{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,3]],"date-time":"2026-06-03T07:28:38Z","timestamp":1780471718784,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":42,"publisher":"ACM","license":[{"start":{"date-parts":[[2016,5,30]],"date-time":"2016-05-30T00:00:00Z","timestamp":1464566400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2016,5,30]]},"DOI":"10.1145\/2897845.2897874","type":"proceedings-article","created":{"date-parts":[[2016,5,27]],"date-time":"2016-05-27T12:37:36Z","timestamp":1464352656000},"page":"651-662","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":38,"title":["Model-based Security Testing"],"prefix":"10.1145","author":[{"given":"Ronghai","family":"Yang","sequence":"first","affiliation":[{"name":"The Chinese University of Hong Kong, Hong Kong, Hong Kong"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Guanchen","family":"Li","sequence":"additional","affiliation":[{"name":"The Chinese University of Hong Kong, Hong Kong, Hong Kong"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Wing Cheong","family":"Lau","sequence":"additional","affiliation":[{"name":"The Chinese University of Hong Kong, Hong Kong, Hong Kong"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Kehuan","family":"Zhang","sequence":"additional","affiliation":[{"name":"The Chinese University of Hong Kong, Hong Kong, Hong Kong"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Pili","family":"Hu","sequence":"additional","affiliation":[{"name":"The Chinese University of Hong Kong, Hong Kong, Hong Kong"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2016,5,30]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"R. Abela. HTTP Fuzzer. acunitex.  R. Abela. HTTP Fuzzer. acunitex."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/1978582.1978601"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/1456396.1456397"},{"key":"e_1_3_2_1_4_1","volume-title":"NDSS","author":"Bai G.","year":"2013","unstructured":"G. Bai , J. Lei , G. Meng , S. S. Venkatraman , P. Saxena , J. Sun , Y. Liu , and J. S. Dong . AuthScan: Automatic extraction of web authentication protocols from implementations . In NDSS , 2013 . G. Bai, J. Lei, G. Meng, S. S. Venkatraman, P. Saxena, J. Sun, Y. Liu, and J. S. Dong. AuthScan: Automatic extraction of web authentication protocols from implementations. In NDSS, 2013."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2012.27"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455782"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.39"},{"key":"e_1_3_2_1_8_1","volume-title":"Universally composable security analysis of OAuth v2.0. IACR Cryptology ePrint Archive","author":"Chari S.","year":"2011","unstructured":"S. Chari , C. S. Jutla , and A. Roy . Universally composable security analysis of OAuth v2.0. IACR Cryptology ePrint Archive , 2011 . S. Chari, C. S. Jutla, and A. Roy. Universally composable security analysis of OAuth v2.0. IACR Cryptology ePrint Archive, 2011."},{"key":"e_1_3_2_1_9_1","volume-title":"Securing multiparty online services via certification of symbolic transactions","author":"Chen E. Y.","year":"2015","unstructured":"E. Y. Chen , S. Chen , S. Qadeer , and R. Wang . Securing multiparty online services via certification of symbolic transactions . 2015 . E. Y. Chen, S. Chen, S. Qadeer, and R. Wang. Securing multiparty online services via certification of symbolic transactions. 2015."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660323"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2009.14"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1353673.1353681"},{"key":"e_1_3_2_1_13_1","volume-title":"USENIX Security","author":"Doup\u00e9 A.","year":"2012","unstructured":"A. Doup\u00e9 , L. Cavedon , C. Kruegel , and G. Vigna . Enemy of the state: A state-aware black-box web vulnerability scanner . In USENIX Security , 2012 . A. Doup\u00e9, L. Cavedon, C. Kruegel, and G. Vigna. Enemy of the state: A state-aware black-box web vulnerability scanner. In USENIX Security, 2012."