Wednesday 24 October 2012

REFERENCES
[1] StrongWebmail CEO’s mail account hacked via XSS. ZDNet. [Online]. Available: http://blogs.zdnet.com/security/?p=3514
[2] D. Litchfield. SQL Injection and Data Security Breaches. [Online]. Available: http://www.davidlitchfield.com/blog/archives/00000001.htm
[3] Websites of WHO and MI5 Hacked Using XSS Attacks. Spamfighter.com. [Online]. Available: http://tinyurl.com/yfqauzo
[4] Approved Scanning Vendors. Payment Card Industry Security Standards Council. [Online]. Available: https://www.pcisecuritystandards.org/pdfs/asv_report.html
[5] VUPEN Security. [Online]. Available: http://www.vupen.com
[6] National Vulnerability Database. Dept. of Homeland Security, National Cyber Security Division. [Online]. Available: http://web.nvd.nist.gov
[7] Software Assurance Tools: Web Application Security Scanner Functional Specification, National Institute of Standards and Technology Std., Rev. 1.0.
[8] Web Application Security Scanner Evaluation Criteria. Web Application Security Consortium. [Online]. Available: http://projects.webappsec.org/Web-Application-Security-Scanner-Evaluation-Criteria
[9] OWASP Top Ten Project. Open Web Application Security Project. [Online]. Available: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
[10] Web Security Threat Classification. Web Application Security Consortium. [Online]. Available: http://www.webappsec.org/projects/threat/
[11] Common Weakness Enumeration. [Online]. Available: http://cwe.mitre.org
[12] H. Bojinov, E. Bursztein, and D. Boneh, “XCS: cross channel scripting and its impact on web applications,” in CCS ’09: Proceedings of the 16th ACM Conference on Computer and Communications Security. New York, NY, USA: ACM, 2009, pp. 420–431.
[13] Common Vulnerabilities and Exposures. [Online]. Available: http://cve.mitre.org
[14] D. Kaminsky, “Black Ops of PKI,” BlackHat USA, August 2009.
[15] M. Marlinspike, “More Tricks For Defeating SSL,” BlackHat USA, August 2009.
[16] E. V. Nava and D. Lindsay, “Our Favorite XSS Filters and How to Attack Them,” BlackHat USA, August 2009.
[17] Open Web Application Security Project. [Online]. Available: http://www.owasp.org
[18] Web Application Security Consortium. [Online]. Available: http://www.wasc.org
[19] Web Application Security Statistics. Web Application Security Consortium. [Online]. Available: http://projects.webappsec.org/Web-Application-Security-Statistics
[20] G. Wassermann and Z. Su, “Sound and precise analysis of web applications for injection vulnerabilities,” SIGPLAN Not., vol. 42, no. 6, pp. 32–41, 2007.
[21] M. S. Lam, M. Martin, B. Livshits, and J. Whaley, “Securing web applications with static and dynamic information flow tracking,” in PEPM ’08: Proceedings of the 2008 ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation. New York, NY, USA: ACM, 2008, pp. 3–12.
[22] A. Kieżun, P. J. Guo, K. Jayaraman, and M. D. Ernst, “Automatic creation of SQL injection and cross-site scripting attacks,” in ICSE ’09: Proceedings of the 30th International Conference on Software Engineering, Vancouver, BC, Canada, May 20–22, 2009.
[23] N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: A static analysis tool for detecting web application vulnerabilities (short paper),” in 2006 IEEE Symposium on Security and Privacy, 2006, pp. 258–263. [Online]. Available: http://www.iseclab.org/papers/pixy.pdf
[24] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo, “Securing web application code by static analysis and runtime protection,” in WWW ’04: Proceedings of the 13th International Conference on World Wide Web. New York, NY, USA: ACM, 2004, pp. 40–52.
[25] S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, “SecuBat: a web vulnerability scanner,” in WWW ’06: Proc. 15th Int’l Conf. World Wide Web, 2006, pp. 247–256.
[26] S. McAllister, E. Kirda, and C. Kruegel, “Leveraging user interactions for in-depth testing of web applications,” in RAID ’08: Proc. 11th Int’l Symp. Recent Advances in Intrusion Detection, 2008, pp. 191–210.
[27] F. Maggi, W. K. Robertson, C. Krügel, and G. Vigna, “Protecting a moving target: Addressing web application concept drift,” in RAID, 2009, pp. 21–40.
[28] Web Application Attack and Audit Framework. [Online]. Available: http://w3af.sourceforge.net/
[29] Powerfuzzer. [Online]. Available: http://www.powerfuzzer.com/
[30] CIRT.net Nikto Scanner. [Online]. Available: http://cirt.net/nikto2
[31] WebGoat Project. OWASP. [Online]. Available: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
[32] HacmeBank. McAfee Corp. [Online]. Available: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
[33] AltoroMutual Bank. Watchfire Corp. [Online]. Available: http://demo.testfire.net/
[34] L. Suto. Analyzing the Accuracy and Time Costs of Web Application Security Scanners. [Online]. Available: http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf
[35] J. Fonseca, M. Vieira, and H. Madeira, “Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks,” Pacific Rim Int’l Symp.
