{"id":"https://openalex.org/W4416549359","doi":"https://doi.org/10.1145/3719027.3765117","title":"In the DOM We Trust: Exploring the Hidden Dangers of Reading from the DOM on the Web","display_name":"In the DOM We Trust: Exploring the Hidden Dangers of Reading from the DOM on the Web","publication_year":2025,"publication_date":"2025-11-19","ids":{"openalex":"https://openalex.org/W4416549359","doi":"https://doi.org/10.1145/3719027.3765117"},"language":null,"primary_location":{"id":"doi:10.1145/3719027.3765117","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765117","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref","datacite"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3719027.3765117","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5120467439","display_name":"Jan Drescher","orcid":"https://orcid.org/0009-0002-3840-9533"},"institutions":[{"id":"https://openalex.org/I94509681","display_name":"Technische Universit\u00e4t Braunschweig","ror":"https://ror.org/010nsgg66","country_code":"DE","type":"education","lineage":["https://openalex.org/I94509681"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Jan Drescher","raw_affiliation_strings":["Technische Universit\u00e4t Braunschweig, Braunschweig, Germany"],"raw_orcid":"https://orcid.org/0009-0002-3840-9533","affiliations":[{"raw_affiliation_string":"Technische Universit\u00e4t Braunschweig, Braunschweig, Germany","institution_ids":["https://openalex.org/I94509681"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5113693253","display_name":"S. Mirzaei","orcid":"https://orcid.org/0009-0000-4263-2258"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Sepehr Mirzaei","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"raw_orcid":"https://orcid.org/0009-0000-4263-2258","affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089070556","display_name":"Soheil Khodayari","orcid":"https://orcid.org/0009-0006-1052-4774"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Soheil Khodayari","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany"],"raw_orcid":"https://orcid.org/0009-0006-1052-4774","affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saarbr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5016611640","display_name":"David Klein","orcid":"https://orcid.org/0000-0001-8468-8516"},"institutions":[{"id":"https://openalex.org/I94509681","display_name":"Technische Universit\u00e4t Braunschweig","ror":"https://ror.org/010nsgg66","country_code":"DE","type":"education","lineage":["https://openalex.org/I94509681"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"David Klein","raw_affiliation_strings":["Technische Universit\u00e4t Braunschweig, Braunschweig, Germany"],"raw_orcid":"https://orcid.org/0000-0001-8468-8516","affiliations":[{"raw_affiliation_string":"Technische Universit\u00e4t Braunschweig, Braunschweig, Germany","institution_ids":["https://openalex.org/I94509681"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5036574988","display_name":"Thomas Barber","orcid":"https://orcid.org/0000-0002-1538-5033"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Thomas Barber","raw_affiliation_strings":["SAP SE, Karlsruhe, Germany"],"raw_orcid":"https://orcid.org/0000-0002-1538-5033","affiliations":[{"raw_affiliation_string":"SAP SE, Karlsruhe, Germany","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002067855","display_name":"Martin Johns","orcid":"https://orcid.org/0000-0003-2574-5060"},"institutions":[{"id":"https://openalex.org/I94509681","display_name":"Technische Universit\u00e4t Braunschweig","ror":"https://ror.org/010nsgg66","country_code":"DE","type":"education","lineage":["https://openalex.org/I94509681"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Martin Johns","raw_affiliation_strings":["Technische Universit\u00e4t Braunschweig, Braunschweig, Germany"],"raw_orcid":"https://orcid.org/0000-0003-2574-5060","affiliations":[{"raw_affiliation_string":"Technische Universit\u00e4t Braunschweig, Braunschweig, Germany","institution_ids":["https://openalex.org/I94509681"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5087556256","display_name":"Giancarlo Pellegrino","orcid":"https://orcid.org/0009-0007-6223-8945"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Giancarlo