{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T07:08:47Z","timestamp":1763968127783,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":26,"publisher":"ACM","license":[{"start":{"date-parts":[[2014,3,3]],"date-time":"2014-03-03T00:00:00Z","timestamp":1393804800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2014,3,3]]},"DOI":"10.1145\/2557547.2557552","type":"proceedings-article","created":{"date-parts":[[2014,2,25]],"date-time":"2014-02-25T13:21:11Z","timestamp":1393334471000},"page":"49-60","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Automated black-box detection of access control vulnerabilities in web applications"],"prefix":"10.1145","author":[{"given":"Xiaowei","family":"Li","sequence":"first","affiliation":[{"name":"Google, Mountain View, CA, USA"}]},{"given":"Xujie","family":"Si","sequence":"additional","affiliation":[{"name":"Vanderbilt University, Nashville, TN, USA"}]},{"given":"Yuan","family":"Xue","sequence":"additional","affiliation":[{"name":"Vanderbilt University, Nashville, TN, USA"}]}],"member":"320","published-online":{"date-parts":[[2014,3,3]]},"reference":[{"doi-asserted-by":"publisher","key":"e_1_3_2_1_1_1","DOI":"10.1145\/1315245.1315250"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_2_1","DOI":"10.1145\/1866307.1866375"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_3_1","DOI":"10.1145\/2046707.2046774"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_4_1","DOI":"10.1145\/2046707.2046737"},{"unstructured":"Clover. http:\/\/www.atlassian.com\/software\/clover\/overview.  Clover. http:\/\/www.atlassian.com\/software\/clover\/overview.","key":"e_1_3_2_1_5_1"},{"key":"e_1_3_2_1_6_1","first-page":"63","volume-title":"Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In RAID'07: Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection","author":"Cova M.","year":"2007","unstructured":"M. Cova , D. Balzarotti , V. Felmetsger , and G. Vigna . Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In RAID'07: Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection , pages 63 -- 86 , 2007 . M. Cova, D. Balzarotti, V. Felmetsger, and G. Vigna. Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications. In RAID'07: Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection, pages 63--86, 2007."},{"unstructured":"Crawljax. http:\/\/crawljax.com\/.  Crawljax. http:\/\/crawljax.com\/.","key":"e_1_3_2_1_7_1"},{"key":"e_1_3_2_1_8_1","first-page":"267","volume-title":"USENIX'09: Proceedings of the 18th conference on USENIX security symposium","author":"Dalton M.","year":"2009","unstructured":"M. Dalton , C. Kozyrakis , and N. Zeldovich . Nemesis: Preventing authentication and access control vulnerabilities in web applications . In USENIX'09: Proceedings of the 18th conference on USENIX security symposium , pages 267 -- 282 , 2009 . M. Dalton, C. Kozyrakis, and N. Zeldovich. Nemesis: Preventing authentication and access control vulnerabilities in web applications. In USENIX'09: Proceedings of the 18th conference on USENIX security symposium, pages 267--282, 2009."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_9_1","DOI":"10.1145\/2046707.2046736"},{"key":"e_1_3_2_1_10_1","first-page":"26","volume-title":"Proceedings of the 21st USENIX conference on Security symposium, Security'12","author":"Doup\u00e9 A.","year":"2012","unstructured":"A. Doup\u00e9 , L. Cavedon , C. Kruegel , and G. Vigna . Enemy of the state: A state-aware black-box web vulnerability scanner . In Proceedings of the 21st USENIX conference on Security symposium, Security'12 , pages 26 -- 26 , 2012 . A. Doup\u00e9, L. Cavedon, C. Kruegel, and G. Vigna. Enemy of the state: A state-aware black-box web vulnerability scanner. In Proceedings of the 21st USENIX conference on Security symposium, Security'12, pages 26--26, 2012."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_11_1","DOI":"10.5555\/1884848.1884858"},{"key":"e_1_3_2_1_12_1","first-page":"143","volume-title":"Toward Automated Detection of Logic Vulnerabilities in Web Applications. In USENIX'10: Proceedings of the 19th conference on USENIX Security Symposium","author":"Felmetsger V.","year":"2010","unstructured":"V. Felmetsger , L. Cavedon , C. Kruegel , and G. Vigna . Toward Automated Detection of Logic Vulnerabilities in Web Applications. In USENIX'10: Proceedings of the 19th conference on USENIX Security Symposium , pages 143 -- 160 , 2010 . V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Toward Automated Detection of Logic Vulnerabilities in Web Applications. In USENIX'10: Proceedings of the 19th conference on USENIX Security Symposium, pages 143--160, 2010."