{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,4]],"date-time":"2026-07-04T08:19:29Z","timestamp":1783153169586,"version":"3.54.6"},"publisher-location":"New York, NY, USA","reference-count":44,"publisher":"ACM","funder":[{"name":"National Research Foundation of Korea &#x28;NRF&#x29;","award":["RS-2025-00563143, RS-2021-NR060143"],"award-info":[{"award-number":["RS-2025-00563143, RS-2021-NR060143"]}]},{"name":"Institute of Information & communications Technology Planning & Evaluation &#x28;IITP&#x29;","award":["No.2022-0-00411, IITP-2025-RS-2021-II211810"],"award-info":[{"award-number":["No.2022-0-00411, IITP-2025-RS-2021-II211810"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,4,13]]},"DOI":"10.1145\/3774904.3792517","type":"proceedings-article","created":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T21:54:39Z","timestamp":1775771679000},"page":"3229-3239","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["SPCA: Stream Parser Confusion Attack for Web Application Firewall Evasion in HTTP\/2"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-1014-1586","authenticated-orcid":false,"given":"Kyungrok","family":"Choi","sequence":"first","affiliation":[{"name":"Computer Science and Engineering, Korea University, Seoul, Republic of Korea"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9984-6879","authenticated-orcid":false,"given":"Woonghee","family":"Lee","sequence":"additional","affiliation":[{"name":"Computer Science and Engineering, Korea University, Seoul, Republic of Korea"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4823-4194","authenticated-orcid":false,"given":"Junbeom","family":"Hur","sequence":"additional","affiliation":[{"name":"Computer Science and Engineering, Korea University, Seoul, Republic of Korea"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,4,12]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"WAFFLED: Exploiting Parsing Discrepancies to Bypass Web Application Firewalls. arXiv preprint arXiv:2503.10846","author":"Akhavani Seyed Ali","year":"2025","unstructured":"Seyed Ali Akhavani, Bahruz Jabiyev, Ben Kallus, Cem Topcuoglu, Sergey Bratus, and Engin Kirda. 2025. WAFFLED: Exploiting Parsing Discrepancies to Bypass Web Application Firewalls. arXiv preprint arXiv:2503.10846 (2025)."},{"key":"e_1_3_2_1_2_1","unstructured":"Alemalakra. 2018. X-WAF. https:\/\/github.com\/Alemalakra\/xWAF (Accessed: 05.02.2025)."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2018.2805763"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-31284-7_24"},{"key":"e_1_3_2_1_5_1","unstructured":"Marco Balduzzi Cristian T Gimenez Davide Balzarotti and Engin Kirda. 2011. Automated discovery of parameter pollution vulnerabilities in web applications. In NDSS."},{"key":"e_1_3_2_1_6_1","unstructured":"David Belson. 2024. Cloudflare 2024 Year in Review. https:\/\/blog.cloudflare.com\/radar-2024-year-in-review\/ (Accessed: 04.17.2025)."},{"key":"e_1_3_2_1_7_1","unstructured":"Cory Benfield. 2015. python-hyper h2 library. https:\/\/python-hyper.org\/en\/latest\/contributing.html (Accessed: 05.16.2025)."},{"key":"e_1_3_2_1_8_1","first-page":"2183","article-title":"Composition Kills","author":"Chen Jing","year":"2020","unstructured":"Jing Chen, Vern Paxson, and Jian Jiang. 2020. Composition Kills: A Case Study of Email Sender Authentication. In USENIX Security. 2183-2199.","journal-title":"A Case Study of Email Sender Authentication. In USENIX Security."},{"key":"e_1_3_2_1_9_1","first-page":"1516","article-title":"Host of Troubles","author":"Chen Jing","year":"2016","unstructured":"Jing et al. Chen. 2016. Host of Troubles: Multiple Host Ambiguities in HTTP Implementations. In CCS. 1516-1527.","journal-title":"Multiple Host Ambiguities in HTTP Implementations. In CCS."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.3390\/s23042073"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3341105.3373962"},{"key":"e_1_3_2_1_12_1","unstructured":"Eugene Kang (Ekultek). 2017. WhatWaf. https:\/\/github.com\/Ekultek\/WhatWaf (Accessed: 05.11.2025)."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/ISCISC53448.2021.9720473"},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1155\/2022\/3121177"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3678890.3678904"},{"key":"e_1_3_2_1_16_1","first-page":"1805","article-title":"T-Reqs: HTTP request smuggling with differential fuzzing","author":"Jabiyev Bahruz","year":"2021","unstructured":"Bahruz Jabiyev, Sebastian Sprecher, Kaan Onarlioglu, and Engin Kirda. 2021. T-Reqs: HTTP request smuggling with differential fuzzing. In CCS. 1805-1820.","journal-title":"CCS."},{"key":"e_1_3_2_1_17_1","unstructured":"James Kettle. 2021. HTTP\/2: The Sequel is Always Worse. In PortSwigger Research."},{"key":"e_1_3_2_1_18_1","unstructured":"khalilbijjou. 2016. WAFNinja. https:\/\/github.com\/khalilbijjou\/WAFNinja (Accessed: 05.10.2025)."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-70890-9_1"},{"key":"e_1_3_2_1_20_1","unstructured":"Emil Lerner. 2021. http2smugl: HTTP\/2 Request Smuggling Security Testing Tool. In GitHub Repository."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1109\/ITIoTSC60379.2023.00043"},{"key":"e_1_3_2_1_22_1","unstructured":"Robin Marx. 2024. HTTP. https:\/\/almanac.httparchive.org\/en\/2024\/http (Accessed: 05.10.2025)."