{"id":"https://openalex.org/W4388858891","doi":"https://doi.org/10.1145/3576915.3616582","title":"Black Ostrich: Web Application Scanning with String Solvers","display_name":"Black Ostrich: Web Application Scanning with String Solvers","publication_year":2023,"publication_date":"2023-11-15","ids":{"openalex":"https://openalex.org/W4388858891","doi":"https://doi.org/10.1145/3576915.3616582"},"language":"en","primary_location":{"id":"doi:10.1145/3576915.3616582","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3576915.3616582","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3576915.3616582","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3576915.3616582","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5030086378","display_name":"Benjamin Eriksson","orcid":"https://orcid.org/0000-0003-0553-3597"},"institutions":[{"id":"https://openalex.org/I66862912","display_name":"Chalmers University of Technology","ror":"https://ror.org/040wg7k59","country_code":"SE","type":"education","lineage":["https://openalex.org/I66862912"]}],"countries":["SE"],"is_corresponding":true,"raw_author_name":"Benjamin Eriksson","raw_affiliation_strings":["Chalmers University of Technology, Gothenburg, Sweden"],"affiliations":[{"raw_affiliation_string":"Chalmers University of Technology, Gothenburg, Sweden","institution_ids":["https://openalex.org/I66862912"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5093307863","display_name":"Amanda Stjerna","orcid":null},"institutions":[{"id":"https://openalex.org/I123387679","display_name":"Uppsala University","ror":"https://ror.org/048a87296","country_code":"SE","type":"education","lineage":["https://openalex.org/I123387679"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Amanda Stjerna","raw_affiliation_strings":["Uppsala University, Uppsala, Sweden"],"affiliations":[{"raw_affiliation_string":"Uppsala University, Uppsala, Sweden","institution_ids":["https://openalex.org/I123387679"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5074804384","display_name":"Riccardo De Masellis","orcid":null},"institutions":[{"id":"https://openalex.org/I123387679","display_name":"Uppsala University","ror":"https://ror.org/048a87296","country_code":"SE","type":"education","lineage":["https://openalex.org/I123387679"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Riccardo De Masellis","raw_affiliation_strings":["Uppsala University, Uppsala, Sweden"],"affiliations":[{"raw_affiliation_string":"Uppsala University, Uppsala, Sweden","institution_ids":["https://openalex.org/I123387679"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5109657310","display_name":"Philipp R\u00fcemmer","orcid":null},"institutions":[{"id":"https://openalex.org/I60668342","display_name":"University of Regensburg","ror":"https://ror.org/01eezs655","country_code":"DE","type":"education","lineage":["https://openalex.org/I60668342"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Philipp R\u00fcemmer","raw_affiliation_strings":["University of Regensburg &amp; Uppsala University, Regensburg, Germany"],"affiliations":[{"raw_affiliation_string":"University of Regensburg &amp; Uppsala University, Regensburg, Germany","institution_ids":["https://openalex.org/I60668342"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5070340953","display_name":"Andrei Sabelfeld","orcid":null},"institutions":[{"id":"https://openalex.org/I66862912","display_name":"Chalmers University of Technology","ror":"https://ror.org/040wg7k59","country_code":"SE","type":"education","lineage":["https://openalex.org/I66862912"]}],"countries":["SE"],"is_corresponding":false,"raw_author_name":"Andrei Sabelfeld","raw_affiliation_strings":["Chalmers University of Technology, Gothenburg, Sweden"],"affiliations":[{"raw_affiliation_string":"Chalmers University of Technology, Gothenburg, Sweden","institution_ids":["https://openalex.org/I66862912"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5030086378"],"corresponding_institution_ids":["https://openalex.org/I66862912"],"apc_list":null,"apc_paid":null,"fwci":4.077,"has_fulltext":true,"cited_by_count":9,"citation_normalized_percentile":{"value":0.94674176,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":90,"max":98},"biblio":{"volume":null,"issue":null,"first_page":"549","last_page":"563"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":1.0,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9962999820709229,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9948999881744385,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7955334186553955},{"id":"https://openalex.org/keywords/web-crawler","display_name":"Web crawler","score":0.6860901713371277},{"id":"https://openalex.org/keywords/crawling","display_name":"Crawling","score":0.6742212176322937},{"id":"https://openalex.org/keywords/javascript","display_name":"JavaScript","score":0.6673081517219543},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.6148889064788818},{"id":"https://openalex.org/keywords/string","display_name":"String (physics)","score":0.5415573120117188},{"id":"https://openalex.org/keywords/solver","display_name":"Solver","score":0.43453019857406616},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.430553674697876},{"id":"https://openalex.org/keywords/constraint","display_name":"Constraint (computer-aided design)","score":0.42335349321365356},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.3606724441051483},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.2811442017555237},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.10516592860221863},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.08760502934455872}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7955334186553955},{"id":"https://openalex.org/C13743948","wikidata":"https://www.wikidata.org/wiki/Q45842","display_name":"Web crawler","level":2,"score":0.6860901713371277},{"id":"https://openalex.org/C100368936","wikidata":"https://www.wikidata.org/wiki/Q1411725","display_name":"Crawling","level":2,"score":0.6742212176322937},{"id":"https://openalex.org/C544833334","wikidata":"https://www.wikidata.org/wiki/Q2005","display_name":"JavaScript","level":2,"score":0.6673081517219543},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.6148889064788818},{"id":"https://openalex.org/C157486923","wikidata":"https://www.wikidata.org/wiki/Q1376436","display_name":"String (physics)","level":2,"score":0.5415573120117188},{"id":"https://openalex.org/C2778770139","wikidata":"https://www.wikidata.org/wiki/Q1966904","display_name":"Solver","level":2,"score":0.43453019857406616},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.430553674697876},{"id":"https://openalex.org/C2776036281","wikidata":"https://www.wikidata.org/wiki/Q48769818","display_name":"Constraint (computer-aided design)","level":2,"score":0.42335349321365356},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3606724441051483},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.2811442017555237},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.10516592860221863},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.08760502934455872},{"id":"https://openalex.org/C71924100","wikidata":"https://www.wikidata.org/wiki/Q11190","display_name":"Medicine","level":0,"score":0.0},{"id":"https://openalex.org/C105702510","wikidata":"https://www.wikidata.org/wiki/Q514","display_name":"Anatomy","level":1,"score":0.0},{"id":"https://openalex.org/C37914503","wikidata":"https://www.wikidata.org/wiki/Q156495","display_name":"Mathematical physics","level":1,"score":0.0},{"id":"https://openalex.org/C78519656","wikidata":"https://www.wikidata.org/wiki/Q101333","display_name":"Mechanical engineering","level":1,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1145/3576915.3616582","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3576915.3616582","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3576915.3616582","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:DiVA.org:uu-524309","is_oa":true,"landing_page_url":"http://urn.kb.se/resolve?urn=urn:nbn:se:uu:diva-524309","pdf_url":"https://uu.diva-portal.org/smash/get/diva2:1841967/FULLTEXT01","source":{"id":"https://openalex.org/S4306401559","display_name":"KTH Publication Database DiVA (KTH Royal Institute of Technology)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Conference paper"},{"id":"pmh:oai:research.chalmers.se:539079","is_oa":true,"landing_page_url":"https://research.chalmers.se/en/publication/539079","pdf_url":"https://research.chalmers.se/publication/539079/file/539079_Fulltext.pdf","source":{"id":"https://openalex.org/S4306402469","display_name":"Chalmers Research (Chalmers University of Technology)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I66862912","host_organization_name":"Chalmers University of Technology","host_organization_lineage":["https://openalex.org/I66862912"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":""}],"best_oa_location":{"id":"doi:10.1145/3576915.3616582","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3576915.3616582","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3576915.3616582","source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G712881263","display_name":null,"funder_award_id":"2018-","funder_id":"https://openalex.org/F4320322581","funder_display_name":"Vetenskapsr\u00e5det"},{"id":"https://openalex.org/G8683756101","display_name":null,"funder_award_id":"support","funder_id":"https://openalex.org/F4320322327","funder_display_name":"Knut och Alice Wallenbergs Stiftelse"}],"funders":[{"id":"https://openalex.org/F4320320940","display_name":"Stiftelsen f\u00f6r\u00a0Strategisk Forskning","ror":"https://ror.org/044wr7g58"},{"id":"https://openalex.org/F4320322327","display_name":"Knut och Alice Wallenbergs