{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,17]],"date-time":"2026-03-17T20:24:05Z","timestamp":1773779045731,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":76,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,12,2]],"date-time":"2024-12-02T00:00:00Z","timestamp":1733097600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Taishan Young Scholar Program of Shandong Province, China","award":["tsqn202211001"],"award-info":[{"award-number":["tsqn202211001"]}]},{"name":"Shandong Provincial Natural Science Foundation","award":["ZR2023MF043"],"award-info":[{"award-number":["ZR2023MF043"]}]},{"DOI":"10.13039\/501100006374","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62372268"],"award-info":[{"award-number":["62372268"]}],"id":[{"id":"10.13039\/501100006374","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Xiaomi Young Talents Program"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,12,2]]},"DOI":"10.1145\/3658644.3670294","type":"proceedings-article","created":{"date-parts":[[2024,12,9]],"date-time":"2024-12-09T12:19:20Z","timestamp":1733746760000},"page":"525-539","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-1965-0723","authenticated-orcid":false,"given":"Zidong","family":"Zhang","sequence":"first","affiliation":[{"name":"School of Cyber Science and Technology, Shandong University, Qingdao, 
China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1119-4766","authenticated-orcid":false,"given":"Qinsheng","family":"Hou","sequence":"additional","affiliation":[{"name":"Shandong University; QI-ANXIN Technology Research Institute, Qingdao, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7445-9103","authenticated-orcid":false,"given":"Lingyun","family":"Ying","sequence":"additional","affiliation":[{"name":"QI-ANXIN Technology Research Institute, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0916-8806","authenticated-orcid":false,"given":"Wenrui","family":"Diao","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Technology, Shandong University, Qingdao, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2221-5689","authenticated-orcid":false,"given":"Yacong","family":"Gu","sequence":"additional","affiliation":[{"name":"Tsinghua University; Tsinghua University-QI-ANXIN Group JCNS, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0822-0919","authenticated-orcid":false,"given":"Rui","family":"Li","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Technology, Shandong University, Qingdao, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3367-0951","authenticated-orcid":false,"given":"Shanqing","family":"Guo","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Technology, Shandong University, Qingdao, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0083-733X","authenticated-orcid":false,"given":"Haixin","family":"Duan","sequence":"additional","affiliation":[{"name":"Tsinghua University; Quancheng Laboratory, 
Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,12,9]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Accessed: 2024-01--27. Alipay Documentation:Mini-Program Scheme. https:\/\/opendocs.alipay.com\/support\/01rb18"},{"key":"e_1_3_2_1_2_1","unstructured":"Accessed: 2024-01--27. Alipay Mini-Program. https:\/\/global.alipay.com\/platform\/site\/product\/mini-program"},{"key":"e_1_3_2_1_3_1","unstructured":"Accessed: 2024-01--27. Alipay open platform: how to get any Alipay small program appId and the page path. https:\/\/open.alipay.com\/portal\/forum\/post\/17101017"},{"key":"e_1_3_2_1_4_1","unstructured":"Accessed: 2024-01--27. APKPure. https:\/\/apkpure.net\/"},{"key":"e_1_3_2_1_5_1","unstructured":"Accessed: 2024-01--27. Baidu smart mini-program:mini-program scheme. https:\/\/smartprogram.baidu.com\/docs\/develop\/function\/opensmartprogram\/"},{"key":"e_1_3_2_1_6_1","unstructured":"Accessed: 2024-01--27. Baidu Smart Program. https:\/\/smartprogram.baidu.com"},{"key":"e_1_3_2_1_7_1","unstructured":"Accessed: 2024-01--27. Chinese National Vulnerability Database (CNVD). https:\/\/www.cnvd.org.cn"},{"key":"e_1_3_2_1_8_1","unstructured":"Accessed: 2024-01--27. CNCERT\/CC. https:\/\/www.cert.org.cn\/publish\/english\/index.html"},{"key":"e_1_3_2_1_9_1","unstructured":"Accessed: 2024-01--27. Code Composition of a WeChat Mini Program. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/quickstart\/code.html"},{"key":"e_1_3_2_1_10_1","unstructured":"Accessed: 2024-01--27. CodeQL CLI. https:\/\/docs.github.com\/en\/code-security\/codeql-cli"},{"key":"e_1_3_2_1_11_1","unstructured":"Accessed: 2024-01--27. CodeQL for JavaScript. https:\/\/codeql.github.com\/docs\/codeql-language-guides\/codeql-for-javascript"},{"key":"e_1_3_2_1_12_1","unstructured":"Accessed: 2024-01--27. Decrypting WeChat DataBase. 
