{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T15:59:22Z","timestamp":1774454362342,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":52,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T00:00:00Z","timestamp":1667779200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Research Grants Council of the Hong Kong SAR, China.","award":["CUHK 14210219"],"award-info":[{"award-number":["CUHK 14210219"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,7]]},"DOI":"10.1145\/3548606.3559391","type":"proceedings-article","created":{"date-parts":[[2022,11,7]],"date-time":"2022-11-07T11:41:28Z","timestamp":1667821288000},"page":"2175-2188","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":33,"title":["TChecker"],"prefix":"10.1145","author":[{"given":"Changhua","family":"Luo","sequence":"first","affiliation":[{"name":"The Chinese University of Hong Kong, Hong Kong, China"}]},{"given":"Penghui","family":"Li","sequence":"additional","affiliation":[{"name":"The Chinese University of Hong Kong, Hong Kong, China"}]},{"given":"Wei","family":"Meng","sequence":"additional","affiliation":[{"name":"The Chinese University of Hong Kong, Hong Kong, China"}]}],"member":"320","published-online":{"date-parts":[[2022,11,7]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"2017. RIPS scanner. https:\/\/sourceforge.net\/projects\/rips-scanner\/\/.  2017. RIPS scanner. https:\/\/sourceforge.net\/projects\/rips-scanner\/\/."},{"key":"e_1_3_2_2_2_1","unstructured":"2020. SQL injection vulnerability in Joomla. https:\/\/cve.mitre.org\/cgi-bin\/ cvename.cgi?name=CVE-2020-35613.  2020. SQL injection vulnerability in Joomla. https:\/\/cve.mitre.org\/cgi-bin\/ cvename.cgi?name=CVE-2020-35613."},{"key":"e_1_3_2_2_3_1","unstructured":"2020. XSS in Drupal Core. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE- 2020-13688.  2020. XSS in Drupal Core. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE- 2020-13688."},{"key":"e_1_3_2_2_4_1","unstructured":"2020. XSS in OpenCart. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE- 2020-15478.  2020. XSS in OpenCart. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE- 2020-15478."},{"key":"e_1_3_2_2_5_1","unstructured":"2021. Basic Coding Standard. https:\/\/www.php-fig.org\/psr\/psr-1\/.  2021. Basic Coding Standard. https:\/\/www.php-fig.org\/psr\/psr-1\/."},{"key":"e_1_3_2_2_6_1","unstructured":"2021. Incomplete Navex source code. https:\/\/github.com\/aalhuz\/navex\/issues\/6.  2021. Incomplete Navex source code. https:\/\/github.com\/aalhuz\/navex\/issues\/6."},{"key":"e_1_3_2_2_7_1","unstructured":"2021. osCommerce Online Merchant. https:\/\/www.oscommerce.com.  2021. osCommerce Online Merchant. https:\/\/www.oscommerce.com."},{"key":"e_1_3_2_2_8_1","unstructured":"2021. php-ast. https:\/\/github.com\/nikic\/php-ast.  2021. php-ast. https:\/\/github.com\/nikic\/php-ast."},{"key":"e_1_3_2_2_9_1","unstructured":"2021. Stock-Management-System: An Introductory Stock Management System built on PHP jQuery with AJAX in MVC pattern. https:\/\/github.com\/haxxorsid\/stock-management-system.  2021. Stock-Management-System: An Introductory Stock Management System built on PHP jQuery with AJAX in MVC pattern. https:\/\/github.com\/haxxorsid\/stock-management-system."},{"key":"e_1_3_2_2_10_1","unstructured":"2021. XSS in WordPress. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021--39202.  2021. XSS in WordPress. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021--39202."},{"key":"e_1_3_2_2_11_1","unstructured":"2022. CWP CentOS Web Panel -- preauth RCE. https:\/\/octagon.net\/blog\/2022\/ 01\/22\/cve-2021-45467-cwp-centos-web-panel-preauth-rce\/.  2022. CWP CentOS Web Panel -- preauth RCE. https:\/\/octagon.net\/blog\/2022\/ 01\/22\/cve-2021-45467-cwp-centos-web-panel-preauth-rce\/."