Tuesday, 29 May 2012


REFERENCES12

[1] “Web application security trends report – q3-q4, 2009,”
Cenzic Inc., 2009.
[2] “UK security breach investigations report: An analysis of data
compromise cases,” 7safe, 2010.
[3] “Fall 09 website security statistics report,” WhiteHat Security,
Tech. Rep., 2009.
[4] A List Apart, “Findings from the A List Apart survey for
people who make websites, 2008,” 2008. [Online]. Available:
http://aneventapart.com/alasurvey2008/
[5] “2010 CWE/SANS top 25 most dangerous programming
errors,” The MITRE Corporation, Tech. Rep., Feb 25 2010.
[Online]. Available: http://cwe.mitre.org/top25/
[6] “OWASP top 10,” OWASP, Tech. Rep., 2007. [Online].
Available: http://www.owasp.org/index.php/Top_10_2007
[7] “XSS (cross site scripting) prevention cheat sheet,” OWASP,
Jan 16 2010, available from http://www.owasp.org/.
[8] C. Jackson and H. J. Wang, “Subspace: Secure cross-domain
communication for web mashups,” in Proc. of the 16th International
World Wide Web Conference (WWW2007), Banff,
Alberta, May 8-12 2007.
[9] “Wordpress.” [Online]. Available: http://wordpress.com
[10] “phpbb.” [Online]. Available: http://www.phpbb.com
[11] “Half-million sites mostly running phpbb forum software
hacked in latest attack,” CyberInsecure.com, May 12 2008.
[12] “The web hacking incidents database 2009: Bi-annual report,”
Breach Security, Aug 2009.
[13] “IBM Internet Security Systems X-Force® 2008 mid-year
trend statistics,” IBM Global Technology Services, Tech.
Rep., Jul 2008.
[14] “X-Force® 2009 trend and risk report: Annual review of
2009,” IBM Security Solutions, Tech. Rep., 2009.
[15] F. Howard, “Wordpress injection attack and ‘affiliate pingpong’,”
SophosLabs blog, 2010.
[16] C. Herley, “So long, and no thanks for the externalities:
The rational rejection of security advice by users,” Proc. of
The 2009 New Security Paradigms Workshop (NSPW’09), pp.
133–144, Sep 8-11 2009.
[17] A. Adams and M. A. Sasse, “Users are not the enemy,”
Communications of the ACM, vol. 42, no. 12, pp. 41–46,
1999.
[18] G. Wurster and P. C. van Oorschot, “The developer is the
enemy,” New Security Paradigms Workshop (NSPW’08), Sep
2008.
[19] A. Barth, C. Jackson, and J. C. Mitchell, “Robust defenses
for cross-site request forgery,” in Proc. of ACM Computer and
Communications Security (CCS’08), 2008.
[20] B. Sterne, “Security/CSP/Spec,” Mozilla Corporation, Tech.
Rep., 2009. [Online]. Available: https://wiki.mozilla.org/Security/CSP
[21] T. Oda, G. Wurster, P. van Oorschot, and A. Somayaji,
“SOMA: Mutual approval for included content in web pages,”
in Proc. of ACM Computer and Communications Security
(CCS’08), Oct 27-31 2008, pp. 89–98.
[22] P. Smith, “Top 10 firefox extensions to avoid,” Computerworld,
Apr 2007.

