References
[1] ab - Apache HTTP server benchmarking tool.
http://httpd.apache.org/docs/2.0/
programs/ab.html.
[2] McAfee: Enabling Malware Distribution and
Fraud. http://www.readwriteweb.com/
archives/mcafee enabling malware
distribution and fraud.php.
[3] SunSpider JavaScript benchmark. http://
www2.webkit.org/perf/sunspider-0.
9/sunspider.html.
[4] XXSed.com vulnerability 35059. http://www.
xssed.com/mirror/35059/.
[5] C. Anley. Advanced SQL injection in SQL server
applications. White paper, Next Generation Security
Software Ltd, 2002.
[6] E. Athanasopoulos, V. Pappas, and E. Markatos.
Code-Injection Attacks in Browsers Supporting
Policies. In Proceedings of the 2nd Workshop on
Web 2.0 Security & Privacy (W2SP), Oakland, CA,
May 2009.
[7] A. Barth, J. Caballero, andD. Song. Secure Content
Sniffing for Web Browsers or How to Stop Papers
from Reviewing Themselves. In Proceedings of the
30th IEEE Symposium on Security& Privacy, Oakland,
CA, May 2009.
[8] A. Barth, J.Weinberger, and D. Song. Cross-Origin
JavaScript Capability Leaks: Detection, Exploitation,
and Defense. In Proceedings of the 18th
USENIX Security Symposium, Montreal, Quebec,
August 2009.
[9] S. W. Boyd and A. D. Keromytis. SQLrand: Preventing
SQL Injection Attacks. In Proceedings of
the 2nd Applied Cryptography and Network Security
(ACNS) Conference, pages 292–302, 2004.
[10] S. Chen, D. Ross, and Y.-M. Wang. An Analysis
of Browser Domain-Isolation Bugs and a Light-
Weight Transparent Defense Mechanism. In Proceedings
of the 14th ACM conference on Computer
and Communications Security (CCS), pages 2–11,
New York, NY, USA, 2007. ACM.
[11] S. Designer. Return-to-libc attack. Bugtraq, Aug,
1997.
[12] R. Dhamija, J. Tygar, andM. Hearst. Why Phishing
Works. In Proceedings of the SIGCHI Conference
on Human Factors in Computing Systems, pages
581–590. ACM New York, NY, USA, 2006.
[13] A. Felt, P. Hooimeijer, D. Evans, and W. Weimer.
Talking to Strangers Without Taking their Candy:
Isolating Proxied Content. In SocialNets ’08: Proceedings
of the 1st Workshop on Social Network
Systems, pages 25–30, New York, NY, USA, 2008.
ACM.
[14] K. Fernandez and D. Pagkalos. XSSed.com. XSS
(Cross-Site Scripting) information and vulnerable
websites archive. http://www.xssed.com.
[15] J. Garrett et al. Ajax: A New Approach to Web
Applications. Adaptive path, 18, 2005.
[16] M. V. Gundy and H. Chen. Noncespaces: Using
Randomization to Enforce Information Flow
Tracking and Thwart Cross-Site Scripting Attacks.
In Proceedings of the 16th Annual Network and
Distributed System Security Symposium (NDSS),
San Diego, CA, Feb. 8-11, 2009.
[17] T. Jim, N. Swamy, and M. Hicks. Defeating Script
Injection Attacks with Browser-Enforced Embedded
Policies. InWWW ’07: Proceedings of the 16th
international conference onWorld WideWeb, pages
601–610, New York, NY, USA, 2007. ACM.
[18] S. Josefsson. RFC 4648: The Base16, Base32, and
Base64 Data Encodings, 2006. http://tools.
ietf.org/html/rfc4648.
[19] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy:
A Static Analysis Tool for Detecting Web Application
Vulnerabilities (Short Paper). In Proceedings
of the 27th IEEE Symposium on Security and
Privacy, pages 258–263, Washington, DC, USA,
2006. IEEE Computer Society.
[20] G. Kc, A. Keromytis, and V. Prevelakis. Countering
Code-Injection Attacks with Instruction-Set
Randomization. In Proceedings of the 10th ACM
conference on Computer and Communications Security,
pages 272–280. ACM New York, NY, USA,
2003.
[21] A. D. Keromytis. Randomized Instruction Sets and
Runtime Environments Past Research and Future
Directions. Number 1, pages 18–25, Piscataway,
NJ, USA, 2009. IEEE Educational Activities Department.
[22] A. Klein. DOM Based Cross Site Scripting or XSS
of the Third Kind. Web Application Security Consortium,
Articles, 4.7. 2005.