https:\/\/www.forensicfocus.com\/articles\/decrypt-wechat-enmicromsgdb-database\/"},{"key":"e_1_3_2_1_13_1","unstructured":"Accessed: 2024-01--27. Events in WeChat Mini-programs. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/view\/wxml\/event.html"},{"key":"e_1_3_2_1_14_1","unstructured":"Accessed: 2024-01--27. Google Play. https:\/\/play.google.com\/"},{"key":"e_1_3_2_1_15_1","unstructured":"Accessed: 2024-01--27. JavaScript HTML DOM Events. https:\/\/www.w3schools.com\/js\/js_htmldom_events.asp"},{"key":"e_1_3_2_1_16_1","unstructured":"Accessed: 2024-01--27. jieba. https:\/\/github.com\/fxsjy\/jieba"},{"key":"e_1_3_2_1_17_1","unstructured":"Accessed: 2024-01--27. Packages of WeChat Mini-Program. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/subpackages.html"},{"key":"e_1_3_2_1_18_1","unstructured":"Accessed: 2024-01--27. Passive DNS. https:\/\/docs.umbrella.com\/investigate\/docs\/passive-dns"},{"key":"e_1_3_2_1_19_1","unstructured":"Accessed: 2024-01--27. pywinauto. https:\/\/github.com\/pywinauto\/pywinauto"},{"key":"e_1_3_2_1_20_1","unstructured":"Accessed: 2024-01--27. Routing in ExpressJS. https:\/\/expressjs.com\/en\/guide\/routing.html"},{"key":"e_1_3_2_1_21_1","unstructured":"Accessed: 2024-01--27. Sohu. https:\/\/www.sohu.com"},{"key":"e_1_3_2_1_22_1","unstructured":"Accessed: 2024-01--27. Tencent WeChat. https:\/\/www.wechat.com\/en\/"},{"key":"e_1_3_2_1_23_1","unstructured":"Accessed: 2024-01--27. The Metadata API for WeChat Mini-Program. https:\/\/mp.weixin.qq.com\/wxawap\/waverifyinfo"},{"key":"e_1_3_2_1_24_1","unstructured":"Accessed: 2024-01--27. The Page Object in WeChat Mini-programs. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/reference\/api\/Page.html"},{"key":"e_1_3_2_1_25_1","unstructured":"Accessed: 2024-01--27. Tiktok mini-program:Generate Scheme. 
