[1] Bugzilla. http://www.bugzilla,org/.
[2] HotCRP. http://www.cs.ucla.edu/˜kohler/hotcrp/
index.html/.
[3] OWASP: Top 10 2007. http://www.owasp.org/index.php/
Top_10_2007.
[4] E. Athanasopoulos, V. Pappas, and E. Markatos. Code injection attacks
in browsers supporting policies. In Proceedings of Web 2.0 Security and
Privacy 2009, 2009.
[5] P. Bisht and V. N. Venkatakrishnan. Xss-guard: Precise dynamic prevention
of cross-site scripting attacks. In Proceedings of the 5th international
conference on Detection of Intrusions and Malware, and Vulnerability Assessment,
DIMVA ’08, pages 23–43, Berlin, Heidelberg, 2008. Springer-
Verlag.
[6] F. Buclin. Bugzilla usage world wide. http://lpsolit.
wordpress.com/bugzilla-usage-worldwide/.
[7] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing
web application code by static analysis and runtime protection. In Proceedings
of the 13th international conference on World Wide Web, WWW
’04, pages 40–52, New York, NY, USA, 2004. ACM.
[8] T. Jim, N. Swamy, and M. Hicks. Beep: Browser-enforced embedded policies.
16th International World World Web Conference, 2007.
[9] B. Livshits and M. S. Lam. Finding security errors in Java programs with
static analysis. In Proceedings of the Usenix Security Symposium, 2005.
[10] B. Livshits, M. Martin, and M. S. Lam. SecuriFly: Runtime protection and
recovery from Web application vulnerabilities. Technical report, Stanford
University, Sept. 2006.
[11] B. Livshits and U´ lfar Erlingsson. Using web application construction
frameworks to protect against code injection attacks. In Proceedings of
the 2007 workshop on Programming languages and analysis for security.
[12] L. Meyerovich and B. Livshits. ConScript: Specifying and enforcing finegrained
security policies for JavaScript in the browser. In IEEE Symposium
on Security and Privacy, May 2010.
[13] Y. Nadji, P. Saxena, and D. Song. Document structure integrity: A robust
basis for cross-site scripting defense. Proceedings of the 16th Network and
Distributed System Security Symposium, 2009.
[14] P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A
symbolic execution framework for javascript. In Proceedings of the 2010
IEEE Symposium on Security and Privacy, SP ’10, pages 513–528, Washington,
DC, USA, 2010. IEEE Computer Society.
[15] P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic discovery
of client-side validation vulnerabilities in rich web applications. In
Network & Distributed System Security Symposium, (NDSS), 2010.
[16] P. Saxena, D. Molnar, and B. Livshits. Scriptgard: Preventing script injection
attacks in legacy web applications with automatic sanitization. Technical
report, Microsoft Research, September 2010.
[17] S. Stamm. Content security policy, 2009.
[18] S. Stamm, B. Sterne, and G. Markham. Reining in the web with content
security policy. In Proceedings of the 19th international conference on
World wide web, WWW ’10, pages 921–930, New York, NY, USA, 2010.
ACM.
[19] Z. Su and G. Wassermann. The essence of command injection attacks in
web applications. 2006.
[20] Template Toolkit. http://template-toolkit.org.
[21] Ter Louw, Mike and V.N. Venkatakrishnan. BluePrint: Robust Prevention
of Cross-site Scripting Attacks for Existing Browsers. In Proceedings of
the IEEE Symposium on Security and Privacy, 2009.
[22] TNW: The Next Web. YouTube hacked, Justin Bieber videos targeted.
http://thenextweb.com/socialmedia/2010/07/04/
youtube-hacked-justin-bieber-videos-targeted/.
[23] G. Wassermann and Z. Su. Sound and precise analysis of web applications
for injection vulnerabilities. In Proceedings of the ACM SIGPLAN conference
on Programming language design and implementation, pages 32–41,
New York, NY, USA, 2007. ACM.
[24] G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, and Z. Su.
Dynamic test input generation for web applications. In Proceedings of the
International symposium on Software testing and analysis, 2008.
[25] J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song. A
systematic analysis of xss sanitization in web application frameworks. In
Proceedings of 16th European Symposium on Research in Computer Security
(ESORICS), 2011.
[26] WhiteHat Security. WhiteHat Webinar: Fall 2010 Website Statistics
Report. http://www.whitehatsec.com/home/resource/
presentation.html.
[27] Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting
languages. In Proceedings of the Usenix Security Symposium, 2006.
[28] W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A
practical approach to defeat a wide range of attacks. In Proceedings of the
15th USENIX Security Symposium, pages 121–136, 2006.
