{"id":"https://openalex.org/W3090513121","doi":"https://doi.org/10.1145/3377811.3380355","title":"Finding client-side business flow tampering vulnerabilities","display_name":"Finding client-side business flow tampering vulnerabilities","publication_year":2020,"publication_date":"2020-06-27","ids":{"openalex":"https://openalex.org/W3090513121","doi":"https://doi.org/10.1145/3377811.3380355","mag":"3090513121"},"language":"en","primary_location":{"id":"doi:10.1145/3377811.3380355","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3377811.3380355","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5012992701","display_name":"I Luk Kim","orcid":"https://orcid.org/0000-0002-6905-5021"},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"I Luk Kim","raw_affiliation_strings":["Purdue University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Purdue University","institution_ids":["https://openalex.org/I219193219"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5039824895","display_name":"Yunhui Zheng","orcid":"https://orcid.org/0000-0002-6794-3199"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yunhui Zheng","raw_affiliation_strings":["IBM T. J. Watson Research Center"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"IBM T. J. Watson Research Center","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5071646906","display_name":"Hogun Park","orcid":"https://orcid.org/0000-0003-0576-5806"},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Hogun Park","raw_affiliation_strings":["Purdue University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Purdue University","institution_ids":["https://openalex.org/I219193219"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5072088517","display_name":"Weihang Wang","orcid":"https://orcid.org/0000-0003-1175-4409"},"institutions":[{"id":"https://openalex.org/I63190737","display_name":"University at Buffalo, State University of New York","ror":"https://ror.org/01y64my43","country_code":"US","type":"education","lineage":["https://openalex.org/I63190737"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Weihang Wang","raw_affiliation_strings":["University at Buffalo"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University at Buffalo","institution_ids":["https://openalex.org/I63190737"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101927208","display_name":"Wei You","orcid":"https://orcid.org/0000-0003-1009-6627"},"institutions":[{"id":"https://openalex.org/I78988378","display_name":"Renmin University of China","ror":"https://ror.org/041pakw92","country_code":"CN","type":"education","lineage":["https://openalex.org/I78988378"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Wei You","raw_affiliation_strings":["Renmin University of China, Beijing, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Renmin University of China, Beijing, China","institution_ids":["https://openalex.org/I78988378"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5007570332","display_name":"Yousra Aafer","orcid":null},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yousra Aafer","raw_affiliation_strings":["Purdue University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Purdue University","institution_ids":["https://openalex.org/I219193219"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5107249133","display_name":"Xiangyu Zhang","orcid":"https://orcid.org/0000-0002-9544-2500"},"institutions":[{"id":"https://openalex.org/I219193219","display_name":"Purdue University West Lafayette","ror":"https://ror.org/02dqehb95","country_code":"US","type":"education","lineage":["https://openalex.org/I219193219"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Xiangyu Zhang","raw_affiliation_strings":["Purdue University"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Purdue University","institution_ids":["https://openalex.org/I219193219"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":7,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":1.9494,"has_fulltext":false,"cited_by_count":14,"citation_normalized_percentile":{"value":0.89827108,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":89,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"222","last_page":"233"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9995999932289124,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9984999895095825,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7706261277198792},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.7257140874862671},{"id":"https://openalex.org/keywords/client-side","display_name":"Client-side","score":0.6871151924133301},{"id":"https://openalex.org/keywords/side-channel-attack","display_name":"Side channel attack","score":0.6538171172142029},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.5324535965919495},{"id":"https://openalex.org/keywords/attack-surface","display_name":"Attack surface","score":0.5231990814208984},{"id":"https://openalex.org/keywords/business-logic","display_name":"Business logic","score":0.49797797203063965},{"id":"https://openalex.org/keywords/overhead","display_name":"Overhead (engineering)","score":0.48947465419769287},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.44760674238204956},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4417344033718109},{"id":"https://openalex.org/keywords/internet-privacy","display_name":"Internet privacy","score":0.4391769468784332},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.3520194888114929},{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.18299031257629395},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.14070135354995728},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.11069831252098083},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.10234314203262329}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7706261277198792},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.7257140874862671},{"id":"https://openalex.org/C202477664","wikidata":"https://www.wikidata.org/wiki/Q1352449","display_name":"Client-side","level":2,"score":0.6871151924133301},{"id":"https://openalex.org/C49289754","wikidata":"https://www.wikidata.org/wiki/Q2267081","display_name":"Side