{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,13]],"date-time":"2026-02-13T23:17:14Z","timestamp":1771024634598,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":69,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,10,10]],"date-time":"2022-10-10T00:00:00Z","timestamp":1665360000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U1836210, U1836213, 62172105, 61972099, 62172104, 62102091, 62102093"],"award-info":[{"award-number":["U1836210, U1836213, 62172105, 61972099, 62172104, 62102091, 62102093"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100007219","name":"Natural Science Foundation of Shanghai","doi-asserted-by":"publisher","award":["19ZR1404800"],"award-info":[{"award-number":["19ZR1404800"]}],"id":[{"id":"10.13039\/100007219","id-type":"DOI","asserted-by":"publisher"}]},{"name":"National Key R&D Program of China","award":["2021YFB3101200"],"award-info":[{"award-number":["2021YFB3101200"]}]},{"DOI":"10.13039\/501100013105","name":"Shanghai Rising-Star Program","doi-asserted-by":"publisher","award":["21QA1400700"],"award-info":[{"award-number":["21QA1400700"]}],"id":[{"id":"10.13039\/501100013105","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Shanghai Pilot Program for Basic Research-Fudan University","award":["21TQ1400100 (21TQ012)"],"award-info":[{"award-number":["21TQ1400100 (21TQ012)"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,10,10]]},"DOI":"10.1145\/3551349.3556933","type":"proceedings-article","created":{"date-parts":[[2023,1,5]],"date-time":"2023-01-05T20:43:54Z","timestamp":1672951434000},"page":"1-13","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":7,"title":["Precise (Un)Affected Version Analysis for Web Vulnerabilities"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0726-9996","authenticated-orcid":false,"given":"Youkun","family":"Shi","sequence":"first","affiliation":[{"name":"Fudan University, China"}]},{"given":"Yuan","family":"Zhang","sequence":"additional","affiliation":[{"name":"Fudan University, China"}]},{"given":"Tianhan","family":"Luo","sequence":"additional","affiliation":[{"name":"Fudan University, China"}]},{"given":"Xiangyu","family":"Mao","sequence":"additional","affiliation":[{"name":"Fudan University, China"}]},{"given":"Min","family":"Yang","sequence":"additional","affiliation":[{"name":"Fudan University, China"}]}],"member":"320","published-online":{"date-parts":[[2023,1,5]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2020. PoC Exploits Do More Good Than Harm: Threatpost Poll. https:\/\/threatpost.com\/poc-exploits-do-more-good-than-harm-threatpost-poll\/152053\/."},{"key":"e_1_3_2_1_2_1","unstructured":"2021. How Many Websites Are There in 2021?https:\/\/websitesetup.org\/news\/how-many-websites-are-there\/."},{"key":"e_1_3_2_1_3_1","unstructured":"2021. Is It OK to Publish PoC Exploits for Vulnerabilities and Patches?https:\/\/www.helpnetsecurity.com\/2021\/05\/05\/publishing-poc-exploits\/."},{"key":"e_1_3_2_1_4_1","volume-title":"The Invicti AppSec Indicator","year":"2021","unstructured":"2021. The Invicti AppSec Indicator Spring 2021 Edition: Acunetix Web Vulnerability Report. https:\/\/www.acunetix.com\/white-papers\/acunetix-web-application-vulnerability-report-2021\/#another-victim-of-covid-19-web-application-security."},{"key":"e_1_3_2_1_5_1","unstructured":"2022. Acunetix: PHP Security. https:\/\/www.acunetix.com\/websitesecurity\/php-security-1\/."},{"key":"e_1_3_2_1_6_1","unstructured":"2022. Common Vulnerabilities and Exposures. https:\/\/cve.mitre.org\/."},{"key":"e_1_3_2_1_7_1","unstructured":"2022. CVE-2018-15139 in NVD. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-15139."},{"key":"e_1_3_2_1_8_1","unstructured":"2022. How to Secure PHP Web Applications and Prevent Attacks?https:\/\/docs.php.earth\/security\/intro\/."},{"key":"e_1_3_2_1_9_1","unstructured":"2022. National Vulnerability Database. https:\/\/nvd.nist.gov\/."