{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,3]],"date-time":"2026-05-03T11:01:58Z","timestamp":1777806118213,"version":"3.51.4"},"reference-count":52,"publisher":"SAGE Publications","issue":"5","license":[{"start":{"date-parts":[[2020,6,15]],"date-time":"2020-06-15T00:00:00Z","timestamp":1592179200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":["journals.sagepub.com"],"crossmark-restriction":true},"short-container-title":["Journal of Computer Security"],"published-print":{"date-parts":[[2020,9,28]]},"abstract":"<jats:p>We propose a formal and automated approach that allows one to (i) reason about vulnerabilities of web applications and (ii) combine multiple vulnerabilities for the identification of complex, multi-stage attacks. We have developed WAFEx, an automatic tool that implements our approach and we show its efficiency by applying it to real-world case studies. WAFEx was able to generate, and exploit, previously unknown attacks.<\/jats:p>","DOI":"10.3233\/jcs-181262","type":"journal-article","created":{"date-parts":[[2020,6,9]],"date-time":"2020-06-09T13:37:34Z","timestamp":1591709854000},"page":"525-576","update-policy":"https:\/\/doi.org\/10.1177\/sage-journals-update-policy","source":"Crossref","is-referenced-by-count":2,"title":["A formal and automated approach to\u00a0exploiting multi-stage attacks of\u00a0web\u00a0applications"],"prefix":"10.1177","volume":"28","author":[{"given":"Federico","family":"De Meo","sequence":"first","affiliation":[{"name":"Dipartimento di Informatica, Universit\u00e0 di Verona, Italy. E-mail:\u00a0"}]},{"given":"Luca","family":"Vigan\u00f2","sequence":"additional","affiliation":[{"name":"Department of Informatics, King\u2019s College London, United Kingdom. E-mail:\u00a0"}]}],"member":"179","published-online":{"date-parts":[[2020,6,15]]},"reference":[{"key":"ref001","doi-asserted-by":"publisher","DOI":"10.1109\/CSF.2010.27"},{"key":"ref002","doi-asserted-by":"publisher","DOI":"10.5555\/3277203.3277232"},{"key":"ref003","unstructured":"Arachni \u2013 Web application security scanner framework, http:\/\/www.arachni-scanner.com\/."},{"key":"ref004","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-28756-5_19"},{"key":"ref005","doi-asserted-by":"publisher","DOI":"10.1109\/ICSTW.2010.54"},{"key":"ref006","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-30473-6_3"},{"key":"ref007","unstructured":"ASP documentation: Including files in ASP applications, Microsoft, https:\/\/msdn.microsoft.com\/en-us\/library\/ms524876(v=vs.90).aspx."},{"key":"ref008","unstructured":"AVANTSSAR, Deliverable 2.3 (update): ASLan++ specification and tutorial, 2011, http:\/\/www.avantssar.eu."},{"key":"ref009","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2017.14"},{"key":"ref010","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2007.159"},{"key":"ref011","doi-asserted-by":"publisher","DOI":"10.1109\/SERE.2012.38"},{"key":"ref012","doi-asserted-by":"publisher","DOI":"10.1145\/2851613.2851803"},{"key":"ref013","unstructured":"M.\u00a0Carey, Penetration testing vs. vulnerability scanning \u2013 What\u2019s the difference? https:\/\/www.alienvault.com\/blogs\/security-essentials\/penetration-testing-vs-vulnerability-scanning-whats-the-difference."},{"key":"ref014","unstructured":"S.\u00a0Christey, The 2019 CWE\/SANS top 25 most dangerous programming errors, http:\/\/cwe.mitre.org\/top25."},{"key":"ref015","unstructured":"B.\u00a0Damele and A.\u00a0Guimar\u00e3es, Advanced SQL injection to operating system full control, in: BlackHat EU, 2009."},{"key":"ref016","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46598-2_13"},{"key":"ref017","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-62105-0_13"},{"key":"ref018","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1983.1056650"},{"key":"ref019","unstructured":"DotDotPwn \u2013 The directory traversal fuzzer, https:\/\/github.com\/wireghoul\/dotdotpwn."},{"key":"ref020","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-14215-4_7"},{"key":"ref021","unstructured":"DVWA: Damn vulnerable web application, RandomStorm, http:\/\/www.dvwa.co.uk\/."},{"key":"ref022","doi-asserted-by":"publisher","DOI":"10.1016\/bs.adcom.2015.11.003"},{"key":"ref023","doi-asserted-by":"publisher","DOI":"10.1002\/stvr.1580"},{"key":"ref024","unstructured":"F.