{"id":"https://openalex.org/W2038173986","doi":"https://doi.org/10.1145/2557547.2557552","title":"Automated black-box detection of access control vulnerabilities in web applications","display_name":"Automated black-box detection of access control vulnerabilities in web applications","publication_year":2014,"publication_date":"2014-02-25","ids":{"openalex":"https://openalex.org/W2038173986","doi":"https://doi.org/10.1145/2557547.2557552","mag":"2038173986"},"language":"en","primary_location":{"id":"doi:10.1145/2557547.2557552","is_oa":false,"landing_page_url":"https://doi.org/10.1145/2557547.2557552","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 4th ACM conference on Data and application security and privacy","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5023380073","display_name":"Xiaowei Li","orcid":"https://orcid.org/0000-0002-0874-814X"},"institutions":[{"id":"https://openalex.org/I1291425158","display_name":"Google (United States)","ror":"https://ror.org/00njsd438","country_code":"US","type":"company","lineage":["https://openalex.org/I1291425158","https://openalex.org/I4210128969"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Xiaowei Li","raw_affiliation_strings":["Google, Mountain View, CA, USA"],"affiliations":[{"raw_affiliation_string":"Google, Mountain View, CA, USA","institution_ids":["https://openalex.org/I1291425158"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5059074509","display_name":"Xujie Si","orcid":"https://orcid.org/0000-0002-3739-2269"},"institutions":[{"id":"https://openalex.org/I200719446","display_name":"Vanderbilt University","ror":"https://ror.org/02vm5rt34","country_code":"US","type":"education","lineage":["https://openalex.org/I200719446"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xujie Si","raw_affiliation_strings":["Vanderbilt University, Nashville, TN, USA"],"affiliations":[{"raw_affiliation_string":"Vanderbilt University, Nashville, TN, USA","institution_ids":["https://openalex.org/I200719446"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5028544932","display_name":"Yuan Xue","orcid":"https://orcid.org/0000-0002-5390-9037"},"institutions":[{"id":"https://openalex.org/I200719446","display_name":"Vanderbilt University","ror":"https://ror.org/02vm5rt34","country_code":"US","type":"education","lineage":["https://openalex.org/I200719446"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yuan Xue","raw_affiliation_strings":["Vanderbilt University, Nashville, TN, USA"],"affiliations":[{"raw_affiliation_string":"Vanderbilt University, Nashville, TN, USA","institution_ids":["https://openalex.org/I200719446"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5023380073"],"corresponding_institution_ids":["https://openalex.org/I1291425158"],"apc_list":null,"apc_paid":null,"fwci":3.1556,"has_fulltext":false,"cited_by_count":15,"citation_normalized_percentile":{"value":0.92668606,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":89,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"49","last_page":"60"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9965999722480774,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.9927999973297119,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8679713606834412},{"id":"https://openalex.org/keywords/access-control","display_name":"Access control","score":0.687856912612915},{"id":"https://openalex.org/keywords/sql","display_name":"SQL","score":0.5788648724555969},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.5355767011642456},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.48371437191963196},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.4535156786441803},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.44411739706993103},{"id":"https://openalex.org/keywords/sql-injection","display_name":"SQL injection","score":0.44261884689331055},{"id":"https://openalex.org/keywords/security-policy","display_name":"Security policy","score":0.42322593927383423},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.42151719331741333},{"id":"https://openalex.org/keywords/granularity","display_name":"Granularity","score":0.41530150175094604},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.24710848927497864},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.2265969216823578},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.20934873819351196},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.19111132621765137},{"id":"https://openalex.org/keywords/web-search-query","display_name":"Web search query","score":0.18776467442512512},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.17782104015350342},{"id":"https://openalex.org/keywords/machine-learning","display_name":"Machine learning","score":0.14610719680786133},{"id":"https://openalex.org/keywords/query-by-example","display_name":"Query by Example","score":0.1432902216911316},{"id":"https://openalex.org/keywords/search-engine","display_name":"Search engine","score":0.1331634521484375}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8679713606834412},{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.687856912612915},{"id":"https://openalex.org/C510870499","wikidata":"https://www.wikidata.org/wiki/Q47607","display_name":"SQL","level":2,"score":0.5788648724555969},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.5355767011642456},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.48371437191963196},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.4535156786441803},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.44411739706993103},{"id":"https://openalex.org/C150451098","wikidata":"https://www.wikidata.org/wiki/Q506059","display_name":"SQL