},{"key":"e_1_3_2_2_12_1","unstructured":"2022. Pulse. https:\/\/www.pulse.codacy.com\/?utm_source=codacy&utm_ medium=referral&utm_campaign=codacy_link&utm_content=nav_dropdown.  2022. Pulse. https:\/\/www.pulse.codacy.com\/?utm_source=codacy&utm_ medium=referral&utm_campaign=codacy_link&utm_content=nav_dropdown."},{"key":"e_1_3_2_2_13_1","unstructured":"2022. Usage statistics of content management systems. https:\/\/w3techs.com\/ technologies\/overview\/content_management.  2022. Usage statistics of content management systems. https:\/\/w3techs.com\/ technologies\/overview\/content_management."},{"key":"e_1_3_2_2_14_1","unstructured":"2023. RIPS-tech. https:\/\/blog.sonarsource.com\/.  2023. RIPS-tech. https:\/\/blog.sonarsource.com\/."},{"key":"e_1_3_2_2_15_1","volume-title":"Cross Site Scripting: Investigations in PHP Web Application. In International Conference on Promising Electronic Technologies.","author":"Abdalla Wasef","year":"2018","unstructured":"Wasef Abdalla , Zarul Marashdih , Zaaba Fitri , and Suwais Khaled . 2018 . Cross Site Scripting: Investigations in PHP Web Application. In International Conference on Promising Electronic Technologies. Wasef Abdalla, Zarul Marashdih, Zaaba Fitri, and Suwais Khaled. 2018. Cross Site Scripting: Investigations in PHP Web Application. In International Conference on Promising Electronic Technologies."},{"key":"e_1_3_2_2_16_1","volume-title":"Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS)","author":"Adam Doup\u00e9","year":"2014","unstructured":"Doup\u00e9 Adam , Cavedon Ludovico , Kruegel Christopher , Vigna Giovanni , and Barbara Santa . 2014 . Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner . In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS) . Scottsdale, Arizona. Doup\u00e9 Adam, Cavedon Ludovico, Kruegel Christopher, Vigna Giovanni, and Barbara Santa. 2014. Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner. In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS). Scottsdale, Arizona."},{"key":"e_1_3_2_2_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978380"},{"key":"e_1_3_2_2_18_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (Security)","author":"Alhuzali Abeer","year":"2018","unstructured":"Abeer Alhuzali , Rigel Gjomemo , Birhanu Eshete , and VN Venkatakrishnan . 2018 . NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications . In Proceedings of the 27th USENIX Security Symposium (Security) . Baltimore, MD. Abeer Alhuzali, Rigel Gjomemo, Birhanu Eshete, and VN Venkatakrishnan. 2018. NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications. In Proceedings of the 27th USENIX Security Symposium (Security). Baltimore, MD."},{"key":"e_1_3_2_2_19_1","volume-title":"Finding SQL Injection and Cross Site Scripting Vulnerabilities with Diverse Static Analysis Tools. In European Dependable Computing Conference.","author":"Areej Algaith","year":"2018","unstructured":"Algaith Areej , Nunes Paulo , Jose Fonseca , Gashi Ilir , and Vieira Marco . 2018 . Finding SQL Injection and Cross Site Scripting Vulnerabilities with Diverse Static Analysis Tools. In European Dependable Computing Conference. Algaith Areej, Nunes Paulo, Jose Fonseca, Gashi Ilir, and Vieira Marco. 2018. Finding SQL Injection and Cross Site Scripting Vulnerabilities with Diverse Static Analysis Tools. In European Dependable Computing Conference."},{"key":"e_1_3_2_2_20_1","volume-title":"Proceedings of the 28th USENIX Security Symposium (Security)","author":"Babak Amin Azad","year":"2019","unstructured":"Amin Azad Babak , Laperdrix Pierre , and Nikiforakis Nick . 2019 . Less is More: Quantifying the Security Benefits of DebloatingWeb Applications . In Proceedings of the 28th USENIX Security Symposium (Security) . Santa Clara, CA. Amin Azad Babak, Laperdrix Pierre, and Nikiforakis Nick. 2019. Less is More: Quantifying the Security Benefits of DebloatingWeb Applications. In Proceedings of the 28th USENIX Security Symposium (Security). Santa Clara, CA."