{"id":"https://openalex.org/W2113714600","doi":"https://doi.org/10.1109/iwsess.2009.5068455","title":"A hybrid analysis framework for detecting web application vulnerabilities","display_name":"A hybrid analysis framework for detecting web application vulnerabilities","publication_year":2009,"publication_date":"2009-05-01","ids":{"openalex":"https://openalex.org/W2113714600","doi":"https://doi.org/10.1109/iwsess.2009.5068455","mag":"2113714600"},"language":"en","primary_location":{"id":"doi:10.1109/iwsess.2009.5068455","is_oa":false,"landing_page_url":"https://doi.org/10.1109/iwsess.2009.5068455","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2009 ICSE Workshop on Software Engineering for Secure Systems","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5005806240","display_name":"Mattia Monga","orcid":"https://orcid.org/0000-0003-4852-0067"},"institutions":[{"id":"https://openalex.org/I189158943","display_name":"University of Milan","ror":"https://ror.org/00wjc7c48","country_code":"IT","type":"education","lineage":["https://openalex.org/I189158943"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Mattia Monga","raw_affiliation_strings":["Universit\u00e0 degli Studi di Milano, Milan, Italy","Universit\u00e0 degli Studi di Milano-Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Universit\u00e0 degli Studi di Milano, Milan, Italy","institution_ids":["https://openalex.org/I189158943"]},{"raw_affiliation_string":"Universit\u00e0 degli Studi di Milano-Italy","institution_ids":["https://openalex.org/I189158943"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5087041174","display_name":"Roberto Paleari","orcid":null},"institutions":[{"id":"https://openalex.org/I189158943","display_name":"University of Milan","ror":"https://ror.org/00wjc7c48","country_code":"IT","type":"education","lineage":["https://openalex.org/I189158943"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Roberto Paleari","raw_affiliation_strings":["Universit\u00e0 degli Studi di Milano, Milan, Italy","Universit\u00e0 degli Studi di Milano-Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Universit\u00e0 degli Studi di Milano, Milan, Italy","institution_ids":["https://openalex.org/I189158943"]},{"raw_affiliation_string":"Universit\u00e0 degli Studi di Milano-Italy","institution_ids":["https://openalex.org/I189158943"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5017930069","display_name":"Emanuele Passerini","orcid":null},"institutions":[{"id":"https://openalex.org/I189158943","display_name":"University of Milan","ror":"https://ror.org/00wjc7c48","country_code":"IT","type":"education","lineage":["https://openalex.org/I189158943"]}],"countries":["IT"],"is_corresponding":false,"raw_author_name":"Emanuele Passerini","raw_affiliation_strings":["Universit\u00e0 degli Studi di Milano, Milan, Italy","Universit\u00e0 degli Studi di Milano-Italy"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Universit\u00e0 degli Studi di Milano, Milan, Italy","institution_ids":["https://openalex.org/I189158943"]},{"raw_affiliation_string":"Universit\u00e0 degli Studi di Milano-Italy","institution_ids":["https://openalex.org/I189158943"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":10.0936,"has_fulltext":false,"cited_by_count":30,"citation_normalized_percentile":{"value":0.9796532,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":89,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"25","last_page":"32"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9970999956130981,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9943000078201294,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/bytecode","display_name":"Bytecode","score":0.9083347320556641},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.857909083366394},{"id":"https://openalex.org/keywords/static-analysis","display_name":"Static analysis","score":0.8223938345909119},{"id":"https://openalex.org/keywords/dynamic-program-analysis","display_name":"Dynamic program analysis","score":0.6846954822540283},{"id":"https://openalex.org/keywords/overhead","display_name":"Overhead (engineering)","score":0.6136083602905273},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.610275387763977},{"id":"https://openalex.org/keywords/sql-injection","display_name":"SQL injection","score":0.5468785166740417},{"id":"https://openalex.org/keywords/security-analysis","display_name":"Security analysis","score":0.48417335748672485},{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.44252803921699524},{"id":"https://openalex.org/keywords/taint-checking","display_name":"Taint