[2] HotCRP. http://www.cs.ucla.edu/˜kohler/hotcrp/
index.html/.
[3] OWASP: Top 10 2007. http://www.owasp.org/index.php/
Top_10_2007.
[4] E. Athanasopoulos, V. Pappas, and E. Markatos. Code injection attacks
in browsers supporting policies. In Proceedings of Web 2.0 Security and
Privacy 2009, 2009.
[5] P. Bisht and V. N. Venkatakrishnan. Xss-guard: Precise dynamic prevention
of cross-site scripting attacks. In Proceedings of the 5th international
conference on Detection of Intrusions and Malware, and Vulnerability Assessment,
DIMVA ’08, pages 23–43, Berlin, Heidelberg, 2008. Springer-
Verlag.
[6] F. Buclin. Bugzilla usage world wide. http://lpsolit.
wordpress.com/bugzilla-usage-worldwide/.
[7] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing
web application code by static analysis and runtime protection. In Proceedings
of the 13th international conference on World Wide Web, WWW
’04, pages 40–52, New York, NY, USA, 2004. ACM.
[8] T. Jim, N. Swamy, and M. Hicks. Beep: Browser-enforced embedded policies.
16th International World World Web Conference, 2007.
[9] B. Livshits and M. S. Lam. Finding security errors in Java programs with
static analysis. In Proceedings of the Usenix Security Symposium, 2005.
[10] B. Livshits, M. Martin, and M. S. Lam. SecuriFly: Runtime protection and
recovery from Web application vulnerabilities. Technical report, Stanford
University, Sept. 2006.
[11] B. Livshits and U´ lfar Erlingsson. Using web application construction
frameworks to protect against code injection attacks. In Proceedings of
the 2007 workshop on Programming languages and analysis for security.
[12] L. Meyerovich and B. Livshits. ConScript: Specifying and enforcing finegrained
security policies for JavaScript in the browser. In IEEE Symposium
on Security and Privacy, May 2010.
[13] Y. Nadji, P. Saxena, and D. Song. Document structure integrity: A robust
basis for cross-site scripting defense. Proceedings of the 16th Network and
Distributed System Security Symposium, 2009.
[14] P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A
symbolic execution framework for javascript. In Proceedings of the 2010
IEEE Symposium on Security and Privacy, SP ’10, pages 513–528, Washington,
DC, USA, 2010. IEEE Computer Society.
[15] P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic discovery
of client-side validation vulnerabilities in rich web applications. In
Network & Distributed System Security Symposium, (NDSS), 2010.
[16] P. Saxena, D. Molnar, and B. Livshits. Scriptgard: Preventing script injection
attacks in legacy web applications with automatic sanitization. Technical
report, Microsoft Research, September 2010.
[17] S. Stamm. Content security policy, 2009.
[18] S. Stamm, B. Sterne, and G. Markham. Reining in the web with content
security policy. In Proceedings of the 19th international conference on
World wide web, WWW ’10, pages 921–930, New York, NY, USA, 2010.
ACM.
[19] Z. Su and G. Wassermann. The essence of command injection attacks in
web applications. 2006.
[20] Template Toolkit. http://template-toolkit.org.
[21] Ter Louw, Mike and V.N. Venkatakrishnan. BluePrint: Robust Prevention
of Cross-site Scripting Attacks for Existing Browsers. In Proceedings of
the IEEE Symposium on Security and Privacy, 2009.
[22] TNW: The Next Web. YouTube hacked, Justin Bieber videos targeted.
http://thenextweb.com/socialmedia/2010/07/04/
youtube-hacked-justin-bieber-videos-targeted/.
[23] G. Wassermann and Z. Su. Sound and precise analysis of web applications
for injection vulnerabilities. In Proceedings of the ACM SIGPLAN conference
on Programming language design and implementation, pages 32–41,
New York, NY, USA, 2007. ACM.
[24] G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, and Z. Su.
Dynamic test input generation for web applications. In Proceedings of the
International symposium on Software testing and analysis, 2008.
[25] J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song. A
systematic analysis of xss sanitization in web application frameworks. In
Proceedings of 16th European Symposium on Research in Computer Security
(ESORICS), 2011.
[26] WhiteHat Security. WhiteHat Webinar: Fall 2010 Website Statistics
Report. http://www.whitehatsec.com/home/resource/
presentation.html.
[27] Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting
languages. In Proceedings of the Usenix Security Symposium, 2006.
[28] W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A
practical approach to defeat a wide range of attacks. In Proceedings of the
15th USENIX Security Symposium, pages 121–136, 2006.
No comments:
Post a Comment