{"id":"https://openalex.org/W2892237651","doi":"https://doi.org/10.1145/3233027.3233042","title":"Understanding vulnerabilities in plugin-based web systems","display_name":"Understanding vulnerabilities in plugin-based web systems","publication_year":2018,"publication_date":"2018-09-10","ids":{"openalex":"https://openalex.org/W2892237651","doi":"https://doi.org/10.1145/3233027.3233042","mag":"2892237651"},"language":"en","primary_location":{"id":"doi:10.1145/3233027.3233042","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3233027.3233042","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 22nd International Systems and Software Product Line Conference - Volume 1","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5028296394","display_name":"Oslien Mesa","orcid":null},"institutions":[{"id":"https://openalex.org/I2699952","display_name":"Pontifical Catholic University of Rio de Janeiro","ror":"https://ror.org/01dg47b60","country_code":"BR","type":"education","lineage":["https://openalex.org/I2699952"]}],"countries":["BR"],"is_corresponding":true,"raw_author_name":"Oslien Mesa","raw_affiliation_strings":["Pontifical Catholic University of Rio, de Janeiro Rio de Janeiro"],"affiliations":[{"raw_affiliation_string":"Pontifical Catholic University of Rio, de Janeiro Rio de Janeiro","institution_ids":["https://openalex.org/I2699952"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5026047020","display_name":"Reginaldo Vieira","orcid":null},"institutions":[{"id":"https://openalex.org/I166595947","display_name":"Federal University of S\u00e3o Jo\u00e3o del-Rei","ror":"https://ror.org/03vrj4p82","country_code":"BR","type":"education","lineage":["https://openalex.org/I166595947"]}],"countries":["BR"],"is_corresponding":false,"raw_author_name":"Reginaldo Vieira","raw_affiliation_strings":["Federal University of S\u00e3o Jo\u00e3o del-Rei"],"affiliations":[{"raw_affiliation_string":"Federal University of S\u00e3o Jo\u00e3o del-Rei","institution_ids":["https://openalex.org/I166595947"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089608165","display_name":"Marx Viana","orcid":"https://orcid.org/0000-0001-9838-5495"},"institutions":[{"id":"https://openalex.org/I2699952","display_name":"Pontifical Catholic University of Rio de Janeiro","ror":"https://ror.org/01dg47b60","country_code":"BR","type":"education","lineage":["https://openalex.org/I2699952"]}],"countries":["BR"],"is_corresponding":false,"raw_author_name":"Marx Viana","raw_affiliation_strings":["Pontifical Catholic University of Rio, de Janeiro Rio de Janeiro"],"affiliations":[{"raw_affiliation_string":"Pontifical Catholic University of Rio, de Janeiro Rio de Janeiro","institution_ids":["https://openalex.org/I2699952"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5057530896","display_name":"Vin\u00edcius H. S. Durelli","orcid":"https://orcid.org/0000-0002-5768-1850"},"institutions":[{"id":"https://openalex.org/I166595947","display_name":"Federal University of S\u00e3o Jo\u00e3o del-Rei","ror":"https://ror.org/03vrj4p82","country_code":"BR","type":"education","lineage":["https://openalex.org/I166595947"]}],"countries":["BR"],"is_corresponding":false,"raw_author_name":"Vinicius H. S. Durelli","raw_affiliation_strings":["Federal University of S\u00e3o Jo\u00e3o del-Rei"],"affiliations":[{"raw_affiliation_string":"Federal University of S\u00e3o Jo\u00e3o del-Rei","institution_ids":["https://openalex.org/I166595947"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037756038","display_name":"Elder Cirilo","orcid":"https://orcid.org/0000-0003-1464-2314"},"institutions":[{"id":"https://openalex.org/I166595947","display_name":"Federal University of S\u00e3o Jo\u00e3o del-Rei","ror":"https://ror.org/03vrj4p82","country_code":"BR","type":"education","lineage":["https://openalex.org/I166595947"]}],"countries":["BR"],"is_corresponding":false,"raw_author_name":"Elder Cirilo","raw_affiliation_strings":["Federal University of S\u00e3o Jo\u00e3o del-Rei"],"affiliations":[{"raw_affiliation_string":"Federal University of S\u00e3o Jo\u00e3o del-Rei","institution_ids":["https://openalex.org/I166595947"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5062526200","display_name":"Marcos