[1] Adbrite. http://www.adbrite.com.
[2] Malicious HTML tags embedded in client web
requests. CERT Advisory CA–2000–02, February
2000.
[3] Eric Chien. Malicious Yahooligans. Virus Bulletin,
August 2006.
[4] Henry Hanping Feng, Jonathon T. Giffin, Yong
Huang, Somesh Jha, Wenke Lee, and Barton P. Miller.
Formalizing sensitivity in static analysis for intrusion
detection. In Proceedings of the IEEE Symposium on
Security and Privacy, 2004.
[5] Mona Gandhi, Markus Jakobsson, and Jacob
Ratkiewicz. Badvertisements: Stealthy click-fraud
with unwitting accessories. Journal of Digital Forensic
Practice, 1(2), November 2006. Special Issue on
Anti-Phishing and Online Fraud, Part I.
[6] Google web toolkit.
http://code.google.com/webtoolkit/.
[7] O. Hallaraker and G. Vigna. Detecting malicious
JavaScript code in Mozilla. In Proceedings of the IEEE
International Conference on Engineering of Complex
Computer Systems (ICECCS), June 2005.
WWW 2007 / Track: Security, Privacy, Reliability, and Ethics Session: Defending Against Emerging Threats
[8] Hop home page. http://hop.inria.fr/.
[9] Collin Jackson, Andrew Bortz, Dan Boneh, and
John C. Mitchell. Protecting browser state from web
privacy attacks. In Proceedings of the 15th ACM
World Wide Web Conference, 2006.
[10] Trevor Jim, Nikhil Swamy, and Michael Hicks. BEEP:
Browser-enforced embedded policies.
http://www.research.att.com/ trevor/beep.html.
[11] Nenad Jovanovic, Christopher Kruegel, and Engin
Kirda. Precise alias analysis for static detection of web
application vulnerabilities. In Proceedings of the
Workshop on Programming Languages and Analysis
for Security (PLAS), 2006.
[12] Paj’s Home: Cryptography.
http://www.pajhome.org.uk/crypt/index.html.
[13] Engin Kirda, Christopher Kruegel, Giovanni Vigna,
and Nenad Jovanovic. Noxes: A client-side solution for
mitigating cross-site scripting attacks. In Proceedings
of the 21st ACM Symposium on Applied Computing
(SAC), Security Track, 2006.
[14] Amit Klein. DOM based cross site scripting or XSS of
the third kind. http://www.webappsec.org/
projects/articles/071105.shtml, July 2005.
[15] Shriram Krishnamurthi. The CONTINUE server (or,
how i administered PADL 2002 and 2003). In V. Dahl
and P. Wadler, editors, PADL, volume 2562 of Lecture
Notes in Computer Science. Springer, 2003.
[16] V. T. Lam, S. Antonatos, P. Akritidis, and K. G.
Anagnostakis. Puppetnets: Misusing web browsers as
a distributed attack infrastructure. In Proceedings of
the ACM Conference on Computer and
Communications Security, 2006.
[17] Jay Ligatti, Lujo Bauer, and David Walker. Edit
automata: Enforcement mechanisms for run-time
security policies. International Journal of Information
Security, 4(2):2–16, February 2005.
[18] Links: Linking theory to practice for the web.
http://groups.inf.ed.ac.uk/links/.
[19] Gervase Markham. Content restrictions. http:
//www.gerv.net/security/content-restrictions/,
January 2006. Version 0.6.
[20] MITRE. Common vulnerabilities and exposures.
http://cve.mitre.org.
[21] Anh Nguyen-Tuong, Salvatore Guarnieri, Doug
Greene, Jeff Shirley, and David Evans. Automatically
hardening web applications using precise tainting. In
Proceedings of the 20th IFIP International
Information Security Conference, 2005.
[22] Les Orchard. S3AjaxWiki.
http://decafbad.com/trac/wiki/S3Ajax.
[23] Tadeusz Pietraszek and Chris Vanden Berghe.
Defending against injection attacks through
context-sensitive string evaluation. In Recent Advances
in Intrusion Detection (RAID), volume 3858 of
Lecture Notes in Computer Science, 2005.
