{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,6]],"date-time":"2026-02-06T03:10:51Z","timestamp":1770347451928,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":45,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,4,25]],"date-time":"2022-04-25T00:00:00Z","timestamp":1650844800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,4,25]]},"DOI":"10.1145\/3485447.3512213","type":"proceedings-article","created":{"date-parts":[[2022,4,25]],"date-time":"2022-04-25T05:11:23Z","timestamp":1650863483000},"page":"524-532","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":19,"title":["Game of Hide-and-Seek: Exposing Hidden Interfaces in Embedded Web Applications of IoT Devices"],"prefix":"10.1145","author":[{"given":"Wei","family":"Xie","sequence":"first","affiliation":[{"name":"National University of Defense Technology, China"}]},{"given":"Jiongyi","family":"Chen","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, China"}]},{"given":"Zhenhua","family":"Wang","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, China"}]},{"given":"Chao","family":"Feng","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, China"}]},{"given":"Enze","family":"Wang","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, China"}]},{"given":"Yifei","family":"Gao","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, China"}]},{"given":"Baosheng","family":"Wang","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, China"}]},{"given":"Kai","family":"Lu","sequence":"additional","affiliation":[{"name":"National University of Defense Technology, China"}]}],"member":"320","published-online":{"date-parts":[[2022,4,25]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n. d.]. Smart Yet Flawed: IoT Device Vulnerabilities Explained. [Online]. Avaliable: https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/internet-of-things\/smart-yet-flawed-iot-device-vulnerabilities-explained."},{"key":"e_1_3_2_1_2_1","volume-title":"28th {USENIX} Security Symposium ({USENIX} Security 19). 551\u2013566.","author":"Alrawi Omar","unstructured":"Omar Alrawi, Chaoshun Zuo, Ruian Duan, Ranjita\u00a0Pai Kasturi, Zhiqiang Lin, and Brendan Saltaformaggio. 2019. The betrayal at cloud city: An empirical analysis of cloud-based mobile backends. In 28th {USENIX} Security Symposium ({USENIX} Security 19). 551\u2013566."},{"key":"e_1_3_2_1_3_1","unstructured":"Anastasios Arampatzis. [n. d.]. Top 10 Vulnerabilities that Make IoT Devices Insecure. [Online]. Avaliable: https:\/\/www.venafi.com\/blog\/top-10-vulnerabilities-make-iot-devices-insecure."},{"key":"e_1_3_2_1_4_1","unstructured":"boa. 2005. Boa Webserver. [Online]. Avaliable: http:\/\/www.boa.org."},{"key":"e_1_3_2_1_5_1","volume-title":"Towards Automated Dynamic Analysis for Linux-based Embedded Firmware. In Network and Distributed System Security Symposium.","author":"Chen D.","year":"2016","unstructured":"Daming\u00a0D. Chen, Manuel Egele, Maverick Woo, and David Brumley. 2016. Towards Automated Dynamic Analysis for Linux-based Embedded Firmware. In Network and Distributed System Security Symposium."},{"key":"e_1_3_2_1_6_1","volume-title":"IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing. In Network and Distributed System Security Symposium.","author":"Chen Jiongyi","year":"2018","unstructured":"Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, Xiao\u00a0Feng Wang, Wing\u00a0Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. 2018. IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing. In Network and Distributed System Security Symposium."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2019.00034"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2018.00052"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897900"},{"key":"e_1_3_2_1_10_1","unstructured":"CVE-2017-5521. 2017. A vulnerability of password disclosure affecting a series of Netgear devices.[Online]. Avaliable: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-5521."},{"key":"e_1_3_2_1_11_1","unstructured":"CVE-2018-11510. 2018. An unauthenticated RCE (Remote Code Execution) vulnerability affecting a NAS device.[Online]. Avaliable: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-11510."},{"key":"e_1_3_2_1_12_1","unstructured":"CVE-2019-14984. 2019. Some smart home central control units allow unauthenticated attackers to run system commands by accessing an undocumented web interface.[Online]. Avaliable: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-14984."},{"key":"e_1_3_2_1_13_1","unstructured":"CVE-2019-17512. 2019. A vulnerability affecting a router of D-Link. [Online]. Avaliable: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2019-17512."},{"key":"e_1_3_2_1_14_1","volume-title":"Usenix Conference on Security. 463\u2013478","author":"Davidson Drew","year":"2013","unstructured":"Drew Davidson, Benjamin Moench, Somesh Jha, and Thomas Ristenpart. 2013. FIE on firmware: finding vulnerabilities in embedded systems using symbolic execution. In Usenix Conference on Security. 463\u2013478."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417869"},{"key":"e_1_3_2_1_16_1","unstructured":"NVRAM Faker. 2021. A Common Library of NVRAM Parameters for Firmware Emulation. [Online]. Avaliable: https:\/\/github.com\/zcutlip\/nvram-faker."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978370"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134050"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3290480.3290491"},{"key":"e_1_3_2_1_20_1","volume-title":"FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis. In Annual Computer Security Applications Conference. 