Reaserch Papers: May 2012

Tuesday 29 May 2012

REFERENCES12

[1] “Web application security trends report – q3-q4, 2009,”

Cenzic Inc., 2009.

[2] “UK security breach investigations report: An analysis of data

compromise cases security breach investigations report: An

analysis of data compromise cases,” 7safe, 2010.

[3] “Fall 09 website security statistics report,” WhiteHat Security,

Tech. Rep., 2009.

[4] A List Apart, “Findings from the a list apart survey for

people who make websites, 2008,” 2008. [Online]. Available:

http://aneventapart.com/alasurvey2008/

[5] “2010 CWE/SANS top 25 most dangerous programming

errors,” The MITRE Corporation, Tech. Rep., Feb 25 2010.

[Online]. Available: http://cwe.mitre.org/top25/

[6] “OWASP top 10,” OWASP, Tech. Rep., 2007. [Online].

Available: http://www.owasp.org/index.php/Top 10 2007

[7] “XSS (cross site scripting) prevention cheat sheet,” OWASP,

Jan 16 2010, available from http://www.owasp.org/.

[8] C. Jackson and H. J. Wang, “Subspace: Secure cross-domain

communication for web mashups,” in Proc. of the 16th International

World Wide Web Conference (WWW2007), Banff,

Alberta, May 8-12 2007.

[9] “Wordpress.” [Online]. Available: http://wordpress.com

[10] “phpbb.” [Online]. Available: http://www.phpbb.com

[11] “Half-million sites mostly running phpbb forum software

hacked in latest attack,” CyberInsecure.com, May 12 2008.

[12] “The web hacking incidents database 2009: Bi-annual report,”

Breach Security, Aug 2009.

[13] “IBM Internet Security Systems X-ForceR 2008 mid-year

trend statistics,” IBM Global Technology Services, Tech.

Rep., Jul 2008.

[14] “X-forceR 2009 trend and risk report: Annual review of

2009,” IBM Security Solutions, Tech. Rep., 2009.

[15] F. Howard, “Wordpress injection attack and “affiliate pingpong”,”

SophosLabs blog, 2010.

[16] C. Herley, “So long, and no thanks for the externalities:

The rational rejection of security advice by users,” Proc. of

The 2009 New Security Paradigms Workshop (NSPW’09), pp.

133—144, Sep 8-11 2009.

[17] A. Adams and M. A. Sasse, “Users are not the enemy,”

Communications of the ACM, vol. 42, no. 12, pp. 41–46,

1999.

[18] G. Wurster and P. C. van Oorschot, “The developer is the

enemy,” New Security Paradigms Workshop (NSPW’08), Sep

2008.

[19] A. Barth, C. Jackson, and J. C. Mitchell, “Robust defenses

for cross-site request forgery,” in Proc. of ACM Computer and

Communications Security (CCS’08), 2008.

[20] B. Sterne, “Security/csp/spec,” Mozilla Corporation, Tech.

Rep., 2009. [Online]. Available: https://wiki.mozilla.org/

Security/CSP

[21] T. Oda, G. Wurster, P. van Oorschot, and A. Somayaji,

“SOMA: Mutual approval for included content in web pages,”

in Proc. of ACM Computer and Communications Security

(CCS’08), Oct 27-31 2008, pp. 89–98.

[22] P. Smith, “Top 10 firefox extensions to avoid,” Computerworld,

Apr 2007.

REFERENCES11

[1] J. Burke. Jsonrequest, part 2 (cross domain policy for

all). Blog, March 2006. URL:

http://tagneto.blogspot.com/2006/03/

jsonrequest-part-2-cross-domain-policy.html.

[2] S. Cook. A web developer’s guide to cross-site

scripting, January 2003.

http://www.giac.org/practical/GSEC/Steve_Cook_GSEC.

[3] M. Corporation. Bug 493857: Implement content

security policy.

https://bugzilla.mozilla.org/show bug.cgi?id=csp,

May 2009.

[4] M. Corporation. Content security policy formal

specification.

https://wiki.mozilla.org/Security/CSP/Spec, May

2009.

