{"id":"https://openalex.org/W2117353399","doi":"https://doi.org/10.3233/jcs-2009-0385","title":"Static analysis for detecting taint-style vulnerabilities in web applications","display_name":"Static analysis for detecting taint-style vulnerabilities in web applications","publication_year":2010,"publication_date":"2010-08-16","ids":{"openalex":"https://openalex.org/W2117353399","doi":"https://doi.org/10.3233/jcs-2009-0385","mag":"2117353399"},"language":"en","primary_location":{"id":"doi:10.3233/jcs-2009-0385","is_oa":false,"landing_page_url":"https://doi.org/10.3233/jcs-2009-0385","pdf_url":null,"source":{"id":"https://openalex.org/S106992369","display_name":"Journal of Computer Security","issn_l":"0926-227X","issn":["0926-227X","1875-8924"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310318577","host_organization_name":"IOS Press","host_organization_lineage":["https://openalex.org/P4310318577"],"host_organization_lineage_names":["IOS Press"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Computer Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5080797120","display_name":"Nenad Jovanovi\u0107","orcid":"https://orcid.org/0000-0002-8872-7516"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Nenad Jovanovic","raw_affiliation_strings":["Secure Systems Lab, Technical University Vienna, Vienna, Austria","Secure Systems Lab, Technical University Vienna, Vienna, Austria. E-mail: enji@seclab.tuwien.ac.at#TAB#"],"affiliations":[{"raw_affiliation_string":"Secure Systems Lab, Technical University Vienna, Vienna, Austria","institution_ids":[]},{"raw_affiliation_string":"Secure Systems Lab, Technical University Vienna, Vienna, Austria. E-mail: enji@seclab.tuwien.ac.at#TAB#","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5022177364","display_name":"Christopher Kruegel","orcid":"https://orcid.org/0000-0001-5140-3414"},"institutions":[{"id":"https://openalex.org/I154570441","display_name":"University of California, Santa Barbara","ror":"https://ror.org/02t274463","country_code":"US","type":"education","lineage":["https://openalex.org/I154570441"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Christopher Kruegel","raw_affiliation_strings":["UC Santa Barbara, CA, USA","(Correspd. Tel.: +1 805 893 6198; Fax: +1 805 893 8553; E-mail: chris@cs.ucsb.edu) UC Santa Barbara, CA, USA. E-mail: chris@cs.ucsb.edu#TAB#"],"affiliations":[{"raw_affiliation_string":"UC Santa Barbara, CA, USA","institution_ids":["https://openalex.org/I154570441"]},{"raw_affiliation_string":"(Correspd. Tel.: +1 805 893 6198; Fax: +1 805 893 8553; E-mail: chris@cs.ucsb.edu) UC Santa Barbara, CA, USA. E-mail: chris@cs.ucsb.edu#TAB#","institution_ids":["https://openalex.org/I154570441"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5077875821","display_name":"Engin Kirda","orcid":"https://orcid.org/0000-0001-9988-6873"},"institutions":[{"id":"https://openalex.org/I1902872","display_name":"EURECOM","ror":"https://ror.org/00sse7z02","country_code":"FR","type":"education","lineage":["https://openalex.org/I1902872","https://openalex.org/I205703379"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Engin Kirda","raw_affiliation_strings":["Institut Eurecom, Sophia Antipolis, France","Institut Eurecom, Sophia Antipolis, France. E-mail: kirda@eurecom.fr"],"affiliations":[{"raw_affiliation_string":"Institut Eurecom, Sophia Antipolis, France","institution_ids":["https://openalex.org/I1902872"]},{"raw_affiliation_string":"Institut Eurecom, Sophia Antipolis, France. E-mail: kirda@eurecom.fr","institution_ids":["https://openalex.org/I1902872"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5022177364"],"corresponding_institution_ids":["https://openalex.org/I154570441"],"apc_list":null,"apc_paid":null,"fwci":9.2841,"has_fulltext":false,"cited_by_count":68,"citation_normalized_percentile":{"value":0.97744274,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":95,"max":99},"biblio":{"volume":"18","issue":"5","first_page":"861","last_page":"907"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9945999979972839,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9786999821662903,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/cross-site-scripting","display_name":"Cross-site scripting","score":0.9222520589828491},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.9035685658454895},{"id":"https://openalex.org/keywords/sql-injection","display_name":"SQL injection","score":0.8797776699066162},{"id":"https://openalex.org/keywords/taint-checking","display_name":"Taint checking","score":0.8297210931777954},{"id":"https://openalex.org/keywords/scripting-language","display_name":"Scripting language","score":0.718315064907074},{"id":"https://openalex.org/keywords/static-analysis","display_name":"Static analysis","score":0.6469576358795166},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.5397272109985352},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.5202787518501282},{"id":"https://openalex.org/keywords/sql","display_name":"SQL","score":0.49854326248168945},{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.4779398739337921},{"id":"https://openalex.org/keywords/static-program-analysis","display_name":"Static program analysis","score":0.47066056728363037},{"id":"https://openalex.org/keywords/web-application-security","display_name":"Web