Tuesday 23 October 2012

