{"id":"https://openalex.org/W4402442655","doi":"https://doi.org/10.1145/3650212.3680367","title":"Automated Data Binding Vulnerability Detection for Java Web Frameworks via Nested Property Graph","display_name":"Automated Data Binding Vulnerability Detection for Java Web Frameworks via Nested Property Graph","publication_year":2024,"publication_date":"2024-09-11","ids":{"openalex":"https://openalex.org/W4402442655","doi":"https://doi.org/10.1145/3650212.3680367"},"language":"en","primary_location":{"id":"doi:10.1145/3650212.3680367","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3650212.3680367","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5113377907","display_name":"Xiaoyong Yan","orcid":null},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Xiaoyong Yan","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"raw_orcid":"https://orcid.org/0009-0002-7462-6420","affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Biao He","orcid":"https://orcid.org/0009-0007-9851-8201"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Biao He","raw_affiliation_strings":["Ant Group, Hangzhou, China"],"raw_orcid":"https://orcid.org/0009-0007-9851-8201","affiliations":[{"raw_affiliation_string":"Ant Group, Hangzhou, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5039734151","display_name":"Wenbo Shen","orcid":"https://orcid.org/0000-0003-2899-6121"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Wenbo Shen","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"raw_orcid":"https://orcid.org/0000-0003-2899-6121","affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100870082","display_name":"Yu Ouyang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yu Ouyang","raw_affiliation_strings":["Ant Group, Hangzhou, China"],"raw_orcid":"https://orcid.org/0009-0002-4001-9868","affiliations":[{"raw_affiliation_string":"Ant Group, Hangzhou, China","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5113377908","display_name":"Kaihang Zhou","orcid":null},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Kaihang Zhou","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"raw_orcid":"https://orcid.org/0009-0002-6339-0301","affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100635711","display_name":"Xingjian Zhang","orcid":"https://orcid.org/0000-0001-8009-0242"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xingjian Zhang","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"raw_orcid":"https://orcid.org/0000-0001-8009-0242","affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5051279101","display_name":"Xingyu Wang","orcid":"https://orcid.org/0009-0009-9988-8065"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Xingyu Wang","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"raw_orcid":"https://orcid.org/0009-0009-9988-8065","affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5108801098","display_name":"Yukai Cao","orcid":"https://orcid.org/0009-0008-4122-4023"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Yukai Cao","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"raw_orcid":"https://orcid.org/0009-0008-4122-4023","affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5044721876","display_name":"Rui Chang","orcid":"https://orcid.org/0000-0002-0178-0171"},"institutions":[{"id":"https://openalex.org/I76130692","display_name":"Zhejiang University","ror":"https://ror.org/00a2xv884","country_code":"CN","type":"education","lineage":["https://openalex.org/I76130692"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Rui Chang","raw_affiliation_strings":["Zhejiang University, Hangzhou, China"],"raw_orcid":"https://orcid.org/0000-0002-0178-0171","affiliations":[{"raw_affiliation_string":"Zhejiang University, Hangzhou, China","institution_ids":["https://openalex.org/I76130692"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5113377907"],"corresponding_institution_ids":["https://openalex.org/I76130692"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.23448385,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1377","last_page":"1388"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998000264167786,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9984999895095825,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9980000257492065,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8124920129776001},{"id":"https://openalex.org/keywords/java","display_name":"Java","score":0.6666010618209839},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.5293681621551514},{"id":"https://openalex.org/keywords/property","display_name":"Property (philosophy)","score":0.5041974782943726},{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.4574103355407715},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.43814510107040405},{"id":"https://openalex.org/keywords/theoretical-computer-science","display_name":"Theoretical computer science","score":0.3593786358833313},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.2636966109275818}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8124920129776001},{"id":"https://openalex.org/C548217200","wikidata":"https://www.wikidata.org/wiki/Q251","display_name":"Java","level":2,"score":0.6666010618209839},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.5293681621551514},{"id":"https://openalex.org/C189950617","wikidata":"https://www.wikidata.org/wiki/Q937228","display_name":"Property (philosophy)","level":2,"score":0.5041974782943726},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.4574103355407715},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.43814510107040405},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.3593786358833313},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.2636966109275818},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0},{"id":"https://openalex.org/C111472728","wikidata":"https://www.wikidata.org/wiki/Q9471","display_name":"Epistemology","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3650212.3680367","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3650212.3680367","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":9,"referenced_works":["https://openalex.org/W3203052926","https://openalex.org/W4289038676","https://openalex.org/W4324007206","https://openalex.org/W4384304635","https://openalex.org/W4384345660","https://openalex.org/W4384948751","https://openalex.org/W4385080291","https://openalex.org/W4389208725","https://openalex.org/W4402264012"],"related_works":["https://openalex.org/W2749690376","https://openalex.org/W2786317006","https://openalex.org/W4367724653","https://openalex.org/W2788563018","https://openalex.org/W4395962217","https://openalex.org/W2997587123","https://openalex.org/W4281673905","https://openalex.org/W3206385231","https://openalex.org/W1566482460","https://openalex.org/W3118256810"],"abstract_inverted_index":{"Data":[0,90],"binding":[1,16,38,80,99,133,152],"has":[2],"been":[3,197],"widely":[4,140],"adopted":[5],"by":[6],"popular":[7],"web":[8,17,22,30,84,143],"frameworks":[9,31],"due":[10],"to":[11,20,36,44,96,111,119,128,159,178,184,199],"its":[12,26],"convenience":[13],"of":[14,77,169],"automatically":[15],"request":[18],"parameters":[19],"the":[21,50,73,78,106,115,125,179,202],"program's":[23],"properties.":[24],"However,":[25],"improper":[27],"implementation":[28],"in":[29,82],"exposes":[32],"sensitive":[33],"properties,":[34,114,123],"leading":[35],"data":[37,79,98,132,151],"vulnerabilities,":[39],"which":[40],"can":[41,156],"be":[42,157],"exploited":[43,158],"launch":[45,160],"severe":[46],"attacks,":[47],"such":[48],"as":[49],"Spring4Shell":[51],"remote":[52,161],"code":[53,162],"execution.":[54],"Despite":[55],"their":[56],"criticalness,":[57],"these":[58,176],"issues":[59],"are":[60],"overlooked,":[61],"and":[62,124,130,146,148,167,182,192],"there":[63],"is":[64],"no":[65],"systematic":[66],"study":[67],"addressing":[68],"them.":[69,186],"This":[70],"paper":[71],"presents":[72],"first":[74],"automatic":[75,89],"analysis":[76],"vulnerabilities":[81,155,177],"Java":[83,142],"frameworks.":[85],"We":[86,135,172],"develop":[87],"an":[88],"bInding":[91],"Vulnerabilities":[92],"dEtectoR,":[93],"named":[94],"DIVER,":[95],"analyze":[97],"vulnerabilities.":[100,134,153],"DIVER":[101,137],"employs":[102],"three":[103],"new":[104,188],"techniques:":[105],"Nested":[107],"Property":[108],"Graph-based":[109],"Extraction":[110],"extract":[112],"nested":[113,122],"Bind-Site":[116],"Instrumentation-based":[117],"Identification":[118],"identify":[120],"bindable":[121],"Property-aware":[126],"Fuzzing":[127],"trigger":[129],"detect":[131],"evaluated":[136],"on":[138],"two":[139],"used":[141],"frameworks,":[144],"Spring":[145],"Grails,":[147],"discovered":[149],"81":[150],"These":[154],"execution,":[163],"arbitrary":[164],"file":[165],"read,":[166],"denial":[168],"service":[170],"attacks.":[171],"have":[173,196],"responsibly":[174],"reported":[175],"corresponding":[180],"teams":[181],"helped":[183],"fix":[185],"Three":[187],"CVEs":[189],"with":[190],"critical":[191],"high":[193],"severity":[194],"ratings":[195],"assigned":[198],"us,":[200],"including":[201],"infamous":[203],"Spring4Shell.":[204]},"counts_by_year":[],"updated_date":"2025-12-27T23:08:20.325037","created_date":"2025-10-10T00:00:00"}