{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T16:04:27Z","timestamp":1780675467737,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":72,"publisher":"ACM","funder":[{"name":"National Research Foundation of Korea","award":["RS-2023-NR076965"],"award-info":[{"award-number":["RS-2023-NR076965"]}]},{"name":"Institute of Information & Communications Technology Planning & Evaluation (IITP)","award":["RS-2020-II200153"],"award-info":[{"award-number":["RS-2020-II200153"]}]},{"name":"NSF CAREER Award","award":["2427783"],"award-info":[{"award-number":["2427783"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,4,13]]},"DOI":"10.1145\/3774904.3792378","type":"proceedings-article","created":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T21:54:34Z","timestamp":1775771674000},"page":"2917-2928","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Zelda: Feedback-driven Closed-box Fuzzing for Identifying Web Application Vulnerabilities"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6527-3120","authenticated-orcid":false,"given":"Soyoung","family":"Lee","sequence":"first","affiliation":[{"name":"Korea Advanced Institute of Science and Technology, Daejeon, Republic of Korea"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1057-9023","authenticated-orcid":false,"given":"Sunnyeo","family":"Park","sequence":"additional","affiliation":[{"name":"Korea Advanced Institute of Science and Technology, Daejeon, Republic of 
Korea"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0021-2850","authenticated-orcid":false,"given":"Yonghwi","family":"Kwon","sequence":"additional","affiliation":[{"name":"University of Maryland, College Park, MD, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0904-2875","authenticated-orcid":false,"given":"Sooel","family":"Son","sequence":"additional","affiliation":[{"name":"Korea Advanced Institute of Science and Technology, Daejeon, Republic of Korea"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,4,12]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Wahaibi Salim Al","year":"2023","unstructured":"Salim Al Wahaibi, Myles Foley, and Sergio Maffeis. 2023. SQIRL: Grey-Box Detection of SQL Injection Vulnerabilities Using Reinforcement Learning. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_3_2_1_2_1","unstructured":"Appsecco. 2024. DVNA. https:\/\/github.com\/appsecco\/dvna."},{"key":"e_1_3_2_1_3_1","volume-title":"Finite-time analysis of the multiarmed bandit problem. Machine learning","author":"Auer Peter","year":"2002","unstructured":"Peter Auer, Nicolo Cesa-Bianchi, and Paul Fischer. 2002. Finite-time analysis of the multiarmed bandit problem. Machine learning, Vol. 47 (2002), 235-256."},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.14"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-33630-5_17"},{"key":"e_1_3_2_1_6_1","unstructured":"BetterCloud. 2023. 2023 State of SaaSOps. 
https:\/\/pages.bettercloud.com\/rs\/719-KZY-706\/images\/2023-StateofSaaSOps-report-final.pdf."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978428"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243823"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23262"},{"key":"e_1_3_2_1_10_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Dahse Johannes","year":"2014","unstructured":"Johannes Dahse and Thorsten Holz. 2014b. Static Detection of Second-Order Vulnerabilities in Web Applications. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_3_2_1_11_1","unstructured":"Adam Doupe. 2024. WackoPicko. https:\/\/github.com\/adamdoupe\/WackoPicko."},{"key":"e_1_3_2_1_12_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Doup\u00e9 Adam","year":"2012","unstructured":"Adam Doup\u00e9, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. 2012. Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/2557547.2557550"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP40001.2021.00022"},{"key":"e_1_3_2_1_15_1","volume-title":"Proceedings of the International Conference on Internet Monitoring and Protection.","author":"Esposito Damiano","year":"2018","unstructured":"Damiano Esposito, Marc Rennhard, Lukas Ruf, and Arno Wagner. 2018. Exploiting the potential of web application vulnerability scanning. In Proceedings of the International Conference on Internet Monitoring and Protection."},{"key":"e_1_3_2_1_16_1","volume-title":"USENIX Workshop on Offensive Technologies.","author":"Fioraldi Andrea","year":"2020","unstructured":"Andrea Fioraldi, Dominik Maier, Heiko Ei\u00dffeldt, and Marc Heuse. 2020. AFL: combining incremental steps of fuzzing research. 
