{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:17:14Z","timestamp":1750306634014,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":36,"publisher":"ACM","license":[{"start":{"date-parts":[[2014,6,4]],"date-time":"2014-06-04T00:00:00Z","timestamp":1401840000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2014,6,4]]},"DOI":"10.1145\/2590296.2590324","type":"proceedings-article","created":{"date-parts":[[2014,5,30]],"date-time":"2014-05-30T18:18:31Z","timestamp":1401473911000},"page":"341-352","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Scanning of real-world web applications for parameter tampering vulnerabilities"],"prefix":"10.1145","author":[{"given":"Adonis P.H.","family":"Fung","sequence":"first","affiliation":[{"name":"The Chinese University of Hong Kong, Shatin NT, Hong Kong"}]},{"given":"Tielei","family":"Wang","sequence":"additional","affiliation":[{"name":"Georgia Institute of Technology, Atlanta, GA, USA"}]},{"given":"K. W.","family":"Cheung","sequence":"additional","affiliation":[{"name":"The Chinese University of Hong Kong, Shatin NT, Hong Kong"}]},{"given":"T. Y.","family":"Wong","sequence":"additional","affiliation":[{"name":"The Chinese University of Hong Kong, Shatin NT, Hong Kong"}]}],"member":"320","published-online":{"date-parts":[[2014,6,4]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Acunetix. Http fuzzer. http:\/\/www.acunetix.com\/blog\/docs\/http-fuzzer-tool\/.  Acunetix. Http fuzzer. http:\/\/www.acunetix.com\/blog\/docs\/http-fuzzer-tool\/."},{"key":"e_1_3_2_1_2_1","unstructured":"Acunetix. Web vulnerability scanner. http:\/\/www.acunetix.com\/vulnerability-scanner\/.  Acunetix. Web vulnerability scanner. http:\/\/www.acunetix.com\/vulnerability-scanner\/."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/2338965.2336760"},{"key":"e_1_3_2_1_4_1","unstructured":"ASP. Net validation controls. http:\/\/msdn.microsoft.com\/en-us\/library\/debza5t0.aspx.  ASP. Net validation controls. http:\/\/msdn.microsoft.com\/en-us\/library\/debza5t0.aspx."},{"key":"e_1_3_2_1_5_1","volume-title":"Proceedings of the 18th Annual Network and Distributed System Security Symposium, NDSS'11","author":"Balduzzi M.","year":"2011","unstructured":"M. Balduzzi , C. T. Gimenez , D. Balzarotti , and E. Kirda . Automated discovery of parameter pollution vulnerabilities in web applications . In Proceedings of the 18th Annual Network and Distributed System Security Symposium, NDSS'11 , San Diego, CA, USA , 2011 . The Internet Society. M. Balduzzi, C. T. Gimenez, D. Balzarotti, and E. Kirda. Automated discovery of parameter pollution vulnerabilities in web applications. In Proceedings of the 18th Annual Network and Distributed System Security Symposium, NDSS'11, San Diego, CA, USA, 2011. The Internet Society."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.27"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866375"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046707.2046774"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/1294261.1294265"},{"key":"e_1_3_2_1_10_1","unstructured":"CWE. Cwe-472: External control of assumed-immutable web parameter. http:\/\/cwe.mitre.org\/data\/definitions\/472.html.  CWE. Cwe-472: External control of assumed-immutable web parameter. http:\/\/cwe.mitre.org\/data\/definitions\/472.html."},{"key":"e_1_3_2_1_11_1","first-page":"26","volume-title":"Proceedings of the 21st USENIX conference on Security symposium, Security'12","author":"Doup\u00e9 A.","year":"2012","unstructured":"A. Doup\u00e9 , L. Cavedon , C. Kruegel , and G. Vigna . Enemy of the state: a state-aware black-box web vulnerability scanner . In Proceedings of the 21st USENIX conference on Security symposium, Security'12 , pages 26 -- 26 , Berkeley, CA, USA , 2012 . USENIX Association. A. Doup\u00e9, L. Cavedon, C. Kruegel, and G. Vigna. Enemy of the state: a state-aware black-box web vulnerability scanner. In Proceedings of the 21st USENIX conference on Security symposium, Security'12, pages 26--26, Berkeley, CA, USA, 2012. USENIX Association."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.5555\/1884848.1884858"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.5555\/1929820.1929834"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1755688.1755714"},{"key":"e_1_3_2_1_15_1","volume-title":"World's best internet banks","author":"Finance Global","year":"2011","unstructured":"Global Finance . World's best internet banks 2011 . http:\/\/www.gfmag.com\/tools\/best-banks\/11485-worlds-best-internet-banks-2011.html. Global Finance. World's best internet banks 2011. http:\/\/www.gfmag.com\/tools\/best-banks\/11485-worlds-best-internet-banks-2011.html."},{"key":"e_1_3_2_1_16_1","unstructured":"Google Web Toolkit. Validation framework. concept of operations. http:\/\/code.google.com\/p\/gwt-validation\/wiki\/ConceptOfOperations.  Google Web Toolkit. Validation framework. concept of operations. http:\/\/code.google.com\/p\/gwt-validation\/wiki\/ConceptOfOperations."},{"key":"e_1_3_2_1_17_1","unstructured":"HSBC. Faq - security device. https:\/\/www.hsbc.com.hk\/1\/2\/hk\/misc\/otphelp.  HSBC. Faq - security device. https:\/\/www.hsbc.com.hk\/1\/2\/hk\/misc\/otphelp."},{"key":"e_1_3_2_1_18_1","unstructured":"HTML 5. Association of controls and forms. http:\/\/dev.w3.org\/html5\/spec\/association-of-controls-and-forms.html.  