{"id":"https://openalex.org/W7152619783","doi":"https://doi.org/10.1145/3774904.3792517","title":"SPCA: Stream Parser Confusion Attack for Web Application Firewall Evasion in HTTP/2","display_name":"SPCA: Stream Parser Confusion Attack for Web Application Firewall Evasion in HTTP/2","publication_year":2026,"publication_date":"2026-04-09","ids":{"openalex":"https://openalex.org/W7152619783","doi":"https://doi.org/10.1145/3774904.3792517"},"language":null,"primary_location":{"id":"doi:10.1145/3774904.3792517","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3774904.3792517","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Web Conference 2026","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3774904.3792517","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5114095722","display_name":"Kyungrok Choi","orcid":null},"institutions":[{"id":"https://openalex.org/I197347611","display_name":"Korea University","ror":"https://ror.org/047dqcg40","country_code":"KR","type":"education","lineage":["https://openalex.org/I197347611"]}],"countries":["KR"],"is_corresponding":false,"raw_author_name":"Kyungrok Choi","raw_affiliation_strings":["Computer Science and Engineering, Korea University, Seoul, Republic of Korea"],"raw_orcid":"https://orcid.org/0009-0007-1014-1586","affiliations":[{"raw_affiliation_string":"Computer Science and Engineering, Korea University, Seoul, Republic of Korea","institution_ids":["https://openalex.org/I197347611"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5089897667","display_name":"W. Lee","orcid":"https://orcid.org/0000-0002-9984-6879"},"institutions":[{"id":"https://openalex.org/I197347611","display_name":"Korea University","ror":"https://ror.org/047dqcg40","country_code":"KR","type":"education","lineage":["https://openalex.org/I197347611"]}],"countries":["KR"],"is_corresponding":false,"raw_author_name":"Woonghee Lee","raw_affiliation_strings":["Computer Science and Engineering, Korea University, Seoul, Republic of Korea"],"raw_orcid":"https://orcid.org/0000-0002-9984-6879","affiliations":[{"raw_affiliation_string":"Computer Science and Engineering, Korea University, Seoul, Republic of Korea","institution_ids":["https://openalex.org/I197347611"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5059902523","display_name":"Junbeom Hur","orcid":"https://orcid.org/0000-0002-4823-4194"},"institutions":[{"id":"https://openalex.org/I197347611","display_name":"Korea University","ror":"https://ror.org/047dqcg40","country_code":"KR","type":"education","lineage":["https://openalex.org/I197347611"]}],"countries":["KR"],"is_corresponding":false,"raw_author_name":"Junbeom Hur","raw_affiliation_strings":["Computer Science and Engineering, Korea University, Seoul, Republic of Korea"],"raw_orcid":"https://orcid.org/0000-0002-4823-4194","affiliations":[{"raw_affiliation_string":"Computer Science and Engineering, Korea University, Seoul, Republic of Korea","institution_ids":["https://openalex.org/I197347611"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":1,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I197347611"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.46708219,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"3229","last_page":"3239"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.24320000410079956,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.24320000410079956,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.18719999492168427,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.16130000352859497,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/firewall","display_name":"Firewall (physics)","score":0.6177999973297119},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.588699996471405},{"id":"https://openalex.org/keywords/evasion","display_name":"Evasion (ethics)","score":0.5684999823570251},{"id":"https://openalex.org/keywords/confusion","display_name":"Confusion","score":0.5485000014305115},{"id":"https://openalex.org/keywords/parsing","display_name":"Parsing","score":0.48330000042915344},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.3797000050544739}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7455999851226807},{"id":"https://openalex.org/C77714075","wikidata":"https://www.wikidata.org/wiki/Q5452017","display_name":"Firewall (physics)","level":5,"score":0.6177999973297119},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.597599983215332},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.588699996471405},{"id":"https://openalex.org/C2781251061","wikidata":"https://www.wikidata.org/wiki/Q5416089","display_name":"Evasion (ethics)","level":3,"score":0.5684999823570251},{"id":"https://openalex.org/C2781140086","wikidata":"https://www.wikidata.org/wiki/Q557945","display_name":"Confusion","level":2,"score":0.5485000014305115},{"id":"https://openalex.org/C186644900","wikidata":"https://www.wikidata.org/wiki/Q194152","display_name":"Parsing","level":2,"score":0.48330000042915344},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.3797000050544739},{"id":"https://openalex.org/C11392498","wikidata":"https://www.wikidata.org/wiki/Q11288","display_name":"Web