In USENIX Workshop on Offensive Technologies."},{"key":"e_1_3_2_1_17_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"G\u00fcler Emre","year":"2024","unstructured":"Emre G\u00fcler, Sergej Schumilo, Moritz Schloegel, Nils Bars, Philipp G\u00f6rz, Xinyi Xu, Cemal Kaygusuz, and Thorsten Holz. 2024. Atropos: Effective Fuzzing of Web Applications for Server-Side Vulnerabilities. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1145\/3471621.3471859"},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/988672.988679"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1135777.1135817"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.24308"},{"key":"e_1_3_2_1_22_1","unstructured":"kashipara Group. 2024. Kashipara. https:\/\/www.kashipara.com."},{"key":"e_1_3_2_1_23_1","unstructured":"Anuj Kumar. 2024a. Hospital Management System In PHP. https:\/\/phpgurukul.com\/hospital-management-system-in-php."},{"key":"e_1_3_2_1_24_1","unstructured":"Anuj Kumar. 2024b. User Registration & Login and User Management System With admin panel. https:\/\/phpgurukul.com\/user-registration-login-and-user-management-system-with-admin-panel."},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485447.3512234"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/2508859.2516703"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106295"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2018.2834476"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"crossref","unstructured":"V. M. Manes H. Han C. Han S. Cha M. Egele E. J. Schwartz and M. Woo. 2021. The Art Science and Engineering of Fuzzing: A Survey. 
IEEE Transactions on Software Engineering (2021) 2312-2331.","DOI":"10.1109\/TSE.2019.2946563"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23309"},{"key":"e_1_3_2_1_31_1","unstructured":"Xavi Mendez. 2024. wfuzz. https:\/\/github.com\/xmendez\/wfuzz."},{"key":"e_1_3_2_1_32_1","unstructured":"MME. 2024. bWAPP. http:\/\/www.itsecgames.com."},{"key":"e_1_3_2_1_33_1","volume-title":"Proceedings of the International Conference on Research in Attacks, Intrusions, and Defenses.","author":"Nguyen Manh-Dung","year":"2020","unstructured":"Manh-Dung Nguyen, S\u00e9bastien Bardin, Richard Bonichon, Roland Groz, and Matthieu Lemerre. 2020. Binary-level directed fuzzing for use-after-free vulnerabilities. In Proceedings of the International Conference on Research in Attacks, Intrusions, and Defenses."},{"key":"e_1_3_2_1_34_1","volume-title":"Proceedings of the International Conference on Dependable Systems and Networks. IEEE.","author":"Costa Nunes Paulo Jorge","year":"2015","unstructured":"Paulo Jorge Costa Nunes, Jos\u00e9 Fonseca, and Marco Vieira. 2015. phpSAFE: A security analysis tool for OOP web application plugins. In Proceedings of the International Conference on Dependable Systems and Networks. IEEE."},{"key":"e_1_3_2_1_35_1","unstructured":"OWASP. 2024a. Juice Shop. https:\/\/github.com\/juice-shop\/juice-shop."},{"key":"e_1_3_2_1_36_1","unstructured":"OWASP. 2024b. NodeGoat. https:\/\/github.com\/OWASP\/NodeGoat."},{"key":"e_1_3_2_1_37_1","unstructured":"OWASP. 2024c. WebGoat. https:\/\/github.com\/WebGoat\/WebGoat."},{"key":"e_1_3_2_1_38_1","volume-title":"Proceedings of the International Conference on Research in Attacks, Intrusions, and Defenses.","author":"Pellegrino Giancarlo","year":"2015","unstructured":"Giancarlo Pellegrino, Constantin Tsch\u00fcrtz, Eric Bodden, and Christian Rossow. 2015. j\u00e4k: Using dynamic analysis to crawl and test modern web applications. 