https:\/\/developer.open-douyin.com\/docs\/resource\/zh-CN\/mini-app\/develop\/server\/url-and-qrcode\/schema\/generate-schema-v2"},{"key":"e_1_3_2_1_26_1","unstructured":"Accessed: 2024-01--27. TikTok Mini-programs. https:\/\/www.tiktok.com\/discover\/mini-programs"},{"key":"e_1_3_2_1_27_1","unstructured":"Accessed: 2024-01--27. w3c:MiniApp Addressing explainer. https:\/\/github.com\/w3c\/miniapp-addressing\/blob\/main\/docs\/explainer.md"},{"key":"e_1_3_2_1_28_1","unstructured":"Accessed: 2024-01--27. WeChat Mini-Program: Cloud Base. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/wxcloud\/basis\/gettingstarted.html"},{"key":"e_1_3_2_1_29_1","unstructured":"Accessed: 2024-01--27. WeChat Mini-program Code. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/open-ability\/qr-code.html"},{"key":"e_1_3_2_1_30_1","unstructured":"Accessed: 2024-01--27. WeChat Mini Program Host Environment. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/quickstart\/framework.html"},{"key":"e_1_3_2_1_31_1","unstructured":"Accessed: 2024-01--27. WeChat Mini Program Login. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/open-ability\/login.html"},{"key":"e_1_3_2_1_32_1","unstructured":"Accessed: 2024-01--27. WeChat Mini-Program Network Ability. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/ability\/network.html"},{"key":"e_1_3_2_1_33_1","unstructured":"Accessed: 2024-01--27. WeChat Mini-Program Payment. https:\/\/pay.weixin.qq.com\/wechatpay_h5\/pages\/product\/miniapp.shtml"},{"key":"e_1_3_2_1_34_1","unstructured":"Accessed: 2024-01--27. WeChat Mini-Program Share & Forwarding. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/open-ability\/share.html"},{"key":"e_1_3_2_1_35_1","unstructured":"Accessed: 2024-01--27. WeChat Mini-Programs. https:\/\/mp.weixin.qq.com\/cgi-bin\/wx?token=&lang=en_US"},{"key":"e_1_3_2_1_36_1","unstructured":"Accessed: 2024-01--27. 
WeChat Mini Program's Frame Interface-Page. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/reference\/api\/Page.html"},{"key":"e_1_3_2_1_37_1","unstructured":"Accessed: 2024-01--27. WeChat Mini-Programs Page Routing. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/app-service\/route.html"},{"key":"e_1_3_2_1_38_1","unstructured":"Accessed: 2024-01--27. WeChat Mini-programs Storage. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/ability\/storage.html"},{"key":"e_1_3_2_1_39_1","unstructured":"Accessed: 2024-01--27. WeChat Payment Guide. https:\/\/pay.weixin.qq.com\/wiki\/doc\/api\/wxpay\/en\/guide\/pos\/ReasonableQueryMechanism.shtml"},{"key":"e_1_3_2_1_40_1","volume-title":"2024-01--27. WeChat Revenue and Usage Statistics","author":"Accessed","year":"2024","unstructured":"Accessed: 2024-01--27. WeChat Revenue and Usage Statistics (2024). https:\/\/www.businessofapps.com\/data\/wechat-statistics"},{"key":"e_1_3_2_1_41_1","unstructured":"Accessed: 2024-01--27. WeCom Mini-programs. https:\/\/work.weixin.qq.com\/wework_admin\/wxcontacts\/wxconnection_h5_guide?t=miniProgram"},{"key":"e_1_3_2_1_42_1","unstructured":"Accessed: 2024-01--27. wxappUnpacker. https:\/\/github.com\/system-cpu\/wxappUnpacker"},{"key":"e_1_3_2_1_43_1","unstructured":"Accessed: 2024-01--27. WXML Introduction. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/framework\/view\/wxml"},{"key":"e_1_3_2_1_44_1","unstructured":"Accessed: 2024-01--27. wxml-transformer. https:\/\/github.com\/imingyu\/wxml-transformer"},{"key":"e_1_3_2_1_45_1","unstructured":"Accessed: 2024-01--27. wx.navigateTo. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/api\/route\/wx.navigateTo.html"},{"key":"e_1_3_2_1_46_1","unstructured":"Accessed: 2024-01--27. wx.redirectTo. https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/api\/route\/wx.redirectTo.html"},{"key":"e_1_3_2_1_47_1","unstructured":"Accessed: 2024-01--27. wx.reLaunch. 
