Wednesday 24 October 2012
