{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,20]],"date-time":"2025-12-20T22:04:42Z","timestamp":1766268282193,"version":"3.37.3"},"reference-count":26,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2023,3,20]],"date-time":"2023-03-20T00:00:00Z","timestamp":1679270400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,3,20]],"date-time":"2023-03-20T00:00:00Z","timestamp":1679270400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2023,8]]},"DOI":"10.1007\/s10207-023-00671-5","type":"journal-article","created":{"date-parts":[[2023,3,20]],"date-time":"2023-03-20T05:02:56Z","timestamp":1679288576000},"page":"1029-1054","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Business-layer client-side racer: dynamic security testing of the web application against client-side race condition in the business layer"],"prefix":"10.1007","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0918-411X","authenticated-orcid":false,"given":"Mitra","family":"Alidoosti","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alireza","family":"Nowroozi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ahmad","family":"Nickabadi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,3,20]]},"reference":[{"key":"671_CR1","unstructured":"Flexcoin (2014). 
https:\/\/web.archive.org\/web\/20160408190656\/http:\/\/www.flexcoin.com\/"},{"key":"671_CR2","doi-asserted-by":"crossref","unstructured":"Paleari, R., Marrone, D., Bruschi, D., Monga, M.: On race vulnerabilities in web applications. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 126\u2013142. Springer, Berlin, Heidelberg (2008)","DOI":"10.1007\/978-3-540-70542-0_7"},{"key":"671_CR3","unstructured":"OWASP: Owasp top ten 2013 (2013). https:\/\/www.owasp.org\/index.php\/OWASP_Top_10#tab=OWASP_Top_10_for_2013"},{"key":"671_CR4","unstructured":"SANS: Cwe\/sans top 25 Most Dangerous Software Errors (2011). https:\/\/www.sans.org\/top25-software-errors"},{"key":"671_CR5","unstructured":"Trustwave: Trustwave 2011 Global Security Report Reveals Shift in Cybercrime (2011). https:\/\/www.trustwave.com\/downloads\/Trustwave_WP_Global_Security_Report_2011.pdf"},{"key":"671_CR6","unstructured":"Emous, R.J.: Towards systematic black-box testing for exploitable race conditions in web apps. Master's thesis, University of Twente"},{"issue":"2","key":"671_CR7","first-page":"131","volume":"2","author":"M Bishop","year":"1996","unstructured":"Bishop, M., Dilger, M.: Checking for race conditions in file accesses. Comput. Syst. 2(2), 131\u2013152 (1996)","journal-title":"Comput. Syst."},{"key":"671_CR8","unstructured":"CERT: Advisory CA-2000\u201302: Malicious HTML Tags Embedded in Client Web Requests (2002)"},{"key":"671_CR9","doi-asserted-by":"crossref","unstructured":"Zheng, Y., Zhang, X.: Static detection of resource contention problems in server-side scripts. In: 2012 34th International Conference on Software Engineering (ICSE), pp. 584\u2013594. IEEE (2012)","DOI":"10.1109\/ICSE.2012.6227158"},{"key":"671_CR10","doi-asserted-by":"crossref","unstructured":"Adamsen, C.Q., M\u00f8ller, A., Tip, F.: Practical initialization race detection for JavaScript web applications. 
In: Proceedings of the ACM on Programming Languages (2017)","DOI":"10.1145\/3133890"},{"key":"671_CR11","doi-asserted-by":"crossref","unstructured":"Adamsen, C.Q., M\u00f8ller, A., Alimadadi, S., Tip, F.: Practical AJAX race detection for JavaScript web applications. In: Proceedings of the 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (2018)","DOI":"10.1145\/3236024.3236038"},{"key":"671_CR12","doi-asserted-by":"crossref","unstructured":"Petrov, B., Vechev, M., Sridharan, M., Dolby, J.: Race detection for web applications. In: ACM SIGPLAN Notices, Vol. 47, No. 6, pp. 251\u2013262 (2012)","DOI":"10.1145\/2345156.2254095"},{"key":"671_CR13","doi-asserted-by":"crossref","unstructured":"Wang, W., Zheng, Y., Liu, P., Xu, L., Zhang, X., Eugster, P.: ARROW: automated repair of races on client-side web pages. In: Proceedings of the 25th International Symposium on Software Testing and Analysis, pp. 201\u2013212 (2016)","DOI":"10.1145\/2931037.2931052"},{"key":"671_CR14","doi-asserted-by":"crossref","unstructured":"Adamsen, C.Q., M\u00f8ller, A., Karim, R., Sridharan, M., Tip, F., Sen, K.: Repairing event race errors by controlling nondeterminism. In: 2017 IEEE\/ACM 39th International Conference on Software Engineering (ICSE), pp. 289\u2013299 (2017)","DOI":"10.1109\/ICSE.2017.34"},{"key":"671_CR15","doi-asserted-by":"crossref","unstructured":"Mutlu, E., Tasiran, S., Livshits, B.: Detecting JavaScript races that matter. In: Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering, pp. 381\u2013392 (2015)","DOI":"10.1145\/2786805.2786820"},{"key":"671_CR16","doi-asserted-by":"crossref","unstructured":"Raychev, V., Vechev, M., Sridharan, M.: Effective race detection for event-driven programs. In: ACM SIGPLAN Notices, Vol. 48, No. 10, pp. 