https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/api\/route\/wx.reLaunch.html"},{"key":"e_1_3_2_1_48_1","volume-title":"2024-04--27. WeChat Revenue and Usage Statistics","author":"Accessed","year":"2024","unstructured":"Accessed: 2024-04--27. WeChat Revenue and Usage Statistics (2024). https:\/\/developers.weixin.qq.com\/miniprogram\/en\/dev\/reference\/api\/getApp.html"},{"key":"e_1_3_2_1_49_1","unstructured":"Accessed: 2024-06--12. MiniCAT. https:\/\/github.com\/kee1ongz\/MiniCAT"},{"key":"e_1_3_2_1_50_1","volume-title":"Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023","author":"Baskaran Supraja","year":"2023","unstructured":"Supraja Baskaran, Lianying Zhao, Mohammad Mannan, and Amr M. Youssef. 2023. Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case. In Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023, Hong Kong, China, October 16--18, 2023."},{"key":"e_1_3_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624426"},{"key":"e_1_3_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/2554850.2554909"},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/2025113.2025125"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635904"},{"key":"e_1_3_2_1_55_1","volume-title":"Proceedings of the 30th USENIX Security Symposium (USENIX-Sec), August 11--13","author":"Khodayari Soheil","year":"2021","unstructured":"Soheil Khodayari and Giancarlo Pellegrino. 2021. JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals. 
In Proceedings of the 30th USENIX Security Symposium (USENIX-Sec), August 11--13, 2021."},{"key":"e_1_3_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2024.3356197"},{"key":"e_1_3_2_1_57_1","volume-title":"MiniTracker: Large-Scale Sensitive Information Tracking in Mini Apps","author":"Li Wei","year":"2023","unstructured":"Wei Li, Borui Yang, Hangyu Ye, Liyao Xiang, Qingxiao Tao, Xinbing Wang, and Chenghu Zhou. 2023. MiniTracker: Large-Scale Sensitive Information Tracking in Mini Apps. IEEE Transactions on Dependable and Secure Computing (2023)."},{"key":"e_1_3_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624431"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417255"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00151"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3472749.3474737"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-C.2017.4"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133959"},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624428"},{"key":"e_1_3_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00086"},{"key":"e_1_3_2_1_66_1","volume-title":"Proceedings of the 32nd USENIX Security Symposium (USENIX-Sec)","author":"Wang Chao","year":"2023","unstructured":"Chao Wang, Yue Zhang, and Zhiqiang Lin. 2023. One Size Does Not Fit All: Uncovering and Exploiting Cross Platform Discrepant APIs in WeChat. 
In Proceedings of the 32nd USENIX Security Symposium (USENIX-Sec), Anaheim, CA, USA, August 9--11, 2023."},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624435"},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510114"},{"key":"e_1_3_2_1_69_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624427"},{"key":"e_1_3_2_1_70_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560597"},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624434"},{"key":"e_1_3_2_1_72_1","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX-Sec)","author":"Zhang Lei","year":"2022","unstructured":"Lei Zhang, Zhibo Zhang, Ancong Liu, Yinzhi Cao, Xiaohan Zhang, Yanjun Chen, Yuan Zhang, Guangliang Yang, and Min Yang. 2022. Identity Confusion in WebView-based Mobile App-in-app Ecosystems. In Proceedings of the 31st USENIX Security Symposium (USENIX-Sec), Boston, MA, USA, August 10--12, 2022."},{"key":"e_1_3_2_1_73_1","doi-asserted-by":"publisher","DOI":"10.1145\/3410220.3460106"},{"key":"e_1_3_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616591"},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624430"},{"key":"e_1_3_2_1_76_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605762.3624433"}],"event":{"name":"CCS '24: ACM SIGSAC Conference on Computer and Communications Security","location":"Salt Lake City UT USA","acronym":"CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications 
Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3670294","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3658644.3670294","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T06:04:47Z","timestamp":1755842687000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3658644.3670294"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,2]]},"references-count":76,"alternative-id":["10.1145\/3658644.3670294","10.1145\/3658644"],"URL":"https:\/\/doi.org\/10.1145\/3658644.3670294","relation":{},"subject":[],"published":{"date-parts":[[2024,12,2]]},"assertion":[{"value":"2024-12-09","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}