[1] David Airey. Google’s Gmail security failure leaves my business sabotaged, December 2007. http://www.davidairey.co.uk/google-gmail-security-hijack/.
[2] David Airey. An informal chat with Google, March 2008. http://www.davidairey.com/google-site-links-gmail-hack-search-penalty/.
[3] Robert Auger. The cross-site request forgery (CSRF/XSRF) FAQ, 2007. http://www.cgisecurity.com/articles/csrf-faq.shtml.
[4] Michael Barbaro and Tom Zeller Jr. A face is exposed for AOL searcher no. 4417749. The New York Times, August 2006. http://www.nytimes.com/2006/08/09/technology/09aol.htm.
[5] Adam Barth, Collin Jackson, and John C. Mitchell. Securing frame communication in browsers. In Proceedings of the 17th USENIX Security Symposium (USENIX Security 2008), July 2008.
[6] Tim Berners-Lee, Roy Fielding, and Henrik Frystyk. Hypertext Transfer Protocol—HTTP/1.0. RFC 1945, May 1996.
[7] Douglas Crockford. JSONRequest, 2006. http://json.org/JSONRequest.html.
[8] Neil Daswani, Christoph Kern, and Anita Kesavan. Foundations of Security: What Every Programmer Needs to Know. Apress, 2007.
[9] Rogan Dawes. Session Fixation, 2008. http://www.owasp.org/index.php/Session_Fixation_Protection.
[10] Rohit Dhamankar et al. SANS top-20 security risks, 2007. http://www.sans.org/top20/2007/.
[11] Rachna Dhamija, J. D. Tygar, and Marti Hearst. Why phishing works. In Proceedings of the Conference on Human Factors in Computing Systems (CHI), 2006.
[12] E. W. Felten, D. Balfanz, D. Dean, and D. S. Wallach. Web Spoofing: An Internet Con Game. In 20th National Information Systems Security Conference, October 1997.
[13] Brad Fitzpatrick, David Recordon, Dick Hardt, Johnny Bufu, Josh Hoyt, et al. OpenID authentication 2.0, December 2007. http://openid.net/specs/openid-authentication-2_0.html.
[14] Seth Fogie, Jeremiah Grossman, Robert Hansen, Anton Rager, and Petko D. Petkov. XSS Attacks: Cross Site Scripting Exploits and Defense. Syngress, 2007.
[15] Mozilla Foundation. Security advisory 2005-58, September 2005. http://www.mozilla.org/security/announce/2005/mfsa2005-58.html.
[16] Google. Security for GWT Applications. http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications.
[17] Robert Hansen and Tom Stracener. Xploiting Google gadgets: Gmalware and beyond, August 2008. Black Hat briefing.
[18] Elliotte Rusty Harold. Privacy tip #3: Block Referer headers in Firefox, October 2006. http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/.
[19] Mario Heiderich. CSRFx, 2007. http://php-ids.org/category/csrfx/.
[20] Ian Hickson et al. Cross-document messaging. http://www.w3.org/html/wg/html5/#crossDocumentMessages.
[21] Ian Hickson et al. HTML 5 Working Draft. http://www.whatwg.org/specs/web-apps/current-work/.
[22] Dan Holevoet. Changes to inline gadgets, August 2008. http://igoogledeveloper.blogspot.com/2008/08/changes-to-inlined-gadgets.html.
[23] Collin Jackson. Defeating frame busting techniques, 2005. http://crypto.stanford.edu/framebust/.
[24] Collin Jackson and Adam Barth. ForceHTTPS: Protecting high-security web sites from network attacks. In Proceedings of the 17th International World Wide Web Conference (WWW), April 2008.
[25] Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh. Protecting browsers from DNS rebinding attacks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), November 2007.
[26] Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell. Protecting browser state from web privacy attacks. In Proceedings of the 15th International World Wide Web Conference (WWW), May 2006.
[27] Martin Johns and Justus Winter. RequestRodeo: Client side protection against session riding. In Proceedings of the OWASP Europe 2006 Conference, May 2006.
[28] Aaron Johnson. The Referer header, intranets and privacy, February 2007. http://cephas.net/blog/2007/02/06/the-referer-header-intranets-and-privacy/.
[29] Paul Johnston and Richard Moore. Multiple browser cookie injection vulnerabilities, September 2004. http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt.
[30] Nenad Jovanovic, Engin Kirda, and Christopher Kruegel. Preventing cross site request forgery attacks. In IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), 2006.
[31] Chris Karlof, Umesh Shankar, J. D. Tygar, and David Wagner. Dynamic pharming attacks and locked same-origin policies for web browsers. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), November 2007.
[32] Amit Klein. Exploiting the XMLHttpRequest object in IE—Referrer spoofing and a lot more..., September 2005. http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml.
[33] Peter-Paul Koch. Frame busting. http://www.quirksmode.org/js/framebust.html.
[34] David Kristol and Lou Montulli. HTTP State Management Mechanism. RFC 2965, October 2000.
[35] David Kristol and Lou Montulli. HTTP State Management Mechanism. RFC 2109, February 1997.
[36] V. T. Lam, Spiros Antonatos, P. Akritidis, and Kostas G. Anagnostakis. Puppetnets: Misusing web browsers as a distributed attack infrastructure. In Proceedings of the 13th ACM Conference on Computer and Communication Security (CCS), October 2006.
[37] PHP Manual. Session handling functions. http://www.phpbuilder.com/manual/en/ref.session.php.
[38] Chris Masone, Kwang-Hyun Baek, and Sean Smith. WSKE: Web server key enabled cookies. In Proceedings of Usable Security 2007 (USEC ’07).
[39] Microsoft. XDomainRequest object. http://msdn2.microsoft.com/en-us/library/cc288060(VS.85).aspx.
[40] Netscape. Persistent client state: HTTP cookies. http://wp.netscape.com/newsref/std/cookie_spec.html.
[41] Greg Pass, Abdur Chowdhury, and Cayley Torgeson. A picture of search. In InfoScale ’06: Proceedings of the 1st International Conference on Scalable Information Systems, 2006.
[42] Petko D. Petkov. Google Gmail e-mail hijack technique, September 2007. http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/.
[43] Yngve Pettersen. HTTP state management mechanism v2. IETF Internet Draft, February 2008. http://www.ietf.org/internet-drafts/draft-pettersen-cookie-v2-02.txt.
[44] phpBB. http://phpbb.com/.
[45] Prototype JavaScript framework. http://www.prototypejs.org/.
[46] Ruby on Rails. http://www.rubyonrails.org/.
[47] Secunia. Microsoft Internet Explorer “XMLHTTP” HTTP request injection, September 2005. http://secunia.com/advisories/16942/.
[48] Eric Sheridan. OWASP CSRFGuard Project, 2008. http://www.owasp.org/index.php/CSRF_Guard.
[49] Trac. http://trac.edgewall.org/.
[50] Anne van Kesteren et al. Access control for cross-site requests. http://www.w3.org/TR/access-control/.
[51] Luis von Ahn, Nick Hopper, Manuel Blum, and John Langford. CAPTCHA: Using hard AI problems for security. In Eurocrypt 2003.
[52] Weilin Zhong. Session Fixation, 2008. http://www.owasp.org/index.php/Session_Fixation.