[24] Thomas H. Ptacek and Timothy N. Newsham.
Insertion, evasion, and denial of service: Eluding
network intrusion detection. Technical report, Secure
Networks, Inc., January 1998.
[25] Charlie Reis, John Dunagan, Helen J. Wang, Opher
Dubrovsky, and Saher Esmeir. BrowserShield:
Vulnerability-driven filtering of dynamic HTML. In
Proceedings of the USENIX Symposium on Operating
System Design and Implementation (OSDI), 2006.
[26] RSnake. XSS (cross site scripting) cheat sheet. Esp:
for filter evasion. http://ha.ckers.org/xss.html.
[27] Jesse Ruderman. Signed scripts in mozilla.
http://www.mozilla.org/projects/security/
components/signed-scripts.html.
[28] Jesse Ruderman. The same origin policy.
http://www.mozilla.org/projects/security/
components/same-origin.html, August 2001.
[29] Optimizing page load time (and a little about the
debug menu). http://webkit.org/blog/?p=75.
[30] Samy. I’m popular. http://namb.la/popular/,
October 2005. Description of the MySpace worm by
the author, including a technical explanation.
[31] Christian Schmidt. Comment on content restrictions
proposal. http://weblogs.mozillazine.org/gerv/
archives/007821.html, March 2005.
[32] Zhendong Su and Gary Wassermann. The essence of
command injection attacks in web applications. In
Proceedings of the ACM Symposium on Principles of
Programming Languages (POPL), 2006.
[33] HTML Tidy project page.
http://tidy.sourceforge.net/.
[34] David Wagner and Drew Dean. Intrusion detection via
static analysis. In Proceedings of the IEEE Symposium
on Security and Privacy, 2001.
[35] Yichen Xie and Alex Aiken. Static detection of
security vulnerabilities in scripting languages. In
Proceedings of the USENIX Security Symposium, 2006.
[36] Dachuan Yu, Ajay Chander, Nayeem Islam, and Igor
Serikov. Javascript instrumentation for browser
security. In Proceedings of the ACM Symposium on
Principles of Programming Languages (POPL), 2007.
[2] Malicious HTML tags embedded in client web
requests. CERT Advisory CA–2000–02, February
2000.
[3] Eric Chien. Malicious Yahooligans. Virus Bulletin,
August 2006.
[4] Henry Hanping Feng, Jonathon T. Giffin, Yong
Huang, Somesh Jha, Wenke Lee, and Barton P. Miller.
Formalizing sensitivity in static analysis for intrusion
detection. In Proceedings of the IEEE Symposium on
Security and Privacy, 2004.
[5] Mona Gandhi, Markus Jakobsson, and Jacob
Ratkiewicz. Badvertisements: Stealthy click-fraud
with unwitting accessories. Journal of Digital Forensic
Practice, 1(2), November 2006. Special Issue on
Anti-Phishing and Online Fraud, Part I.
[6] Google web toolkit.
http://code.google.com/webtoolkit/.
[7] O. Hallaraker and G. Vigna. Detecting malicious
JavaScript code in Mozilla. In Proceedings of the IEEE
International Conference on Engineering of Complex
Computer Systems (ICECCS), June 2005.
WWW 2007 / Track: Security, Privacy, Reliability, and Ethics Session: Defending Against Emerging Threats
[8] Hop home page. http://hop.inria.fr/.
[9] Collin Jackson, Andrew Bortz, Dan Boneh, and
John C. Mitchell. Protecting browser state from web
privacy attacks. In Proceedings of the 15th ACM
World Wide Web Conference, 2006.
[10] Trevor Jim, Nikhil Swamy, and Michael Hicks. BEEP:
Browser-enforced embedded policies.
http://www.research.att.com/ trevor/beep.html.
[11] Nenad Jovanovic, Christopher Kruegel, and Engin
Kirda. Precise alias analysis for static detection of web
application vulnerabilities. In Proceedings of the
Workshop on Programming Languages and Analysis
for Security (PLAS), 2006.
[12] Paj’s Home: Cryptography.
http://www.pajhome.org.uk/crypt/index.html.