},{"key":"e_1_3_2_2_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.14"},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.27"},{"key":"e_1_3_2_2_23_1","volume-title":"Proceedings of the 29th USENIX Security Symposium (Security)","author":"Bulekov Alexander","year":"2020","unstructured":"Alexander Bulekov and Manuel Egele . 2020 . Saphire: Sandboxing PHP Applications with Tailored System Call Allowlists . In Proceedings of the 29th USENIX Security Symposium (Security) . Boston, MA. Alexander Bulekov and Manuel Egele. 2020. Saphire: Sandboxing PHP Applications with Tailored System Call Allowlists. In Proceedings of the 29th USENIX Security Symposium (Security). Boston, MA."},{"key":"e_1_3_2_2_24_1","volume-title":"Proceedings of the 29th USENIX Security Symposium (Security)","author":"Chen Sanchuan","year":"2020","unstructured":"Sanchuan Chen , Zhiqiang Lin , and Yinqian Zhang . 2020 . SELECTIVETAINT: Efficient data flow tracking with static binary rewriting .. In Proceedings of the 29th USENIX Security Symposium (Security) . Boston, MA. Sanchuan Chen, Zhiqiang Lin, and Yinqian Zhang. 2020. SELECTIVETAINT: Efficient data flow tracking with static binary rewriting.. In Proceedings of the 29th USENIX Security Symposium (Security). Boston, MA."},{"key":"e_1_3_2_2_25_1","unstructured":"Penny Crosman. 2015. Banks Lose Up to $100K\/Hour to Shorter More Intense DDoS Attacks. https:\/\/www.americanbanker.com\/news\/banks-lose-up-to-100khour- to-shorter-more-intense-ddos-attacks.  Penny Crosman. 2015. Banks Lose Up to $100K\/Hour to Shorter More Intense DDoS Attacks. https:\/\/www.americanbanker.com\/news\/banks-lose-up-to-100khour- to-shorter-more-intense-ddos-attacks."},{"key":"e_1_3_2_2_26_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23262"},{"key":"e_1_3_2_2_27_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium (Security)","author":"Dahse Johannes","year":"2014","unstructured":"Johannes Dahse and Thorsten Holz . 2014 . Static detection of second-order vulnerabilities in web applications . In Proceedings of the 23rd USENIX Security Symposium (Security) . San Diego, CA. Johannes Dahse and Thorsten Holz. 2014. Static detection of second-order vulnerabilities in web applications. In Proceedings of the 23rd USENIX Security Symposium (Security). San Diego, CA."},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660363"},{"key":"e_1_3_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00022"},{"key":"e_1_3_2_2_30_1","volume-title":"Working Conference on Reverse Engineering.","author":"Fabien Duchene","year":"2013","unstructured":"Duchene Fabien , Rawat Sanjay , Richier Jean-Luc , and Groz Roland . 2013 . Ligre: Reverse-engineering of control and data flow models for black-box xss detection . In Working Conference on Reverse Engineering. Duchene Fabien, Rawat Sanjay, Richier Jean-Luc, and Groz Roland. 2013. Ligre: Reverse-engineering of control and data flow models for black-box xss detection. In Working Conference on Reverse Engineering."},{"key":"e_1_3_2_2_31_1","volume-title":"Proceedings of the ACM conference on Data and application security and privacy.","author":"Fabien Duchene","year":"2014","unstructured":"Duchene Fabien , Rawat Sanjay , Richier Jean-Luc , and Groz Roland . 2014 . Kameleonfuzz: evolutionary fuzzing for black-box xss detection . In Proceedings of the ACM conference on Data and application security and privacy. Duchene Fabien, Rawat Sanjay, Richier Jean-Luc, and Groz Roland. 2014. Kameleonfuzz: evolutionary fuzzing for black-box xss detection. In Proceedings of the ACM conference on Data and application security and privacy."},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/263698.264352"},{"key":"e_1_3_2_2_33_1","volume-title":"Proceedings of the 22nd International Symposium on Software Testing and Analysis (ISSTA)","author":"Mark","year":"2013","unstructured":"Mark Hills1, Paul Klint , and Jurgen Vinju . 