{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T22:51:28Z","timestamp":1769727088918,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":50,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,9,30]],"date-time":"2024-09-30T00:00:00Z","timestamp":1727654400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,9,30]]},"DOI":"10.1145\/3678890.3678928","type":"proceedings-article","created":{"date-parts":[[2024,9,29]],"date-time":"2024-09-29T22:23:36Z","timestamp":1727648616000},"page":"435-449","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Beyond REST: Introducing APIF for Comprehensive API Vulnerability Fuzzing"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-0852-0000","authenticated-orcid":false,"given":"Yu","family":"Wang","sequence":"first","affiliation":[{"name":"Tsinghua University, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-0924-3567","authenticated-orcid":false,"given":"Yue","family":"Xu","sequence":"additional","affiliation":[{"name":"PTLAB, Singapore and TrustAI Pte.Ltd., Singapore"}]}],"member":"320","published-online":{"date-parts":[[2024,9,30]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"d.]. APIF. Retrieved","year":"2024","unstructured":"[n. d.]. APIF. Retrieved April 15, 2024 from https:\/\/github.com\/apif-tool\/APIF_tool_2024"},{"key":"e_1_3_2_1_2_1","volume-title":"d.]. APISandbox. Retrieved","year":"2024","unstructured":"[n. d.]. APISandbox. Retrieved February 28, 2024 from https:\/\/github.com\/API-Security\/APISandbox"},{"key":"e_1_3_2_1_3_1","volume-title":"d.]. CVE-2022-41472 Vulnerability Description. Retrieved","year":"2024","unstructured":"[n. d.]. CVE-2022-41472 Vulnerability Description. Retrieved February 28, 2024 from https:\/\/www.cve.org\/CVERecord?id=CVE-2022-41472"},{"key":"e_1_3_2_1_4_1","volume-title":"d.]. Fuzzapi. Retrieved","year":"2024","unstructured":"[n. d.]. Fuzzapi. Retrieved February 28, 2024 from https:\/\/github.com\/Fuzzapi\/fuzzapi"},{"key":"e_1_3_2_1_5_1","volume-title":"Retrieved","year":"2024","unstructured":"[n. d.]. GitLab-CE Download Page. Retrieved February 28, 2024 from https:\/\/packages.gitlab.com\/gitlab\/gitlab-ce"},{"key":"e_1_3_2_1_6_1","volume-title":"d.]. MitmProxy Homepage. Retrieved","year":"2024","unstructured":"[n. d.]. MitmProxy Homepage. Retrieved February 28, 2024 from https:\/\/mitmproxy.org\/"},{"key":"e_1_3_2_1_7_1","volume-title":"Retrieved","year":"2024","unstructured":"[n. d.]. Open API Specification. Retrieved February 28, 2024 from https:\/\/swagger.io\/specification\/"},{"key":"e_1_3_2_1_8_1","volume-title":"d.]. OpenAPI-Fuzzer. Retrieved","year":"2024","unstructured":"[n. d.]. OpenAPI-Fuzzer. Retrieved February 28, 2024 from https:\/\/github.com\/matusf\/openapi-fuzzer"},{"key":"e_1_3_2_1_9_1","volume-title":"Retrieved","year":"2024","unstructured":"[n. d.]. OWASP API Security Risk List. Retrieved February 28, 2024 from https:\/\/owasp.org\/API-Security\/"},{"key":"e_1_3_2_1_10_1","volume-title":"Retrieved","year":"2024","unstructured":"[n. d.]. OWASP crAPI API Vulnerability Sandbox. Retrieved February 28, 2024 from https:\/\/github.com\/OWASP\/crAPI"},{"key":"e_1_3_2_1_11_1","volume-title":"d.]. Postman. Retrieved","year":"2024","unstructured":"[n. d.]. Postman. Retrieved February 28, 2024 from https:\/\/www.postman.com\/downloads\/"},{"key":"e_1_3_2_1_12_1","volume-title":"d.]. Restler Homepage. Retrieved","year":"2024","unstructured":"[n. d.]. Restler Homepage. Retrieved February 28, 2024 from https:\/\/github.com\/microsoft\/restler-fuzzer"},{"key":"e_1_3_2_1_13_1","volume-title":"d.]. SecLists. Retrieved","year":"2024","unstructured":"[n. d.]. SecLists. Retrieved February 28, 2024 from https:\/\/github.com\/danielmiessler\/SecLists"},{"key":"e_1_3_2_1_14_1","volume-title":"Retrieved","year":"2024","unstructured":"[n. d.]. SilverStripe CMS Homepage. Retrieved February 28, 2024 from https:\/\/www.silverstripe.org\/"},{"key":"e_1_3_2_1_15_1","volume-title":"d.]. Spree. Retrieved","year":"2024","unstructured":"[n. d.]. Spree. Retrieved February 28, 2024 from https:\/\/github.com\/spree\/spree"},{"key":"e_1_3_2_1_16_1","volume-title":"d.]. Swagger Homepage. Retrieved","year":"2024","unstructured":"[n. d.]. Swagger Homepage. Retrieved February 28, 2024 from https:\/\/swagger.io\/"},{"key":"e_1_3_2_1_17_1","volume-title":"d.]. VAmPI. Retrieved","year":"2024","unstructured":"[n. d.]. VAmPI. Retrieved February 28, 2024 from https:\/\/github.com\/erev0s\/VAmPI"},{"key":"e_1_3_2_1_18_1","volume-title":"d.]. vapi. Retrieved","year":"2024","unstructured":"[n. d.]