[5] D. Danchev. Mass iframe injectable attacks, March

2008.

http://ddanchev.blogspot.com/2008/03/

massive-iframe-seo-poisoning-attack.html.

[6] J. Grossman. Whitehat website security statistics

report. Whitepaper, WhiteHat,

http://www.whitehatsec.com/home/assets/WPstats0808.pdf,

August 2008.

[7] M. V. Gundy and H. Chen. Noncespaces: Using

randomization to enforce information flow tracking

and thwart cross-site scripting attacks. In Proceedings

of the 16th Annual Network and Distributed System

Security Symposium (NDSS), San Diego, CA,

Feb. 8-11, 2009.

[8] C. Jackson, A. Barth, A. Bortz, W. Shao, and

D. Boneh. Protecting browsers from dns rebinding

attacks. In CCS ’07: Proceedings of the 14th ACM

conference on Computer and communications security,

pages 421–431, New York, NY, USA, 2007. ACM.

[9] C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell.

Stanford safecache. http://www.safecache.com.

[10] C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell.

Stanford safehistory. http://www.safehistory.com.

[11] C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell.

Protecting browser state from web privacy attacks. In

WWW ’06: Proceedings of the 15th international

conference on World Wide Web, pages 737–744, New

York, NY, USA, 2006. ACM.

[12] M. Jakobsson and S. Stamm. Invasive browser sniffing

and countermeasures. In WWW ’06: Proceedings of

the 15th international conference on World Wide Web,

pages 523–532, New York, NY, USA, 2006. ACM.

[13] T. Jim, N. Swamy, and M. Hicks. Defeating script

injection attacks with browser-enforced embedded

policies. In WWW ’07: Proceedings of the 16th

international conference on World Wide Web, pages

601–610, New York, NY, USA, 2007. ACM.

[14] N. Jovanovic, E. Kirda, and C. Kruegel. Preventing

cross site request forgery attacks. In the IEEE

International Conference on Security and Privacy for

Emerging Areas in Communication Networks

(Securecomm), pages 1–10, September 2006.

[15] Z. Mao, N. Li, and I. Molloy. Defeating cross-site

request forgery attacks with browser-enforced

authenticity protection. In Financial Cryptography

and Data Security: 13th International Conference, FC

2009, Accra Beach, Barbados, February 23-26, 2009.

Revised Selected Papers, pages 238–255, Berlin,

Heidelberg, 2009. Springer-Verlag.

[16] A. Moshchuk, T. Bragin, D. Deville, S. D. Gribble,

and H. M. Levy. Spyproxy: execution-based detection

of malicious web content. In SS’07: Proceedings of

16th USENIX Security Symposium on USENIX

Security Symposium, pages 1–16, Berkeley, CA, USA,

2007. USENIX Association.

[17] T. Oda, G. Wurster, P. V. Oorschot, and A. Somayaji.

Soma: Mutual approval for included content in web

pages. In CCS’08: ACM Computer and

Communications Security, October 2008.

[18] C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and

S. Esmeir. Browsershield: vulnerability-driven filtering

of dynamic html. In OSDI ’06: Proceedings of the 7th

symposium on Operating systems design and

implementation, pages 61–74, Berkeley, CA, USA,

2006. USENIX Association.

[19] C. Reis, S. D. Gribble, and H. M. Levy. Architectural

principles for safe web programs. In Sixth Workshop

on Hot Topics in Networks (HotNets) 2007, Atlanta,

Georgia, November 2007.

[20] J. Ruderman. In Mozilla Documentation, August

2001. URL: http://www.mozilla.org/projects/

security/components/same-origin.html.

[21] W3C. Access control for cross-site requests. Technical

report, February 2008.

http://www.w3.org/TR/access-control/.

[22] H. J. Wang, X. Fan, J. Howell, and C. Jackson.

Protection and communication abstractions for web

browsers in mashupos. In SOSP ’07: Proceedings of

twenty-first ACM SIGOPS symposium on Operating

systems principles, pages 1–16, New York, NY, USA,

2007. ACM.

References10

[1] Phishmarkt :: de. http://baseportal.com/

baseportal/phishmarkt/de, 2006.