151\u2013166 (2013)","DOI":"10.1145\/2544173.2509538"},{"key":"671_CR17","doi-asserted-by":"crossref","unstructured":"Zhang, L., Wang, C.: RClassify: classifying race conditions in web applications via deterministic replay. In: Proceedings of the 39th International Conference on Software Engineering, pp. 278\u2013288, IEEE Press (2017)","DOI":"10.1109\/ICSE.2017.33"},{"key":"671_CR18","doi-asserted-by":"crossref","unstructured":"Hong, S., Park, Y., Kim, M.: Detecting concurrency errors in client-side Javascript web applications. In: Proceedings of the 7th IEEE International Conference on Software Testing, Verification and Validation (2014)","DOI":"10.1109\/ICST.2014.17"},{"key":"671_CR19","unstructured":"Ide, J., Bodik, R., Kimelman, D.: Concurrency concerns in rich internet applications. In: Proceedings of the Workshop on Exploiting Concurrency Efficiently and Correctly (2009)"},{"key":"671_CR20","doi-asserted-by":"crossref","unstructured":"Jensen, C.S., M\u00f8ller, A., Raychev, V., Dimitrov, D., Vechev, M.T.: Stateless model checking of event-driven applications. In: Proceedings of the 30th ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (2015)","DOI":"10.1145\/2814270.2814282"},{"key":"671_CR21","doi-asserted-by":"publisher","unstructured":"Alidoosti, M., Nowroozi, A.: BL-ProM: Business-layer process miner of the web application. In: ISCISC, pp. 1\u20136. IEEE (2018). ISBN 978\u20131\u20135386\u20137582\u20133. https:\/\/doi.org\/10.1109\/ISCISC.2018.8546899","DOI":"10.1109\/ISCISC.2018.8546899"},{"key":"671_CR22","unstructured":"Halfond, W.G., Viegas, J., Orso, A.: A classification of SQL-injection attacks and countermeasures. 
In: Proceedings of the IEEE International Symposium on Secure Software Engineering, Arlington, VA, USA (2006)"},{"issue":"2","key":"671_CR23","first-page":"65","volume":"6","author":"M Alidoosti","year":"2019","unstructured":"Alidoosti, M., Nowroozi, A., Nickabadi, A.: BLProM: a black-box approach for detecting business-layer processes in the web applications. J. Comput. Secur. 6(2), 65\u201380 (2019)","journal-title":"J. Comput. Secur."},{"issue":"3","key":"671_CR24","doi-asserted-by":"publisher","first-page":"433","DOI":"10.4218\/etrij.2019-0164","volume":"42","author":"M Alidoosti","year":"2020","unstructured":"Alidoosti, M., Nowroozi, A., Nickabadi, A.: Evaluating the web-application resiliency to business-layer DoS attacks. ETRI J. 42(3), 433\u2013445 (2020). https:\/\/doi.org\/10.4218\/etrij.2019-0164","journal-title":"ETRI J."},{"key":"671_CR25","doi-asserted-by":"publisher","first-page":"116569","DOI":"10.1016\/j.eswa.2022.116569","volume":"195","author":"M Alidoosti","year":"2022","unstructured":"Alidoosti, M., Nowroozi, A., Nickabadi, A.: Semantic web racer: dynamic security testing of the web application against race condition in the business layer. Expert Syst. Appl. 195, 116569 (2022). https:\/\/doi.org\/10.1016\/j.eswa.2022.116569","journal-title":"Expert Syst. Appl."},{"issue":"1","key":"671_CR26","first-page":"83","volume":"14","author":"MA Lidoosti","year":"2021","unstructured":"Lidoosti, M.A., Nowroozi, A.N.: Business-layer session puzzling racer: dynamic security testing against session puzzling race conditions in the business layer. ISC Int. J. Inf. Secur. 14(1), 83\u2013104 (2021)","journal-title":"ISC Int. J. Inf. 
Secur."}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-023-00671-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-023-00671-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-023-00671-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,7,26]],"date-time":"2023-07-26T01:08:35Z","timestamp":1690333715000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-023-00671-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,20]]},"references-count":26,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2023,8]]}},"alternative-id":["671"],"URL":"https:\/\/doi.org\/10.1007\/s10207-023-00671-5","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2023,3,20]]},"assertion":[{"value":"8 February 2023","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"20 March 2023","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors have no conflict of interest to declare that are relevant to the content of this article.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of Interest"}},{"value":"This article does not contain any studies with human participants or animals performed by any of the 
authors.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}}]}}