},{"key":"e_1_3_2_1_23_1","unstructured":"Patrick Meenan. 2019. Better HTTP\/2 Prioritization for a Faster Web. https:\/\/blog.cloudflare.com\/better-http-2-prioritization-for-a-faster-web\/ (Accessed: 04.12.2025)."},{"key":"e_1_3_2_1_24_1","volume-title":"Distributed denial of service attack in HTTP\/2: review on security issues and future challenges. IEEe Access","author":"Ming Liang","year":"2024","unstructured":"Liang Ming, Yu-Beng Leau, and Ying Xie. 2024. Distributed denial of service attack in HTTP\/2: review on security issues and future challenges. IEEe Access (2024)."},{"key":"e_1_3_2_1_25_1","unstructured":"N. Moshe. 2022. JS-ON: Security-OFF: Abusing JSON-Based SQL to Bypass WAF. https:\/\/kr.claroty.com\/team82\/research\/js-on-security-off-abusing-json-based-sql-to-bypass-waf (Accessed: 04.18.2025)."},{"key":"e_1_3_2_1_26_1","unstructured":"Ossinsight. 2025. Web Framework - Ranking. https:\/\/ossinsight.io\/collections\/web-framework\/ (Accessed: 04.12.2025)."},{"key":"e_1_3_2_1_27_1","unstructured":"OWASP. 2025. OWASP coreruleset. https:\/\/coreruleset.org (Accessed: 05.12.2025)."},{"key":"e_1_3_2_1_28_1","unstructured":"Lucas Pardue and David Belson. 2023. Examining HTTP\/3 usage one year on. https:\/\/blog.cloudflare.com\/http3-usage-one-year-on (Accessed: 05.11.2025)."},{"key":"e_1_3_2_1_29_1","unstructured":"Lucas Pardue and Julien Desgats. 2023. HTTP\/2 Rapid Reset: deconstructing the record-breaking attack. https:\/\/blog.cloudflare.com\/technical-breakdown-http2-rapid-reset-ddos-attack\/ (Accessed: 04.25.2025)."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3580598"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2024.3350911"},{"key":"e_1_3_2_1_32_1","unstructured":"Zhenyu Qu Xiaoyang Ling and Chao Wu. 2022. AutoSpear: Towards automatically bypassing and inspecting web application firewalls. In BlackHat Asia."},{"key":"e_1_3_2_1_33_1","volume-title":"Protocol-level evasion of web application firewalls. Black Hat USA","author":"Ristic Ivan","year":"2012","unstructured":"Ivan Ristic. 2012. Protocol-level evasion of web application firewalls. Black Hat USA (2012)."},{"key":"e_1_3_2_1_34_1","unstructured":"B. Rozenfeld. 2024. Best WAF Solutions in 2024\u20132025: Real-World Comparison. https:\/\/www.openappsec.io\/post\/best-waf-solutions-in-2024-2025-real-world-comparison (Accessed: 05.04.2025)."},{"key":"e_1_3_2_1_35_1","volume-title":"ModSec-Learn: Boosting ModSecurity with Machine Learning. In International Symposium on Distributed Computing and Artificial Intelligence. Springer, 23-33","author":"Scano Christian","year":"2024","unstructured":"Christian Scano, Giuseppe Floris, Biagio Montaruli, Luca Demetrio, Andrea Valenza, Luca Compagna, Davide Ariu, Luca Piras, Davide Balzarotti, and Battista Biggio. 2024. ModSec-Learn: Boosting ModSecurity with Machine Learning. In International Symposium on Distributed Computing and Artificial Intelligence. Springer, 23-33."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3492321.3519591"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN53405.2022.00014"},{"key":"e_1_3_2_1_38_1","volume-title":"Ashok Kumar Mohan, and V Anil Kumar","author":"Suresh Meenakshi","year":"2018","unstructured":"Meenakshi Suresh, PP Amritha, Ashok Kumar Mohan, and V Anil Kumar. 2018. An investigation on HTTP\/2 security. Journal of Cyber Security and Mobility (2018), 161-180."},{"key":"e_1_3_2_1_39_1","doi-asserted-by":"publisher","unstructured":"Martin Thomson and Cory Benfield. 2022. HTTP\/2. RFC 9113. doi:10.17487\/RFC9113","DOI":"10.17487\/RFC9113"},{"key":"e_1_3_2_1_40_1","unstructured":"W3Tech. 2025. Usage statistics of HTTP\/2 for websites. https:\/\/w3techs.com\/technologies\/details\/ce-http2 (Accessed: 04.10.2025)."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00129"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3178876.3186181"},{"key":"e_1_3_2_1_43_1","volume-title":"Wafbooster: Automatic boosting of waf security against mutated malicious payloads","author":"Wu Cong","year":"2024","unstructured":"Cong Wu, Jing Chen, Simeng Zhu, Wenqi Feng, Kun He, Ruiying Du, and Yang Xiang. 2024. Wafbooster: Automatic boosting of waf security against mutated malicious payloads. IEEE Transactions on Dependable and Secure Computing (2024)."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.24031"}],"event":{"name":"WWW '26: The ACM Web Conference 2026","location":"Dubai United Arab Emirates","sponsor":["SIGWEB ACM Special Interest Group on Hypertext, Hypermedia, and Web"]},"container-title":["Proceedings of the ACM Web Conference 2026"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3774904.3792517","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,4]],"date-time":"2026-07-04T07:59:20Z","timestamp":1783151960000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3774904.3792517"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,12]]},"references-count":44,"alternative-id":["10.1145\/3774904.3792517","10.1145\/3774904"],"URL":"https:\/\/doi.org\/10.1145\/3774904.3792517","relation":{},"subject":[],"published":{"date-parts":[[2026,4,12]]},"assertion":[{"value":"2026-04-12","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}