2013 . An empirical study of PHP feature usage: a static analysis perspective . In Proceedings of the 22nd International Symposium on Software Testing and Analysis (ISSTA) . Lugano, Switzerland. Mark Hills1, Paul Klint, and Jurgen Vinju. 2013. An empirical study of PHP feature usage: a static analysis perspective. In Proceedings of the 22nd International Symposium on Software Testing and Analysis (ISSTA). Lugano, Switzerland."},{"key":"e_1_3_2_2_34_1","volume-title":"Proceedings of the 42nd International Conference on Software Engineering (ICSE)","author":"Katherine Hough","year":"2020","unstructured":"Hough Katherine , Welearegai Gebrehiwet , Hammer Christian , and Bell Jonathan . 2020 . Revealing Injection Vulnerabilities by Leveraging Existing Tests . In Proceedings of the 42nd International Conference on Software Engineering (ICSE) . Seoul, Korea. Hough Katherine, Welearegai Gebrehiwet, Hammer Christian, and Bell Jonathan. 2020. Revealing Injection Vulnerabilities by Leveraging Existing Tests. In Proceedings of the 42nd International Conference on Software Engineering (ICSE). Seoul, Korea."},{"key":"e_1_3_2_2_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1882291.1882355"},{"key":"e_1_3_2_2_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3442381.3449826"},{"key":"e_1_3_2_2_37_1","volume-title":"Proceedings of the Web Conference (WWW)","author":"Li Penghui","year":"2020","unstructured":"Penghui Li , Wei Meng , Kangjie Lu , and Changhua Luo . 2020 . On the feasibility of automated built-in function modeling for PHP symbolic execution . In Proceedings of the Web Conference (WWW) . Taipei, Taiwan. Penghui Li,Wei Meng, Kangjie Lu, and Changhua Luo. 2020. On the feasibility of automated built-in function modeling for PHP symbolic execution. In Proceedings of the Web Conference (WWW). Taipei, Taiwan."},{"key":"e_1_3_2_2_38_1","volume-title":"Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS)","author":"Lu Kangjie","year":"2019","unstructured":"Kangjie Lu and Hong Hu . 2019 . Where does it go? refining indirect-call targets with multi-layer type analysis . In Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS) . London, UK. Kangjie Lu and Hong Hu. 2019. Where does it go? refining indirect-call targets with multi-layer type analysis. In Proceedings of the 26th ACM Conference on Computer and Communications Security (CCS). London, UK."},{"key":"e_1_3_2_2_39_1","volume-title":"Predicting Cross-Site Scripting (XSS) Security Vulnerabilities in Web Applications. In International Joint Conference on Computer Science and Software Engineering.","author":"Mukesh Kumar","year":"2015","unstructured":"Kumar Mukesh , Mahesh Gupta , Govil Chandra , and Singh Girdhari . 2015 . Predicting Cross-Site Scripting (XSS) Security Vulnerabilities in Web Applications. In International Joint Conference on Computer Science and Software Engineering. Kumar Mukesh, Mahesh Gupta, Govil Chandra, and Singh Girdhari. 2015. Predicting Cross-Site Scripting (XSS) Security Vulnerabilities in Web Applications. In International Joint Conference on Computer Science and Software Engineering."},{"key":"e_1_3_2_2_40_1","volume-title":"Proceedings of the 27th IEEE Symposium on Security and Privacy (Oakland)","author":"Nenad Jovanovic","year":"2006","unstructured":"Jovanovic Nenad , Kruegel Christopher , and Kirda Engin . 2006 . Pixy: a static analysis tool for detecting Web application vulnerabilities . In Proceedings of the 27th IEEE Symposium on Security and Privacy (Oakland) . Oakland, CA. Jovanovic Nenad, Kruegel Christopher, and Kirda Engin. 2006. Pixy: a static analysis tool for detecting Web application vulnerabilities. In Proceedings of the 27th IEEE Symposium on Security and Privacy (Oakland). Oakland, CA."