. vapi. Retrieved February 28, 2024 from https:\/\/github.com\/roottusk\/vapi"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2022.3150618"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/3597926.3598114"},{"key":"e_1_3_2_1_21_1","volume-title":"Pythia: Grammar-Based Fuzzing of REST APIs with Coverage-guided Feedback and Learning-based Mutations. CoRR abs\/2005.11498","author":"Atlidakis Vaggelis","year":"2020","unstructured":"Vaggelis Atlidakis, Roxana Geambasu, Patrice Godefroid, Marina Polishchuk, and Baishakhi Ray. 2020. Pythia: Grammar-Based Fuzzing of REST APIs with Coverage-guided Feedback and Learning-based Mutations. CoRR abs\/2005.11498 (2020). arXiv:2005.11498https:\/\/arxiv.org\/abs\/2005.11498"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2019.00083"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST46399.2020.00046"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3520304.3528952"},{"key":"e_1_3_2_1_25_1","unstructured":"Asma Belhadi Man Zhang and Andrea Arcuri. 2022. White-Box and Black-Box Fuzzing for GraphQL APIs. arxiv:2209.05833\u00a0[cs.SE]"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.2307\/1271434"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00213"},{"key":"e_1_3_2_1_28_1","volume-title":"Proceedings of the 32nd USENIX Conference on Security Symposium","author":"Deng Gelei","year":"2023","unstructured":"Gelei Deng, Zhiyi Zhang, Yuekang Li, Yi Liu, Tianwei Zhang, Yang Liu, Guo Yu, and Dongjin Wang. 2023. NAUTILUS: automated RESTful API vulnerability detection. In Proceedings of the 32nd USENIX Conference on Security Symposium (Anaheim, CA, USA) (SEC \u201923). USENIX Association, USA, Article 313, 17\u00a0pages."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/EDOC.2018.00031"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/QRS60937.2023.00037"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409719"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/3395363.3397374"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/2931037.2931042"},{"key":"e_1_3_2_1_34_1","volume-title":"QuickREST: Property-based Test Generation of OpenAPI-Described RESTful APIs. 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST) (2019","author":"Karlsson Stefan","year":"2019","unstructured":"Stefan Karlsson, Adnan Causevic, and Daniel Sundmark. 2019. QuickREST: Property-based Test Generation of OpenAPI-Described RESTful APIs. 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST) (2019), 131\u2013141. https:\/\/api.semanticscholar.org\/CorpusID:209439495"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/AST52587.2021.00009"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCI.2012.6158779"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3540250.3559078"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3559511"},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510133"},{"key":"e_1_3_2_1_40_1","volume-title":"MINER: A Hybrid Data-Driven Approach for REST API Fuzzing. In 32nd USENIX Security Symposium (USENIX Security 23)","author":"Lyu Chenyang","year":"2023","unstructured":"Chenyang Lyu, Jiacheng Xu, Shouling Ji, Xuhong Zhang, Qinying Wang, Binbin Zhao, Gaoning Pan, Wei Cao, Peng Chen, and Raheem Beyah. 2023. MINER: A Hybrid Data-Driven Approach for REST API Fuzzing. In 32nd USENIX Security Symposium (USENIX Security 23). 4517\u20134534."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST53961.2022.00018"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3491038"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-33702-5_31"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3340433.3342822"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460319.3469082"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/QRS54544.2021.00040"},{"key":"e_1_3_2_1_47_1","volume-title":"Milton\u00a0Mamani Torres, Alexandre Bergel, and St\u00e9phane Ducasse.","author":"Vargas Daniela\u00a0Meneses","year":"2018","unstructured":"Daniela\u00a0Meneses Vargas, Alison\u00a0Fernandez Blanco, Andreina\u00a0Cota Vidaurre, Juan Pablo\u00a0Sandoval Alcocer, Milton\u00a0Mamani Torres, Alexandre Bergel, and St\u00e9phane Ducasse. 2018. Deviation Testing: A Test Case Generation Technique for GraphQL APIs. https:\/\/api.semanticscholar.org\/CorpusID:220494731"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST46399.2020.00024"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/3585009"},{"key":"e_1_3_2_1_50_1","unstructured":"Man Zhang Andrea Arcuri Yonggang Li Kaiming Xue Zhao Wang Jian Huo and Weiwei Huang. 2022. Fuzzing Microservices In Industry: Experience of Applying EvoMaster at Meituan. arxiv:2208.03988\u00a0[cs.SE]"}],"event":{"name":"RAID '24: The 27th International Symposium on Research in Attacks, Intrusions and Defenses","location":"Padua Italy","acronym":"RAID '24"},"container-title":["The 27th International Symposium on Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678928","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3678890.3678928","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:18:00Z","timestamp":1750295880000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3678890.3678928"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,30]]},"references-count":50,"alternative-id":["10.1145\/3678890.3678928","10.1145\/3678890"],"URL":"https:\/\/doi.org\/10.1145\/3678890.3678928","relation":{},"subject":[],"published":{"date-parts":[[2024,9,30]]},"assertion":[{"value":"2024-09-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}