Pellegrino","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security, Saabr\u00fccken, Germany"],"raw_orcid":"https://orcid.org/0009-0007-6223-8945","affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Saabr\u00fccken, Germany","institution_ids":["https://openalex.org/I4210128801"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.46167679,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"3042","last_page":"3056"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.906000018119812,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.906000018119812,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.052799999713897705,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.006200000178068876,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.828499972820282},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.7910000085830688},{"id":"https://openalex.org/keywords/document-object-model","display_name":"Document Object Model","score":0.7127000093460083},{"id":"https://openalex.org/keywords/markup-language","display_name":"Markup language","score":0.6704999804496765},{"id":"https://openalex.org/keywords/client-side-scripting","display_name":"Client-side scripting","score":0.5863999724388123},{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.5471000075340271},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.4948999881744385},{"id":"https://openalex.org/keywords/web-page","display_name":"Web page","score":0.47440001368522644},{"id":"https://openalex.org/keywords/dynamic-web-page","display_name":"Dynamic web page","score":0.47360000014305115}],"concepts":[{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.828499972820282},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.7910000085830688},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7638000249862671},{"id":"https://openalex.org/C137922610","wikidata":"https://www.wikidata.org/wiki/Q2093","display_name":"Document Object Model","level":3,"score":0.7127000093460083},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.7031999826431274},{"id":"https://openalex.org/C45874996","wikidata":"https://www.wikidata.org/wiki/Q37045","display_name":"Markup language","level":3,"score":0.6704999804496765},{"id":"https://openalex.org/C195274430","wikidata":"https://www.wikidata.org/wiki/Q1650567","display_name":"Client-side scripting","level":5,"score":0.5863999724388123},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.5471000075340271},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.4948999881744385},{"id":"https://openalex.org/C21959979","wikidata":"https://www.wikidata.org/wiki/Q36774","display_name":"Web page","level":2,"score":0.47440001368522644},{"id":"https://openalex.org/C100158260","wikidata":"https://www.wikidata.org/wiki/Q1650567","display_name":"Dynamic web page","level":3,"score":0.47360000014305115},{"id":"https://openalex.org/C113843644","wikidata":"https://www.wikidata.org/wiki/Q901882","display_name":"Interface (matter)","level":4,"score":0.453900009393692},{"id":"https://openalex.org/C138708601","wikidata":"https://www.wikidata.org/wiki/Q8811","display_name":"HTML","level":3,"score":0.4205999970436096},{"id":"https://openalex.org/C554936623","wikidata":"https://www.wikidata.org/wiki/Q199657","display_name":"Reading (process)","level":2,"score":0.4205999970436096},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.41370001435279846},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.36149999499320984},{"id":"https://openalex.org/C89505385","wikidata":"https://www.wikidata.org/wiki/Q47146","display_name":"User interface","level":2,"score":0.35249999165534973},{"id":"https://openalex.org/C40305131","wikidata":"https://www.wikidata.org/wiki/Q2616305","display_name":"Obfuscation","level":2,"score":0.34360000491142273},{"id":"https://openalex.org/C89159866","wikidata":"https://www.wikidata.org/wiki/Q4119753","display_name":"Style sheet","level":3,"score":0.3400999903678894},{"id":"https://openalex.org/C189139006","wikidata":"https://www.wikidata.org/wiki/Q166074","display_name":"XHTML","level":4,"score":0.33880001306533813},{"id":"https://openalex.org/C2984519610","wikidata":"https://www.wikidata.org/wiki/Q35127","display_name":"Web site","level":3,"score":0.31859999895095825},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.3140000104904175},{"id":"https://openalex.org/C2983909278","wikidata":"https://www.wikidata.org/wiki/Q6368","display_name":"Web browser","level":3,"score":0.3003999888896942},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.2937000095844269},{"id":"https://openalex.org/C107457646","wikidata":"https://www.wikidata.org/wiki/Q207434","display_name":"Human\u2013computer