Kalinowski","orcid":"https://orcid.org/0000-0003-1445-3425"},"institutions":[{"id":"https://openalex.org/I2699952","display_name":"Pontifical Catholic University of Rio de Janeiro","ror":"https://ror.org/01dg47b60","country_code":"BR","type":"education","lineage":["https://openalex.org/I2699952"]}],"countries":["BR"],"is_corresponding":false,"raw_author_name":"Marcos Kalinowski","raw_affiliation_strings":["Pontifical Catholic University of Rio, de Janeiro Rio de Janeiro"],"affiliations":[{"raw_affiliation_string":"Pontifical Catholic University of Rio, de Janeiro Rio de Janeiro","institution_ids":["https://openalex.org/I2699952"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5021306015","display_name":"Carlos Lucena","orcid":"https://orcid.org/0000-0001-9669-2352"},"institutions":[{"id":"https://openalex.org/I2699952","display_name":"Pontifical Catholic University of Rio de Janeiro","ror":"https://ror.org/01dg47b60","country_code":"BR","type":"education","lineage":["https://openalex.org/I2699952"]}],"countries":["BR"],"is_corresponding":false,"raw_author_name":"Carlos Lucena","raw_affiliation_strings":["Pontifical Catholic University of Rio, de Janeiro Rio de Janeiro"],"affiliations":[{"raw_affiliation_string":"Pontifical Catholic University of Rio, de Janeiro Rio de Janeiro","institution_ids":["https://openalex.org/I2699952"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5028296394"],"corresponding_institution_ids":["https://openalex.org/I2699952"],"apc_list":null,"apc_paid":null,"fwci":0.6606,"has_fulltext":false,"cited_by_count":13,"citation_normalized_percentile":{"value":0.69508718,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"149","last_page":"159"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9993000030517578,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/plug-in","display_name":"Plug-in","score":0.8702377080917358},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7621502876281738},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.4109598994255066},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.3798460066318512},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.349222332239151},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.24457845091819763},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.148524671792984},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.06540447473526001}],"concepts":[{"id":"https://openalex.org/C4924752","wikidata":"https://www.wikidata.org/wiki/Q184148","display_name":"Plug-in","level":2,"score":0.8702377080917358},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7621502876281738},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.4109598994255066},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3798460066318512},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.349222332239151},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.24457845091819763},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.148524671792984},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.06540447473526001},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3233027.3233042","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3233027.3233042","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 22nd International Systems and Software Product Line Conference - Volume 1","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":46,"referenced_works":["https://openalex.org/W3689301","https://openalex.org/W1543344803","https://openalex.org/W1880262756","https://openalex.org/W1969354810","https://openalex.org/W1970607969","https://openalex.org/W1971733255","https://openalex.org/W1979820341","https://openalex.org/W1985418344","https://openalex.org/W1986222079","https://openalex.org/W1986436601","https://openalex.org/W1993318811","https://openalex.org/W1999296854","https://openalex.org/W1999827279","https://openalex.org/W2001082470","https://openalex.org/W2009391857","https://openalex.org/W2015761648","https://openalex.org/W2024920205","https://openalex.org/W2034911954","https://openalex.org/W2043837581","https://openalex.org/W2052461839","https://openalex.org/W2052468877","https://openalex.org/W2056894403","https://openalex.org