application security","score":0.4603135287761688},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.4384801685810089},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.4007505178451538},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.3737300634384155},{"id":"https://openalex.org/keywords/web-service","display_name":"Web service","score":0.2933744490146637},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.2884637713432312},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.2670128643512726},{"id":"https://openalex.org/keywords/web-development","display_name":"Web development","score":0.15534856915473938},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.1226775050163269},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.09995099902153015}],"concepts":[{"id":"https://openalex.org/C39569185","wikidata":"https://www.wikidata.org/wiki/Q371199","display_name":"Cross-site scripting","level":5,"score":0.9222520589828491},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.9035685658454895},{"id":"https://openalex.org/C150451098","wikidata":"https://www.wikidata.org/wiki/Q506059","display_name":"SQL injection","level":5,"score":0.8797776699066162},{"id":"https://openalex.org/C63116202","wikidata":"https://www.wikidata.org/wiki/Q7676227","display_name":"Taint checking","level":3,"score":0.8297210931777954},{"id":"https://openalex.org/C61423126","wikidata":"https://www.wikidata.org/wiki/Q187432","display_name":"Scripting language","level":2,"score":0.718315064907074},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.6469576358795166},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.5397272109985352},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.5202787518501282},{"id":"https://openalex.org/C510870499","wikidata":"https://www.wikidata.org/wiki/Q47607","display_name":"SQL","level":2,"score":0.49854326248168945},{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.4779398739337921},{"id":"https://openalex.org/C137287247","wikidata":"https://www.wikidata.org/wiki/Q1329550","display_name":"Static program analysis","level":4,"score":0.47066056728363037},{"id":"https://openalex.org/C59241245","wikidata":"https://www.wikidata.org/wiki/Q4781497","display_name":"Web application security","level":4,"score":0.4603135287761688},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.4384801685810089},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.4007505178451538},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.3737300634384155},{"id":"https://openalex.org/C35578498","wikidata":"https://www.wikidata.org/wiki/Q193424","display_name":"Web service","level":2,"score":0.2933744490146637},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.2884637713432312},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.2670128643512726},{"id":"https://openalex.org/C79373723","wikidata":"https://www.wikidata.org/wiki/Q386275","display_name":"Web development","level":3,"score":0.15534856915473938},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.1226775050163269},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.09995099902153015},{"id":"https://openalex.org/C164120249","wikidata":"https://www.wikidata.org/wiki/Q995982","display_name":"Web search query","level":3,"score":0.0},{"id":"https://openalex.org/C194222762","wikidata":"https://www.wikidata.org/wiki/Q114486","display_name":"Query by Example","level":4,"score":0.0},{"id":"https://openalex.org/C86803240","wikidata":"https://www.wikidata.org/wiki/Q420","display_name":"Biology","level":0,"score":0.0},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.0},{"id":"https://openalex.org/C97854310","wikidata":"https://www.wikidata.org/wiki/Q19541","display_name":"Search engine","level":2,"score":0.0},{"id":"https://openalex.org/C151730666","wikidata":"https://www.wikidata.org/wiki/Q7205","display_name":"Paleontology","level":1,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.3233/jcs-2009-0385","is_oa":false,"landing_page_url":"https://doi.org/10.3233/jcs-2009-0385","pdf_url":null,"source":{"id":"https://openalex.org/S106992369","display_name":"Journal of Computer Security","issn_l":"0926-227X","issn":["0926-227X","1875-8924"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310318577","host_organization_name":"IOS Press","host_organization_lineage":["https://openalex.org/P4310318577"],"host_organization_lineage_names":["IOS Press"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Journal of Computer Security","raw_type":"journal-article"},{"id":"pmh:oai:CiteSeerX.psu:10.1.1.174.8874","is_oa":false,"landing_page_url":"http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.174.8874","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"http://www.iseclab.org/papers/jcs10_pixy.pdf","raw_type":"text"},{"id":"pmh:oai:fr.eurecom:3237","is_oa":false,"landing_page_url":"http://www.eurecom.fr/publication/3237","pdf_url":null,"source":{"id":"https://openalex.org/S4377196942","display_name":"Graduate School and Research Center in Digital Science (EURECOM)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I1902872","host_organization_name":"EURECOM","host_organization_lineage":["https://openalex.org/I1902872"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Journal