[23] L. C. Lam and T.-c. Chiueh. A General Dynamic
Information Flow Tracking Framework for Security
Applications. In ACSAC ’06: Proceedings of the
22nd Annual Computer Security Applications Conference,
pages 463–472, Washington, DC, USA,
2006. IEEE Computer Society.
[24] A. Le Hors, P. Le Hegaret, L. Wood, G. Nicol,
J. Robie, M. Champion, and S. Byrne. Document
Object Model (DOM) Level 3 Core Specification.
World Wide Web Consortium, Recommendation
REC-DOM-Level-3-Core-20040407, 2004.
[25] M. Martin and M. S. Lam. Automatic Generation
of XSS and SQL Injection Attacks with Goaldirected
Model Checking. In Proceedings of the
17th USENIX Security symposium, pages 31–43,
Berkeley, CA, USA, 2008. USENIX Association.
[26] Y. Nadji, P. Saxena, and D. Song. Document Structure
Integrity: A Robust Basis for Cross-site Scripting
Defense. In Proceedings of the 16th Annual
Network and Distributed System Security Symposium
(NDSS), San Diego, CA, Feb. 8-11, 2009.
[27] S. Nanda, L. Lam, and T. Chiueh. Dynamic
Multi-Process Information Flow Tracking for Web
Application Security. In Proceedings of the 8th
ACM/IFIP/USENIX international conference on
Middleware. ACM New York, NY, USA, 2007.
[28] A. Nguyen-tuong, S. Guarnieri, D. Greene,
J. Shirley, and D. Evans. Automatically Hardening
Web Applications Using Precise Tainting. In Proceedings
of the 20th IFIP International Information
Security Conference, pages 372–382, 2005.
[29] A. One. Smashing the stack for fun and profit.
Phrack magazine, 49(7), 1996.
[30] N. Provos, P.Mavrommatis,M. Rajab, and F. Monrose.
All your iFRAMES point to us. In Proceedings
of the 17th conference on Security symposium,
pages 1–15. USENIX Association, 2008.
[31] L. Richardson. Beautiful Soup-HTML/XML parser
for Python, 2008.
[32] W. Robertson and G. Vigna. Static Enforcement of
Web Application Integrity Through Strong Typing.
In Proceedings of the 18th USENIX Security Symposium,
Montreal, Quebec, August 2009.
[33] J. Ruderman. The same-origin policy, 2001.
http://www.mozilla.org/projects/
security/components/same-origin.
html.
[34] SANS Insitute. The Top Cyber Security Risks.
September 2009. http://www.sans.org/
top-cyber-security-risks/.
[35] R. Sekar. An Efficient Black-box Technique for Defeating
Web Application Attacks. In Proceedings
of the 16th Annual Network and Distributed System
Security Symposium (NDSS), San Diego, CA,
Feb. 8-11, 2009.
[36] H. Shacham. The Geometry of Innocent Flesh on
the Bone: return-into-libc without Function Calls
(on the x86). In CCS ’07: Proceedings of the
14th ACM conference on Computer and Communications
Security, pages 552–561, New York, NY,
USA, 2007. ACM.
[37] B. Tate and C. Hibbs. Ruby on Rails: Up and Running.
O’Reilly Media, Inc., 2006.
[38] M. Ter Louw and V. Venkatakrishnan. Blueprint:
Precise Browser-neutral Prevention of Cross-site
Scripting Attacks. In Proceedings of the 30th IEEE
Symposium on Security & Privacy, Oakland, CA,
May 2009.
[39] D. Veillard. Libxml2 project web page.
http://xmlsoft. org, 2004.
[40] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda,
C. Kruegel, and G. Vigna. Cross-Site Scripting
Prevention with Dynamic Data Tainting and Static
Analysis. In Proceeding of the 14th Annual Network
and Distributed System Security Symposium
(NDSS), 2007.
[41] H. J.Wang, X. Fan, J. Howell, and C. Jackson. Protection
and Communication Abstractions for Web
Browsers in MashupOS. In T. C. Bressoud and
M. F. Kaashoek, editors, SOSP, pages 1–16. ACM,
2007.
[42] H. J. Wang, C. Grier, A. Moshchuk, S. T. King,
P. Choudhury, and H. Venter. The Multi-Principal
OS Construction of the Gazelle Web Browser. In
Proceedings of the 18th USENIX Security Symposium,
Montreal, Canada, August 2009.
[43] W. Xu, E. Bhatkar, and R. Sekar. Taint-Enhanced
Policy Enforcement: A Practical Approach to Defeat
aWide Range of Attacks. In Proceedings of the
15th USENIX
[1] ab - Apache HTTP server benchmarking tool.
http://httpd.apache.org/docs/2.0/
programs/ab.html.
