Tuesday 23 October 2012

References

1. Alcorn, W.: Inter-protocol communication. Whitepaper (11/13/06) (August 2006)
http://www.ngssoftware.com/research/papers/InterProtocolCommunication.pdf
2. Burns, J.: Cross site reference forgery - an introduction to a common web application
weakness. Whitepaper (2005)
https://www.isecpartners.com/documents/XSRF_Paper.pdf
3. Endler, D.: The evolution of cross-site scripting attacks. Whitepaper, iDefense Inc.
(May 2002) http://www.cgisecurity.com/lib/XSS.pdf
4. Glass, E.: The ntlm authentication protocol. (03/13/06) (2003) [online]
http://davenport.sourceforge.net/ntlm.html
5. Grossman, J.: Browser port scanning without javascript. (08/01/07) (November
2006) Website
http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html
6. Grossman, J.: Javascript malware, port scanning, and beyond. Posting to the websecurity
mailing list (July 2006)
http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00097.html
7. Grossman, J., Niedzialkowski, T.C.: Hacking intranet websites from the outside. Talk
at Black Hat USA 2006 (August 2006)
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grossman.pdf
8. Hallaraker, O., Vigna, G.: Detecting malicious javascript code in mozilla. In: Proceedings
of the IEEE International Conference on Engineering of Complex Computer
Systems (ICECCS), pp. 85–94 (June 2005)
9. Le Hegaret, P., Whitmer, R., Wood, L.: Document object model (dom). W3C
recommendation (January 2005) http://www.w3.org/DOM/
10. InformAction. Noscript firefox extension. Software (2006)
http://www.noscript.net/whats
11. Ismail, O., Eto, M., Kadobayashi, Y., Yamaguchi, S.: A proposal and implementation
of automatic detection/collection system for cross-site scripting vulnerability.
In: 8th International Conference on Advanced Information Networking and Applications
(AINA04), (March 2004)
12. Jackson, C., Bortz, A., Boneh, D., Mitchell, J.C.: Protecting browser state from
web privacy attacks. In: Proceedings of the 15th ACM World Wide Web Conference
(WWW 2006) (2006)
13. Johns, M.: (somewhat) breaking the same-origin policy by undermining dns-pinning.
Posting to the Bugtraq mailing list (August 2006)
http://www.securityfocus.com/archive/107/443429/30/180/threaded
14. Johns, M., Winter, J.: Requestrodeo: Client side protection against session riding.
In: Piessens, F. (ed.) Proceedings of the OWASP Europe 2006 Conference, refereed
papers track, Report CW448, pp. 5–17. Departement Computerwetenschappen,
Katholieke Universiteit Leuven (May 2006)
15. Kanatoko. Stealing information using anti-dns pinning (30/01/07) (2006) Online
demonstration. webpage, http://www.jumperz.net/index.php?i=2&a=1&b=7
16. Kanatoko. Anti-dns pinning + socket in flash (19/01/07) (January 2007) Website
http://www.jumperz.net/index.php?i=2&a=3&b=3
17. Kindermann, L.: My address java applet (11/08/06) (2003) Webpage
http://reglos.de/myaddress/MyAddress.html

18. Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: A client-side solution for
mitigating cross site scripting attacks, security. In: Security Track of the 21st ACM
Symposium on Applied Computing (SAC 2006) (April 2006)
19. SPI Labs. Detecting, analyzing, and exploiting intranet applications using
javascript. Whitepaper (July 2006)
http://www.spidynamics.com/assets/documents/JSportscan.pdf
20. Lam, V.T., Antonatos, S., Akritidis, P., Anagnostakis, K.G.: Puppetnets: Misusing
web browsers as a distributed attack infrastructure. In: ACM Conference on
Computer and Communications Security (CCS’06), pp. 221–234 (2006)
21. Petkov, P.: Javascript port scanner (11/08/06) (August 2006) Website
http://www.gnucitizen.org/projects/javascript-port-scanner/
22. XUL Planet. nsicontentpolicy. API Reference (11/02/07) (2006) webpage
http://www. xpcomref/ifaces/nsIContentPolicy.html
23. Mozilla Project. Mozilla port blocking (11/13/06) (2001) Webpage
http://www.mozilla.org/projects/netlib/PortBanning.html
24. Ruderman, J.: The same origin policy (01/10/06) (August 2001) Webpage
http://www.mozilla.org/projects/security/components/same-origin.html
25. Samy: Technical explanation of the myspace worm (01/10/06) (October 2005) website
http://namb.la/popular/tech.html
26. Schreiber, T.: Session riding - a widespread vulnerability in today’s web applications.
Whitepaper, SecureNet GmbH (December 2004)
http://www.securenet.de/papers/Session_Riding.pdf
27. Princeton University Secure Internet Programming Group. Dns attack scenario
(February 1996) Webpage
http://www.cs.princeton.edu/sip/news/dns-scenario.html
28. Soref, J.: Dns: Spoofing and pinning (14/11/06) (September 2003) Webpage
http://viper.haque.net/~timeless/blog/11/
29. Vogt, P., Nentwich, F., Jovanovic, N., Kruegel, C., Kirda, E., Vigna, G.: Cross site
scripting prevention with dynamic data tainting and static analysis. In: 14th Annual
Network and Distributed System Security Symposium (NDSS 2007) (2007)
30. Winter, J., Johns, M.: Localrodeo: Client side protection against javascript malware
(01/02/07) (January 2007) webpage http://databasement.net/labs/localrodeo
