{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T21:52:25Z","timestamp":1769723545649,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":68,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,15]],"date-time":"2023-11-15T00:00:00Z","timestamp":1700006400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Amazon Research Award (AWS Automated Reasoning)."},{"DOI":"10.13039\/501100004063","name":"Knut och Alice Wallenbergs Stiftelse","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100004063","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Swedish Research Council (VR)","award":["2018-04727 and 2021-06327"],"award-info":[{"award-number":["2018-04727 and 2021-06327"]}]},{"name":"Swedish Foundation for Strategic Research (SSF)","award":["RIT17-0011"],"award-info":[{"award-number":["RIT17-0011"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,15]]},"DOI":"10.1145\/3576915.3616582","type":"proceedings-article","created":{"date-parts":[[2023,11,21]],"date-time":"2023-11-21T12:35:13Z","timestamp":1700570113000},"page":"549-563","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Black Ostrich: Web Application Scanning with String Solvers"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0553-3597","authenticated-orcid":false,"given":"Benjamin","family":"Eriksson","sequence":"first","affiliation":[{"name":"Chalmers University of Technology, Gothenburg, Sweden"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4180-6118","authenticated-orcid":false,"given":"Amanda","family":"Stjerna","sequence":"additional","affiliation":[{"name":"Uppsala University, Uppsala, Sweden"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2540-7395","authenticated-orcid":false,"given":"Riccardo","family":"De Masellis","sequence":"additional","affiliation":[{"name":"Uppsala University, Uppsala, Sweden"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2733-7098","authenticated-orcid":false,"given":"Philipp","family":"R\u00fcemmer","sequence":"additional","affiliation":[{"name":"University of Regensburg &amp; Uppsala University, Regensburg, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9344-9058","authenticated-orcid":false,"given":"Andrei","family":"Sabelfeld","sequence":"additional","affiliation":[{"name":"Chalmers University of Technology, Gothenburg, Sweden"}]}],"member":"320","published-online":{"date-parts":[[2023,11,21]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"CAV","author":"Abdulla P. A.","year":"2015","unstructured":"P. A. Abdulla, M. F. Atig, Y. Chen, L. Hol\u00edk, A. Rezine, P. R\u00fcmmer, and J. Stenman. Norn: An SMT solver for string constraints. In CAV, 2015."},{"key":"e_1_3_2_1_2_1","volume-title":"USENIX Security","author":"Alhuzali A.","year":"2018","unstructured":"A. Alhuzali, R. Gjomemo, B. Eshete, and V. Venkatakrishnan. Navex: Precise and scalable exploit generation for dynamic web applications. In USENIX Security, 2018."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3484198"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2008.22"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-99524-9_24"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510047"},{"key":"e_1_3_2_1_7_1","volume-title":"SMT-LIB theory of Unicode strings. http: \/\/smtlib.cs.uiowa.edu\/theories-UnicodeStrings.shtml","author":"Barrett C.","year":"2016","unstructured":"C. Barrett, P. Fontaine, and C. Tinelli. SMT-LIB theory of Unicode strings. http: \/\/smtlib.cs.uiowa.edu\/theories-UnicodeStrings.shtml, 2016."},{"key":"e_1_3_2_1_8_1","volume-title":"Department of Computer Science","author":"Barrett C.","year":"2017","unstructured":"C. Barrett, P. Fontaine, and C. Tinelli. The SMT-LIB Standard: Version 2.6. Technical report, Department of Computer Science, The University of Iowa, 2017. www.SMT-LIB.org."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/3447852.3458718"},{"key":"e_1_3_2_1_10_1","author":"Berglund M.","year":"2021","unstructured":"M. Berglund, B. van der Merwe, and S. van Litsenborgh. Regular expressions with lookahead. J. Univers. Comput. Sci., 2021.","journal-title":"J. Univers. Comput. Sci."},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/1595696.1595711"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1007\/BF01371727"},{"key":"e_1_3_2_1_13_1","volume-title":"CCS","author":"Bisht P.","year":"2010","unstructured":"P. Bisht, T. L. Hinrichs, N. Skrupsky, R. Bobrowicz, and V. N. Venkatakrishnan. Notamper: automatic blackbox detection of parameter tampering opportunities in web applications. In CCS, 2010."