{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,1]],"date-time":"2026-02-01T07:33:53Z","timestamp":1769931233537,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":40,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,9,30]],"date-time":"2024-09-30T00:00:00Z","timestamp":1727654400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation","award":["CNS-2031390"],"award-info":[{"award-number":["CNS-2031390"]}]},{"name":"National Science Foundation","award":["CNS-2329540"],"award-info":[{"award-number":["CNS-2329540"]}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-2031390"],"award-info":[{"award-number":["CNS-2031390"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-2329540"],"award-info":[{"award-number":["CNS-2329540"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,9,30]]},"DOI":"10.1145\/3678890.3678904","type":"proceedings-article","created":{"date-parts":[[2024,9,29]],"date-time":"2024-09-29T22:23:36Z","timestamp":1727648616000},"page":"235-247","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["Gudifu: Guided Differential Fuzzing for HTTP Request Parsing Discrepancies"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-0501-1363","authenticated-orcid":false,"given":"Bahruz","family":"Jabiyev","sequence":"first","affiliation":[{"name":"Northeastern University, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-4559-2577","authenticated-orcid":false,"given":"Anthony","family":"Gavazzi","sequence":"additional","affiliation":[{"name":"Northeastern University, United States of America"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-7832-5884","authenticated-orcid":false,"given":"Kaan","family":"Onarlioglu","sequence":"additional","affiliation":[{"name":"Akamai Technologies, United States of America"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9988-6873","authenticated-orcid":false,"given":"Engin","family":"Kirda","sequence":"additional","affiliation":[{"name":"Northeastern University, United States of America"}]}],"member":"320","published-online":{"date-parts":[[2024,9,30]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Akamai. [n. d.]. Caching. Akamai Techdocs. https:\/\/techdocs.akamai.com\/api-definitions\/docs\/caching."},{"key":"e_1_3_2_1_2_1","unstructured":"Akamai. [n. d.]. Strict Header Parsing. Akamai Techdocs. https:\/\/techdocs.akamai.com\/property-mgr\/docs\/strict-header-parsing."},{"key":"e_1_3_2_1_3_1","volume-title":"SnapFuzz: High-Throughput Fuzzing of Network Applications. In ACM SIGSOFT International Symposium on Software Testing and Analysis.","author":"Andronidis Anastasios","year":"2022","unstructured":"Anastasios Andronidis and Cristian Cadar. 2022. SnapFuzz: High-Throughput Fuzzing of Network Applications. In ACM SIGSOFT International Symposium on Software Testing and Analysis."},{"key":"e_1_3_2_1_4_1","unstructured":"Ryan Barnett. 2021. HTTP\/2 Request Smuggling. Akamai Blog. https:\/\/www.akamai.com\/blog\/security\/http-2-request-smulggling."},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"crossref","unstructured":"Tim Berners-Lee Roy\u00a0T. Fielding and Larry Masinter. 2005. Uniform Resource Identifier (URI): Generic Syntax. https:\/\/datatracker.ietf.org\/doc\/html\/rfc3986.","DOI":"10.17487\/rfc3986"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560624"},{"key":"e_1_3_2_1_7_1","unstructured":"Protocol Buffers. [n. d.]. Protocol Buffers - Google\u2019s data interchange format. Github Repository. https:\/\/github.com\/protocolbuffers\/protobuf."},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978394"},{"key":"e_1_3_2_1_9_1","unstructured":"Cloudflare. [n. d.]. Configure cache by status code. Cloudflare Docs. https:\/\/developers.cloudflare.com\/cache\/how-to\/configure-cache-status-code."},{"key":"e_1_3_2_1_10_1","unstructured":"Richard\u00a0I. Cook. 1998. How Complex Systems Fail. https:\/\/how.complexsystems.fail\/."