{"id":"https://openalex.org/W7152910086","doi":"https://doi.org/10.1145/3774904.3792378","title":"Zelda: Feedback-driven Closed-box Fuzzing for Identifying Web Application Vulnerabilities","display_name":"Zelda: Feedback-driven Closed-box Fuzzing for Identifying Web Application Vulnerabilities","publication_year":2026,"publication_date":"2026-04-09","ids":{"openalex":"https://openalex.org/W7152910086","doi":"https://doi.org/10.1145/3774904.3792378"},"language":null,"primary_location":{"id":"doi:10.1145/3774904.3792378","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3774904.3792378","pdf_url":null,"source":null,"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Web Conference 2026","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3774904.3792378","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5133294266","display_name":"Soyoung Lee","orcid":"https://orcid.org/0000-0001-6527-3120"},"institutions":[{"id":"https://openalex.org/I157485424","display_name":"Korea Advanced Institute of Science and Technology","ror":"https://ror.org/05apxxy63","country_code":"KR","type":"education","lineage":["https://openalex.org/I157485424"]}],"countries":["KR"],"is_corresponding":false,"raw_author_name":"Soyoung Lee","raw_affiliation_strings":["Korea Advanced Institute of Science and Technology, Daejeon, Republic of Korea"],"raw_orcid":"https://orcid.org/0000-0001-6527-3120","affiliations":[{"raw_affiliation_string":"Korea Advanced Institute of Science and Technology, Daejeon, Republic of Korea","institution_ids":["https://openalex.org/I157485424"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030789750","display_name":"Sunnyeo Park","orcid":"https://orcid.org/0000-0002-1057-9023"},"institutions":[{"id":"https://openalex.org/I157485424","display_name":"Korea Advanced Institute of Science and Technology","ror":"https://ror.org/05apxxy63","country_code":"KR","type":"education","lineage":["https://openalex.org/I157485424"]}],"countries":["KR"],"is_corresponding":false,"raw_author_name":"Sunnyeo Park","raw_affiliation_strings":["Korea Advanced Institute of Science and Technology, Daejeon, Republic of Korea"],"raw_orcid":"https://orcid.org/0000-0002-1057-9023","affiliations":[{"raw_affiliation_string":"Korea Advanced Institute of Science and Technology, Daejeon, Republic of Korea","institution_ids":["https://openalex.org/I157485424"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5053834185","display_name":"Yonghwi Kwon","orcid":"https://orcid.org/0000-0002-0021-2850"},"institutions":[{"id":"https://openalex.org/I66946132","display_name":"University of Maryland, College Park","ror":"https://ror.org/047s2c258","country_code":"US","type":"education","lineage":["https://openalex.org/I66946132"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Yonghwi Kwon","raw_affiliation_strings":["University of Maryland, College Park, MD, USA"],"raw_orcid":"https://orcid.org/0000-0002-0021-2850","affiliations":[{"raw_affiliation_string":"University of Maryland, College Park, MD, USA","institution_ids":["https://openalex.org/I66946132"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5082893706","display_name":"Sooel Son","orcid":"https://orcid.org/0000-0003-0904-2875"},"institutions":[{"id":"https://openalex.org/I157485424","display_name":"Korea Advanced Institute of Science and Technology","ror":"https://ror.org/05apxxy63","country_code":"KR","type":"education","lineage":["https://openalex.org/I157485424"]}],"countries":["KR"],"is_corresponding":false,"raw_author_name":"Sooel Son","raw_affiliation_strings":["Korea Advanced Institute of Science and Technology, Daejeon, Republic of Korea"],"raw_orcid":"https://orcid.org/0000-0003-0904-2875","affiliations":[{"raw_affiliation_string":"Korea Advanced Institute of Science and Technology, Daejeon, Republic of Korea","institution_ids":["https://openalex.org/I157485424"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.57734728,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"2917","last_page":"2928"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9546999931335449,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9546999931335449,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.013399999588727951,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.006099999882280827,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.5310999751091003},{"id":"https://openalex.org/keywords/fuzz-testing","display_name":"Fuzz testing","score":0.4142000079154968},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.3610000014305115},{"id":"https://openalex.org/keywords/identification","display_name":"Identification (biology)","score":0.3109999895095825},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.2773999869823456}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5932999849319458},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.5310999751091003},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.42660000920295715},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.4142000079154968},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.3610000014305115},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.31839999556541443},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.3109999895095825},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2773999869823456},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.27000001072883606},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.25279998779296875},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.25110000371932983}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3774904.3792378","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3774904.3792378","pdf_url":null,"source":null,"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Web Conference 2026","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3774904.3792378","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3774904.3792378","pdf_url":null,"source":null,"license":"cc-by-nc-nd","license_id":"https://openalex.org/licenses/cc-by-nc-nd","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Web Conference 2026","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":30,"referenced_works":["https://openalex.org/W1983142587","https://openalex.org/W1991074244","https://openalex.org/W2086631206","https://openalex.org/W2132791332","https://openalex.org/W2134646643","https://openalex.org/W2149801502","https://openalex.org/W2506054414","https://openalex.org/W2517087431","https://openalex.org/W2535617737","https://openalex.org/W2539382385","https://openalex.org/W2574017551","https://openalex.org/W2613534458","https://openalex.org/W2732351623","https://openalex.org/W2741068848","https://openalex.org/W2746644282","https://openalex.org/W2790761820","https://openalex.org/W2806746626","https://openalex.org/W2891060526","https://openalex.org/W2979357014","https://openalex.org/W3095708133","https://openalex.org/W3136918966","https://openalex.org/W3203052926","https://openalex.org/W3207946245","https://openalex.org/W3212238191","https://openalex.org/W4224317173","https://openalex.org/W4224323202","https://openalex.org/W4225999506","https://openalex.org/W4293235803","https://openalex.org/W4311166005","https://openalex.org/W4384948751"],"related_works":[],"abstract_inverted_index":{"Despite":[0],"its":[1],"practical":[2,128],"impact,":[3],"closed-box":[4,18,50,68],"fuzzing":[5,79],"on":[6,95],"web":[7,19,51,64,129,139],"applications":[8,113],"remains":[9],"understudied.":[10],"This":[11],"paper":[12],"investigates":[13],"two":[14,84],"fundamental":[15],"limitations":[16],"of":[17,30],"fuzzing:":[20],"(1)":[21],"limited":[22],"input":[23,86],"space":[24],"exploration":[25,91,97],"due":[26],"to":[27,54,76],"the":[28,41,78,96,142],"lack":[29],"a":[31,48,67,73],"feedback":[32,61,74,121],"mechanism,":[33],"and":[34,92,105,114,123],"(2)":[35],"ineffective":[36],"exploitation":[37],"strategies":[38,88,124],"caused":[39],"by":[40],"shallow":[42],"vulnerability":[43,106,130],"identification.":[44,107],"We":[45,81],"propose":[46],"Zelda,":[47],"novel":[49],"fuzzer":[52],"designed":[53],"address":[55],"these":[56],"limitations.":[57],"Specifically,":[58],"we":[59],"infer":[60],"signals":[62],"from":[63],"responses":[65],"in":[66,127],"testing":[69],"environment,":[70],"thereby":[71],"deriving":[72],"mechanism":[75,122],"guide":[77],"process.":[80],"then":[82],"coordinate":[83],"distinct":[85],"generation":[87],"for":[89],"path":[90],"exploitation,":[93],"based":[94],"stage,":[98],"which":[99],"facilitates":[100],"both":[101],"in-page":[102],"code":[103],"coverage":[104],"Our":[108],"evaluation":[109],"across":[110],"15":[111],"real-world":[112],"nine":[115],"benchmark":[116],"sets":[117],"demonstrates":[118],"that":[119,150],"Zelda's":[120],"are":[125],"effective":[126],"discovery.":[131],"Zelda":[132,144],"uncovered":[133],"182":[134],"vulnerabilities,":[135],"outperforming":[136],"six":[137],"state-of-the-art":[138],"fuzzers.":[140],"In":[141],"wild,":[143],"further":[145],"discovered":[146],"previously":[147],"unreported":[148],"vulnerabilities":[149],"received":[151],"29":[152],"CVE":[153],"assignments.":[154]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-04-10T00:00:00"}