/W2057366964","https://openalex.org/W2077937403","https://openalex.org/W2088498570","https://openalex.org/W2096274199","https://openalex.org/W2100945416","https://openalex.org/W2101502756","https://openalex.org/W2110986222","https://openalex.org/W2113693268","https://openalex.org/W2120197657","https://openalex.org/W2124100711","https://openalex.org/W2126166995","https://openalex.org/W2134682016","https://openalex.org/W2135093973","https://openalex.org/W2149257325","https://openalex.org/W2152382597","https://openalex.org/W2167926541","https://openalex.org/W2209872464","https://openalex.org/W2407999381","https://openalex.org/W2480954553","https://openalex.org/W2793144087","https://openalex.org/W3010856131","https://openalex.org/W4237092605","https://openalex.org/W4251143943","https://openalex.org/W4300671282"],"related_works":["https://openalex.org/W2748952813","https://openalex.org/W2981957539","https://openalex.org/W4287378204","https://openalex.org/W47352601","https://openalex.org/W2545422590","https://openalex.org/W2779307146","https://openalex.org/W4213079707","https://openalex.org/W1631032283","https://openalex.org/W1643546019","https://openalex.org/W2167151567"],"abstract_inverted_index":{"A":[0],"common":[1,165],"software":[2],"product":[3],"line":[4],"strategy":[5],"involves":[6],"plugin-based":[7,38,215,231],"web":[8],"systems":[9],"that":[10,36],"support":[11,37],"simple":[12],"and":[13,63,68,150,182,198,234],"quick":[14],"incorporation":[15],"of":[16,34,48,140,153],"custom":[17],"behaviors.":[18],"As":[19],"a":[20,81],"result,":[21],"they":[22,191],"have":[23,179],"been":[24],"widely":[25],"adopted":[26],"to":[27,45,59,65,71,83,88,100,156,201,208,226],"create":[28],"web-based":[29,107],"applications.":[30],"Indeed,":[31],"the":[32,46,75,120,131,137,151,154,158,163,202],"popularity":[33],"ecosystems":[35],"development":[39],"(e.g.,":[40],"WordPress)":[41],"is":[42,80],"largely":[43],"due":[44],"number":[47],"customization":[49],"options":[50],"available":[51],"as":[52,124,126,145,147],"community-contributed":[53],"plugins.":[54],"However,":[55],"plugin-related":[56,176],"vulnerabilities":[57,87,102,141,177,216],"tend":[58],"be":[60,66,194,224],"recurrent,":[61],"exploitable":[62],"hard":[64],"detected":[67],"may":[69,178],"lead":[70],"severe":[72,180],"consequences":[73,181],"for":[74,186],"customized":[76],"product.":[77],"Hence,":[78],"there":[79],"need":[82],"further":[84],"understand":[85],"such":[86],"enable":[89],"preventing":[90],"relevant":[91],"security":[92],"threats.":[93],"Therefore,":[94],"we":[95,112,161],"conducted":[96],"an":[97,210],"exploratory":[98],"study":[99],"characterize":[101],"caused":[103,142],"by":[104,119,130,143],"plugins":[105,133,144],"in":[106,219],"systems.":[108],"To":[109],"this":[110],"end,":[111],"went":[113],"over":[114],"WordPress":[115,132,170],"vulnerability":[116,232],"bulletins":[117],"cataloged":[118],"National":[121],"Vulnerability":[122],"Database":[123],"well":[125,146],"associated":[127],"patches":[128],"maintained":[129],"repository.":[134],"We":[135,172],"identified":[136,162],"main":[138],"types":[139],"their":[148],"impact":[149],"size":[152],"patch":[155],"fix":[157],"vulnerability.":[159],"Moreover,":[160],"most":[164],"security-related":[166],"topics":[167],"discussed":[168],"among":[169],"developers.":[171],"observed":[173],"that,":[174],"while":[175],"might":[183],"remain":[184],"unnoticed":[185],"years":[187],"before":[188],"being":[189],"fixed,":[190],"can":[192,223],"commonly":[193],"mitigated":[195],"with":[196],"small":[197],"localized":[199],"changes":[200],"source":[203],"code.":[204],"The":[205],"characterization":[206],"helps":[207],"provide":[209],"understanding":[211],"on":[212,230],"how":[213],"typical":[214],"manifest":[217],"themselves":[218],"practice.":[220],"Such":[221],"information":[222],"helpful":[225],"steer":[227],"future":[228],"research":[229],"detection":[233],"prevention.":[235]},"counts_by_year":[{"year":2025,"cited_by_count":2},{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":1},{"year":2022,"cited_by_count":2},{"year":2021,"cited_by_count":2},{"year":2019,"cited_by_count":2}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}