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-05031-2_14"},{"key":"e_1_3_2_1_15_1","volume-title":"Proc. Microsoft Research","author":"Ernits J.","year":"2008","unstructured":"J. Ernits , M. Veanes , and J. Helander . Model-based testing of robots with NModel . Proc. Microsoft Research , 2008 . J. Ernits, M. Veanes, and J. Helander. Model-based testing of robots with NModel. Proc. Microsoft Research, 2008."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.49"},{"key":"e_1_3_2_1_17_1","volume-title":"Security evaluation of the OAuth 2.0 framework. Information Management and Computer Security, 22(3)","author":"Gibbons K.","year":"2014","unstructured":"K. Gibbons , J. O. Raw , and K. Curran . Security evaluation of the OAuth 2.0 framework. Information Management and Computer Security, 22(3) , 2014 . K. Gibbons, J. O. Raw, and K. Curran. Security evaluation of the OAuth 2.0 framework. Information Management and Computer Security, 22(3), 2014."},{"key":"e_1_3_2_1_18_1","volume-title":"RFC6749: The OAuth 2.0 authorization framework","author":"Hardt D.","year":"2012","unstructured":"D. Hardt . RFC6749: The OAuth 2.0 authorization framework . 2012 . D. Hardt. RFC6749: The OAuth 2.0 authorization framework. 2012."},{"key":"e_1_3_2_1_19_1","unstructured":"E. Homakov. The Achilles Heel of OAuth or Why Facebook Adds Special Fragment.  E. Homakov. The Achilles Heel of OAuth or Why Facebook Adds Special Fragment."},{"key":"e_1_3_2_1_20_1","unstructured":"E. Homakov. The most common OAuth2 vulnerability. http:\/\/homakov.blogspot.hk\/2012\/07\/saferweb-most-common-oauth2.html.  E. Homakov. The most common OAuth2 vulnerability. http:\/\/homakov.blogspot.hk\/2012\/07\/saferweb-most-common-oauth2.html."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660460.2660463"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.25080\/Majora-ebaa42b7-008"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.5555\/1349741"},{"key":"e_1_3_2_1_24_1","unstructured":"W. Jing. Covert redirect attack. http:\/\/tetraph.com\/covert_redirect.  W. Jing. Covert redirect attack. http:\/\/tetraph.com\/covert_redirect."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.49"},{"key":"e_1_3_2_1_26_1","volume-title":"RFC6819: OAuth 2.0 threat model and security considerations","author":"Lodderstedt T.","year":"2013","unstructured":"T. Lodderstedt , M. McGloin , and P. Hunt . RFC6819: OAuth 2.0 threat model and security considerations . 2013 . T. Lodderstedt, M. McGloin, and P. Hunt. RFC6819: OAuth 2.0 threat model and security considerations. 2013."},{"key":"e_1_3_2_1_27_1","volume-title":"HotSpot'14-2nd Workshop on Hot Issues in Security Principles and Trust","author":"Maatoug G.","year":"2014","unstructured":"G. Maatoug , F. Dadeau , and M. Rusinowitch . Model-based vulnerability testing of payment protocol implementations . In HotSpot'14-2nd Workshop on Hot Issues in Security Principles and Trust , 2014 . G. Maatoug, F. Dadeau, and M. Rusinowitch. Model-based vulnerability testing of payment protocol implementations. In HotSpot'14-2nd Workshop on Hot Issues in Security Principles and Trust, 2014."},{"key":"e_1_3_2_1_28_1","volume-title":"Citizen Lab","author":"Marczak B.","year":"2015","unstructured":"B. Marczak , N. Weaver , J. Dalek , R. Ensafi , D. Fifield , S. McKune , A. Rey , J. Scott-Railton , R. Deibert , and V. Paxson . China's great cannon . Citizen Lab , 2015 . B. Marczak, N. Weaver, J. Dalek, R. Ensafi, D. Fifield, S. McKune, A. Rey, J. Scott-Railton, R. Deibert, and V. Paxson. China's great cannon. Citizen Lab, 2015."