injection","level":5,"score":0.44261884689331055},{"id":"https://openalex.org/C154908896","wikidata":"https://www.wikidata.org/wiki/Q2167404","display_name":"Security policy","level":2,"score":0.42322593927383423},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.42151719331741333},{"id":"https://openalex.org/C177774035","wikidata":"https://www.wikidata.org/wiki/Q1246948","display_name":"Granularity","level":2,"score":0.41530150175094604},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.24710848927497864},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.2265969216823578},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.20934873819351196},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.19111132621765137},{"id":"https://openalex.org/C164120249","wikidata":"https://www.wikidata.org/wiki/Q995982","display_name":"Web search query","level":3,"score":0.18776467442512512},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.17782104015350342},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.14610719680786133},{"id":"https://openalex.org/C194222762","wikidata":"https://www.wikidata.org/wiki/Q114486","display_name":"Query by Example","level":4,"score":0.1432902216911316},{"id":"https://openalex.org/C97854310","wikidata":"https://www.wikidata.org/wiki/Q19541","display_name":"Search engine","level":2,"score":0.1331634521484375},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/2557547.2557552","is_oa":false,"landing_page_url":"https://doi.org/10.1145/2557547.2557552","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 4th ACM conference on Data and application security and privacy","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.7699999809265137,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":20,"referenced_works":["https://openalex.org/W33764377","https://openalex.org/W1489243061","https://openalex.org/W1559255981","https://openalex.org/W1788765617","https://openalex.org/W1861561811","https://openalex.org/W1975428729","https://openalex.org/W1980694458","https://openalex.org/W2002079460","https://openalex.org/W2008494459","https://openalex.org/W2058226530","https://openalex.org/W2070689669","https://openalex.org/W2079452443","https://openalex.org/W2086042629","https://openalex.org/W2151481990","https://openalex.org/W2157010176","https://openalex.org/W2162720432","https://openalex.org/W2402699044","https://openalex.org/W2404990348","https://openalex.org/W2408152660","https://openalex.org/W2817902725"],"related_works":["https://openalex.org/W3107810407","https://openalex.org/W4248491825","https://openalex.org/W2557302400","https://openalex.org/W2571113418","https://openalex.org/W2359391484","https://openalex.org/W2070218579","https://openalex.org/W4206678297","https://openalex.org/W3196457791","https://openalex.org/W2133089983","https://openalex.org/W3202423697"],"abstract_inverted_index":{"Access":[0],"control":[1,33,72,92,194],"vulnerabilities":[2],"within":[3,117],"web":[4,119,212],"applications":[5,79],"pose":[6],"serious":[7],"security":[8],"threats":[9],"to":[10,78,125,163,187],"the":[11,26,31,36,46,52,90,105,114,118,128,135,139,157,160,165,168,171,180,189,218],"sensitive":[12],"information":[13],"stored":[14],"at":[15,29],"back-end":[16],"databases.":[17],"Existing":[18],"approaches":[19],"are":[20,81,146],"limited":[21],"from":[22],"several":[23],"aspects,":[24],"including":[25],"coarse":[27],"granularity":[28],"which":[30,74,102],"access":[32,71,91,107,143,193],"is":[34],"modeled,":[35],"incapability":[37],"of":[38,48,70,141,208,222],"handling":[39],"complex":[40],"relationship":[41,166],"between":[42,167],"data":[43,173],"entities":[44],"and":[45,51,86,113,130,155,170,202,210,220],"requirement":[47],"source":[49],"code":[50],"specific":[53],"application":[54,129,190],"platform.":[55],"In":[56],"this":[57],"paper,":[58],"we":[59,137,183],"present":[60],"an":[61],"automated":[62],"black-box":[63],"technique":[64],"for":[65,148,191],"identifying":[66],"a":[67,96,123,198,206],"broad":[68],"range":[69],"vulnerabilities,":[73],"can":[75],"be":[76],"applied":[77],"that":[80,145],"developed":[82],"using":[83],"different":[84],"languages":[85],"platforms.":[87],"We":[88,121,196],"model":[89],"policy":[93,153,176],"based":[94],"on":[95,179],"novel":[97],"virtual":[98],"SQL":[99,111],"query":[100],"concept,":[101],"captures":[103],"both":[104],"database":[106,142],"operations":[108,144],"(i.e.,":[109,151,174],"through":[110],"queries)":[112],"post-processing":[115],"filters":[116],"application.":[120],"leverage":[122],"crawler":[124],"automatically":[126],"explore":[127],"collect":[131],"execution":[132],"traces.":[133],"From":[134],"traces,":[136],"identify":[138],"set":[140,207],"allowed":[147],"each":[149],"role":[150],"role-level":[152],"inference)":[154],"extract":[156],"constraints":[158],"over":[159,205],"operation":[161],"parameters":[162],"characterize":[164],"users":[169],"accessed":[172],"user-level":[175],"inference).":[177],"Based":[178],"inferred":[181],"policy,":[182],"construct":[184],"test":[185],"inputs":[186],"exploit":[188],"potential":[192],"flaws.":[195],"implement":[197],"prototype":[199],"system":[200],"BATMAN":[201],"evaluate":[203],"it":[204],"PHP":[209],"JSP":[211],"applications.":[213],"The":[214],"experiment":[215],"results":[216],"demonstrate":[217],"effectiveness":[219],"accuracy":[221],"our":[223],"approach.":[224]},"counts_by_year":[{"year":2025,"cited_by_count":5},{"year":2024,"cited_by_count":1},{"year":2023,"cited_by_count":1},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":1},{"year":2019,"cited_by_count":1},{"year":2018,"cited_by_count":1},{"year":2016,"cited_by_count":3},{"year":2014,"cited_by_count":1}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}