},{"key":"e_1_3_2_1_11_1","unstructured":"Evan Custodio. 2019. Mass account takeovers using HTTP Request Smuggling on https:\/\/slackb.com\/ to steal session cookies. https:\/\/hackerone.com\/reports\/737140."},{"key":"e_1_3_2_1_12_1","unstructured":"Evan Custodio. 2020. Practical Attacks Using HTTP Request Smuggling by @defparam. NahamCon. https:\/\/www.youtube.com\/watch?v=3tpnuzFLU8g."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00009"},{"key":"e_1_3_2_1_14_1","unstructured":"Envoy. 2023. HTTP connection manager (proto). envoyproxy.io. https:\/\/www.envoyproxy.io\/docs\/envoy\/latest\/api-v3\/extensions\/filters\/network\/http_connection_manager\/v3\/http_connection_manager.proto#envoy-v3-api-field-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-merge-slashes."},{"key":"e_1_3_2_1_15_1","unstructured":"Fastly. 2022. Caching configuration best practices. Fastly Documentation. https:\/\/docs.fastly.com\/en\/guides\/caching-best-practices."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"crossref","unstructured":"Roy\u00a0T. Fielding Jim Gettys Jeffrey\u00a0C. Mogul Henrik Frystyk Larry Masinter Paul Leach and Tim Berners-Lee. 1997. Hypertext Transfer Protocol \u2013 HTTP\/1.1. https:\/\/datatracker.ietf.org\/doc\/html\/rfc2616.","DOI":"10.17487\/rfc2068"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"crossref","unstructured":"Roy\u00a0T. Fielding and Julian\u00a0F. Reschke. 2014. Hypertext Transfer Protocol (HTTP\/1.1): Message Syntax and Routing. https:\/\/datatracker.ietf.org\/doc\/html\/rfc7230.","DOI":"10.17487\/rfc7230"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"crossref","unstructured":"Roy\u00a0T. Fielding and Julian\u00a0F. Reschke. 2014. Hypertext Transfer Protocol (HTTP\/1.1): Semantics and Content. https:\/\/datatracker.ietf.org\/doc\/html\/rfc7231.","DOI":"10.17487\/rfc7231"},{"key":"e_1_3_2_1_19_1","unstructured":"Antonio Frighetto. 2019. Coverage-guided binary fuzzing with REVNG and LLVM libfuzzer. (2019)."},{"key":"e_1_3_2_1_20_1","unstructured":"Antonio Frighetto. 2020. Fuzzing binaries with LLVM\u2019s libFuzzer and rev.ng. REVNG Blog. https:\/\/rev.ng\/blog\/fuzzing-binaries."},{"key":"e_1_3_2_1_21_1","unstructured":"Google. [n. d.]. libprotobuf-mutator. Github Repository. https:\/\/github.com\/google\/libprotobuf-mutator."},{"key":"e_1_3_2_1_22_1","unstructured":"Google. [n. d.]. Structure-Aware Fuzzing with libFuzzer. Github Repository. https:\/\/github.com\/google\/fuzzing\/blob\/master\/docs\/structure-aware-fuzzing.md."},{"key":"e_1_3_2_1_23_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Jabiyev Bahruz","year":"2022","unstructured":"Bahruz Jabiyev, Steven Sprecher, Anthony Gavazzi, Tommaso Innocenti, Kaan Onarlioglu, and Engin Kirda. 2022. { FRAMESHIFTER} : Security implications of { HTTP\/2-to-HTTP\/1} conversion anomalies. In 31st USENIX Security Symposium (USENIX Security 22). 1061\u20131075."},{"key":"e_1_3_2_1_24_1","volume-title":"T-Reqs: HTTP Request Smuggling with Differential Fuzzing. In ACM Conference on Computer and Communications Security.","author":"Jabiyev Bahruz","year":"2021","unstructured":"Bahruz Jabiyev, Steven Sprecher, Kaan Onarlioglu, and Engin Kirda. 2021. T-Reqs: HTTP Request Smuggling with Differential Fuzzing. In ACM Conference on Computer and Communications Security."},{"key":"e_1_3_2_1_25_1","unstructured":"James Kettle. 2019. HTTP Desync Attacks: Request Smuggling Reborn. PortSwigger Web Security Blog. https:\/\/portswigger.net\/blog\/http-desync-attacks-request-smuggling-reborn."},{"key":"e_1_3_2_1_26_1","unstructured":"James Kettle. 2019. Stored XSS on https:\/\/paypal.com\/signin via cache poisoning. HackerOne. https:\/\/hackerone.com\/reports\/488147."},{"key":"e_1_3_2_1_27_1","unstructured":"James Kettle. 2021. HTTP\/2: The Sequel is Always Worse. PortSwigger Web Security Blog. https:\/\/portswigger.net\/research\/http2."