\u00a0Glynn, Vulnerability assessment and penetration testing, http:\/\/www.veracode.com\/security\/vulnerability-assessment-and-penetration-testing."},{"key":"ref025","unstructured":"Google Gruyere app engine, Google, https:\/\/google-gruyere.appspot.com\/."},{"key":"ref026","unstructured":"W.G.J.\u00a0Halfond, J.\u00a0Viegas and A.\u00a0Orso, A classification of SQL-injection attacks and countermeasures, in: IEEE International Symposium on Secure Software Engineering (ISSSE), 2006."},{"key":"ref027","unstructured":"D.\u00a0Jackson, Software Abstractions: Logic, Language, and Analysis, MIT Press, 2012."},{"key":"ref028","unstructured":"Joomla!, https:\/\/www.joomla.org."},{"key":"ref029","unstructured":"MBST classification, https:\/\/qe-informatik.uibk.ac.at\/mbst-classification\/."},{"key":"ref030","doi-asserted-by":"publisher","DOI":"10.1109\/CSMR-WCRE.2014.6747216"},{"key":"ref031","unstructured":"OWASP, Top 10 for 2013, https:\/\/www.owasp.org\/index.php\/Category:OWASP_Top_Ten_Project."},{"key":"ref032","unstructured":"OWASP, Zed Attack Proxy (ZAP), https:\/\/www.owasp.org\/index.php\/OWASP_Zed_Attack_Proxy_Project."},{"key":"ref033","unstructured":"OWASP WebGoat project, OWASP, https:\/\/www.owasp.org\/index.php\/Category:OWASP_WebGoat_Project."},{"key":"ref034","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3133959"},{"key":"ref035","unstructured":"PHP documentation: Include, http:\/\/php.net\/manual\/it\/function.include.php."},{"key":"ref036","unstructured":"Postswigger, Burp Proxy, 2014, https:\/\/portswigger.net\/burp\/proxy.html."},{"key":"ref037","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-55415-5_3"},{"key":"ref038","doi-asserted-by":"publisher","DOI":"10.3233\/JCS-16832"},{"key":"ref039","unstructured":"SANS Institute, Penetration testing: Assessing your overall security before attackers do, https:\/\/www.sans.org\/reading-room\/whitepapers\/analyst\/penetration-testing-assessing-security-attackers-34635."},{"key":"ref040","unstructured":"sqlmap: Automatic SQL injection and database takeover tool, 2013, http:\/\/sqlmap.org."},{"key":"ref041","unstructured":"sqlninja: A SQL Server injection and takeover tool, sqlninja, http:\/\/sqlninja.sourceforge.net\/."},{"key":"ref042","unstructured":"The Java EE 5 tutorial: Reusing content in JSP pages, Oracle, http:\/\/docs.oracle.com\/javaee\/5\/tutorial\/doc\/bnajb.html."},{"key":"ref043","unstructured":"Trustwave SpiderLabs, Joomla SQL injection vulnerability exploit results in full administrative access, 2015, https:\/\/www.trustwave.com\/Resources\/SpiderLabs-Blog\/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access."},{"key":"ref044","doi-asserted-by":"publisher","DOI":"10.1007\/11805618_21"},{"key":"ref045","doi-asserted-by":"publisher","DOI":"10.1002\/stvr.456"},{"key":"ref046","doi-asserted-by":"publisher","DOI":"10.1109\/ICeND.2015.7328531"},{"key":"ref047","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2013.75"},{"key":"ref048","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-25271-6_1"},{"key":"ref049","unstructured":"Web Application Formal Exploiter (WAFEx), https:\/\/github.com\/rhaidiz\/wafex."},{"key":"ref050","unstructured":"Web Application Formal Exploiter (WAFEx) model creator, https:\/\/github.com\/rhaidiz\/wafex-model-creator."},{"key":"ref051","unstructured":"Wfuzz: The web bruteforcer, edge-security, https:\/\/github.com\/xmendez\/wfuzz."},{"key":"ref052","unstructured":"XSS-Proxy, http:\/\/xss-proxy.sourceforge.net\/."}],"container-title":["Journal of Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-181262","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/full-xml\/10.3233\/JCS-181262","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.3233\/JCS-181262","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T20:45:24Z","timestamp":1777495524000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.3233\/JCS-181262"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,6,15]]},"references-count":52,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2020,9,28]]}},"alternative-id":["10.3233\/JCS-181262"],"URL":"https:\/\/doi.org\/10.3233\/jcs-181262","relation":{},"ISSN":["0926-227X","1875-8924"],"issn-type":[{"value":"0926-227X","type":"print"},{"value":"1875-8924","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,6,15]]}}}