},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_13_1","DOI":"10.1145\/2076732.2076767"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_14_1","DOI":"10.1145\/2484313.2484375"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_15_1","DOI":"10.1145\/2133601.2133605"},{"unstructured":"MySQL Proxy. http:\/\/dev.mysql.com\/doc\/refman\/5.0\/en\/mysql-proxy.html.  MySQL Proxy. http:\/\/dev.mysql.com\/doc\/refman\/5.0\/en\/mysql-proxy.html.","key":"e_1_3_2_1_16_1"},{"unstructured":"OWASP Top Ten Project 2013 Report. https:\/\/www.owasp.org\/index.php\/Top_10_2013-Top_10.  OWASP Top Ten Project 2013 Report. https:\/\/www.owasp.org\/index.php\/Top_10_2013-Top_10.","key":"e_1_3_2_1_17_1"},{"unstructured":"OWASP WebScarab Project. https:\/\/www.owasp.org\/index.php\/category:owasp_webscarab_project.  OWASP WebScarab Project. https:\/\/www.owasp.org\/index.php\/category:owasp_webscarab_project.","key":"e_1_3_2_1_18_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_19_1","DOI":"10.1109\/SP.2009.21"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_20_1","DOI":"10.1145\/2480362.2480699"},{"unstructured":"SeleniumHQ: Web Application Testing System. http:\/\/seleniumhq.org\/.  SeleniumHQ: Web Application Testing System. http:\/\/seleniumhq.org\/.","key":"e_1_3_2_1_21_1"},{"doi-asserted-by":"publisher","key":"e_1_3_2_1_22_1","DOI":"10.1145\/2048066.2048146"},{"key":"e_1_3_2_1_23_1","volume-title":"Fix Me Up: Repairing Access-Control Bugs in Web Applications. In NDSS'13: Proceedings of the 20th Annual Network and Distributed System Security Symposium","author":"Son S.","year":"2013","unstructured":"S. Son , K. S. McKinley , and V. Shmatikov . Fix Me Up: Repairing Access-Control Bugs in Web Applications. In NDSS'13: Proceedings of the 20th Annual Network and Distributed System Security Symposium , 2013 . S. Son, K. S. McKinley, and V. Shmatikov. Fix Me Up: Repairing Access-Control Bugs in Web Applications. In NDSS'13: Proceedings of the 20th Annual Network and Distributed System Security Symposium, 2013."},{"unstructured":"Spike PHPCoverage. http:\/\/phpcoverage.sourceforge.net\/.  Spike PHPCoverage. http:\/\/phpcoverage.sourceforge.net\/.","key":"e_1_3_2_1_24_1"},{"key":"e_1_3_2_1_25_1","first-page":"11","volume-title":"Static Detection of Access Control Vulnerabilities in Web Applications. In USENIX'11: Proceedings of the 20th USENIX Security Symposium","author":"Sun F.","year":"2011","unstructured":"F. Sun , L. Xu , and Z. Su . Static Detection of Access Control Vulnerabilities in Web Applications. In USENIX'11: Proceedings of the 20th USENIX Security Symposium , pages 11 -- 11 , 2011 . F. Sun, L. Xu, and Z. Su. Static Detection of Access Control Vulnerabilities in Web Applications. In USENIX'11: Proceedings of the 20th USENIX Security Symposium, pages 11--11, 2011."},{"key":"e_1_3_2_1_26_1","volume-title":"InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations. In NDSS'13: Proceedings of the 20th Annual Network and Distributed System Security Symposium","author":"Xing L.","year":"2013","unstructured":"L. Xing , Y. Chen , X. Wang , and S. Chen . InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations. In NDSS'13: Proceedings of the 20th Annual Network and Distributed System Security Symposium , 2013 . L. Xing, Y. Chen, X. Wang, and S. Chen. InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations. In NDSS'13: Proceedings of the 20th Annual Network and Distributed System Security Symposium, 2013."}],"event":{"sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"acronym":"CODASPY'14","name":"CODASPY'14: Fourth ACM Conference on Data and Application Security and Privacy","location":"San Antonio Texas USA"},"container-title":["Proceedings of the 4th ACM conference on Data and application security and privacy"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2557547.2557552","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2557547.2557552","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T08:09:50Z","timestamp":1750234190000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2557547.2557552"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014,3,3]]},"references-count":26,"alternative-id":["10.1145\/2557547.2557552","10.1145\/2557547"],"URL":"https:\/\/doi.org\/10.1145\/2557547.2557552","relation":{},"subject":[],"published":{"date-parts":[[2014,3,3]]},"assertion":[{"value":"2014-03-03","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}