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-27481-7_23"},{"key":"e_1_3_2_1_15_1","author":"Chandra A. K.","year":"1981","unstructured":"A. K. Chandra, D. Kozen, and L. J. Stockmeyer. Alternation. J. ACM, 1981.","journal-title":"Alternation. J. ACM"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3290362"},{"key":"e_1_3_2_1_17_1","volume-title":"FSCD","author":"Chida N.","year":"2022","unstructured":"N. Chida and T. Terauchi. On lookaheads in regular expressions with backreferences. In A. P. Felty, editor, FSCD, 2022."},{"key":"e_1_3_2_1_18_1","volume-title":"https:\/\/ commoncrawl.org\/2021\/08\/july-august-2021-crawl-archive-available\/","author":"Foundation Common Crawl","year":"2021","unstructured":"Common Crawl Foundation. July\/August 2021 crawl archive. https:\/\/ commoncrawl.org\/2021\/08\/july-august-2021-crawl-archive-available\/, 2021."},{"key":"e_1_3_2_1_19_1","volume-title":"Html: Hypertext markup language. entry input type=\"email\". https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTML\/Element\/input\/email","author":"Contributors M.","year":"2021","unstructured":"M. Contributors. Html: Hypertext markup language. entry input type=\"email\". https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTML\/Element\/input\/email, 2021."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2535838.2535849"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.5555\/1792734.1792766"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/1995376.1995394"},{"key":"e_1_3_2_1_23_1","volume-title":"USENIX Security","author":"Doup\u00e9 A.","year":"2012","unstructured":"A. Doup\u00e9, L. Cavedon, C. Kruegel, and G. Vigna. Enemy of the state: A state-aware black-box web vulnerability scanner. In USENIX Security, 2012."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/WCRE.2013.6671300"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2557547.2557550"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00022"},{"key":"e_1_3_2_1_27_1","volume-title":"Black Ostrich: Web Application Scanning with String Solvers. Extended version together with data and code. https:\/\/www.cse.chalmers.se\/research\/group\/security\/black-ostrich\/","author":"Eriksson B.","year":"2023","unstructured":"B. Eriksson, A. Stjerna, R. D. Masellis, P. R\u00fcmmer, and A. Sabelfeld. Black Ostrich: Web Application Scanning with String Solvers. Extended version together with data and code. https:\/\/www.cse.chalmers.se\/research\/group\/security\/black-ostrich\/, 2023."},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2013.37"},{"key":"e_1_3_2_1_29_1","volume-title":"sqlmap","author":"Stampar B.","year":"2021","unstructured":"B. D. A. G. and M. Stampar. sqlmap, 2021."},{"key":"e_1_3_2_1_30_1","author":"Geffert V.","year":"2021","unstructured":"V. Geffert, C. A. Kapoutsis, and M. Zakzok. Complement for two-way alternating automata. Acta Informatica, 2021.","journal-title":"Complement for two-way alternating automata. Acta Informatica"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-44522-8_25"},{"key":"e_1_3_2_1_32_1","volume-title":"web-application \u00b7 GitHub Topics. https:\/\/github.com\/topics\/web-application","year":"2023","unstructured":"GitHub. web-application \u00b7 GitHub Topics. https:\/\/github.com\/topics\/web-application, 2023."},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2009.26"},{"key":"e_1_3_2_1_34_1","volume-title":"ECMAScript 2020 language specification","author":"Harband J.","year":"2020","unstructured":"J. Harband and K. Smith. ECMAScript 2020 language specification, 11th edition, 2020. https:\/\/262.ecma-international.org\/11.0\/.","edition":"11"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/WSE.2010.5623572"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3158092"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.5555\/1454320"},{"key":"e_1_3_2_1_38_1","volume-title":"You've got pwned: exploiting e-mail systems. https:\/\/www.youtube.com\/watch?v=Bpnc1-g3fMk","author":"Ceukelaire Inti De","year":"2020","unstructured":"Inti De Ceukelaire. You've got pwned: exploiting e-mail systems. https:\/\/www.youtube.com\/watch?v=Bpnc1-g3fMk, 2020."},{"key":"e_1_3_2_1_39_1","volume-title":"Spring mvc regular expression validation. https:\/\/www.javatpoint. com\/spring-mvc-regular-expression-validation","year":"2022","unstructured":"JavaPoint. Spring mvc regular expression validation. https:\/\/www.javatpoint. com\/spring-mvc-regular-expression-validation, 2022."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/1135777.1135817"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1007\/11549345_47"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.tcs.2020.12.011"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1145\/1572272.1572286"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"crossref","unstructured":"D. J. C. Klensin. Application Techniques for Checking and Transformation of Names. RFC 3696 Feb. 2004.","DOI":"10.17487\/rfc3696"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1137\/0213010"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23386"},{"key":"e_1_3_2_1_47_1","volume-title":"https:\/\/github.com\/LearnLib\/alex","year":"2023","unstructured":"LearnLib. LearnLib\/alex. https:\/\/github.com\/LearnLib\/alex, 2023."