},{"key":"e_1_3_2_2_41_1","volume-title":"Proceedings of the 37th International Conference on Software Engineering (ICSE)","author":"Nguyen Hung Viet","unstructured":"Hung Viet Nguyen , Christian Kastner , and Tien N. Nguyen . 2015. Varis: IDE Support for Embedded Client Code in PHP Web Applications . In Proceedings of the 37th International Conference on Software Engineering (ICSE) . Florence, Italy. Hung Viet Nguyen, Christian Kastner, and Tien N. Nguyen. 2015. Varis: IDE Support for Embedded Client Code in PHP Web Applications. In Proceedings of the 37th International Conference on Software Engineering (ICSE). Florence, Italy."},{"key":"e_1_3_2_2_42_1","volume-title":"Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS)","author":"Oswaldo Olivo","year":"2015","unstructured":"Olivo Oswaldo , Dillig Isil , and Lin Calvin . 2015 . Detecting and Exploiting Second Order Denial-of-Service Vulnerabilities inWeb Applications . In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS) . Denver, Colorado. Olivo Oswaldo, Dillig Isil, and Lin Calvin. 2015. Detecting and Exploiting Second Order Denial-of-Service Vulnerabilities inWeb Applications. In Proceedings of the 22nd ACM Conference on Computer and Communications Security (CCS). Denver, Colorado."},{"key":"e_1_3_2_2_43_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26362-5_14"},{"key":"e_1_3_2_2_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/2950290.2950312"},{"key":"e_1_3_2_2_45_1","unstructured":"AAG IT Services. 2019. How often do Cyber Attacks occur? https:\/\/aagit. com\/how-often-do-cyber-attacks-occur\/.  AAG IT Services. 2019. How often do Cyber Attacks occur? https:\/\/aagit. com\/how-often-do-cyber-attacks-occur\/."},{"key":"e_1_3_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/2166956.2166964"},{"key":"e_1_3_2_2_47_1","volume-title":"Proceedings of the 19th USENIX Security Symposium (Security)","author":"Viktoria Felmetsger","year":"2010","unstructured":"Felmetsger Viktoria , Cavedon Ludovico , Kruegel Christopher , and Vigna Giovanni . 2010 . Toward automated detection of logic vulnerabilities in web applications .. In Proceedings of the 19th USENIX Security Symposium (Security) . Washington, DC. Felmetsger Viktoria, Cavedon Ludovico, Kruegel Christopher, and Vigna Giovanni. 2010. Toward automated detection of logic vulnerabilities in web applications.. In Proceedings of the 19th USENIX Security Symposium (Security). Washington, DC."},{"key":"e_1_3_2_2_48_1","unstructured":"W3Techs. 2021. Usage statistics of PHP for websites. https:\/\/w3techs.com\/ technologies\/details\/pl-php.  W3Techs. 2021. Usage statistics of PHP for websites. https:\/\/w3techs.com\/ technologies\/details\/pl-php."},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/1250734.1250739"},{"key":"e_1_3_2_2_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2014.44"},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.54"},{"key":"e_1_3_2_2_52_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23164"}],"event":{"name":"CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security","location":"Los Angeles CA USA","acronym":"CCS '22","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3559391","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3548606.3559391","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:50:57Z","timestamp":1750182657000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3548606.3559391"}},"subtitle":["Precise Static Inter-Procedural Analysis for Detecting Taint-Style Vulnerabilities in PHP Applications"],"short-title":[],"issued":{"date-parts":[[2022,11,7]]},"references-count":52,"alternative-id":["10.1145\/3548606.3559391","10.1145\/3548606"],"URL":"https:\/\/doi.org\/10.1145\/3548606.3559391","relation":{},"subject":[],"published":{"date-parts":[[2022,11,7]]},"assertion":[{"value":"2022-11-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}