checking","score":0.43617239594459534},{"id":"https://openalex.org/keywords/aspectj","display_name":"AspectJ","score":0.4345329999923706},{"id":"https://openalex.org/keywords/program-analysis","display_name":"Program analysis","score":0.43424010276794434},{"id":"https://openalex.org/keywords/buffer-overflow","display_name":"Buffer overflow","score":0.43349123001098633},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.43241772055625916},{"id":"https://openalex.org/keywords/interface","display_name":"Interface (matter)","score":0.423283189535141},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.4169691503047943},{"id":"https://openalex.org/keywords/dynamic-data","display_name":"Dynamic data","score":0.41099661588668823},{"id":"https://openalex.org/keywords/web-service","display_name":"Web service","score":0.4077439606189728},{"id":"https://openalex.org/keywords/distributed-computing","display_name":"Distributed computing","score":0.3832508325576782},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.35067999362945557},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.30857181549072266},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.2797977328300476},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.2697054445743561},{"id":"https://openalex.org/keywords/java","display_name":"Java","score":0.251997172832489},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.19932600855827332},{"id":"https://openalex.org/keywords/aspect-oriented-programming","display_name":"Aspect-oriented programming","score":0.1925646960735321},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.14144441485404968},{"id":"https://openalex.org/keywords/web-development","display_name":"Web development","score":0.1162155270576477}],"concepts":[{"id":"https://openalex.org/C2779818221","wikidata":"https://www.wikidata.org/wiki/Q837330","display_name":"Bytecode","level":3,"score":0.9083347320556641},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.857909083366394},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.8223938345909119},{"id":"https://openalex.org/C140006998","wikidata":"https://www.wikidata.org/wiki/Q2499307","display_name":"Dynamic program analysis","level":3,"score":0.6846954822540283},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.6136083602905273},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.610275387763977},{"id":"https://openalex.org/C150451098","wikidata":"https://www.wikidata.org/wiki/Q506059","display_name":"SQL injection","level":5,"score":0.5468785166740417},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.48417335748672485},{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.44252803921699524},{"id":"https://openalex.org/C63116202","wikidata":"https://www.wikidata.org/wiki/Q7676227","display_name":"Taint checking","level":3,"score":0.43617239594459534},{"id":"https://openalex.org/C2781009160","wikidata":"https://www.wikidata.org/wiki/Q735604","display_name":"AspectJ","level":4,"score":0.4345329999923706},{"id":"https://openalex.org/C98183937","wikidata":"https://www.wikidata.org/wiki/Q2112188","display_name":"Program analysis","level":2,"score":0.43424010276794434},{"id":"https://openalex.org/C40842320","wikidata":"https://www.wikidata.org/wiki/Q19423","display_name":"Buffer overflow","level":2,"score":0.43349123001098633},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.43241772055625916},{"id":"https://openalex.org/C113843644","wikidata":"https://www.wikidata.org/wiki/Q901882","display_name":"Interface (matter)","level":4,"score":0.423283189535141},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.4169691503047943},{"id":"https://openalex.org/C197298091","wikidata":"https://www.wikidata.org/wiki/Q5318963","display_name":"Dynamic data","level":2,"score":0.41099661588668823},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.4077439606189728},{"id":"https://openalex.org/C120314980","wikidata":"https://www.wikidata.org/wiki/Q180634","display_name":"Distributed computing","level":1,"score":0.3832508325576782},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.35067999362945557},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.30857181549072266},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.2797977328300476},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.2697054445743561},{"id":"https://openalex.org/C548217200","wikidata":"https://www.wikidata.org/wiki/Q251","display_name":"Java","level":2,"score":0.251997172832489},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.19932600855827332},{"id":"https://openalex.org/C60051680","wikidata":"https://www.wikidata.org/wiki/Q30267","display_name":"Aspect-oriented