{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:58:55Z","timestamp":1750309135827,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":38,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,9,11]],"date-time":"2024-09-11T00:00:00Z","timestamp":1726012800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"the National Key R&D Program of China","award":["No.2022YFE0113200"],"award-info":[{"award-number":["No.2022YFE0113200"]}]},{"name":"Ant Group Research Fund","award":[""],"award-info":[{"award-number":[""]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,9,11]]},"DOI":"10.1145\/3650212.3680367","type":"proceedings-article","created":{"date-parts":[[2024,9,11]],"date-time":"2024-09-11T11:44:25Z","timestamp":1726055065000},"page":"1377-1388","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Automated Data Binding Vulnerability Detection for Java Web Frameworks via Nested Property Graph"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-7462-6420","authenticated-orcid":false,"given":"Xiaoyong","family":"Yan","sequence":"first","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-9851-8201","authenticated-orcid":false,"given":"Biao","family":"He","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2899-6121","authenticated-orcid":false,"given":"Wenbo","family":"Shen","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-4001-9868","authenticated-orcid":false,"given":"Yu","family":"Ouyang","sequence":"additional","affiliation":[{"name":"Ant Group, Hangzhou, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0002-6339-0301","authenticated-orcid":false,"given":"Kaihang","family":"Zhou","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8009-0242","authenticated-orcid":false,"given":"Xingjian","family":"Zhang","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-9988-8065","authenticated-orcid":false,"given":"Xingyu","family":"Wang","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-4122-4023","authenticated-orcid":false,"given":"Yukai","family":"Cao","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0178-0171","authenticated-orcid":false,"given":"Rui","family":"Chang","sequence":"additional","affiliation":[{"name":"Zhejiang University, Hangzhou, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,9,11]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2023.24688"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179377"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00044"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00150"},{"key":"e_1_3_2_1_5_1","volume-title":"Tabby: Automated Gadget Chain Detection for Java Deserialization Vulnerabilities. In 2023 53rd Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE","author":"Chen Xingchen","year":"2023","unstructured":"Xingchen Chen, Baizhu Wang, Ze Jin, Yun Feng, Xianglong Li, Xincheng Feng, and Qixu Liu. 2023. Tabby: Automated Gadget Chain Detection for Java Deserialization Vulnerabilities. In 2023 53rd Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, Porto, Portugal. 179\u2013192."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00213"},{"key":"e_1_3_2_1_7_1","unstructured":"DataBindingStudy. 2024. DIVER. https:\/\/github.com\/DataBindingStudy\/DIVER"},{"key":"e_1_3_2_1_8_1","unstructured":"exploitdb. 2024. Exploit Database. https:\/\/www.exploit-db.com"},{"key":"e_1_3_2_1_9_1","volume-title":"14th USENIX Workshop on Offensive Technologies (WOOT 20)","author":"Fioraldi Andrea","year":"2020","unstructured":"Andrea Fioraldi, Dominik Maier, Heiko Ei\u00df feldt, and Marc Heuse. 2020. AFL++ : Combining Incremental Steps of Fuzzing Research. In 14th USENIX Workshop on Offensive Technologies (WOOT 20). USENIX Association, Boston, MA, USA."},{"key":"e_1_3_2_1_10_1","unstructured":"Apache Software Foundation. 2024. Apache Tomcat. https:\/\/tomcat.apache.org"},{"key":"e_1_3_2_1_11_1","unstructured":"Eclipse Foundation. 2024. Eclipse Jetty. https:\/\/eclipse.dev\/jetty"},{"key":"e_1_3_2_1_12_1","volume-title":"GREYONE: Data Flow Sensitive Fuzzing. In 29th USENIX Security Symposium (USENIX Security 20)","author":"Gan Shuitao","year":"2020","unstructured":"Shuitao Gan, Chao Zhang, Peng Chen, Bodong Zhao, Xiaojun Qin, Dong Wu, and Zuoning Chen. 2020. GREYONE: Data Flow Sensitive Fuzzing. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, Boston, MA, USA. 2577\u20132594. isbn:978-1-939133-17-5"},{"key":"e_1_3_2_1_13_1","unstructured":"GitHub. 2024. GitHub. https:\/\/github.com"},{"key":"e_1_3_2_1_14_1","volume-title":"FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities. In 30th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society","author":"Gro\u00df Samuel","year":"2023","unstructured":"Samuel Gro\u00df, Simon Koch, Lukas Bernhard, Thorsten Holz, and Martin Johns. 2023. FUZZILLI: Fuzzing for JavaScript JIT Compiler Vulnerabilities. In 30th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society, San Diego, California, USA."},{"key":"e_1_3_2_1_15_1","volume-title":"Atropos: Effective Fuzzing of Web Applications for Server-Side Vulnerabilities. In 33rd USENIX Security Symposium (USENIX Security 24)","author":"G\u00fcler Emre","year":"2024","unstructured":"Emre G\u00fcler, Sergej Schumilo, Moritz Schloegel, Nils Bars, Philipp G\u00f6rz, Xinyi Xu, Cemal Kaygusuz, and Thorsten Holz. 2024. Atropos: Effective Fuzzing of Web Applications for Server-Side Vulnerabilities. In 33rd USENIX Security Symposium (USENIX Security 24). USENIX Association, Philadelphia, PA."},{"key":"e_1_3_2_1_16_1","unstructured":"Ian Haken. 2018. Automated Discovery of Deserialization Gadget Chains. https:\/\/i.blackhat.com\/us-18\/Thu-August-9\/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains.pdf"},{"key":"e_1_3_2_1_17_1","unstructured":"Mu Haowen and He Biao. 2022. DataBinding2Shell. https:\/\/i.blackhat.com\/EU-22\/Wednesday-Briefings\/EU-22-Mu-Databinding2Shell-Novel-Pathways-to-RCE-Web-Frameworks.pdf"},{"key":"e_1_3_2_1_18_1","first-page":"2022","volume":"202","unstructured":"Calum Hutton. 2022. CVE-2022-22965-PoC_Payara. https:\/\/github.com\/CalumHutton\/CVE-2022-22965-PoC_Payara","journal-title":"Calum Hutton."},{"key":"e_1_3_2_1_19_1","unstructured":"Jetbrains. 2022. Java Programming - The State of Developer Ecosystem in 2022 Infographic. https:\/\/www.jetbrains.com\/lp\/devecosystem-2022\/java"},{"key":"e_1_3_2_1_20_1","volume-title":"Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection. In 29th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society","author":"Jiang Zu-Ming","year":"2022","unstructured":"Zu-Ming Jiang, Jia-Ju Bai, Kangjie Lu, and Shi-Min Hu. 2022. Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection. In 29th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society, San Diego, California, USA."},{"key":"e_1_3_2_1_21_1","first-page":"06","volume-title":"MOPT: Optimized Mutation Scheduling for Fuzzers. In 28th USENIX Security Symposium (USENIX Security 19)","author":"Lyu Chenyang","year":"2019","unstructured":"Chenyang Lyu, Shouling Ji, Chao Zhang, Yuwei Li, Wei-Han Lee, Yu Song, and Raheem Beyah. 2019. MOPT: Optimized Mutation Scheduling for Fuzzers. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA. 1949\u20131966. isbn:978-1-939133-06-9"},{"key":"e_1_3_2_1_22_1","volume-title":"EMS: History-Driven Mutation for Coverage-based Fuzzing. In 29th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society","author":"Lyu Chenyang","year":"2022","unstructured":"Chenyang Lyu, Shouling Ji, Xuhong Zhang, Hong Liang, Binbin Zhao, Kangjie Lu, and Raheem Beyah. 2022. EMS: History-Driven Mutation for Coverage-based Fuzzing. In 29th Annual Network and Distributed System Security Symposium, NDSS. The Internet Society, San Diego, California, USA."},{"key":"e_1_3_2_1_23_1","unstructured":"NVD. 2022. CVE-2022-22965. https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2022-22965"},{"key":"e_1_3_2_1_24_1","unstructured":"Tom Preston-Werner. 2012. Public Key Security Vulnerability and Mitigation. https:\/\/github.blog\/2012-03-04-public-key-security-vulnerability-and-mitigation"},{"key":"e_1_3_2_1_25_1","volume-title":"Proceedings of the 35th IEEE\/ACM International Conference on Automated Software Engineering (ASE \u201920)","author":"Rasheed Shawn","year":"2021","unstructured":"Shawn Rasheed and Jens Dietrich. 