References
[1] S. Kamkar, “I’m popular,” 2005, description and technical explanation of the JS.Spacehero (a.k.a. “Samy”) MySpace worm. [Online]. Available: http://namb.la/popular
[2] OECD Directorate for Science, Technology and Industry, Participative Web and User-Created Content: Web 2.0, Wikis and Social Networking. OECD Publishing, Oct. 2007, ch. 2, pp. 19–25.
[3] B. Newton, “The hyper-growth of web 2.0 applications,” Mar. 2008, seminar. [Online]. Available: http://www.innominds.com/webinar.html
[4] R. Hansen, “XSS (cross site scripting) cheat sheet esp: for filter evasion,” 2008. [Online]. Available: http://ha.ckers.org/xss.html
[5] T. Jim, N. Swamy, and M. Hicks, “Defeating script injection attacks with browser-enforced embedded policies,” in 16th International World Wide Web Conference, Banff, AB, Canada, May 2007.
[6] World Wide Web Consortium, “Document object model (DOM) level 2 core specification,” Nov. 2000. [Online]. Available: http://www.w3.org/TR/DOM-Level-2-Core/
[7] E. Z. Yang, “HTML Purifier.” [Online]. Available: http://htmlpurifier.org
[8] ——, “HTML Purifier: Default whitelist.” [Online]. Available: http://htmlpurifier.org/live/smoketests/printDefinition.php
[9] S. Josefsson, “The Base16, Base32, and Base64 data encodings,” Jul. 2003, RFC 3548. [Online]. Available: http://tools.ietf.org/html/rfc3548
[10] M. Wallent, “About dynamic properties,” 1998. [Online]. Available: http://msdn.microsoft.com/en-us/library/ms537634.aspx
[11] T. Berners-Lee, R. Fielding, and L. Masinter, “Uniform resource identifier (URI): Generic syntax,” Jan. 2005, RFC 3986. [Online]. Available: http://tools.ietf.org/html/rfc3986
[12] M. Ter Louw and V. N. Venkatakrishnan, “Blueprint: Robust prevention of cross-site scripting attacks for existing browsers,” University of Illinois at Chicago, Tech. Rep., May 2009.
[13] Wikipedia contributors, “Same origin policy,” Feb. 2008. [Online]. Available: http://en.wikipedia.org/w/index.php?title=Same_origin_policy&oldid=190222964
[14] World Wide Web Consortium, “HTML 4.01 specification,” Dec. 1999. [Online]. Available: http://www.w3.org/TR/html4/
[15] W. Xu, S. Bhatkar, and R. Sekar, “Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks,” in 15th USENIX Security Symposium, Vancouver, BC, Canada, Aug. 2006.
[16] Net Applications, “Browser version market share,” statistics for Q4 2008. [Online]. Available: http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2&qptimeframe=Q&qpsp=39
[17] Wikipedia contributors, “2005 Azores subtropical storm,” Nov. 2008. [Online]. Available: http://en.wikipedia.org/w/index.php?title=2005_Azores_subtropical_storm&oldid=243545716
[18] D. Kierznowski, “WordPress persistent XSS,” Dec. 2006. [Online]. Available: http://michaeldaw.org/md-hacks/wordpress-persistent-xss/
[19] V. B. Livshits and M. S. Lam, “Finding security errors in Java programs with static analysis,” in 14th USENIX Security Symposium, Baltimore, MD, USA, Jul. 2005, pp. 271–286.
[20] Y. Xie and A. Aiken, “Static detection of security vulnerabilities in scripting languages,” in 15th USENIX Security Symposium, Vancouver, BC, Canada, Aug. 2006.
[21] N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: A static analysis tool for detecting web application vulnerabilities,” in IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 2006.
[22] G. Wassermann and Z. Su, “Static detection of cross-site scripting vulnerabilities,” in 30th International Conference on Software Engineering, Leipzig, Germany, May 2008.
[23] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, C. Kruegel, E. Kirda, and G. Vigna, “Saner: Composing static and dynamic analysis to validate sanitization in web applications,” in IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 2008.
[24] D. Wagner, “Answers to homework #1,” 2008. [Online]. Available: http://www.cs.berkeley.edu/~daw/teaching/cs261-f08/hws/hw1sol.html
[25] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic, “Noxes: A client-side solution for mitigating cross-site scripting attacks,” in 21st Annual ACM Symposium on Applied Computing, Dijon, France, Apr. 2006.
[26] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna, “Cross-site scripting prevention with dynamic data tainting and static analysis,” in 14th Annual Network & Distributed System Security Symposium, San Diego, CA, USA, Feb. 2007.
