display_name":"Web development","score":0.3377598524093628},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.32538676261901855},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.18158170580863953},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.1632009744644165},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.1577591598033905},{"id":"https://openalex.org/keywords/political-science","display_name":"Political science","score":0.09160476922988892}],"concepts":[{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.8191001415252686},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7329919934272766},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.6570015549659729},{"id":"https://openalex.org/C519991488","wikidata":"https://www.wikidata.org/wiki/Q28865","display_name":"Python (programming language)","level":2,"score":0.6453884243965149},{"id":"https://openalex.org/C2780586970","wikidata":"https://www.wikidata.org/wiki/Q1357284","display_name":"Popularity","level":2,"score":0.6358407139778137},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.5790345668792725},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.5707047581672668},{"id":"https://openalex.org/C56666940","wikidata":"https://www.wikidata.org/wiki/Q788790","display_name":"Documentation","level":2,"score":0.5412508845329285},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.5052621960639954},{"id":"https://openalex.org/C548217200","wikidata":"https://www.wikidata.org/wiki/Q251","display_name":"Java","level":2,"score":0.4908817410469055},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.44139716029167175},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.44109246134757996},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.4216950833797455},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3845439553260803},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.3377598524093628},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.32538676261901855},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.18158170580863953},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.1632009744644165},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.1577591598033905},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.09160476922988892},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.0},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1145/3471621.3471846","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3471621.3471846","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"24th International Symposium on Research in Attacks, Intrusions and Defenses","raw_type":"proceedings-article"},{"id":"pmh:oai:figshare.com:article/24613791","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/Where_We_Stand_or_Fall_An_Analysis_of_CSRF_Defenses_in_Web_Frameworks/24613791","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},{"id":"doi:10.60882/cispa.24613791.v1","is_oa":true,"landing_page_url":"https://doi.org/10.60882/cispa.24613791.v1","pdf_url":null,"source":{"id":"https://openalex.org/S7407050916","display_name":"CISPA Helmholtz Center","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:figshare.com:article/24613791","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/Where_We_Stand_or_Fall_An_Analysis_of_CSRF_Defenses_in_Web_Frameworks/24613791","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},"sustainable_development_goals":[{"score":0.6800000071525574,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":29,"referenced_works":["https://openalex.org/W39495240","https://openalex.org/W626019294","https://openalex.org/W1224296734","https://openalex.org/W1490705928","https://openalex.org/W1607985412","https://openalex.org/W1774682829","https://openalex.org/W1896223928","https://openalex.org/W1965209910","https://openalex.org/W2001788001","https://openalex.org/W2072978486","https://openalex.org/W2090184259","https://openalex.org/W2119085032","https://openalex.org/W2153106208","https://openalex.org/W2399498356","https://openalex.org/W2698406033","https://openalex.org/W2733075145","https://openalex.org/W2752602409","https://openalex.org/W2889140200","https://openalex.org/W2897702533","https://openalex.org/W2899231924","https://openalex.org/W2914012796","https://openalex.org/W2914630606","https://openalex.org/W2917439412","https://openalex.org/W2943467804","https://openalex.org/W2944337000","https://openalex.org/W2952447725","https://openalex.org/W2979997947","https://openalex.org/W3030213528","https://openalex.org/W4255314660"],"related_works":["https://openalex.org/W2907490423","https://openalex.org/W2548409577","https://openalex.org/W2338961676","https://openalex.org/W2070218579","https://openalex.org/W2314230716","https://openalex.org/W2547817202","https://openalex.org/W2188829598","https://openalex.org/W331060086","https://openalex.org/W3156816392","https://openalex.org/W4312473963"],"abstract_inverted_index":{"Cross-Site":[0],"Request":[1],"Forgery":[2],"(CSRF)":[3],"is":[4,17],"among":[5],"the":[6,30,44,52,80,84,108,115,121,139],"oldest":[7],"web":[8,41,88,124],"vulnerabilities":[9],"that,":[10],"despite":[11],"its":[12],"popularity":[13],"and":[14,71,98,111],"severity,":[15],"it":[16],"still":[18],"an":[19,56],"understudied":[20],"security":[21,32],"problem.":[22],"In":[23],"this":[24],"paper,":[25],"we":[26,66,78],"undertake":[27],"one":[28],"of":[29,34,54,63,83,123],"first":[31],"evaluations":[33],"CSRF":[35,69,141],"defense":[36],"as":[37],"implemented":[38,109,140],"by":[39,135],"popular":[40,87],"frameworks,":[42],"with":[43],"overarching":[45],"goal":[46],"to":[47,51,106,114,137],"identify":[48,67],"additional":[49],"explanations":[50],"occurrences":[53],"such":[55],"old":[57],"vulnerability.":[58],"Starting":[59],"from":[60],"a":[61],"review":[62],"existing":[64],"literature,":[65],"16":[68],"defenses":[70,110,142],"18":[72],"potential":[73],"threats":[74],"agains":[75],"them.":[76],"Then,":[77],"evaluate":[79],"source":[81],"code":[82],"44":[85],"most":[86],"frameworks":[89],"across":[90],"five":[91],"languages":[92],"(i.e.,":[93],"JavaScript,":[94],"Python,":[95],"Java,":[96],"PHP,":[97],"C#)":[99],"covering":[100],"about":[101],"5.5":[102],"million":[103],"LoCs,":[104],"intending":[105],"determine":[107],"their":[112],"exposure":[113],"identified":[116],"threats.":[117],"We":[118],"also":[119],"quantify":[120],"quality":[122],"frameworks\u2019":[125],"documentation,":[126],"looking":[127],"for":[128],"incomplete,":[129],"misleading,":[130],"or":[131],"insufficient":[132],"information":[133],"required":[134],"developers":[136],"use":[138],"correctly.":[143]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":8},{"year":2023,"cited_by_count":5},{"year":2022,"cited_by_count":3}],"updated_date":"2026-03-25T14:56:36.534964","created_date":"2025-10-10T00:00:00"}