channel attack","level":3,"score":0.6538171172142029},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.5324535965919495},{"id":"https://openalex.org/C2776576444","wikidata":"https://www.wikidata.org/wiki/Q303569","display_name":"Attack surface","level":2,"score":0.5231990814208984},{"id":"https://openalex.org/C146222976","wikidata":"https://www.wikidata.org/wiki/Q1204997","display_name":"Business logic","level":2,"score":0.49797797203063965},{"id":"https://openalex.org/C2779960059","wikidata":"https://www.wikidata.org/wiki/Q7113681","display_name":"Overhead (engineering)","level":2,"score":0.48947465419769287},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.44760674238204956},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4417344033718109},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.4391769468784332},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3520194888114929},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.18299031257629395},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.14070135354995728},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.11069831252098083},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.10234314203262329},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3377811.3380355","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3377811.3380355","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.6299999952316284,"display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":32,"referenced_works":["https://openalex.org/W1519162333","https://openalex.org/W1551909886","https://openalex.org/W1673310716","https://openalex.org/W1954816054","https://openalex.org/W1976373002","https://openalex.org/W1977634174","https://openalex.org/W1987647365","https://openalex.org/W2002079460","https://openalex.org/W2006575153","https://openalex.org/W2023450550","https://openalex.org/W2032754744","https://openalex.org/W2060857434","https://openalex.org/W2068728255","https://openalex.org/W2068932268","https://openalex.org/W2071170332","https://openalex.org/W2089775132","https://openalex.org/W2094568767","https://openalex.org/W2095450067","https://openalex.org/W2101077503","https://openalex.org/W2119387367","https://openalex.org/W2127456326","https://openalex.org/W2133665775","https://openalex.org/W2136601052","https://openalex.org/W2143504694","https://openalex.org/W2144271133","https://openalex.org/W2395329384","https://openalex.org/W2575458798","https://openalex.org/W2604507227","https://openalex.org/W2794456160","https://openalex.org/W2899410695","https://openalex.org/W4210896998","https://openalex.org/W4247465700"],"related_works":["https://openalex.org/W4302890120","https://openalex.org/W4288264855","https://openalex.org/W2588995807","https://openalex.org/W1995482645","https://openalex.org/W2800367972","https://openalex.org/W3212202758","https://openalex.org/W3012186831","https://openalex.org/W1979999931","https://openalex.org/W2767251466","https://openalex.org/W4327978313"],"abstract_inverted_index":{"The":[0],"sheer":[1],"complexity":[2,87],"of":[3,12,25,88],"web":[4],"applications":[5],"leaves":[6],"open":[7],"a":[8,23,47,122],"large":[9],"attack":[10],"surface":[11],"business":[13,48,63,116,167],"logic.":[14],"Particularly,":[15],"in":[16,31,46],"some":[17],"scenarios,":[18],"developers":[19,70],"have":[20,145],"to":[21,28,33,62,104,127,169],"expose":[22],"portion":[24],"the":[26,29,59,76,83,86,89,108],"logic":[27,64,168],"client-side":[30,52,90,115],"order":[32],"coordinate":[34],"multiple":[35],"parties":[36],"(e.g.":[37],"merchants,":[38],"client":[39,77],"users,":[40],"and":[41,66,85,106,120,160],"third-party":[42],"payment":[43],"services)":[44],"involved":[45],"process.":[49],"However,":[50],"such":[51,130,154],"code":[53,91],"can":[54,165],"be":[55,80,94],"tampered":[56],"with":[57,73],"on":[58,136,151],"fly,":[60],"leading":[61],"perturbations":[65],"financial":[67],"loss.":[68],"Although":[69],"become":[71],"familiar":[72],"concepts":[74],"that":[75,92],"should":[78],"never":[79],"trusted,":[81],"given":[82],"size":[84],"may":[93],"even":[95],"incorporated":[96],"from":[97],"third":[98],"parties,":[99],"it":[100],"is":[101],"extremely":[102],"challenging":[103],"understand":[105],"pinpoint":[107],"vulnerability.":[109],"To":[110],"this":[111],"end,":[112],"we":[113,144],"investigate":[114],"flow":[117],"tampering":[118],"vulnerabilities":[119,150],"develop":[121],"dynamic":[123],"analysis":[124],"based":[125],"approach":[126],"automatically":[128],"identifying":[129],"vulnerabilities.":[131],"We":[132],"evaluate":[133],"our":[134],"technique":[135],"200":[137],"popular":[138],"real-world":[139],"websites.":[140],"With":[141],"negligible":[142],"overhead,":[143],"successfully":[146],"identified":[147],"27":[148],"unique":[149],"23":[152],"websites,":[153],"as":[155],"New":[156],"York":[157],"Times,":[158],"HBO,":[159],"YouTube,":[161],"where":[162],"an":[163],"adversary":[164],"interrupt":[166],"bypass":[170],"paywalls,":[171],"disable":[172],"adblocker":[173],"detection,":[174],"earn":[175],"reward":[176],"points":[177],"illicitly,":[178],"etc.":[179]},"counts_by_year":[{"year":2025,"cited_by_count":4},{"year":2024,"cited_by_count":3},{"year":2023,"cited_by_count":2},{"year":2022,"cited_by_count":1},{"year":2021,"cited_by_count":3},{"year":2020,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}