interaction","level":1,"score":0.29319998621940613},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.27000001072883606},{"id":"https://openalex.org/C49774154","wikidata":"https://www.wikidata.org/wiki/Q131765","display_name":"Multimedia","level":1,"score":0.2556999921798706},{"id":"https://openalex.org/C196388810","wikidata":"https://www.wikidata.org/wiki/Q631877","display_name":"RuleML","level":5,"score":0.2517000138759613}],"mesh":[],"locations_count":4,"locations":[{"id":"doi:10.1145/3719027.3765117","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765117","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:figshare.com:article/32770650","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/In_the_DOM_We_Trust_Exploring_the_Hidden_Dangers_of_Reading_from_the_DOM_on_the_Web/32770650","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Conference contribution"},{"id":"doi:10.60882/cispa.32770650","is_oa":true,"landing_page_url":"https://doi.org/10.60882/cispa.32770650","pdf_url":null,"source":{"id":"https://openalex.org/S7407050916","display_name":"CISPA Helmholtz Center","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"ConferenceProceeding"},{"id":"doi:10.60882/cispa.32770650.v1","is_oa":true,"landing_page_url":"https://doi.org/10.60882/cispa.32770650.v1","pdf_url":null,"source":{"id":"https://openalex.org/S7407050916","display_name":"CISPA Helmholtz Center","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"ConferenceProceeding"}],"best_oa_location":{"id":"doi:10.1145/3719027.3765117","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3719027.3765117","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G18682879","display_name":"EXC 2092: CyberSicherheit im Zeitalter gro\u00dfskaliger Angreifer (CASA)","funder_award_id":"390781972","funder_id":"https://openalex.org/F4320320879","funder_display_name":"Deutsche Forschungsgemeinschaft"}],"funders":[{"id":"https://openalex.org/F4320320879","display_name":"Deutsche Forschungsgemeinschaft","ror":"https://ror.org/018mejw64"}],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":25,"referenced_works":["https://openalex.org/W1991074244","https://openalex.org/W1992114977","https://openalex.org/W2002447170","https://openalex.org/W2055931054","https://openalex.org/W2095851690","https://openalex.org/W2400353634","https://openalex.org/W2743909715","https://openalex.org/W2790761820","https://openalex.org/W2901089484","https://openalex.org/W3008757785","https://openalex.org/W3040715571","https://openalex.org/W3046732376","https://openalex.org/W3164306598","https://openalex.org/W3206830212","https://openalex.org/W3216878076","https://openalex.org/W4225999506","https://openalex.org/W4252443823","https://openalex.org/W4283332017","https://openalex.org/W4307020316","https://openalex.org/W4385679748","https://openalex.org/W4396758731","https://openalex.org/W4402263908","https://openalex.org/W4402264500","https://openalex.org/W4402288715","https://openalex.org/W4408749801"],"related_works":[],"abstract_inverted_index":{"The":[0],"DOM":[1,93],"tree":[2],"is":[3],"a":[4,21,105,114],"central":[5],"part":[6],"of":[7,56,77,87,117],"modern":[8],"web":[9],"development,":[10],"enabling":[11],"JavaScript":[12,58],"to":[13],"interact":[14],"with":[15,60],"page":[16],"content":[17],"and":[18,37,129],"structure.":[19],"Only":[20],"few":[22],"prior":[23],"studies":[24],"have":[25,44],"studied":[26],"its":[27,30],"trustworthiness,":[28],"despite":[29],"widespread":[31],"use":[32],"in":[33,104,113],"guiding":[34],"program":[35],"logic":[36],"security":[38],"decisions.":[39],"Most":[40],"notably,":[41],"script":[42,71,98],"gadgets":[43,72,94],"shown":[45],"how":[46],"this":[47,66],"trust":[48],"can":[49,83,111],"be":[50],"exploited":[51],"by":[52],"triggering":[53],"the":[54,75,78,85],"execution":[55,86],"benign":[57],"fragments":[59,88],"seemingly":[61],"harmless":[62],"markup":[63,81],"injections.":[64],"In":[65],"paper,":[67],"we":[68,91],"show":[69],"that":[70,90],"are":[73],"only":[74],"tip":[76],"iceberg.":[79],"Seemingly-benign":[80],"injections":[82],"trigger":[84],"-":[89,95],"call":[92],"that,":[96],"unlike":[97],"gadgets,":[99],"do":[100],"not":[101],"necessarily":[102],"result":[103,112],"cross-site":[106,125],"scripting":[107],"vulnerability.":[108],"Instead,":[109],"they":[110],"broader":[115],"set":[116],"attacks,":[118,124,128],"such":[119],"as":[120],"browser":[121],"request":[122,126],"hijacking":[123],"forgery":[127],"user":[130],"interface":[131],"manipulations.":[132]},"counts_by_year":[],"updated_date":"2026-07-02T09:51:11.867554","created_date":"2025-11-23T00:00:00"}