[2] Phishmarkt :: at. http://baseportal.com/

baseportal/phishmarkt/at, 2007.

[3] A. Soulard, P. Gieling, M. Hercelin and J. Boulmont.

@lex Guestbook. http://www.alexguestbook.

net, 2008.

[4] Acunetix. Acunetix Web Vulnerability Scanner. http:

//www.acunetix.com/, 2008.

[5] B. (BK) Rios. Google XSS. http://xs-sniper.com/

blog/2008/04/14/google-xss/, 2008.

[6] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic,

E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing

Static and Dynamic Analysis to Validate Sanitization inWeb

Applications. In IEEE Security and Privacy Symposium,

2008.

[7] CERT. Advisory CA-2000-02: Malicious HTML Tags Embedded

in Client Web Requests. http://www.cert.

org/advisories/CA-2000-02.html, 2000.

[8] D. Endler. The Evolution of Cross Site Scripting Attacks.

Technical report, iDEFENSE Labs, 2002.

[9] M. V. Gundy and H. Chen. Noncespaces: Using randomization

to enforce information flow tracking and thwart crosssite

scripting attacks. In Proceedings of the 16th Annual Network

and Distributed System Security Symposium (NDSS),

2009.

[10] O. Hallaraker and G. Vigna. Detecting Malicious JavaScript

Code in Mozilla. In Proceedings of the IEEE International

Conference on Engineering of Complex Computer Systems

(ICECCS), 2005.

[11] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static

Analysis Tool for DetectingWeb Application Vulnerabilities

(Short Paper). In IEEE Symposium on Security and Privacy,

2006.

[12] S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic. SecuBat: A

Web Vulnerability Scanner. In World Wide Web Conference,

2006.

[13] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes:

A client-side solution for mitigating cross-site scripting attacks.

In 21st ACM Symposium on Applied Computing

(SAC), 2006.

[14] G. D. Lucca, A. Fasolino, M. Mastoianni, and P. Tramontana.

Identifying cross site scripting vulnerabilities in web

applications. In Sixth IEEE International Workshop on Web

Site Evolution (WSE), 2004.

[15] M. Wagner. phpstats 0.1 alpha. http://www.

michael-wagner.de/software/phpstats/,

2008.

[16] S. McAllister, E. Kirda, and C. Kruegel. Expanding human

interactions for in-depth testing of web applications. In

11th Symposium on Recent Advances in Intrusion Detection

(RAID), 2008.

[17] NIST National Vulnerability Database. CVE-2002-

0902: Cross-site scripting vulnerability in phpBB 2.0.0.

http://nvd.nist.gov/nvd.cfm?cvename=

CVE-2002-0902, 2002.

[18] NIST National Vulnerability Database. CVE-2008-0125:

Cross-site scripting (XSS) vulnerability in phpstats.php.

http://nvd.nist.gov/nvd.cfm?cvename=

CVE-2008-0125, 2008.

[19] OWASP. OWASP Top Ten. http://www.owasp.

org/index.php/Category:OWASP_Top_Ten_

Project, 2007.

[20] phpBB. phpBB web forum software. http://www.

phpbb.com, 2008.

[21] PortSwigger. Burp Suite. http://portswigger.

net/suite/, 2008.

[22] RSnake. XSS Cheat Sheet. http://ha.ckers.org/

xss.html, 2008.

[23] D. Scott and R. Sharp. Abstracting Application-level Web

Security. In 11th World Wide Web Conference, 2002.

[24] SecurityFocus. @lex Guestbook Multiple Cross-Site Scripting

Vulnerabilities. http://www.securityfocus.

com/bid/28519/, 2008.

[25] Z. Su and G.Wassermann. The Essence of Command Injection

Attacks in Web Applications. In Symposium on Principles

of Programming Languages, 2006.

[26] T. Jim and N. Swamy and M. Hicks. BEEP: Browser-

Enforced Embedded Policies. In 16th International World

Wide Web Conference (WWW2007), Banff, 2007.