},{"key":"e_1_3_2_1_28_1","unstructured":"Iustin Ladunca. 2020. Cache Key Normalization DoS. https:\/\/youst.in\/posts\/cache-key-normalization-denial-of-service\/."},{"key":"e_1_3_2_1_29_1","unstructured":"Iustin Ladunca. 2021. Cache Poisoning at Scale. https:\/\/youst.in\/posts\/cache-poisoning-at-scale\/."},{"key":"e_1_3_2_1_30_1","volume-title":"Engineering a Safer World","author":"Leveson G.","unstructured":"Nancy\u00a0G. Leveson. 2011. Engineering a Safer World. The MIT Press, Cambridge, MA, USA."},{"key":"e_1_3_2_1_31_1","unstructured":"libFuzzer. 2023. libFuzzer \u2013 a library for coverage-guided fuzz testing. LLVM.org. https:\/\/llvm.org\/docs\/LibFuzzer.html."},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354215"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1109\/CNS56114.2022.9947273"},{"key":"e_1_3_2_1_34_1","volume-title":"Nezha: Efficient Domain-Independent Differential Testing. In IEEE Symposium on Security and Privacy.","author":"Petsios Theofilos","year":"2017","unstructured":"Theofilos Petsios, Adrian Tang, Salvatore Stolfo, Angelos\u00a0D. Keromytis, and Suman Jana. 2017. Nezha: Efficient Domain-Independent Differential Testing. In IEEE Symposium on Security and Privacy."},{"key":"e_1_3_2_1_35_1","volume-title":"AFLNET: A Greybox Fuzzer for Network Protocols. In IEEE International Conference on Software Testing, Validation and Verification.","author":"Pham Van-Thuan","year":"2020","unstructured":"Van-Thuan Pham, Marcel B\u00f6hme, and Abhik Roychoudhury. 2020. AFLNET: A Greybox Fuzzer for Network Protocols. In IEEE International Conference on Software Testing, Validation and Verification."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3427228.3427662"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3492321.3519591"},{"key":"e_1_3_2_1_38_1","volume-title":"HDiff: A Semi-automatic Framework for Discovering Semantic Gap Attack in HTTP Implementations. In IEEE\/IFIP International Conference on Dependable Systems and Networks.","author":"Shen Kaiwen","year":"2022","unstructured":"Kaiwen Shen, Jianyu Lu, Yaru Yang, Jianjun Chen, Mingming Zhang, Haixin Duan, Jia Zhang, and Xiaofeng Zheng. 2022. HDiff: A Semi-automatic Framework for Discovering Semantic Gap Attack in HTTP Implementations. In IEEE\/IFIP International Conference on Dependable Systems and Networks."},{"key":"e_1_3_2_1_39_1","unstructured":"Micha\u0142 Zalewski. 2023. american fuzzy lop. lcamtuf.coredump.cx website. https:\/\/lcamtuf.coredump.cx\/afl\/."},{"key":"e_1_3_2_1_40_1","volume-title":"TCP-Fuzz: Detecting Memory and Semantic Bugs in TCP Stacks with Fuzzing. In USENIX Annual Technical Conference.","author":"Zou Yong-Hao","year":"2021","unstructured":"Yong-Hao Zou, Jia-Ju Bai, Jielong Zhou, Jianfeng Tan, Chenggang Qin, and Shi-Min Hu. 2021. TCP-Fuzz: Detecting Memory and Semantic Bugs in TCP Stacks with Fuzzing. In USENIX Annual Technical Conference."}],"event":{"name":"RAID '24: The 27th International Symposium on Research in Attacks, Intrusions and Defenses","location":"Padua Italy","acronym":"RAID '24"},"container-title":["The 27th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678904","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/abs\/10.1145\/3678890.3678904","content-type":"text\/html","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3678890.3678904","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:00Z","timestamp":1750295880000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678904"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,30]]},"references-count":40,"alternative-id":["10.1145\/3678890.3678904","10.1145\/3678890"],"URL":"https:\/\/doi.org\/10.1145\/3678890.3678904","relation":{},"subject":[],"published":{"date-parts":[[2024,9,30]]},"assertion":[{"value":"2024-09-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}