2021. A Hybrid Analysis to Detect Java Serialisation Vulnerabilities. In Proceedings of the 35th IEEE\/ACM International Conference on Automated Software Engineering (ASE \u201920). Association for Computing Machinery, New York, NY, USA. 1209\u20131213. isbn:9781450367684"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3611643.3616313"},{"key":"e_1_3_2_1_27_1","unstructured":"Stackoverflow. 2023. 2023 Developer Survey. https:\/\/survey.stackoverflow.co\/2023"},{"key":"e_1_3_2_1_28_1","volume-title":"Proceedings of the 32nd USENIX Conference on Security Symposium (SEC \u201923)","author":"Stone Leo","year":"2023","unstructured":"Leo Stone, Rishi Ranjan, Stefan Nagy, and Matthew Hicks. 2023. No Linux, No Problem: Fast and Correct Windows Binary Fuzzing via Target-Embedded Snapshotting. In Proceedings of the 32nd USENIX Conference on Security Symposium (SEC \u201923). USENIX Association, USA. Article 275, 17 pages. isbn:978-1-939133-37-3"},{"key":"e_1_3_2_1_29_1","unstructured":"Check Point Research Team. 2022. 16% of organizations worldwide impacted by Spring4Shell Zero-day vulnerability exploitation attempts since outbreak. https:\/\/blog.checkpoint.com\/security\/16-of-organizations-worldwide-impacted-by-spring4shell-zero-day-vulnerability-exploitation-attempts-since-outbreak"},{"key":"e_1_3_2_1_30_1","unstructured":"CheatSheets Series Team. 2024. Mass Assignment Cheat Sheet. https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Mass_Assignment_Cheat_Sheet.html"},{"key":"e_1_3_2_1_31_1","unstructured":"Spring Team. 2022. Validation Data Binding and Type Conversion. https:\/\/docs.spring.io\/spring-framework\/docs\/5.3.15\/reference\/html\/core.html##validation"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179317"},{"key":"e_1_3_2_1_33_1","volume-title":"Demetris Kaizer, Michalis Papaevripides, and Elias Athanasopoulos.","author":"van Rooij Orpheas","year":"2021","unstructured":"Orpheas van Rooij, Marcos Antonios Charalambous, Demetris Kaizer, Michalis Papaevripides, and Elias Athanasopoulos. 2021. webFuzz: Grey-Box Fuzzing for Web Applications. In Computer Security \u2013 ESORICS 2021, Elisa Bertino, Haya Shulman, and Michael Waidner (Eds.). Springer International Publishing, Cham. 152\u2013172."},{"key":"e_1_3_2_1_34_1","unstructured":"Brian Vermeer. 2022. Spring4Shell extends to Glassfish and Payara: same vulnerability new exploit. https:\/\/snyk.io\/blog\/spring4shell-rce-vulnerability-glassfish-payara"},{"key":"e_1_3_2_1_35_1","first-page":"2010","volume":"201","author":"Wu Benson","unstructured":"Benson Wu, Fyodor Y, and Meder Kydyraliev. 2010. CVE-2010-1622. http:\/\/blog.o0o.nu\/2010\/06\/cve-2010-1622.html","journal-title":"Meder Kydyraliev."},{"key":"e_1_3_2_1_36_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Xiao Feng","year":"2021","unstructured":"Feng Xiao, Jianwei Huang, Yichang Xiong, Guangliang Yang, Hong Hu, Guofei Gu, and Wenke Lee. 2021. Abusing Hidden Properties to Attack the Node.js Ecosystem. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, Vancouver, B.C., Canada. 2951\u20132968. isbn:978-1-939133-24-3"},{"key":"e_1_3_2_1_37_1","unstructured":"Michal Zalewski. 2024. american fuzzy lop. https:\/\/lcamtuf.coredump.cx\/afl"},{"key":"e_1_3_2_1_38_1","volume-title":"Cefuzz: An Directed Fuzzing Framework for PHP RCE Vulnerability. Electronics, 11, 5","author":"Zhao Jiazhen","year":"2022","unstructured":"Jiazhen Zhao, Yuliang Lu, Kailong Zhu, Zehan Chen, and Hui Huang. 2022. Cefuzz: An Directed Fuzzing Framework for PHP RCE Vulnerability. Electronics, 11, 5 (2022)."}],"event":{"name":"ISSTA '24: 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering","AITO"],"location":"Vienna Austria","acronym":"ISSTA '24"},"container-title":["Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3650212.3680367","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3650212.3680367","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:50:08Z","timestamp":1750287008000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3650212.3680367"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,11]]},"references-count":38,"alternative-id":["10.1145\/3650212.3680367","10.1145\/3650212"],"URL":"https:\/\/doi.org\/10.1145\/3650212.3680367","relation":{},"subject":[],"published":{"date-parts":[[2024,9,11]]},"assertion":[{"value":"2024-09-11","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}