{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T15:04:54Z","timestamp":1774364694843,"version":"3.50.1"},"reference-count":51,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-017"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-012"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T00:00:00Z","timestamp":1780272000000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-004"}],"funder":[{"DOI":"10.13039\/501100008081","name":"Southeast University","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100008081","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers &amp; Security"],"published-print":{"date-parts":[[2026,6]]},"DOI":"10.1016\/j.cose.2026.104865","type":"journal-article","created":{"date-parts":[[2026,2,16]],"date-time":"2026-02-16T16:48:10Z","timestamp":1771260490000},"page":"104865","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["SpringFuzz: Comprehensive grey-box fuzzing of spring-based web applications"],"prefix":"10.1016","volume":"165","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7831-1122","authenticated-orcid":false,"given":"Dikai","family":"Zou","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3052-3828","authenticated-orcid":false,"given":"Jun","family":"Tao","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0009-4456-3271","authenticated-orcid":false,"given":"Ruijie","family":"Li","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0008-0549-4237","authenticated-orcid":false,"given":"Kecheng","family":"Zhou","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9511-2475","authenticated-orcid":false,"given":"Haotian","family":"Wu","sequence":"additional","affiliation":[]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2026.104865_bib0001","series-title":"NDSS","article-title":"Testability tarpits: the impact of code patterns on the security testing of web applications","author":"Al Kassar","year":"2022"},{"issue":"1","key":"10.1016\/j.cose.2026.104865_bib0002","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3293455","article-title":"Restful API automated test case generation with evomaster","volume":"28","author":"Arcuri","year":"2019","journal-title":"ACM Trans. Software Eng. Methodol. (TOSEM)"},{"key":"10.1016\/j.cose.2026.104865_bib0003","series-title":"NDSS","first-page":"1","article-title":"REDQUEEN: fuzzing with input-to-state correspondence","volume":"Vol. 19","author":"Aschermann","year":"2019"},{"key":"10.1016\/j.cose.2026.104865_bib0004","series-title":"2019 IEEE\/ACM 41st International Conference on Software Engineering (ICSE)","first-page":"748","article-title":"Restler: stateful rest API fuzzing","author":"Atlidakis","year":"2019"},{"key":"10.1016\/j.cose.2026.104865_bib0005","series-title":"28th USENIX Security Symposium (USENIX Security 19)","first-page":"1985","article-title":"GRIMOIRE: synthesizing structure while fuzzing","author":"Blazytko","year":"2019"},{"key":"10.1016\/j.cose.2026.104865_bib0006","series-title":"Proceedings of the 2025 Network and Distributed System Security Symposium (NDSS\u201925). doi","article-title":"NODEMEDIC-FINE: automatic detection and exploit synthesis for node. JS vulnerabilities","volume":"Vol. 10","author":"Cassel","year":"2025"},{"key":"10.1016\/j.cose.2026.104865_bib0007","unstructured":"chaitin, 2019. Xray. https:\/\/github.com\/chaitin\/xray."},{"key":"10.1016\/j.cose.2026.104865_bib0008","series-title":"2018 IEEE Symposium on Security and Privacy (SP)","first-page":"711","article-title":"Angora: efficient fuzzing by principled search","author":"Chen","year":"2018"},{"key":"10.1016\/j.cose.2026.104865_bib0009","unstructured":"CodeIntelligenceTesting, 2021. Jazzer: coverage-guided, in-process fuzzing for the JVM. https:\/\/github.com\/CodeIntelligenceTesting\/jazzer."},{"key":"10.1016\/j.cose.2026.104865_bib0010","series-title":"32nd USENIX Security Symposium (USENIX Security 23)","first-page":"5593","article-title":"NAUTILUS: automated RESTful API vulnerability detection","author":"Deng","year":"2023"},{"key":"10.1016\/j.cose.2026.104865_bib0011","series-title":"33rd USENIX Security Symposium (USENIX Security 24)","first-page":"739","article-title":"Vulnerability-oriented testing for RESTful APIs","author":"Du","year":"2024"},{"key":"10.1016\/j.cose.2026.104865_bib0012","series-title":"2021 IEEE Symposium on Security and Privacy (SP)","first-page":"1125","article-title":"Black widow: blackbox data-driven web scanning","author":"Eriksson","year":"2021"},{"issue":"PLDI","key":"10.1016\/j.cose.2026.104865_bib0013","doi-asserted-by":"crossref","first-page":"417","DOI":"10.1145\/3656394","article-title":"Efficient static vulnerability analysis for javascript with multiversion dependency graphs","volume":"8","author":"Ferreira","year":"2024","journal-title":"Proc. ACM on Program. Lang."