[2] McAfee: Enabling Malware Distribution and
Fraud. http://www.readwriteweb.com/
archives/mcafee enabling malware
distribution and fraud.php.
[3] SunSpider JavaScript benchmark. http://
www2.webkit.org/perf/sunspider-0.
9/sunspider.html.
[4] XXSed.com vulnerability 35059. http://www.
xssed.com/mirror/35059/.
[5] C. Anley. Advanced SQL injection in SQL server
applications. White paper, Next Generation Security
Software Ltd, 2002.
[6] E. Athanasopoulos, V. Pappas, and E. Markatos.
Code-Injection Attacks in Browsers Supporting
Policies. In Proceedings of the 2nd Workshop on
Web 2.0 Security & Privacy (W2SP), Oakland, CA,
May 2009.
[7] A. Barth, J. Caballero, andD. Song. Secure Content
Sniffing for Web Browsers or How to Stop Papers
from Reviewing Themselves. In Proceedings of the
30th IEEE Symposium on Security& Privacy, Oakland,
CA, May 2009.
[8] A. Barth, J.Weinberger, and D. Song. Cross-Origin
JavaScript Capability Leaks: Detection, Exploitation,
and Defense. In Proceedings of the 18th
USENIX Security Symposium, Montreal, Quebec,
August 2009.
[9] S. W. Boyd and A. D. Keromytis. SQLrand: Preventing
SQL Injection Attacks. In Proceedings of
the 2nd Applied Cryptography and Network Security
(ACNS) Conference, pages 292–302, 2004.
[10] S. Chen, D. Ross, and Y.-M. Wang. An Analysis
of Browser Domain-Isolation Bugs and a Light-
Weight Transparent Defense Mechanism. In Proceedings
of the 14th ACM conference on Computer
and Communications Security (CCS), pages 2–11,
New York, NY, USA, 2007. ACM.
[11] S. Designer. Return-to-libc attack. Bugtraq, Aug,
1997.
[12] R. Dhamija, J. Tygar, andM. Hearst. Why Phishing
Works. In Proceedings of the SIGCHI Conference
on Human Factors in Computing Systems, pages
581–590. ACM New York, NY, USA, 2006.
[13] A. Felt, P. Hooimeijer, D. Evans, and W. Weimer.
Talking to Strangers Without Taking their Candy:
Isolating Proxied Content. In SocialNets ’08: Proceedings
of the 1st Workshop on Social Network
Systems, pages 25–30, New York, NY, USA, 2008.
ACM.
[14] K. Fernandez and D. Pagkalos. XSSed.com. XSS
(Cross-Site Scripting) information and vulnerable
websites archive. http://www.xssed.com.
[15] J. Garrett et al. Ajax: A New Approach to Web
Applications. Adaptive path, 18, 2005.
[16] M. V. Gundy and H. Chen. Noncespaces: Using
Randomization to Enforce Information Flow
Tracking and Thwart Cross-Site Scripting Attacks.
In Proceedings of the 16th Annual Network and
Distributed System Security Symposium (NDSS),
San Diego, CA, Feb. 8-11, 2009.
[17] T. Jim, N. Swamy, and M. Hicks. Defeating Script
Injection Attacks with Browser-Enforced Embedded
Policies. InWWW ’07: Proceedings of the 16th
international conference onWorld WideWeb, pages
601–610, New York, NY, USA, 2007. ACM.
[18] S. Josefsson. RFC 4648: The Base16, Base32, and
Base64 Data Encodings, 2006. http://tools.
ietf.org/html/rfc4648.
[19] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy:
A Static Analysis Tool for Detecting Web Application
Vulnerabilities (Short Paper). In Proceedings
of the 27th IEEE Symposium on Security and
Privacy, pages 258–263, Washington, DC, USA,
2006. IEEE Computer Society.
[20] G. Kc, A. Keromytis, and V. Prevelakis. Countering
Code-Injection Attacks with Instruction-Set
Randomization. In Proceedings of the 10th ACM
conference on Computer and Communications Security,
pages 272–280. ACM New York, NY, USA,
2003.
[21] A. D. Keromytis. Randomized Instruction Sets and
Runtime Environments Past Research and Future
Directions. Number 1, pages 18–25, Piscataway,
NJ, USA, 2009. IEEE Educational Activities Department.
[22] A. Klein. DOM Based Cross Site Scripting or XSS
of the Third Kind. Web Application Security Consortium,
Articles, 4.7. 2005.