},{"key":"e_1_3_2_1_29_1","volume-title":"SOFSEM","author":"Miculan M.","year":"2011","unstructured":"M. Miculan and C. Urban . Formal analysis of Facebook Connect Single Sign-On authentication protocol . In SOFSEM , 2011 . M. Miculan and C. Urban. Formal analysis of Facebook Connect Single Sign-On authentication protocol. In SOFSEM, 2011."},{"key":"e_1_3_2_1_30_1","unstructured":"B. Muthukadan. Selinum with Python.  B. Muthukadan. Selinum with Python."},{"key":"e_1_3_2_1_31_1","unstructured":"OAuth.io. CasperJs Automated Testing for The OAuth Flow.  OAuth.io. CasperJs Automated Testing for The OAuth Flow."},{"key":"e_1_3_2_1_32_1","unstructured":"OWASP. Fuzzing with WebScarab.  OWASP. Fuzzing with WebScarab."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSNT.2011.141"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23021"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/2591062.2591180"},{"key":"e_1_3_2_1_36_1","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment.","author":"Shernan E.","year":"2015","unstructured":"E. Shernan , H. Carter , D. Tian , P. Traynor , and K. Butler . More guidelines than rules: CSRF vulnerabilities from noncompliant OAuth 2.0 implementations . In Detection of Intrusions and Malware, and Vulnerability Assessment. 2015 . E. Shernan, H. Carter, D. Tian, P. Traynor, and K. Butler. More guidelines than rules: CSRF vulnerabilities from noncompliant OAuth 2.0 implementations. In Detection of Intrusions and Malware, and Vulnerability Assessment. 2015."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382238"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2012.02.005"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.30"},{"key":"e_1_3_2_1_40_1","volume-title":"USENIX Security","author":"Wang R.","year":"2013","unstructured":"R. Wang , Y. Zhou , S. Chen , S. Qadeer , D. Evans , and Y. Gurevich . Explicating SDKs: Uncovering assumptions underlying secure authentication and authorization . In USENIX Security , 2013 . R. Wang, Y. Zhou, S. Chen, S. Qadeer, D. Evans, and Y. Gurevich. Explicating SDKs: Uncovering assumptions underlying secure authentication and authorization. In USENIX Security, 2013."},{"key":"e_1_3_2_1_41_1","volume-title":"NDSS","author":"Xing L.","year":"2013","unstructured":"L. Xing , Y. Chen , X. Wang , and S. Chen . Integuard: Toward automatic protection of third-party web service integrations . In NDSS , 2013 . L. Xing, Y. Chen, X. Wang, and S. Chen. Integuard: Toward automatic protection of third-party web service integrations. In NDSS, 2013."},{"key":"e_1_3_2_1_42_1","volume-title":"USENIX Security","author":"Zhou Y.","year":"2014","unstructured":"Y. Zhou and D. Evans . SSOScan: Automated testing of web applications for Single Sign-On vulnerabilities . USENIX Security , 2014 . Y. Zhou and D. Evans. SSOScan: Automated testing of web applications for Single Sign-On vulnerabilities. USENIX Security, 2014."}],"event":{"name":"ASIA CCS '16: ACM Asia Conference on Computer and Communications Security","location":"Xi'an China","acronym":"ASIA CCS '16","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2897845.2897874","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2897845.2897874","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T05:07:01Z","timestamp":1750223221000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2897845.2897874"}},"subtitle":["An Empirical Study on OAuth 2.0 Implementations"],"short-title":[],"issued":{"date-parts":[[2016,5,30]]},"references-count":42,"alternative-id":["10.1145\/2897845.2897874","10.1145\/2897845"],"URL":"https:\/\/doi.org\/10.1145\/2897845.2897874","relation":{},"subject":[],"published":{"date-parts":[[2016,5,30]]},"assertion":[{"value":"2016-05-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}