HTML 5. Association of controls and forms. http:\/\/dev.w3.org\/html5\/spec\/association-of-controls-and-forms.html."},{"key":"e_1_3_2_1_19_1","unstructured":"JSON. Javascript objection notation. http:\/\/json.org\/.  JSON. Javascript objection notation. http:\/\/json.org\/."},{"key":"e_1_3_2_1_20_1","unstructured":"A. Judson. Tamper data :: Add-ons for firefox. https:\/\/addons.mozilla.org\/en-US\/firefox\/addon\/tamper-data\/.  A. Judson. Tamper data :: Add-ons for firefox. https:\/\/addons.mozilla.org\/en-US\/firefox\/addon\/tamper-data\/."},{"key":"e_1_3_2_1_21_1","first-page":"11","volume-title":"Proceedings of the 7th USENIX conference on Networked systems design and implementation, NSDI'10","author":"Mickens J.","year":"2010","unstructured":"J. Mickens , J. Elson , and J. Howell . Mugshot: deterministic capture and replay for javascript applications . In Proceedings of the 7th USENIX conference on Networked systems design and implementation, NSDI'10 , pages 11 -- 11 , Berkeley, CA, USA , 2010 . USENIX Association. J. Mickens, J. Elson, and J. Howell. Mugshot: deterministic capture and replay for javascript applications. In Proceedings of the 7th USENIX conference on Networked systems design and implementation, NSDI'10, pages 11--11, Berkeley, CA, USA, 2010. USENIX Association."},{"key":"e_1_3_2_1_22_1","unstructured":"Mozilla. Introduction to using xpath in javascript. https:\/\/developer.mozilla.org\/en\/Introduction_to_using_XPath_in_Javascript.  Mozilla. Introduction to using xpath in javascript. https:\/\/developer.mozilla.org\/en\/Introduction_to_using_XPath_in_Javascript."},{"key":"e_1_3_2_1_23_1","unstructured":"Mozilla. Mutationobserver. https:\/\/developer.mozilla.org\/en-US\/docs\/DOM\/MutationObserver.  Mozilla. Mutationobserver. https:\/\/developer.mozilla.org\/en-US\/docs\/DOM\/MutationObserver."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/375360.375365"},{"key":"e_1_3_2_1_25_1","unstructured":"OWASP. Fuzzing with webscarab. https:\/\/www.owasp.org\/index.php\/Fuzzing_with_WebScarab.  OWASP. Fuzzing with webscarab. https:\/\/www.owasp.org\/index.php\/Fuzzing_with_WebScarab."},{"key":"e_1_3_2_1_26_1","first-page":"A4","volume":"10","author":"OWASP","year":"2013","unstructured":"OWASP . Top 10 2013 A4 -Insecure Direct Object References. https:\/\/www.owasp.org\/index.php\/Top_10_2013-A4-Insecure_Direct_Object_References. OWASP. Top 10 2013 A4-Insecure Direct Object References. https:\/\/www.owasp.org\/index.php\/Top_10_2013-A4-Insecure_Direct_Object_References.","journal-title":"Top"},{"key":"e_1_3_2_1_27_1","unstructured":"PhantomJS. Headless webkit with javascript api.http:\/\/phantomjs.org\/.  PhantomJS. Headless webkit with javascript api.http:\/\/phantomjs.org\/."},{"key":"e_1_3_2_1_28_1","unstructured":"J. Resig. jquery. http:\/\/jquery.com\/.  J. Resig. jquery. http:\/\/jquery.com\/."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.38"},{"key":"e_1_3_2_1_30_1","unstructured":"Selenium. Web browser automation. http:\/\/seleniumhq.org\/.  Selenium. Web browser automation. http:\/\/seleniumhq.org\/."},{"key":"e_1_3_2_1_31_1","unstructured":"Skipfish. Web application security scanner. https:\/\/code.google.com\/p\/skipfish\/.  Skipfish. Web application security scanner. https:\/\/code.google.com\/p\/skipfish\/."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653685"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.30"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.26"},{"key":"e_1_3_2_1_35_1","volume-title":"Proceedings of the 20th Annual Network and Distributed System Security Symposium, NDSS'13","author":"Xing L.","year":"2013","unstructured":"L. Xing , Y. Chen , X. Wang , and S. Chen . Integuard: Toward automatic protection of third-party web service integrations . In Proceedings of the 20th Annual Network and Distributed System Security Symposium, NDSS'13 , San Diego, CA, USA , 2013 . The Internet Society. L. Xing, Y. Chen, X. Wang, and S. Chen. Integuard: Toward automatic protection of third-party web service integrations. In Proceedings of the 20th Annual Network and Distributed System Security Symposium, NDSS'13, San Diego, CA, USA, 2013. The Internet Society."},{"key":"e_1_3_2_1_36_1","unstructured":"S. Yang. Search engine keyword highlighting with javascript. http:\/\/scott.yang.id.au\/code\/se-hilite\/.  S. Yang. Search engine keyword highlighting with javascript. http:\/\/scott.yang.id.au\/code\/se-hilite\/."}],"event":{"name":"ASIA CCS '14: 9th ACM Symposium on Information, Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Kyoto Japan","acronym":"ASIA CCS '14"},"container-title":["Proceedings of the 9th ACM symposium on Information, computer and communications security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2590296.2590324","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2590296.2590324","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T06:55:51Z","timestamp":1750229751000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2590296.2590324"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014,6,4]]},"references-count":36,"alternative-id":["10.1145\/2590296.2590324","10.1145\/2590296"],"URL":"https:\/\/doi.org\/10.1145\/2590296.2590324","relation":{},"subject":[],"published":{"date-parts":[[2014,6,4]]},"assertion":[{"value":"2014-06-04","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}