[27] P. Vogt, F. Nentwich, N. Jovanovic, C. Kruegel, E. Kirda,

and G. Vigna. Cross site scripting prevention with dynamic

data tainting and static analysis. In 14th Annual Network

and Distributed System Security Symposium (NDSS), 2007.

[28] Web Application Attack and Audit Framework. http://

w3af.sourceforge.net/.

[29] WhiteHat Security. Website Security Statistics Report.

http://www.whitehatsec.com/home/

resource/stats.html, 2008.

[30] Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities

in Scripting Languages. In 15th USENIX Security

Symposium, 2006.

References9

[1] Bugzilla. http://www.bugzilla,org/.

[2] HotCRP. http://www.cs.ucla.edu/˜kohler/hotcrp/

index.html/.

[3] OWASP: Top 10 2007. http://www.owasp.org/index.php/

Top_10_2007.

[4] E. Athanasopoulos, V. Pappas, and E. Markatos. Code injection attacks

in browsers supporting policies. In Proceedings of Web 2.0 Security and

Privacy 2009, 2009.

[5] P. Bisht and V. N. Venkatakrishnan. Xss-guard: Precise dynamic prevention

of cross-site scripting attacks. In Proceedings of the 5th international

conference on Detection of Intrusions and Malware, and Vulnerability Assessment,

DIMVA ’08, pages 23–43, Berlin, Heidelberg, 2008. Springer-

Verlag.

[6] F. Buclin. Bugzilla usage world wide. http://lpsolit.

wordpress.com/bugzilla-usage-worldwide/.

[7] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing

web application code by static analysis and runtime protection. In Proceedings

of the 13th international conference on World Wide Web, WWW

’04, pages 40–52, New York, NY, USA, 2004. ACM.

[8] T. Jim, N. Swamy, and M. Hicks. Beep: Browser-enforced embedded policies.

16th International World World Web Conference, 2007.

[9] B. Livshits and M. S. Lam. Finding security errors in Java programs with

static analysis. In Proceedings of the Usenix Security Symposium, 2005.

[10] B. Livshits, M. Martin, and M. S. Lam. SecuriFly: Runtime protection and

recovery from Web application vulnerabilities. Technical report, Stanford

University, Sept. 2006.

[11] B. Livshits and U´ lfar Erlingsson. Using web application construction

frameworks to protect against code injection attacks. In Proceedings of

the 2007 workshop on Programming languages and analysis for security.

[12] L. Meyerovich and B. Livshits. ConScript: Specifying and enforcing finegrained

security policies for JavaScript in the browser. In IEEE Symposium

on Security and Privacy, May 2010.

[13] Y. Nadji, P. Saxena, and D. Song. Document structure integrity: A robust

basis for cross-site scripting defense. Proceedings of the 16th Network and

Distributed System Security Symposium, 2009.

[14] P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A

symbolic execution framework for javascript. In Proceedings of the 2010

IEEE Symposium on Security and Privacy, SP ’10, pages 513–528, Washington,

DC, USA, 2010. IEEE Computer Society.

[15] P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic discovery

of client-side validation vulnerabilities in rich web applications. In

Network & Distributed System Security Symposium, (NDSS), 2010.

[16] P. Saxena, D. Molnar, and B. Livshits. Scriptgard: Preventing script injection

attacks in legacy web applications with automatic sanitization. Technical

report, Microsoft Research, September 2010.

[17] S. Stamm. Content security policy, 2009.

[18] S. Stamm, B. Sterne, and G. Markham. Reining in the web with content

security policy. In Proceedings of the 19th international conference on

World wide web, WWW ’10, pages 921–930, New York, NY, USA, 2010.

ACM.

[19] Z. Su and G. Wassermann. The essence of command injection attacks in

web applications. 2006.

[20] Template Toolkit. http://template-toolkit.org.

[21] Ter Louw, Mike and V.N. Venkatakrishnan. BluePrint: Robust Prevention

of Cross-site Scripting Attacks for Existing Browsers. In Proceedings of

the IEEE Symposium on Security and Privacy, 2009.