},{"key":"10.1016\/j.cose.2026.104865_bib0014","series-title":"14th USENIX Workshop on Offensive Technologies (WOOT 20)","article-title":"AFL++: combining incremental steps of fuzzing research","author":"Fioraldi","year":"2020"},{"key":"10.1016\/j.cose.2026.104865_bib0015","unstructured":"Gauthier, F., Hassanshahi, B., Selwyn-Smith, B., Mai, T. N., Schl\u00fcter, M., Williams, M., 2021. Backrest: a model-based feedback-driven greybox fuzzer for web applications. arXiv: 2108.08455."},{"key":"10.1016\/j.cose.2026.104865_bib0016","unstructured":"Github, 2018. CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in github advanced security. https:\/\/github.com\/github\/codeql."},{"key":"10.1016\/j.cose.2026.104865_bib0017","doi-asserted-by":"crossref","unstructured":"Gnieciak, D., Szandala, T., 2025. Large language models versus static code analysis tools: a systematic benchmark for vulnerability detection. arXiv: 2508.04448.","DOI":"10.1109\/ACCESS.2025.3635168"},{"key":"10.1016\/j.cose.2026.104865_bib0018","unstructured":"google, 2016. Afl: American fuzzy lop - a security-oriented fuzzer. https:\/\/github.com\/google\/AFL."},{"key":"10.1016\/j.cose.2026.104865_bib0019","series-title":"32nd USENIX Security Symposium (USENIX Security 23)","first-page":"4535","article-title":"Systematic assessment of fuzzers using mutation analysis","author":"G\u00f6rz","year":"2023"},{"key":"10.1016\/j.cose.2026.104865_bib0020","series-title":"33rd USENIX Security Symposium (USENIX Security 24)","first-page":"4765","article-title":"Atropos: effective fuzzing of web applications for server-side vulnerabilities","author":"G\u00fcler","year":"2024"},{"key":"10.1016\/j.cose.2026.104865_bib0021","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2025.104479","article-title":"HScheduler: an execution history-based seed scheduling strategy for hardware fuzzing","volume":"155","author":"Guo","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104865_bib0022","unstructured":"jacoco, Jacoco, 2012. https:\/\/github.com\/jacoco\/jacoco."},{"key":"10.1016\/j.cose.2026.104865_bib0023","series-title":"33rd USENIX Security Symposium (USENIX Security 24)","first-page":"2441","article-title":"SDFuzz: target states driven directed fuzzing","author":"Li","year":"2024"},{"key":"10.1016\/j.cose.2026.104865_bib0024","unstructured":"Li, Z., Dutta, S., Naik, M., 2024b. Iris: LLM-assisted static analysis for detecting security vulnerabilities. arXiv: 2405.17238."},{"key":"10.1016\/j.cose.2026.104865_bib0025","series-title":"34th USENIX Security Symposium (USENIX Security 25)","first-page":"8349","article-title":"Effective directed fuzzing with hierarchical scheduling for web vulnerability detection","author":"Lin","year":"2025"},{"key":"10.1016\/j.cose.2026.104865_bib0026","series-title":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","first-page":"2175","article-title":"Tchecker: precise static inter-procedural analysis for detecting taint-style vulnerabilities in php applications","author":"Luo","year":"2022"},{"key":"10.1016\/j.cose.2026.104865_bib0027","series-title":"Proceedings of the 19th ACM Asia Conference on Computer and Communications Security","first-page":"1523","article-title":"What all the phuzz is about: a coverage-guided fuzzer for finding vulnerabilities in PHP web applications","author":"Neef","year":"2024"},{"key":"10.1016\/j.cose.2026.104865_bib0028","unstructured":"OWASP, 2025. Owasp top ten. https:\/\/owasp.org\/www-project-top-ten\/."},{"key":"10.1016\/j.cose.2026.104865_bib0029","unstructured":"PortSwigger, 2024. Burp suite. https:\/\/portswigger.net\/burp."},{"key":"10.1016\/j.cose.2026.104865_bib0030","series-title":"2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","first-page":"509","article-title":"Brigadier: a datalog-based IAST framework for node. js applications","author":"Pupo","year":"2023"},{"key":"10.1016\/j.cose.2026.104865_bib0031","unstructured":"Putu Arya Dharmaadi, I., Alhanahnah, M., Pham, V.-T., Mohsen, F., Turkmen, F., 2025. Bacfuzz: Exposing the silence on broken access control vulnerabilities in web applications. arXiv: 2507."},{"key":"10.1016\/j.cose.2026.104865_bib0032","series-title":"European Symposium on Research in Computer Security","first-page":"152","article-title":"Webfuzz: grey-box fuzzing for web applications","author":"van Rooij","year":"2021"},{"key":"10.1016\/j.cose.2026.104865_bib0033","series-title":"2024 IEEE Symposium on Security and Privacy (SP)","first-page":"1974","article-title":"Sok: prudent evaluation practices for fuzzing","author":"Schloegel","year":"2024"},{"key":"10.1016\/j.cose.2026.104865_bib0034","unstructured":"semgrep, 2019. Semgrep: lightweight static analysis for many languages. Find bug variants with patterns that look like source code. https:\/\/github.com\/semgrep\/semgrep."},{"key":"10.1016\/j.cose.2026.104865_bib0035","series-title":"2022 IEEE Symposium on Security and Privacy (SP)","first-page":"2194","article-title":"Effective seed scheduling for fuzzing with graph centrality analysis","author":"She","year":"2022"},{"key":"10.1016\/j.cose.2026.104865_bib0036","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2025.104581","article-title":"CSFuzzer: a grey-box fuzzer for network protocol using context-aware state feedback","volume":"157","author":"Song","year":"2025","journal-title":"Comput. Secur."