{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,7]],"date-time":"2026-02-07T12:46:10Z","timestamp":1770468370169,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":27,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,6,18]],"date-time":"2024-06-18T00:00:00Z","timestamp":1718668800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,6,18]]},"DOI":"10.1145\/3661167.3661204","type":"proceedings-article","created":{"date-parts":[[2024,6,14]],"date-time":"2024-06-14T12:24:25Z","timestamp":1718367865000},"page":"369-374","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":5,"title":["Mining REST APIs for Potential Mass Assignment Vulnerabilities"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0417-5655","authenticated-orcid":false,"given":"Arash","family":"Mazidi","sequence":"first","affiliation":[{"name":"Software and Systems Engineering, TU Clausthal, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-2594-4562","authenticated-orcid":false,"given":"Davide","family":"Corradini","sequence":"additional","affiliation":[{"name":"University of Verona, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1986-9668","authenticated-orcid":false,"given":"Mohammad","family":"Ghafari","sequence":"additional","affiliation":[{"name":"Software and Systems Engineering, TU Clausthal, Germany"}]}],"member":"320","published-online":{"date-parts":[[2024,6,18]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00083"},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST46399.2020.00046"},{"key":"e_1_3_2_1_3_1","unstructured":"Alexander Barabanov Denis Dergunov Denis Makrushin and Aleksey Teplov.2022. Automatic detection of access control vulnerabilities via API specification processing. arXiv preprint arXiv:2201.10833."},{"key":"e_1_3_2_1_4_1","unstructured":"Jason Beeferman. 2022. Attack to Insurance APIs. https:\/\/www.texastribune.org\/2022\/05\/16\/texas-insurance-data-breach\/"},{"key":"e_1_3_2_1_5_1","unstructured":"Bookstore. 2022. Bookstore. https:\/\/github.com\/todo\/Bookstore"},{"key":"e_1_3_2_1_6_1","volume-title":"Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs. 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE).","author":"Corradini Davide","year":"2023","unstructured":"Davide Corradini, Michele Pasqua, and Mariano Ceccato. 2023. Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs. 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE)."},{"key":"e_1_3_2_1_7_1","volume-title":"RestTestGen: An Extensible Framework for Automated Black-box Testing of RESTful APIs. In 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 504\u2013508","author":"Corradini Davide","year":"2022","unstructured":"Davide Corradini, Amedeo Zampieri, Michele Pasqua, and Mariano Ceccato. 2022. RestTestGen: An Extensible Framework for Automated Black-box Testing of RESTful APIs. In 2022 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 504\u2013508."},{"key":"e_1_3_2_1_8_1","unstructured":"CRUD. 2023. CRUD. https:\/\/github.com\/lucianopereira86\/CRUD-NodeJS-Sequelize-Swagger-MySQL"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/SANER48275.2020.9054850"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3475716.3475780"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409719"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397374"},{"key":"e_1_3_2_1_13_1","unstructured":"Jonathan Greig. 2022. Attack to digital scheduling platform. https:\/\/www.zdnet.com\/article\/flexbooker-apologizes-for-breach-of-3-7-million-user-records-credit-card-information\/"},{"key":"e_1_3_2_1_14_1","unstructured":"Tim Keary. 2022. Attack to social media platform. https:\/\/venturebeat.com\/security\/twitter-breach-api-attack\/"},{"key":"e_1_3_2_1_15_1","volume-title":"FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities. In 31st USENIX Security Symposium (USENIX Security 22)","author":"Park\u00a0Daejun Kim Sunnyeo","year":"2022","unstructured":"Sunnyeo Park\u00a0Daejun Kim, Suman Jana, and Sooel Son. 2022. FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities. In 31st USENIX Security Symposium (USENIX Security 22), 197\u2013214."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3368640.3368680"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion.2019.00037"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/DeepTest52559.2021.00008"},{"key":"e_1_3_2_1_19_1","unstructured":"OWASP. 2023. OWASP. https:\/\/github.com\/mattiasanti99\/vulnerability OWASP project"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1108\/eb046814"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"crossref","unstructured":"A.\u00a0Sujan Reddy and Bhawana Rudra. 2022. Detection of injections in API requests using recurrent neural networks and transformers. International Journal of Electronic Security and Digital Forensics 638\u2013658.","DOI":"10.1504\/IJESDF.2022.126451"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24550"},{"key":"e_1_3_2_1_23_1","unstructured":"StudentAPI. 2023. StudentAPI. https:\/\/github.com\/arash-mazidi\/StudentAPI"},{"key":"e_1_3_2_1_24_1","unstructured":"The\u00a0AKTO Team. 2023. Instant Open source API security \u2192 API discovery automated business logic testing and runtime detection. https:\/\/github.com\/akto-api-security\/akto"},{"key":"e_1_3_2_1_25_1","unstructured":"The\u00a0RESTTESTGEN Team. 2023. RestTestGen: A tool and framework for automated black-box testing of RESTful APIs. https:\/\/github.com\/SeUniVr\/RestTestGen"},{"key":"e_1_3_2_1_26_1","unstructured":"Toggle. 2023. Toggle. https:\/\/github.com\/pdonatilio\/ToggleAPI"},{"key":"e_1_3_2_1_27_1","unstructured":"VAmPI. 2023. vampi. https:\/\/github.com\/erev0s\/VAmPI"}],"event":{"name":"EASE 2024: 28th International Conference on Evaluation and Assessment in Software Engineering","location":"Salerno Italy","acronym":"EASE 2024"},"container-title":["Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3661167.3661204","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3661167.3661204","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T11:16:49Z","timestamp":1755861409000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3661167.3661204"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,6,18]]},"references-count":27,"alternative-id":["10.1145\/3661167.3661204","10.1145\/3661167"],"URL":"https:\/\/doi.org\/10.1145\/3661167.3661204","relation":{},"subject":[],"published":{"date-parts":[[2024,6,18]]},"assertion":[{"value":"2024-06-18","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}