of Computer Security, Vol 18, N\u00b05, August 2010","raw_type":"Journal"}],"best_oa_location":null,"sustainable_development_goals":[{"display_name":"Reduced inequalities","id":"https://metadata.un.org/sdg/10","score":0.4099999964237213}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":38,"referenced_works":["https://openalex.org/W109951691","https://openalex.org/W145782308","https://openalex.org/W148396834","https://openalex.org/W582263236","https://openalex.org/W1491178396","https://openalex.org/W1505465226","https://openalex.org/W1511560695","https://openalex.org/W1553894716","https://openalex.org/W1565113942","https://openalex.org/W1600965014","https://openalex.org/W1809751277","https://openalex.org/W1963569294","https://openalex.org/W1975914482","https://openalex.org/W1983142587","https://openalex.org/W2001693166","https://openalex.org/W2003115932","https://openalex.org/W2008158744","https://openalex.org/W2043811931","https://openalex.org/W2046699259","https://openalex.org/W2050320220","https://openalex.org/W2066859698","https://openalex.org/W2085925880","https://openalex.org/W2087612811","https://openalex.org/W2095115578","https://openalex.org/W2107604680","https://openalex.org/W2114067856","https://openalex.org/W2114808014","https://openalex.org/W2124153277","https://openalex.org/W2128345802","https://openalex.org/W2131135493","https://openalex.org/W2144696387","https://openalex.org/W2148001343","https://openalex.org/W2149237601","https://openalex.org/W2158600037","https://openalex.org/W2162316255","https://openalex.org/W2613359208","https://openalex.org/W2914074464","https://openalex.org/W4285719527"],"related_works":["https://openalex.org/W2766465278","https://openalex.org/W2326347010","https://openalex.org/W2167752994","https://openalex.org/W2955734438","https://openalex.org/W2504194819","https://openalex.org/W2117353399","https://openalex.org/W2407701912","https://openalex.org/W1982746004","https://openalex.org/W4256450364","https://openalex.org/W2184634743"],"abstract_inverted_index":{"The":[0,141],"number":[1,208,231],"and":[2,21,40,74,120,135,153,171,191,214],"the":[3,12,16,19,42,55,89,93,106,118,123,147,159,176,200,222,229],"importance":[4],"of":[5,23,57,63,95,122,138,150,161,202,209,217,232],"web":[6,59,212],"applications":[7,28,60,213],"have":[8,29],"increased":[9],"rapidly":[10],"over":[11],"last":[13],"years.":[14],"At":[15],"same":[17],"time,":[18],"quantity":[20,121],"impact":[22],"security":[24,246],"vulnerabilities":[25,152,194],"in":[26,83,112,179,195],"such":[27,164],"grown":[30],"as":[31,165,226,228],"well.":[32],"Since":[33],"manual":[34],"code":[35,66],"reviews":[36],"are":[37,144],"time-consuming,":[38],"error-prone":[39],"costly,":[41],"need":[43],"for":[44,133,243],"automated":[45],"solutions":[46],"has":[47],"become":[48],"evident.":[49],"In":[50,86],"this":[51],"paper,":[52],"we":[53,70,98,116,205],"address":[54],"problem":[56],"vulnerable":[58,81],"by":[61,127],"means":[62],"static":[64,183],"source":[65],"analysis.":[67],"More":[68],"precisely,":[69],"use":[71],"flow-sensitive,":[72],"interprocedural":[73],"context-sensitive":[75],"data":[76],"flow":[77],"analysis":[78,91,103,184,224],"to":[79,88,158],"discover":[80],"points":[82],"a":[84,100,181,207],"program.":[85],"addition":[87],"taint":[90],"at":[92,105,146,187],"core":[94],"our":[96,203,238],"engine,":[97],"employ":[99],"precise":[101,136],"alias":[102],"targeted":[104,145],"unique":[107],"reference":[108],"semantics":[109],"commonly":[110],"found":[111],"scripting":[113,169,190],"languages.":[114],"Moreover,":[115],"enhance":[117],"quality":[119],"generated":[124,233],"vulnerability":[125,162],"reports":[126],"employing":[128],"an":[129],"iterative":[130],"two-phase":[131],"algorithm":[132],"fast":[134],"resolution":[137],"file":[139],"inclusions.":[140],"presented":[142,177],"concepts":[143,178],"general":[148],"class":[149],"taint-style":[151],"can":[154,240],"be":[155,241],"easily":[156],"applied":[157],"detection":[160],"types":[163],"SQL":[166,192],"injection,":[167],"cross-site":[168,189],"(XSS),":[170],"command":[172],"injection.":[173],"We":[174],"implemented":[175],"Pixy,":[180],"high-precision":[182],"tool":[185],"aimed":[186],"detecting":[188],"injection":[193],"PHP":[196],"programs.":[197],"To":[198],"demonstrate":[199],"effectiveness":[201],"techniques,":[204],"analyzed":[206],"popular,":[210],"open-source":[211],"discovered":[215],"hundreds":[216],"previously":[218],"unknown":[219],"vulnerabilities.":[220],"Both":[221],"high":[223],"speed":[225],"well":[227],"low":[230],"false":[234],"positives":[235],"show":[236],"that":[237],"techniques":[239],"used":[242],"conducting":[244],"effective":[245],"audits.":[247]},"counts_by_year":[{"year":2025,"cited_by_count":4},{"year":2023,"cited_by_count":4},{"year":2022,"cited_by_count":4},{"year":2021,"cited_by_count":3},{"year":2020,"cited_by_count":4},{"year":2019,"cited_by_count":4},{"year":2018,"cited_by_count":5},{"year":2017,"cited_by_count":4},{"year":2016,"cited_by_count":9},{"year":2015,"cited_by_count":5},{"year":2014,"cited_by_count":9},{"year":2013,"cited_by_count":5},{"year":2012,"cited_by_count":7}],"updated_date":"2026-04-05T17:49:38.594831","created_date":"2025-10-10T00:00:00"}