},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/3314221.3314645"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23309"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICWE.2008.24"},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-90870-6_21"},{"key":"e_1_3_2_1_52_1","volume-title":"operasoftware\/dns-ui. https:\/\/github.com\/operasoftware\/dns-ui","year":"2023","unstructured":"Opera. operasoftware\/dns-ui. https:\/\/github.com\/operasoftware\/dns-ui, 2023."},{"key":"e_1_3_2_1_53_1","volume-title":"Owasp zed attack proxy (zap)","author":"OWASP.","year":"2020","unstructured":"OWASP. Owasp zed attack proxy (zap), 2020."},{"key":"e_1_3_2_1_54_1","volume-title":"Cross site scripting prevention cheat sheet. https:\/\/cheatsheetseries. owasp.org\/cheatsheets\/Cross_Site_Scripting_Prevention_Cheat_Sheet.html","author":"OWASP.","year":"2022","unstructured":"OWASP. Cross site scripting prevention cheat sheet. https:\/\/cheatsheetseries. owasp.org\/cheatsheets\/Cross_Site_Scripting_Prevention_Cheat_Sheet.html, 2022."},{"key":"e_1_3_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2803191"},{"key":"e_1_3_2_1_56_1","volume-title":"parthbhide\/helpinghands. https:\/\/github.com\/parthbhide\/helpinghands\/","author":"Bhide Parth","year":"2020","unstructured":"Parth Bhide. parthbhide\/helpinghands. https:\/\/github.com\/parthbhide\/helpinghands\/, 2020."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26362-5_14"},{"key":"e_1_3_2_1_58_1","volume-title":"Xss in email login fields","year":"2021","unstructured":"Raghav. Xss in email login fields, 2021."},{"key":"e_1_3_2_1_59_1","volume-title":"Part 9, add validation to an asp.net core mvc app. https:\/\/learn.microsoft.com\/en-us\/aspnet\/core\/tutorials\/first-mvc-app\/validation?view=aspnetcore-7.0","author":"Anderson Rick","year":"2022","unstructured":"Rick Anderson. Part 9, add validation to an asp.net core mvc app. https:\/\/learn.microsoft.com\/en-us\/aspnet\/core\/tutorials\/first-mvc-app\/validation?view=aspnetcore-7.0, 2022."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/NCA.2014.53"},{"key":"e_1_3_2_1_61_1","volume-title":"Framework - arachni - web application security scanner framework","author":"Sarosys","year":"2019","unstructured":"Sarosys LLC. Framework - arachni - web application security scanner framework, 2019."},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2010.38"},{"key":"e_1_3_2_1_63_1","volume-title":"NDSS","author":"Saxena P.","year":"2010","unstructured":"P. Saxena, S. Hanna, P. Poosankam, and D. Song. Flax: Systematic discovery of client-side validation vulnerabilities in rich web applications. In NDSS, 2010."},{"key":"e_1_3_2_1_64_1","author":"Shepherdson J. C.","year":"1959","unstructured":"J. C. Shepherdson. The reduction of two-way automata to one-way automata. IBM J. Res. Dev., 1959.","journal-title":"J. Res. Dev."},{"key":"e_1_3_2_1_65_1","volume-title":"CCS","author":"Trinh M.","year":"2014","unstructured":"M. Trinh, D. Chu, and J. Jaffar. S3: A symbolic string solver for vulnerability detection in web applications. In CCS, 2014."},{"key":"e_1_3_2_1_66_1","unstructured":"W3C. Html 5.2 2021. https:\/\/www.w3.org\/TR\/2021\/SPSD-html52-20210128\/."},{"key":"e_1_3_2_1_67_1","volume-title":"How to validate an email with php. https:\/\/www.w3docs.com\/snippets\/php\/e-mail-validation.html","year":"2022","unstructured":"W3Docs. How to validate an email with php. https:\/\/www.w3docs.com\/snippets\/php\/e-mail-validation.html, 2022."},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/2491411.2491456"}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","location":"Copenhagen Denmark","acronym":"CCS '23","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3576915.3616582","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3576915.3616582","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,21]],"date-time":"2025-08-21T01:34:34Z","timestamp":1755740074000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3576915.3616582"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,15]]},"references-count":68,"alternative-id":["10.1145\/3576915.3616582","10.1145\/3576915"],"URL":"https:\/\/doi.org\/10.1145\/3576915.3616582","relation":{},"subject":[],"published":{"date-parts":[[2023,11,15]]},"assertion":[{"value":"2023-11-21","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}