[22] TNW: The Next Web. YouTube hacked, Justin Bieber videos targeted.

http://thenextweb.com/socialmedia/2010/07/04/

youtube-hacked-justin-bieber-videos-targeted/.

[23] G. Wassermann and Z. Su. Sound and precise analysis of web applications

for injection vulnerabilities. In Proceedings of the ACM SIGPLAN conference

on Programming language design and implementation, pages 32–41,

New York, NY, USA, 2007. ACM.

[24] G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, and Z. Su.

Dynamic test input generation for web applications. In Proceedings of the

International symposium on Software testing and analysis, 2008.

[25] J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song. A

systematic analysis of xss sanitization in web application frameworks. In

Proceedings of 16th European Symposium on Research in Computer Security

(ESORICS), 2011.

[26] WhiteHat Security. WhiteHat Webinar: Fall 2010 Website Statistics

Report. http://www.whitehatsec.com/home/resource/

presentation.html.

[27] Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting

languages. In Proceedings of the Usenix Security Symposium, 2006.

[28] W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A

practical approach to defeat a wide range of attacks. In Proceedings of the

15th USENIX Security Symposium, pages 121–136, 2006.

REFERENCES8

[1] S. Cook. A Web Developers Guide to Cross-Site Scripting. Technical

Report, SANS Institute, 2003.

[2] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and

T. Berners-Lee. Hypertext Transfer Protocol – HTTP/1.1, IETF RFC

2616, 1999.

[3] O. Ismail, M. Etoh, Y. Kadobayashi, and S. Yamaguchi. A Proposal and

Implementation of Automatic Detection/Collection System for Cross-

Site Scripting Vulnerability. Proceedings of the International Conference

on Advanced Information Networking and Application, 2004.

[4] D. Jackson. Automating First-Order Relational Logic. Proceedings of

ACM Conference on Foundations of Software Engineering, 2000.

[5] D. Jackson. Alloy: A Lightweight Object Modelling Notation. Technical

Report, MIT Laboratory for Computer Science, 2000.

[6] M. Johns. SessionSafe: Implementing XSS Immune Session Handling.

Proceedings of European Symposium on Research in Computer Security,

2006.

[7] N. Jovanovic, E. Kirda, and C. Kruegel. Preventing Cross Site Request

Forgery Attacks. Proceedings of IEEE International Conference on

Security and Privacy in Communication Networks, 2006.

[8] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A Client-Side

Solution for Mitigating Cross Site Scripting Attacks. Proceedings of the

21st ACM Symposium on Applied Computing, 2006.

[9] T. Pietraszek, and C. Vanden Berghe. Defending against Injection

Attacks through Context-Sensitive String Evaluation. Proceedings of

Recent Advances in Intrusion Detection, 2005.

[10] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, G. Vigna.

Cross-Site Scripting Prevention with Dynamic Data Tainting and Static

Analysis. Proceedings of the Network and Distributed System Security

Symposium, 2007.

[11] L. Wall, T. Christiansen, R. Schwartz, and S. Potter. Programming Perl.

OReilly, 1996.

REFERENCES7

[1] Tim Berners-Lee and Dan Connolly. Hypertext

Markup Language - 2.0. IETF RFC 1866, November

1995.

[2] Steve Christey and Robert A. Martin. Vulnerability

type distributions in cve, 2007.

http://cwe.mitre.org/documents/vuln-trends/.

[3] Douglas Crockford. ADsafe.

[4] Facebook. Fbjs. http:

//wiki.developers.facebook.com/index.php/FBJS.

[5] David Flanagan. JavaScript: The De_nitive Guide,

chapter 20.4 The Data-Tainting Security Model.

O'Reilly & Associates, Inc., second edition, January

1997.

[6] Google. Caja: A source-to-source translator for

securing JavaScript-based web content.

http://code.google.com/p/google-caja/.

[7] Google. V8 benchmark suite. http://v8.googlecode.

com/svn/data/benchmarks/v5/run.html.

[8] Robert Hansen. XSS (cross site scripting) cheat sheet.

http://ha.ckers.org/xss.html.