},{"key":"e_1_3_2_1_10_1","unstructured":"2022. Openwall. http:\/\/www.openwall.com\/."},{"key":"e_1_3_2_1_11_1","unstructured":"2022. OWASP Community. https:\/\/owasp.org\/www-community\/."},{"key":"e_1_3_2_1_12_1","unstructured":"2022. PHP Manual. https:\/\/www.php.net\/manual\/zh\/index.php."},{"key":"e_1_3_2_1_13_1","unstructured":"2022. PHP-Parser Source Code. https:\/\/github.com\/nikic\/PHP-Parser."},{"key":"e_1_3_2_1_14_1","unstructured":"2022. ReDebug Source Code. https:\/\/github.com\/dbrumley\/redebug."},{"key":"e_1_3_2_1_15_1","unstructured":"2022. Release of AFV. https:\/\/github.com\/seclab-fudan\/AFV."},{"key":"e_1_3_2_1_16_1","unstructured":"2022. Securityfocus. https:\/\/www.securityfocus.com\/vulnerabilities."},{"key":"e_1_3_2_1_17_1","unstructured":"2022. Universal Ctags Source Code. https:\/\/github.com\/universal-ctags\/ctags."},{"key":"e_1_3_2_1_18_1","unstructured":"2022. V-SZZ Source Code. https:\/\/figshare.com\/ndownloader\/files\/31748777."},{"key":"e_1_3_2_1_19_1","unstructured":"2022. V0Finder Source Code. https:\/\/github.com\/WOOSEUNGHOON\/V0Finder-public."},{"key":"e_1_3_2_1_20_1","unstructured":"2022. Wala: The T. J. Watson Libraries for Analysis. http:\/\/wala.sourceforge.net."},{"key":"e_1_3_2_1_21_1","unstructured":"2022. Website Hacking Statistics You Should Know."},{"key":"e_1_3_2_1_22_1","unstructured":"2022. Xdebug. http:\/\/xdebug.org\/."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/ITNG.2012.167"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978380"},{"key":"e_1_3_2_1_25_1","volume-title":"Proceedings of the 27th USENIX Security Symposium (USENIX Security). 377\u2013392","author":"Alhuzali Abeer","year":"2018","unstructured":"Abeer Alhuzali, Rigel Gjomemo, Birhanu Eshete, and VN Venkatakrishnan. 2018. NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications. In Proceedings of the 27th USENIX Security Symposium (USENIX Security). 377\u2013392."},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.14"},{"key":"e_1_3_2_1_27_1","volume-title":"A Framework for Evaluating the Results of the SZZ Approach for Identifying Bug-Introducing Changes","author":"Costa Daniel","year":"2016","unstructured":"Daniel Costa, Shane McIntosh, Weiyi Shang, Uir\u00e1 Kulesza, Roberta Coelho, and Ahmed\u00a0E. Hassan. 2016. A Framework for Evaluating the Results of the SZZ Approach for Identifying Bug-Introducing Changes. IEEE Transactions on Software Engineering (TSE) (10 2016), 1\u20131."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23262"},{"key":"e_1_3_2_1_29_1","volume-title":"Proceedings of the 23rd USENIX Security Symposium (USENIX Security). 989\u20131003","author":"Dahse Johannes","year":"2014","unstructured":"Johannes Dahse and Thorsten Holz. 2014. Static Detection of Second-Order Vulnerabilities in Web Applications. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security). 989\u20131003."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484594"},{"key":"e_1_3_2_1_31_1","volume-title":"Proceeding of the 28th USENIX Security Symposium (USENIX Security). 869\u2013885","author":"Dong Ying","year":"2019","unstructured":"Ying Dong, Wenbo Guo, Yueqi Chen, Xinyu Xing, Yuqing Zhang, and Gang Wang. 2019. Towards the Detection of Inconsistencies in Public Security Vulnerability Reports. In Proceeding of the 28th USENIX Security Symposium (USENIX Security). 869\u2013885."},{"key":"e_1_3_2_1_32_1","volume-title":"Proceeding of the 21st USENIX Security Symposium (USENIX Security). 523\u2013538","author":"Doup\u00e9 Adam","year":"2012","unstructured":"Adam Doup\u00e9, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. 2012. Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner. In Proceeding of the 21st USENIX Security Symposium (USENIX Security). 523\u2013538."