733\u2013745","author":"Kim Mingeun","year":"2020","unstructured":"Mingeun Kim, Dongkwan Kim, Eunsoo Kim, Suryeon Kim, Yeongjin Jang, and Yongdae Kim. 2020. FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis. In Annual Computer Security Applications Conference. 733\u2013745."},{"key":"e_1_3_2_1_21_1","unstructured":"lighttpd. 2021. Home - Lighttpd - fly light. [Online]. Avaliable: https:\/\/www.lighttpd.net."},{"key":"e_1_3_2_1_22_1","volume-title":"d.]. Top 10 IoT applications","author":"Lueth Knud\u00a0Lasse","year":"2020","unstructured":"Knud\u00a0Lasse Lueth. [n. d.]. Top 10 IoT applications in 2020. [Online]. Avaliable: https:\/\/iot-analytics.com\/top-10-iot-applications-in-2020."},{"key":"e_1_3_2_1_23_1","unstructured":"minihttpd. 2018. mini-httpd - small HTTP server. [Online]. Avaliable: https:\/\/acme.com\/software\/mini_httpd."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"crossref","unstructured":"Marius Muench Jan Stijohann Frank Kargl Aur\u00e9lien Francillon and Davide Balzarotti. 2018. What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices.. In NDSS.","DOI":"10.14722\/ndss.2018.23166"},{"key":"e_1_3_2_1_25_1","volume-title":"The OWASP Top 10","author":"OWASP.","year":"2021","unstructured":"OWASP. 2021. The OWASP Top 10 2021. [Online]. Avaliable: https:\/\/owasp.org\/Top10\/."},{"key":"e_1_3_2_1_26_1","unstructured":"Danny Palmer. [n. d.]. These new vulnerabilities put millions of IoT devices at risk so patch now. [Online]. Avaliable: https:\/\/www.zdnet.com\/article\/these-new-vulnerabilities-millions-of-iot-devives-at-risk-so-patch-now\/."},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"crossref","unstructured":"Giancarlo Pellegrino and Davide Balzarotti. 2014. Toward Black-Box Detection of Logic Flaws in Web Applications.. In NDSS.","DOI":"10.14722\/ndss.2014.23021"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.49"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3432893"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00066"},{"key":"e_1_3_2_1_31_1","volume-title":"26th {USENIX} Security Symposium ({USENIX} Security 17). 781\u2013798.","author":"Redini Nilo","unstructured":"Nilo Redini, Aravind Machiry, Dipanjan Das, Yanick Fratantonio, Antonio Bianchi, Eric Gustafson, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2017. Bootstomp: on the security of bootloaders in mobile devices. In 26th {USENIX} Security Symposium ({USENIX} Security 17). 781\u2013798."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338507.3358616"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.45"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.3390\/app10114015"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3433210.3453685"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134018"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.3390\/app11199094"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.3390\/app11073120"},{"key":"e_1_3_2_1_39_1","volume-title":"CryptoREX: Large-scale Analysis of Cryptographic Misuse in IoT Devices. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID}","author":"Zhang Li","year":"2019","unstructured":"Li Zhang, Jiongyi Chen, Wenrui Diao, Shanqing Guo, Jian Weng, and Kehuan Zhang. 2019. CryptoREX: Large-scale Analysis of Cryptographic Misuse in IoT Devices. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses ({RAID} 2019). 151\u2013164."},{"key":"e_1_3_2_1_40_1","volume-title":"28th {USENIX} Security Symposium ({USENIX} Security 19). 1099\u20131114.","author":"Zheng Yaowen","unstructured":"Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun. 2019. FIRM-AFL: high-throughput greybox fuzzing of iot firmware via augmented process emulation. In 28th {USENIX} Security Symposium ({USENIX} Security 19). 1099\u20131114."},{"key":"e_1_3_2_1_41_1","volume-title":"28th {USENIX} Security Symposium ({USENIX} Security 19). 1133\u20131150.","author":"Zhou Wei","unstructured":"Wei Zhou, Yan Jia, Yao Yao, Lipeng Zhu, Le Guan, Yuhang Mao, Peng Liu, and Yuqing Zhang. 2019. Discovering and understanding the security hazards in the interactions between iot devices, mobile apps, and clouds on smart home platforms. In 28th {USENIX} Security Symposium ({USENIX} Security 19). 1133\u20131150."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3038912.3052609"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00009"},{"key":"e_1_3_2_1_44_1","unstructured":"Chaoshun Zuo Wubing Wang Zhiqiang Lin and Rui Wang. 2016. Automatic Forgery of Cryptographically Consistent Messages to Identify Security Vulnerabilities in Mobile Services.. In NDSS."},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134089"}],"event":{"name":"WWW '22: The ACM Web Conference 2022","location":"Virtual Event, Lyon France","acronym":"WWW '22","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"]},"container-title":["Proceedings of the ACM Web Conference 2022"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3485447.3512213","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3485447.3512213","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T19:30:13Z","timestamp":1750188613000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3485447.3512213"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,25]]},"references-count":45,"alternative-id":["10.1145\/3485447.3512213","10.1145\/3485447"],"URL":"https:\/\/doi.org\/10.1145\/3485447.3512213","relation":{},"subject":[],"published":{"date-parts":[[2022,4,25]]},"assertion":[{"value":"2022-04-25","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}