[23] L. C. Lam and T.-c. Chiueh. A General Dynamic
Information Flow Tracking Framework for Security
Applications. In ACSAC ’06: Proceedings of the
22nd Annual Computer Security Applications Conference,
pages 463–472, Washington, DC, USA,
2006. IEEE Computer Society.
[24] A. Le Hors, P. Le Hegaret, L. Wood, G. Nicol,
J. Robie, M. Champion, and S. Byrne. Document
Object Model (DOM) Level 3 Core Specification.
World Wide Web Consortium, Recommendation
REC-DOM-Level-3-Core-20040407, 2004.
[25] M. Martin and M. S. Lam. Automatic Generation
of XSS and SQL Injection Attacks with Goaldirected
Model Checking. In Proceedings of the
17th USENIX Security symposium, pages 31–43,
Berkeley, CA, USA, 2008. USENIX Association.
[26] Y. Nadji, P. Saxena, and D. Song. Document Structure
Integrity: A Robust Basis for Cross-site Scripting
Defense. In Proceedings of the 16th Annual
Network and Distributed System Security Symposium
(NDSS), San Diego, CA, Feb. 8-11, 2009.
[27] S. Nanda, L. Lam, and T. Chiueh. Dynamic
Multi-Process Information Flow Tracking for Web
Application Security. In Proceedings of the 8th
ACM/IFIP/USENIX international conference on
Middleware. ACM New York, NY, USA, 2007.
[28] A. Nguyen-tuong, S. Guarnieri, D. Greene,
J. Shirley, and D. Evans. Automatically Hardening
Web Applications Using Precise Tainting. In Proceedings
of the 20th IFIP International Information
Security Conference, pages 372–382, 2005.
[29] A. One. Smashing the stack for fun and profit.
Phrack magazine, 49(7), 1996.
[30] N. Provos, P.Mavrommatis,M. Rajab, and F. Monrose.
All your iFRAMES point to us. In Proceedings
of the 17th conference on Security symposium,
pages 1–15. USENIX Association, 2008.
[31] L. Richardson. Beautiful Soup-HTML/XML parser
for Python, 2008.
[32] W. Robertson and G. Vigna. Static Enforcement of
Web Application Integrity Through Strong Typing.
In Proceedings of the 18th USENIX Security Symposium,
Montreal, Quebec, August 2009.
[33] J. Ruderman. The same-origin policy, 2001.
http://www.mozilla.org/projects/
security/components/same-origin.
html.
[34] SANS Insitute. The Top Cyber Security Risks.
September 2009. http://www.sans.org/
top-cyber-security-risks/.
[35] R. Sekar. An Efficient Black-box Technique for Defeating
Web Application Attacks. In Proceedings
of the 16th Annual Network and Distributed System
Security Symposium (NDSS), San Diego, CA,
Feb. 8-11, 2009.
[36] H. Shacham. The Geometry of Innocent Flesh on
the Bone: return-into-libc without Function Calls
(on the x86). In CCS ’07: Proceedings of the
14th ACM conference on Computer and Communications
Security, pages 552–561, New York, NY,
USA, 2007. ACM.
[37] B. Tate and C. Hibbs. Ruby on Rails: Up and Running.
O’Reilly Media, Inc., 2006.
[38] M. Ter Louw and V. Venkatakrishnan. Blueprint:
Precise Browser-neutral Prevention of Cross-site
Scripting Attacks. In Proceedings of the 30th IEEE
Symposium on Security & Privacy, Oakland, CA,
May 2009.
[39] D. Veillard. Libxml2 project web page.
http://xmlsoft. org, 2004.
[40] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda,
C. Kruegel, and G. Vigna. Cross-Site Scripting
Prevention with Dynamic Data Tainting and Static
Analysis. In Proceeding of the 14th Annual Network
and Distributed System Security Symposium
(NDSS), 2007.
[41] H. J.Wang, X. Fan, J. Howell, and C. Jackson. Protection
and Communication Abstractions for Web
Browsers in MashupOS. In T. C. Bressoud and
M. F. Kaashoek, editors, SOSP, pages 1–16. ACM,
2007.
[42] H. J. Wang, C. Grier, A. Moshchuk, S. T. King,
P. Choudhury, and H. Venter. The Multi-Principal
OS Construction of the Gazelle Web Browser. In
Proceedings of the 18th USENIX Security Symposium,
Montreal, Canada, August 2009.
[43] W. Xu, E. Bhatkar, and R. Sekar. Taint-Enhanced
Policy Enforcement: A Practical Approach to Defeat
aWide Range of Attacks. In Proceedings of the
15th USENIX
No comments:
Post a Comment