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2642937.2642982"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.13"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2006.29"},{"key":"e_1_3_2_1_36_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security). 2525\u20132542","author":"Khodayari Soheil","year":"2021","unstructured":"Soheil Khodayari and Giancarlo Pellegrino. 2021. JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals. In Proceedings of the 30th USENIX Security Symposium (USENIX Security). 2525\u20132542."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.62"},{"key":"e_1_3_2_1_38_1","volume-title":"Proceedings of the 21th ACM\/IEEE International Conference on Automated Software Engineering (ASE).","author":"Kim Sunghun","unstructured":"Sunghun Kim, Thomas Zimmermann, Kai Pan, and E. Jr. 2006. Automatic Identification of Bug-Introducing Changes. In Proceedings of the 21th ACM\/IEEE International Conference on Automated Software Engineering (ASE)."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2991079.2991102"},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23158"},{"key":"e_1_3_2_1_41_1","volume-title":"Proceedings of the 44th ACM\/IEEE International Conference on Software Engineering (ICSE).","author":"Hassan Lingfeng\u00a0Bao Ahmed","year":"2022","unstructured":"Ahmed E.\u00a0Hassan Lingfeng\u00a0Bao, Xin\u00a0Xia and Xiaohu Yang. 2022. V-SZZ: Automatic Identification of Version Ranges Affected by CVE Vulnerabilities. In Proceedings of the 44th ACM\/IEEE International Conference on Software Engineering (ICSE)."},{"key":"e_1_3_2_1_42_1","volume-title":"International Journal of Computer Science and Information Technologies (IJCSIT)","year":"2016","unstructured":"M.tech.Scholar. 2016. To Enhance Type 4 Clone Detection in Clone Testing. International Journal of Computer Science and Information Technologies (IJCSIT) (2016)."},{"key":"e_1_3_2_1_43_1","volume-title":"Proceeding of the 27th USENIX Security Symposium (USENIX Security). 919\u2013936","author":"Mu Dongliang","year":"2018","unstructured":"Dongliang Mu, Alejandro Cuevas, Limin Yang, Hang Hu, Xinyu Xing, Bing Mao, and Gang Wang. 2018. Understanding the Reproducibility of Crowd-Reported Security vulnerabilities. In Proceeding of the 27th USENIX Security Symposium (USENIX Security). 919\u2013936."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICWR.2018.8387232"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-015-9408-2"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3338933"},{"key":"e_1_3_2_1_47_1","volume-title":"Proceeding of the 31st USENIX Security Symposium (USENIX Security).","author":"Park Sunnyeo","year":"2022","unstructured":"Sunnyeo Park, Daejun Kim, Suman Jana, and Sooel Son. 2022. FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities. In Proceeding of the 31st USENIX Security Symposium (USENIX Security)."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133959"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26362-5_14"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/2522920.2522925"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11227-016-1832-6"},{"key":"e_1_3_2_1_52_1","volume-title":"Proceedings of the 26th European Symposium on Research in Computer Security (ESORICS). 152\u2013172","author":"Rooij Orpheas\u00a0van","year":"2021","unstructured":"Orpheas\u00a0van Rooij, Marcos\u00a0Antonios Charalambous, Demetris Kaizer, Michalis Papaevripides, and Elias Athanasopoulos. 2021. WebFuzz: Grey-Box Fuzzing for Web Applications. In Proceedings of the 26th European Symposium on Research in Computer Security (ESORICS). 152\u2013172."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884877"},{"key":"e_1_3_2_1_54_1","unstructured":"Luis Alberto\u00a0Benthin Sanguino and Rafael Uetz. 2017. Software Vulnerability Analysis using CPE and CVE. arXiv preprint arXiv:1705.05347(2017)."