Stiftelse","ror":"https://ror.org/004hzzk67"},{"id":"https://openalex.org/F4320322581","display_name":"Vetenskapsr\u00e5det","ror":"https://ror.org/03zttf063"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4388858891.pdf","grobid_xml":"https://content.openalex.org/works/W4388858891.grobid-xml"},"referenced_works_count":49,"referenced_works":["https://openalex.org/W647462584","https://openalex.org/W1500042303","https://openalex.org/W1861561811","https://openalex.org/W1971842919","https://openalex.org/W1978405212","https://openalex.org/W1983801562","https://openalex.org/W1990437388","https://openalex.org/W2017035494","https://openalex.org/W2049123707","https://openalex.org/W2060218972","https://openalex.org/W2064645115","https://openalex.org/W2067195038","https://openalex.org/W2091815190","https://openalex.org/W2094568767","https://openalex.org/W2110117589","https://openalex.org/W2110318050","https://openalex.org/W2111487235","https://openalex.org/W2125672377","https://openalex.org/W2132791332","https://openalex.org/W2134126306","https://openalex.org/W2137351629","https://openalex.org/W2149612134","https://openalex.org/W2149801502","https://openalex.org/W2296241649","https://openalex.org/W2405282478","https://openalex.org/W2776845434","https://openalex.org/W2790761820","https://openalex.org/W2888830098","https://openalex.org/W2897675441","https://openalex.org/W2899573209","https://openalex.org/W2904027722","https://openalex.org/W2962940036","https://openalex.org/W3095708133","https://openalex.org/W3099242157","https://openalex.org/W3113059832","https://openalex.org/W3164306598","https://openalex.org/W3211522117","https://openalex.org/W3214872226","https://openalex.org/W4205241946","https://openalex.org/W4225922019","https://openalex.org/W4284670904","https://openalex.org/W4323026879","https://openalex.org/W4388858891","https://openalex.org/W6626619039","https://openalex.org/W6683303659","https://openalex.org/W6751122134","https://openalex.org/W6794670714","https://openalex.org/W6822517396","https://openalex.org/W6852707572"],"related_works":["https://openalex.org/W2084213350","https://openalex.org/W2566658409","https://openalex.org/W3119324922","https://openalex.org/W2352686120","https://openalex.org/W2372594123","https://openalex.org/W2358310581","https://openalex.org/W2964752624","https://openalex.org/W2026132847","https://openalex.org/W4385695127","https://openalex.org/W2137810919"],"abstract_inverted_index":{"Securing":[0],"web":[1,14,39,65,75,92,132],"applications":[2,40,93],"remains":[3],"a":[4,44,60,139,152,181,245],"pressing":[5],"challenge.":[6],"Unfortunately,":[7],"the":[8,11,29,124,129,155,173,185,195,201,215,219,259],"state":[9],"of":[10,22,43,104,141,154,168,184,192,200,218,247,258],"art":[12],"in":[13,91],"crawling":[15,66,76],"and":[16,67,94,122,159,166],"security":[17],"scanning":[18],"still":[19],"falls":[20],"short":[21],"deep":[23,64],"crawling.":[24],"A":[25],"major":[26],"roadblock":[27],"is":[28,72],"crawlers'":[30],"limited":[31],"ability":[32],"to":[33,63,73,82,112,172,189],"pass":[34,96],"input":[35,97,169],"validation":[36,98,144,249,263],"checks":[37],"when":[38],"require":[41],"data":[42],"certain":[45],"format,":[46],"such":[47],"as":[48],"email,":[49],"phone":[50],"number,":[51],"or":[52],"zip":[53],"code.":[54],"This":[55],"paper":[56],"develops":[57],"Black":[58,130,136,178],"Ostrich,":[59],"principled":[61],"approach":[62,120,230],"scanning.":[68],"The":[69],"key":[70],"idea":[71],"equip":[74],"with":[77,128],"string":[78],"constraint":[79,105,126],"solving":[80],"capabilities":[81],"dynamically":[83],"infer":[84],"suitable":[85],"inputs":[86],"from":[87,147,151],"regular":[88,115],"expression":[89],"patterns":[90,145,210,264],"thereby":[95],"checks.":[99],"To":[100],"enable":[101],"this":[102],"use":[103],"solvers,":[106],"we":[107,175,207,252],"develop":[108],"new":[109],"automata-based":[110],"techniques":[111],"process":[113],"JavaScript":[114],"expressions.":[116],"We":[117,134,225],"implement":[118],"our":[119,229],"extending":[121],"combining":[123],"Ostrich":[125,137,179],"solver":[127],"Widow":[131],"crawler.":[133],"evaluate":[135],"on":[138,211,237],"set":[140],"8,820":[142],"unique":[143],"gathered":[146],"over":[148],"21,667,978":[149],"forms":[150,165],"combination":[153],"July":[156],"2021":[157],"Common~Crawl":[158],"Tranco":[160],"top":[161],"100K.":[162],"For":[163],"these":[164,205],"reconstructions":[167],"elements":[170],"corresponding":[171],"patterns,":[174,206,250],"demonstrate":[176],"that":[177,228,254],"achieves":[180],"99%":[182],"coverage":[183,233],"form":[186],"validations":[187],"compared":[188],"an":[190],"average":[191],"36%":[193],"for":[194],"state-of-the-art":[196],"scanners.":[197],"Moreover,":[198],"out":[199,257],"66,377":[202],"domains":[203],"using":[204],"solve":[208],"all":[209],"66,309":[212],"(99%)":[213],"while":[214],"combined":[216],"efforts":[217],"other":[220],"scanners":[221],"cover":[222],"52,632":[223],"(79%).":[224],"further":[226],"show":[227],"can":[231],"boost":[232],"by":[234],"evaluating":[235],"it":[236],"three":[238],"open-source":[239],"applications.":[240],"Our":[241],"empirical":[242],"studies":[243],"include":[244],"study":[246],"email":[248,262],"where":[251],"find":[253],"213":[255],"(26%)":[256],"825":[260],"found":[261],"liberally":[265],"admit":[266],"XSS":[267],"injection":[268],"payloads.":[269]},"counts_by_year":[{"year":2026,"cited_by_count":1},{"year":2025,"cited_by_count":5},{"year":2024,"cited_by_count":2},{"year":2023,"cited_by_count":1}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2023-11-22T00:00:00"}