[13] Engin Kirda, Christopher Kruegel, Giovanni Vigna,
and Nenad Jovanovic. Noxes: A client-side solution for
mitigating cross-site scripting attacks. In Proceedings
of the 21st ACM Symposium on Applied Computing
(SAC), Security Track, 2006.
[14] Amit Klein. DOM based cross site scripting or XSS of
the third kind. http://www.webappsec.org/
projects/articles/071105.shtml, July 2005.
[15] Shriram Krishnamurthi. The CONTINUE server (or,
how i administered PADL 2002 and 2003). In V. Dahl
and P. Wadler, editors, PADL, volume 2562 of Lecture
Notes in Computer Science. Springer, 2003.
[16] V. T. Lam, S. Antonatos, P. Akritidis, and K. G.
Anagnostakis. Puppetnets: Misusing web browsers as
a distributed attack infrastructure. In Proceedings of
the ACM Conference on Computer and
Communications Security, 2006.
[17] Jay Ligatti, Lujo Bauer, and David Walker. Edit
automata: Enforcement mechanisms for run-time
security policies. International Journal of Information
Security, 4(2):2–16, February 2005.
[18] Links: Linking theory to practice for the web.
http://groups.inf.ed.ac.uk/links/.
[19] Gervase Markham. Content restrictions. http:
//www.gerv.net/security/content-restrictions/,
January 2006. Version 0.6.
[20] MITRE. Common vulnerabilities and exposures.
http://cve.mitre.org.
[21] Anh Nguyen-Tuong, Salvatore Guarnieri, Doug
Greene, Jeff Shirley, and David Evans. Automatically
hardening web applications using precise tainting. In
Proceedings of the 20th IFIP International
Information Security Conference, 2005.
[22] Les Orchard. S3AjaxWiki.
http://decafbad.com/trac/wiki/S3Ajax.
[23] Tadeusz Pietraszek and Chris Vanden Berghe.
Defending against injection attacks through
context-sensitive string evaluation. In Recent Advances
in Intrusion Detection (RAID), volume 3858 of
Lecture Notes in Computer Science, 2005.
[24] Thomas H. Ptacek and Timothy N. Newsham.
Insertion, evasion, and denial of service: Eluding
network intrusion detection. Technical report, Secure
Networks, Inc., January 1998.
[25] Charlie Reis, John Dunagan, Helen J. Wang, Opher
Dubrovsky, and Saher Esmeir. BrowserShield:
Vulnerability-driven filtering of dynamic HTML. In
Proceedings of the USENIX Symposium on Operating
System Design and Implementation (OSDI), 2006.
[26] RSnake. XSS (cross site scripting) cheat sheet. Esp:
for filter evasion. http://ha.ckers.org/xss.html.
[27] Jesse Ruderman. Signed scripts in mozilla.
http://www.mozilla.org/projects/security/
components/signed-scripts.html.
[28] Jesse Ruderman. The same origin policy.
http://www.mozilla.org/projects/security/
components/same-origin.html, August 2001.
[29] Optimizing page load time (and a little about the
debug menu). http://webkit.org/blog/?p=75.
[30] Samy. I’m popular. http://namb.la/popular/,
October 2005. Description of the MySpace worm by
the author, including a technical explanation.
[31] Christian Schmidt. Comment on content restrictions
proposal. http://weblogs.mozillazine.org/gerv/
archives/007821.html, March 2005.
[32] Zhendong Su and Gary Wassermann. The essence of
command injection attacks in web applications. In
Proceedings of the ACM Symposium on Principles of
Programming Languages (POPL), 2006.
[33] HTML Tidy project page.
http://tidy.sourceforge.net/.
[34] David Wagner and Drew Dean. Intrusion detection via
static analysis. In Proceedings of the IEEE Symposium
on Security and Privacy, 2001.
[35] Yichen Xie and Alex Aiken. Static detection of
security vulnerabilities in scripting languages. In
Proceedings of the USENIX Security Symposium, 2006.
[36] Dachuan Yu, Ajay Chander, Nayeem Islam, and Igor
Serikov. Javascript instrumentation for browser
security. In Proceedings of the ACM Symposium on
Principles of Programming Languages (POPL), 2007.
No comments:
Post a Comment