[9] Apple Inc. Sunspider. http://www2.webkit.org/

perf/sunspider-0.9/sunspider.html.

[10] Inferno. Exploiting IE8 UTF-7 XSS vulnerability

using local redirection, May 2009.

http://securethoughts.com/2009/05/

exploiting-ie8-utf-7-xss-vulnerability-using-

local-redirection/.

[11] Engin Kirda, Christopher Kruegel, Giovanni Vigna,

and Nenad Jovanovic. Noxes: A client-side solution for

mitigating cross site scripting attacks. In Proceedings

of the 21st ACM Symposium on Applied Computing

(SAC), 2006.

[12] Eric Lawrence. IE8 security part VII: Clickjacking

defenses.

http://blogs.msdn.com/ie/archive/2009/01/27/

ie8-security-part-vii-clickjacking-defenses.

aspx.

[13] David Lindsay et al. Chrome gets XSS _lters,

September 2009.

http://sla.ckers.org/forum/read.php?13,31377.

[14] Giorgio Maone. NoScript. http://www.noscript.net.

[15] Larry Masinter. The \data" URL scheme. IETF RFC

2397, August 1998.

[16] Microsoft. About dynamic properties.

http://msdn.microsoft.com/en-us/library/

ms537634(VS.85).aspx.

[17] Mitre. CVE-2009-4074.

[18] Eduardo Vela Nava and David Lindsay. Our favorite

XSS _lters/IDS and how to attack them, 2009. Black

Hat USA presentation.

[19] Jeremias Reith. Internals of noXSS, October 2008.

http://www.noxss.org/wiki/Internals.

[20] David Ross. IE 8 XSS _lter

architecture/implementation, August 2008. http:

//blogs.technet.com/srd/archive/2008/08/18/

ie-8-xss-filter-architecture-implementation.

aspx.

[21] Steve. Preventing frame busting and click jacking,

Februrary 2009.

http://coderrr.wordpress.com/2009/02/13/

preventing-frame-busting-and-click-jacking-

ui-redressing/.

[22] Andrew van der Stock, Je_ Williams, and Dave

Wichers. OWASP top 10, 2007.

http://www.owasp.org/index.php/Top_10_2007.

[23] Philipp Vogt, Florian Nentwich, Nenad Jovanovic,

Engin Kirda, Christopher Kruegel, and Giovanni

Vigna. Cross site scripting prevention with dynamic

data tainting and static analysis. In Proceedings of the

Network and Distributed System Security Symposium

(NDSS), 2007.

[24] Michal Zalewski. Browser Security Handbook,

volume 2.

http://code.google.com/p/browsersec/wiki/

Part2#Arbitrary_page_mashups_(UI_redressing).

References5

1. Dabirsiaghi, A. January 5, 2008. HTML/CSS Injections – Primitive Malicious

Code. omg.wtf.bbq. Retrieved February 25, 2008 from http://i8jesus.com/?p=10.

2. Dabirsiaghi, A. February 25, 2008. Improving Hackvertor: Polymorphic

JavaScript Payloads. omg.wtf.bbq. Retrieved February 26, 2008 from

http://i8jesus.com/?p=15.

3. F-Secure Corporation, December, 2003. F-Secure Corporation's Data Security

Summary for 2003. Retrieved February 25, 2008 from http://www.fsecure.

com/2003/.

4. Gong, F. March, 2003. Deciphering Detection Techniques. Anomaly-Based

Intrusion Detection. Retrieved February 25, 2008 from

http://www.mcafee.com/us/local_content/white_papers/wp_ddt_anomaly.pdf.

5. Grossman, J. April, 2006. Cross-Site Scripting Worms and Viruses. WhiteHat.

Retrieved February 25, 2008, from http://www.netsecurity.

org/dl/articles/WHXSSThreats.pdf.

6. Grossman, J. November 27, 2007. Inconvenient Truth blog, SE0wN3d!!1.

Retrieved February 27, 2008 from

http://jeremiahgrossman.blogspot.com/2007/11/inconvenient-truth-blogse0wn3d1.

html.