},{"issue":"3","key":"10.1016\/j.cose.2026.104865_bib0037","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3332371","article-title":"Static identification of injection attacks in java","volume":"41","author":"Spoto","year":"2019","journal-title":"ACM Trans. Program. Lang. Syst. (TOPLAS)"},{"key":"10.1016\/j.cose.2026.104865_bib0038","unstructured":"Spring, 2023. Spring. https:\/\/spring.io."},{"key":"10.1016\/j.cose.2026.104865_bib0039","series-title":"Proceedings of the 30th ACM Sigsoft International Symposium on Software Testing and Analysis","first-page":"244","article-title":"Gramatron: effective grammar-aware fuzzing","author":"Srivastava","year":"2021"},{"key":"10.1016\/j.cose.2026.104865_bib0040","series-title":"Proceedings of the ACM\/IEEE 42nd International Conference on Software Engineering","first-page":"198","article-title":"Extracting taint specifications for javascript libraries","author":"Staicu","year":"2020"},{"key":"10.1016\/j.cose.2026.104865_bib0041","series-title":"2023 IEEE Symposium on Security and Privacy (SP)","first-page":"2658","article-title":"Toss a fault to your witcher: applying grey-box coverage-guided mutational fuzzing to detect sql and command injection vulnerabilities","author":"Trickel","year":"2023"},{"key":"10.1016\/j.cose.2026.104865_bib0042","series-title":"2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST)","first-page":"142","article-title":"RestTestGen: automated black-box testing of restful apis","author":"Viglianisi","year":"2020"},{"key":"10.1016\/j.cose.2026.104865_bib0043","unstructured":"vmware, 2024. The state of spring 2024. https:\/\/www.vmware.com\/docs\/vmw-the-state-of-spring."},{"key":"10.1016\/j.cose.2026.104865_bib0044","series-title":"2025 IEEE Symposium on Security and Privacy (SP)","first-page":"886","article-title":"Predator: directed web application fuzzing for efficient vulnerability validation","author":"Wang","year":"2025"},{"key":"10.1016\/j.cose.2026.104865_bib0045","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2024.103811","article-title":"NCMFuzzer: Using non-critical field mutation and test case combination to improve the efficiency of ics protocol fuzzing","volume":"141","author":"Wanyan","year":"2024","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104865_bib0046","series-title":"Proceedings of the 44th International Conference on Software Engineering","first-page":"426","article-title":"Combinatorial testing of restful apis","author":"Wu","year":"2022"},{"key":"10.1016\/j.cose.2026.104865_bib0047","series-title":"27th USENIX Security Symposium (USENIX Security 18)","first-page":"745","article-title":"QSYM: a practical concolic execution engine tailored for hybrid fuzzing","author":"Yun","year":"2018"},{"key":"10.1016\/j.cose.2026.104865_bib0048","doi-asserted-by":"crossref","DOI":"10.1016\/j.cose.2025.104621","article-title":"MSNFuzz: multi-criteria state-sensitive network protocol fuzzing","volume":"158","author":"Zhai","year":"2025","journal-title":"Comput. Secur."},{"key":"10.1016\/j.cose.2026.104865_bib0049","series-title":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","first-page":"1257","article-title":"Profile-guided system optimizations for accelerated greybox fuzzing","author":"Zhang","year":"2023"},{"issue":"11s","key":"10.1016\/j.cose.2026.104865_bib0050","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3512345","article-title":"Fuzzing: a survey for roadmap","volume":"54","author":"Zhu","year":"2022","journal-title":"ACM Comput. Surv. (CSUR)"},{"issue":"11s","key":"10.1016\/j.cose.2026.104865_bib0051","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3512345","article-title":"Fuzzing: a survey for roadmap","volume":"54","author":"Zhu","year":"2022","journal-title":"ACM Comput. Surv. (CSUR)"}],"container-title":["Computers &amp; Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826000416?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826000416?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T14:19:33Z","timestamp":1774361973000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404826000416"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,6]]},"references-count":51,"alternative-id":["S0167404826000416"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2026.104865","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2026,6]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"SpringFuzz: Comprehensive grey-box fuzzing of spring-based web applications","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2026.104865","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 Elsevier Ltd. All rights are reserved, including those for text and data mining, AI training, and similar technologies.","name":"copyright","label":"Copyright"}],"article-number":"104865"}}