In Proceedings of the International Conference on Research in Attacks, Intrusions, and Defenses."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970316"},{"key":"e_1_3_2_1_40_1","unstructured":"PHPGurukul. 2024a. PHPGurukul. https:\/\/phpgurukul.com."},{"key":"e_1_3_2_1_41_1","unstructured":"PHPGurukul. 2024b. Shopping Portal. https:\/\/phpgurukul.com\/shopping-portal-free-download."},{"key":"e_1_3_2_1_42_1","unstructured":"PortSwigger. 2024a. Burp Suite - Cybersecurity Software from PortSwigger. https:\/\/portswigger.net\/burp."},{"key":"e_1_3_2_1_43_1","unstructured":"PortSwigger. 2024b. Burp Suite Customers. https:\/\/portswigger.net\/customers."},{"key":"e_1_3_2_1_44_1","unstructured":"Projectworlds. 2024. Online Doctor Appointment Booking System PHP and Mysql. https:\/\/projectworlds.in\/free-projects\/php-projects\/online-doctor-appointment-booking-system-php-and-mysql."},{"key":"e_1_3_2_1_45_1","unstructured":"PyPI. 2024a. requests. https:\/\/pypi.org\/project\/requests."},{"key":"e_1_3_2_1_46_1","unstructured":"PyPI. 2024b. selenium. https:\/\/pypi.org\/project\/selenium."},{"key":"e_1_3_2_1_47_1","unstructured":"Qualys. 2024. Customers. https:\/\/www.qualys.com\/customers."},{"key":"e_1_3_2_1_48_1","unstructured":"Rapid7. 2024. Customers. https:\/\/www.rapid7.com\/customers."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23404"},{"key":"e_1_3_2_1_50_1","unstructured":"Derick Rethans. 2024. Xdebug. https:\/\/xdebug.org."},{"key":"e_1_3_2_1_51_1","unstructured":"Leonard Richardson. 2024. Beautiful Soup. https:\/\/www.crummy.com\/software\/BeautifulSoup."},{"key":"e_1_3_2_1_52_1","unstructured":"SEFCOM. 2023. Experiments from the Witcher paper. 
https:\/\/github.com\/sefcom\/Witcher-experiment."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/2993600.2993606"},{"key":"e_1_3_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23368"},{"key":"e_1_3_2_1_55_1","unstructured":"Nicolas Surribas. 2024. Wapiti. https:\/\/wapiti.sourceforge.io."},{"key":"e_1_3_2_1_56_1","unstructured":"DVWA team. 2024. DVWA. https:\/\/github.com\/digininja\/DVWA."},{"key":"e_1_3_2_1_57_1","unstructured":"Tenable. 2024. Customers. https:\/\/www.tenable.com\/customers."},{"key":"e_1_3_2_1_58_1","unstructured":"Sanoop Thomas. 2024. XVWA. https:\/\/github.com\/s4n7h0\/xvwa."},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179317"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-88418-5_8"},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2021.24486"},{"key":"e_1_3_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484577"},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jpdc.2017.07.006"},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/1368088.1368112"},{"key":"e_1_3_2_1_65_1","unstructured":"Joe Watkins. 2024. PCOV - CodeCoverage compatible driver for PHP. https:\/\/github.com\/krakjoe\/pcov."},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485447.3512235"},{"key":"e_1_3_2_1_67_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Xie Yichen","year":"2006","unstructured":"Yichen Xie and Alex Aiken. 2006. Static Detection of Security Vulnerabilities in Scripting Languages. In Proceedings of the USENIX Security Symposium."},{"key":"e_1_3_2_1_68_1","doi-asserted-by":"publisher","DOI":"10.1145\/3517036"},{"key":"e_1_3_2_1_69_1","volume-title":"JavaScript instrumentation for browser security. 
ACM SIGPLAN Notices","author":"Yu Dachuan","year":"2007","unstructured":"Dachuan Yu, Ajay Chander, Nayeem Islam, and Igor Serikov. 2007. JavaScript instrumentation for browser security. ACM SIGPLAN Notices (2007)."},{"key":"e_1_3_2_1_70_1","unstructured":"Michal Zalewski. 2024. American Fuzzy Lop. https:\/\/lcamtuf.coredump.cx\/afl."},{"key":"e_1_3_2_1_71_1","volume-title":"Cefuzz: An directed fuzzing framework for php rce vulnerability. Electronics.","author":"Zhao Jiazhen","year":"2022","unstructured":"Jiazhen Zhao, Yuliang Lu, Kailong Zhu, Zehan Chen, and Hui Huang. 2022a. Cefuzz: An directed fuzzing framework for php rce vulnerability. Electronics."},{"key":"e_1_3_2_1_72_1","doi-asserted-by":"publisher","DOI":"10.1145\/3564625.3564660"}],"event":{"name":"WWW '26: The ACM Web Conference 2026","location":"Dubai United Arab Emirates","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"]},"container-title":["Proceedings of the ACM Web Conference 2026"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3774904.3792378","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,6,5]],"date-time":"2026-06-05T15:39:41Z","timestamp":1780673981000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3774904.3792378"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,12]]},"references-count":72,"alternative-id":["10.1145\/3774904.3792378","10.1145\/3774904"],"URL":"https:\/\/doi.org\/10.1145\/3774904.3792378","relation":{},"subject":[],"published":{"date-parts":[[2026,4,12]]},"assertion":[{"value":"2026-04-12","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}