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460319.3464821"},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1145\/3412376"},{"key":"e_1_3_2_1_57_1","volume-title":"When Do Changes Induce Fixes?ACM SIGSOFT Software Engineering Notes (SEN) 30, 4","author":"\u015aliwerski Jacek","year":"2005","unstructured":"Jacek \u015aliwerski, Thomas Zimmermann, and Andreas Zeller. 2005. When Do Changes Induce Fixes?ACM SIGSOFT Software Engineering Notes (SEN) 30, 4 (2005), 1\u20135."},{"key":"e_1_3_2_1_58_1","volume-title":"Proceeding of the 20th USENIX Security Symposium (USENIX Security), Vol.\u00a064","author":"Sun Fangqi","year":"2011","unstructured":"Fangqi Sun, Liang Xu, and Zhendong Su. 2011. Static Detection of Access Control Vulnerabilities in Web Applications.. In Proceeding of the 20th USENIX Security Symposium (USENIX Security), Vol.\u00a064."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660372"},{"key":"e_1_3_2_1_60_1","volume-title":"Proceedings of the 9th Conference of the Centre for Advanced Studies on Collaborative Research (CASCON). 214\u2013224","author":"Vall\u00e9e-Rai Raja","year":"1999","unstructured":"Raja Vall\u00e9e-Rai, Phong Co, Etienne Gagnon, Laurie Hendren, Patrick Lam, and Vijay Sundaresan. 1999. Soot: A Java Bytecode Optimization Framework. In Proceedings of the 9th Conference of the Centre for Advanced Studies on Collaborative Research (CASCON). 214\u2013224."},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180179"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN48987.2021.00030"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485447.3512235"},{"key":"e_1_3_2_1_64_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX Security). 3041\u20133058","author":"Woo Seunghoon","year":"2021","unstructured":"Seunghoon Woo, Dongwook Lee, Sunghan Park, Heejo Lee, and Sven Dietrich. 2021. V0Finder: Discovering the Correct Origin of Publicly Reported Software Vulnerabilities. In Proceedings of the 30th USENIX Security Symposium (USENIX Security). 3041\u20133058."},{"key":"e_1_3_2_1_65_1","volume-title":"Proceedings of the 29th USENIX Security Symposium (USENIX Security). 1165\u20131182","author":"Xiao Yang","year":"2020","unstructured":"Yang Xiao, Bihuan Chen, Chendong Yu, Zhengzi Xu, Zimu Yuan, Feng Li, Binghong Liu, Yang Liu, Wei Huo, and Wei Zou. 2020. MVP: Detecting Vulnerabilities using Patch-Enhanced Vulnerability Signatures. In Proceedings of the 29th USENIX Security Symposium (USENIX Security). 1165\u20131182."},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10703-013-0189-1"},{"key":"e_1_3_2_1_67_1","volume-title":"Proceeding of 20th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA).","author":"Zhang Su","year":"2020","unstructured":"Su Zhang, Xinming Ou, and Doina Caragea. 2020. Automated CPE Labeling of CVE Summaries with Machine Learning. In Proceeding of 20th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)."},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2013.6606611"},{"key":"e_1_3_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/2491411.2491456"}],"event":{"name":"ASE '22: 37th IEEE\/ACM International Conference on Automated Software Engineering","location":"Rochester MI USA","acronym":"ASE '22"},"container-title":["Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3551349.3556933","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3551349.3556933","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T08:30:47Z","timestamp":1755851447000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3551349.3556933"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,10,10]]},"references-count":69,"alternative-id":["10.1145\/3551349.3556933","10.1145\/3551349"],"URL":"https:\/\/doi.org\/10.1145\/3551349.3556933","relation":{},"subject":[],"published":{"date-parts":[[2022,10,10]]},"assertion":[{"value":"2023-01-05","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}