programming","level":3,"score":0.1925646960735321},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.14144441485404968},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.1162155270576477},{"id":"https://openalex.org/C157915830","wikidata":"https://www.wikidata.org/wiki/Q2928001","display_name":"Bubble","level":2,"score":0.0},{"id":"https://openalex.org/C164120249","wikidata":"https://www.wikidata.org/wiki/Q995982","display_name":"Web search query","level":3,"score":0.0},{"id":"https://openalex.org/C97854310","wikidata":"https://www.wikidata.org/wiki/Q19541","display_name":"Search engine","level":2,"score":0.0},{"id":"https://openalex.org/C194222762","wikidata":"https://www.wikidata.org/wiki/Q114486","display_name":"Query by Example","level":4,"score":0.0},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.0},{"id":"https://openalex.org/C129307140","wikidata":"https://www.wikidata.org/wiki/Q6795880","display_name":"Maximum bubble pressure method","level":3,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/iwsess.2009.5068455","is_oa":false,"landing_page_url":"https://doi.org/10.1109/iwsess.2009.5068455","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2009 ICSE Workshop on Software Engineering for Secure Systems","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.47999998927116394,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":22,"referenced_works":["https://openalex.org/W23242426","https://openalex.org/W109951691","https://openalex.org/W175329226","https://openalex.org/W1491178396","https://openalex.org/W1511560695","https://openalex.org/W1553894716","https://openalex.org/W1564377853","https://openalex.org/W1598083179","https://openalex.org/W1983142587","https://openalex.org/W2008158744","https://openalex.org/W2028806953","https://openalex.org/W2085925880","https://openalex.org/W2111487235","https://openalex.org/W2127637733","https://openalex.org/W2148001343","https://openalex.org/W2293624369","https://openalex.org/W4247632680","https://openalex.org/W4285719527","https://openalex.org/W6600897621","https://openalex.org/W6604462143","https://openalex.org/W6607172604","https://openalex.org/W6635665485"],"related_works":["https://openalex.org/W2070229111","https://openalex.org/W2065407468","https://openalex.org/W2785957750","https://openalex.org/W1537921975","https://openalex.org/W2766465278","https://openalex.org/W2047267493","https://openalex.org/W2110520096","https://openalex.org/W2035862850","https://openalex.org/W2153919898","https://openalex.org/W2277664936"],"abstract_inverted_index":{"Increasingly,":[0],"web":[1,30,105],"applications":[2,31],"handle":[3],"sensitive":[4],"data":[5],"and":[6,96,127],"interface":[7],"with":[8,20],"critical":[9],"back-end":[10],"components,":[11],"but":[12],"are":[13,150],"often":[14],"written":[15],"by":[16],"poorly":[17],"experienced":[18],"programmers":[19],"low":[21],"security":[22],"skills.":[23],"The":[24],"majority":[25],"of":[26,38,41,50,94,102,120],"vulnerabilities":[27,103],"that":[28,89,133],"affect":[29],"can":[32],"be":[33],"ascribed":[34],"to":[35,60,115,136],"the":[36,92,100,117,121,153],"lack":[37],"proper":[39],"validation":[40],"user's":[42],"input,":[43],"before":[44],"it":[45],"is":[46,68,113,134],"used":[47,114],"as":[48],"argument":[49],"an":[51],"output":[52],"function.":[53],"Several":[54],"program":[55],"analysis":[56,87,155],"techniques":[57],"were":[58],"proposed":[59],"automatically":[61],"spot":[62],"these":[63,148],"vulnerabilities.":[64],"One":[65],"particularly":[66],"effective":[67],"dynamic":[69,97,122,154],"taint":[70],"analysis.":[71],"Unfortunately,":[72],"this":[73,81],"approach":[74],"introduces":[75],"a":[76,85,107,129],"significant":[77],"run-time":[78,118],"penalty.":[79],"In":[80],"paper,":[82],"we":[83],"present":[84],"hybrid":[86],"framework":[88],"blends":[90],"together":[91],"strengths":[93],"static":[95,108],"approaches":[98],"for":[99,142],"detection":[101],"in":[104],"applications:":[106],"analysis,":[109],"performed":[110],"just":[111],"once,":[112],"reduce":[116],"overhead":[119],"monitoring":[123],"phase.":[124,156],"We":[125],"designed":[126],"implemented":[128],"tool,":[130],"called":[131],"Phan,":[132],"able":[135],"statically":[137],"analyze":[138],"PHP":[139],"bytecode":[140],"searching":[141],"dangerous":[143],"code":[144],"statements;":[145],"then,":[146],"only":[147],"statements":[149],"monitored":[151],"during":[152]},"counts_by_year":[{"year":2025,"cited_by_count":4},{"year":2024,"cited_by_count":1},{"year":2022,"cited_by_count":2},{"year":2020,"cited_by_count":1},{"year":2017,"cited_by_count":1},{"year":2016,"cited_by_count":5},{"year":2013,"cited_by_count":3},{"year":2012,"cited_by_count":7}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}