server","level":3,"score":0.3345000147819519},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.29499998688697815},{"id":"https://openalex.org/C2985371682","wikidata":"https://www.wikidata.org/wiki/Q11135","display_name":"Ip address","level":2,"score":0.289000004529953},{"id":"https://openalex.org/C86444895","wikidata":"https://www.wikidata.org/wiki/Q451816","display_name":"Application firewall","level":4,"score":0.2849999964237213},{"id":"https://openalex.org/C2983909278","wikidata":"https://www.wikidata.org/wiki/Q6368","display_name":"Web browser","level":3,"score":0.27309998869895935},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.26260000467300415}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3774904.3792517","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3774904.3792517","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Web Conference 2026","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3774904.3792517","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3774904.3792517","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Web Conference 2026","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":17,"referenced_works":["https://openalex.org/W2169231127","https://openalex.org/W2797707263","https://openalex.org/W2810065972","https://openalex.org/W2999097465","https://openalex.org/W4214813133","https://openalex.org/W4220830491","https://openalex.org/W4286297387","https://openalex.org/W4287849789","https://openalex.org/W4307639952","https://openalex.org/W4320496375","https://openalex.org/W4362466275","https://openalex.org/W4390659426","https://openalex.org/W4391724809","https://openalex.org/W4401693813","https://openalex.org/W4402264565","https://openalex.org/W4402278186","https://openalex.org/W4402957841"],"related_works":[],"abstract_inverted_index":{"Web":[0],"Application":[1],"Firewalls":[2],"(WAFs)":[3],"are":[4],"widely":[5],"deployed":[6],"as":[7],"a":[8,31,47,156,163],"primary":[9],"defense":[10],"mechanism":[11],"against":[12,144,199],"injection-based":[13],"web":[14,153],"attacks":[15],"by":[16,129],"inspecting":[17],"HTTP":[18],"traffic":[19,225],"for":[20,169,174,180],"malicious":[21,87,132],"patterns.":[22,118],"However,":[23],"structural":[24,111],"inconsistencies":[25],"in":[26,60,114,155,223],"HTTP/2":[27,58,116],"stream":[28,62,78,104],"parsing":[29],"introduce":[30],"protocol-level":[32],"attack":[33,187],"surface":[34],"that":[35,51,208],"remains":[36],"insufficiently":[37],"examined.":[38],"We":[39,140,227],"propose":[40],"the":[41,94,170,175,181,185,191,200,230,241],"Stream":[42],"Parser":[43],"Confusion":[44],"Attack":[45],"(SPCA),":[46],"novel":[48],"evasion":[49],"technique":[50],"exploits":[52],"discrepancies":[53],"between":[54],"WAFs":[55,149],"and":[56,64,81,96,107,147,150,178,202,237],"backend":[57,152],"servers":[59],"processing":[61],"dependencies":[63],"priorities.":[65],"SPCA":[66],"operates":[67],"without":[68],"altering":[69],"payload":[70],"content,":[71],"relying":[72],"solely":[73],"on":[74,197],"RFC-compliant":[75],"manipulation":[76,211],"of":[77,98,123,167,240],"priority":[79,138],"weights":[80],"dependency":[82],"trees":[83],"to":[84,214,233],"deliver":[85],"unmodified":[86],"inputs":[88],"past":[89],"WAF":[90],"inspection.":[91,226],"To":[92],"evaluate":[93],"feasibility":[95],"generality":[97],"SPCA,":[99],"we":[100],"design":[101],"three":[102,189],"well-defined":[103],"topologies\u2014skewed,":[105],"k-ary,":[106],"unbalanced\u2014each":[108],"capturing":[109],"unique":[110],"traits":[112],"observed":[113],"real-world":[115],"scheduling":[117],"Each":[119,159],"topology's":[120],"dataset":[121],"consists":[122],"500":[124],"structurally":[125],"distinct":[126,137],"requests,":[127],"derived":[128],"embedding":[130],"100":[131],"test":[133],"cases":[134],"across":[135],"five":[136],"levels.":[139],"transmit":[141],"these":[142],"requests":[143],"13":[145],"commercial":[146,203],"open-source":[148,201],"20":[151],"frameworks":[154],"black-box":[157],"setting.":[158],"topology":[160],"individually":[161],"achieves":[162],"bypass":[164,216],"success":[165,193],"rate":[166,194],"49.66%":[168],"skewed":[171],"tree,":[172,177],"44.62%":[173],"k-ary":[176],"46.38%":[179],"unbalanced":[182],"tree.":[183],"Under":[184],"concurrent":[186],"with":[188],"topologies,":[190],"overall":[192],"exceeds":[195],"89%":[196],"average":[198],"WAFs.":[204],"These":[205],"findings":[206],"demonstrate":[207],"structure-only":[209],"protocol-compliant":[210],"is":[212],"sufficient":[213],"systematically":[215],"modern":[217],"WAFs,":[218],"revealing":[219],"critical":[220],"blind":[221],"spots":[222],"HTTP/2-aware":[224],"responsibly":[228],"disclosed":[229],"identified":[231],"issues":[232],"all":[234],"affected":[235],"vendors":[236],"received":[238],"acknowledgments":[239],"disclosures.":[242]},"counts_by_year":[],"updated_date":"2026-06-26T08:34:08.712188","created_date":"2026-04-10T00:00:00"}
