Wednesday 24 October 2012

A Systematic Analysis of XSS Sanitization in Web Application Frameworks 169