[27] D. Ross, “IE 8 XSS filter architecture / implementation,” Aug. 2008. [Online]. Available: http://blogs.technet.com/swi/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx
[28] G. Maone, “NoScript features: Anti-XSS protection.” [Online]. Available: http://noscript.net/features#xss
[29] M. Johns, B. Engelmann, and J. Posegga, “XSSDS: Server-side detection of cross-site scripting attacks,” in 24th Annual Computer Security Applications Conference, Anaheim, CA, USA, Dec. 2008.
[30] R. Sekar, “An efficient black-box technique for defeating web application attacks,” in 16th Annual Network & Distributed System Security Symposium, San Diego, CA, USA, Feb. 2009.
[31] A. Felt, P. Hooimeijer, D. Evans, and W. Weimer, “Talking to strangers without taking their candy: Isolating proxied content,” in 1st International Workshop on Social Network Systems, Glasgow, Scotland, Apr. 2008.
[32] P. Saxena, D. Song, and Y. Nadji, “Document structure integrity: A robust basis for cross-site scripting defense,” in 16th Annual Network & Distributed System Security Symposium, San Diego, CA, USA, Feb. 2009.
[33] M. Van Gundy and H. Chen, “Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks,” in 16th Annual Network & Distributed System Security Symposium, San Diego, CA, USA, Feb. 2009.
[34] M. Ter Louw, P. Bisht, and V. N. Venkatakrishnan, “Analysis of hypertext isolation techniques for cross-site scripting prevention,” in 2nd Workshop in Web 2.0 Security and Privacy, Oakland, CA, USA, May 2008.
[35] P. Bisht and V. N. Venkatakrishnan, “XSS-GUARD: Precise dynamic prevention of cross-site scripting attacks,” in 5th Conference on Detection of Intrusions & Malware, and Vulnerability Assessment, Paris, France, Jul. 2008.
[36] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans, “Automatically hardening web applications using precise tainting,” in 22nd IFIP TC 7 Conference on System Modeling and Optimization, Turin, Italy, Jul. 2005.
[37] T. Pietraszek and C. Vanden Berghe, “Defending against injection attacks through context-sensitive string evaluation,” in 8th International Symposium on Recent Advances in Intrusion Detection, Seattle, WA, USA, Sep. 2005.
[38] Z. Su and G. Wassermann, “The essence of command injection attacks in web applications,” in 33rd ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages, Charleston, SC, USA, Jan. 2006.
[39] “PHP input filter,” 2008. [Online]. Available: http://www.phpclasses.org/browse/package/2189.html
[40] [Online]. Available: http://sourceforge.net/projects/kses
[41] “The htmLawed project,” 2008. [Online]. Available: http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php
[42] S. Di Paola, “Preventing XSS with data binding.” [Online]. Available: http://www.wisec.it/sectou.php?id=46c5843ea4900
[43] D. Brettle, “NeatHtml: Displaying untrusted content securely, efficiently, and accessibly,” Jun. 2008, white paper. [Online]. Available: http://www.brettle.com/NeatHtml/docs/Fighting_XSS_with_JavaScript_Judo.html
[44] Google Caja, “A source-to-source translator for securing JavaScript-based web content.” [Online]. Available: http://code.google.com/p/google-caja/
[45] Microsoft Live Labs, “Web Sandbox.” [Online]. Available: http://websandbox.livelabs.com
[46] C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir, “BrowserShield: Vulnerability-driven filtering of dynamic HTML,” in 7th Symposium on Operating Systems Design and Implementation, Seattle, WA, USA, Nov. 2006.
[47] D. Yu, A. Chander, N. Islam, and I. Serikov, “JavaScript instrumentation for browser security,” in 34th Annual ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages, Nice, France, Jan. 2007.
[48] H. Kikuchi, D. Yu, A. Chander, H. Inamura, and I. Serikov, “JavaScript instrumentation in practice,” in 6th Asian Symposium on Programming Languages and Systems, Bangalore, India, Dec. 2008.
[49] Facebook Developers, “Facebook markup language.” [Online]. Available: http://wiki.developers.facebook.com/index.php/FBML
[50] “Facebook JavaScript.” [Online]. Available: http://wiki.developers.facebook.com/index.php/FBJS
[51] A. Felt, “Defacing Facebook: A security case study,” Jul. 2007, white paper. [Online]. Available: http://www.cs.virginia.edu/felt/fbook/facebook-xss.pdf