7. Hansen, R. XSS Worm Analysis and Defense. ha.ckers.org. Retrieved February

25, 2008, from http://ha.ckers.org/xss-worms/.

8. Hansen, R. et. al. Creating and Combating the Ultimate XSS Worm.

sla.ckers.org. Retrieved February 25, 2008 from

http://sla.ckers.org/forum/read.php?2,19143.

9. Hansen, R. June 1, 2006. Content restrictions and XSS. ha.ckers.org. Retrieved

February 29, 2008 from http://ha.ckers.org/blog/20060601/content-restrictionsand-

xss/.

10. Heyes, G. January 21, 2008. Code Morphing. The Spanner. Retrieved February

25, 2008 from http://www.businessinfo.co.uk/labs/morph/morph.php.

11. Higgins, K. December 19, 2007. Google's Orkut Social Network Hacked. Dark

Reading. Retrieved February 25, 2008 from

http://www.darkreading.com/document.asp?doc_id=141761&WT.svl=news1_2.

12. Hoffman, B. and Sullivan, B. Ajax Security. Addison-Wesley, 2007.

13. Hoffman, B. April 2, 2007. Jikto in the wild. The HP Security Laboratory.

Retrieved February 27 from

http://portal.spidynamics.com/blogs/spilabs/archive/2007/04/02/Jikto-in-thewild.

aspx.

14. Jackson, C., Barth, A., Bortz, A., Shao, W., Boneh, D. Protecting Browsers from

DNS Rebinding Attacks. Retrieved February 25, 2008 from

http://crypto.stanford.edu/dns/dns-rebinding.pdf.

15. Kaplan, D. December 5, 2007. Duke University Law School Infiltrated by

Hackers. SC Magazine. Retrieved February 25, 2008 from

http://www.scmagazineus.com/Duke-University-Law-School-website-infiltratedby-

hackers/article/99613/.

16. Kerckhoffs, A. 1883. La Cryptographie Militaire. Journal Des Sciences

Militaires, IX, 5-83, 161-191.

17. Maone, G. NoScript – JavaScript/Java/Flash blocker for a safer Firefox

experience! Retrieved February 25, 2008 from http://noscript.net/.

18. Markham, G. February 24, 2005. Auto-Sizing IFRAMEs? Hacking for Christ.

Retrieved February 25, 2008 from

http://weblogs.mozillazine.org/gerv/archives/007610.html.

19. Rhodes, K. August 29, 2001. Code Red, Code Red II, and SirCam Attacks

Highlight Need for Proactive Measures. United States General Accounting

Office. Retrieved February 25, 2008 from

http://www.gao.gov/new.items/d011073t.pdf.

20. Sirdarkcat. November 8, 2007. Inside History of hacking rsnake for fun and

pagerank. SIRDARKCAT: Security and Programming Blog. Retrieved February

25, 2008 from http://sirdarckcat.blogspot.com/2007/11/inside-history-of-hackingrsnake-

for.html.

21. Sutton, Michael. December 31, 2006. Web Application Security Statistics. Web

Application Security Consortium. Retrieved February 25, 2008 from

http://www.webappsec.org/projects/statistics.

22. Unknown. Spam Mimic .Retrieved February 25, 2008, from

http://www.spammimic.com.

23. Valotta, R. Nduja Connection. Retrieved February 25, 2008 from

http://rosario.valotta.googlepages.com/home.

24. Veness, C. SHA-1 Cryptographic Hash Algorithm. Movable Type Scripts.

Retrieved February 25, 2008 from http://www.movabletype.

co.uk/scripts/sha1.html.

25. Zhou, Y., Cui X., Wu, B. Worm Poisoning Technology and Application.

CNCERT/CC. Retrieved February 27, 2008 from

http://www.first.org/conference/2006/papers/xiang-cui-papers.pdf.

26. Spafford, E. The Internet Worm Program: An Analysis. Purdue Technical Report

CSD-TR-823. Department of Computer Sciences, Purdue University. Retrieved

February 27, 2008 from http://homes.cerias.purdue.edu/~spaf/tech-reps/823.pdf.