REFERENCES11
[1] J. Burke. JSONRequest, part 2 (cross domain policy for
all). Blog, March 2006. URL:
http://tagneto.blogspot.com/2006/03/jsonrequest-part-2-cross-domain-policy.html.
[2] S. Cook. A web developer’s guide to cross-site
scripting, January 2003.
http://www.giac.org/practical/GSEC/Steve_Cook_GSEC.
[3] Mozilla Corporation. Bug 493857: Implement content
security policy.
https://bugzilla.mozilla.org/show_bug.cgi?id=csp,
May 2009.
[4] Mozilla Corporation. Content security policy formal
specification.
https://wiki.mozilla.org/Security/CSP/Spec, May
2009.
[5] D. Danchev. Mass iframe injectable attacks, March
2008.
http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html.
[6] J. Grossman. Whitehat website security statistics
report. Whitepaper, WhiteHat,
http://www.whitehatsec.com/home/assets/WPstats0808.pdf,
August 2008.
[7] M. V. Gundy and H. Chen. Noncespaces: Using
randomization to enforce information flow tracking
and thwart cross-site scripting attacks. In Proceedings
of the 16th Annual Network and Distributed System
Security Symposium (NDSS), San Diego, CA,
Feb. 8-11, 2009.
[8] C. Jackson, A. Barth, A. Bortz, W. Shao, and
D. Boneh. Protecting browsers from DNS rebinding
attacks. In CCS ’07: Proceedings of the 14th ACM
conference on Computer and communications security,
pages 421–431, New York, NY, USA, 2007. ACM.
[9] C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell.
Stanford SafeCache. http://www.safecache.com.
[10] C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell.
Stanford SafeHistory. http://www.safehistory.com.
[11] C. Jackson, A. Bortz, D. Boneh, and J. C. Mitchell.
Protecting browser state from web privacy attacks. In
WWW ’06: Proceedings of the 15th international
conference on World Wide Web, pages 737–744, New
York, NY, USA, 2006. ACM.
[12] M. Jakobsson and S. Stamm. Invasive browser sniffing
and countermeasures. In WWW ’06: Proceedings of
the 15th international conference on World Wide Web,
pages 523–532, New York, NY, USA, 2006. ACM.
[13] T. Jim, N. Swamy, and M. Hicks. Defeating script
injection attacks with browser-enforced embedded
policies. In WWW ’07: Proceedings of the 16th
international conference on World Wide Web, pages
601–610, New York, NY, USA, 2007. ACM.
[14] N. Jovanovic, E. Kirda, and C. Kruegel. Preventing
cross site request forgery attacks. In the IEEE
International Conference on Security and Privacy for
Emerging Areas in Communication Networks
(Securecomm), pages 1–10, September 2006.
[15] Z. Mao, N. Li, and I. Molloy. Defeating cross-site
request forgery attacks with browser-enforced
authenticity protection. In Financial Cryptography
and Data Security: 13th International Conference, FC
2009, Accra Beach, Barbados, February 23-26, 2009.
Revised Selected Papers, pages 238–255, Berlin,
Heidelberg, 2009. Springer-Verlag.
[16] A. Moshchuk, T. Bragin, D. Deville, S. D. Gribble,
and H. M. Levy. Spyproxy: execution-based detection
of malicious web content. In SS’07: Proceedings of
16th USENIX Security Symposium on USENIX
Security Symposium, pages 1–16, Berkeley, CA, USA,
2007. USENIX Association.
[17] T. Oda, G. Wurster, P. C. van Oorschot, and A. Somayaji.
SOMA: Mutual approval for included content in web
pages. In CCS’08: ACM Computer and
Communications Security, October 2008.
[18] C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and
S. Esmeir. BrowserShield: vulnerability-driven filtering
of dynamic HTML. In OSDI ’06: Proceedings of the 7th
symposium on Operating systems design and
implementation, pages 61–74, Berkeley, CA, USA,
2006. USENIX Association.
[19] C. Reis, S. D. Gribble, and H. M. Levy. Architectural
principles for safe web programs. In Sixth Workshop
on Hot Topics in Networks (HotNets) 2007, Atlanta,
Georgia, November 2007.
[20] J. Ruderman. In Mozilla Documentation, August
2001. URL: http://www.mozilla.org/projects/security/components/same-origin.html.
[21] W3C. Access control for cross-site requests. Technical
report, February 2008.
http://www.w3.org/TR/access-control/.
[22] H. J. Wang, X. Fan, J. Howell, and C. Jackson.
Protection and communication abstractions for web
browsers in mashupos. In SOSP ’07: Proceedings of
twenty-first ACM SIGOPS symposium on Operating
systems principles, pages 1–16, New York, NY, USA,
2007. ACM.

References10
[1] Phishmarkt :: de. http://baseportal.com/baseportal/phishmarkt/de, 2006.
[2] Phishmarkt :: at. http://baseportal.com/baseportal/phishmarkt/at, 2007.
[3] A. Soulard, P. Gieling, M. Hercelin and J. Boulmont.
@lex Guestbook. http://www.alexguestbook.net, 2008.
[4] Acunetix. Acunetix Web Vulnerability Scanner. http://www.acunetix.com/, 2008.
[5] B. (BK) Rios. Google XSS. http://xs-sniper.com/blog/2008/04/14/google-xss/, 2008.
[6] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic,
E. Kirda, C. Kruegel, and G. Vigna. Saner: Composing
Static and Dynamic Analysis to Validate Sanitization in Web
Applications. In IEEE Security and Privacy Symposium,
2008.
[7] CERT. Advisory CA-2000-02: Malicious HTML Tags Embedded
in Client Web Requests. http://www.cert.org/advisories/CA-2000-02.html, 2000.
[8] D. Endler. The Evolution of Cross Site Scripting Attacks.
Technical report, iDEFENSE Labs, 2002.
[9] M. V. Gundy and H. Chen. Noncespaces: Using randomization
to enforce information flow tracking and thwart cross-site
scripting attacks. In Proceedings of the 16th Annual Network
and Distributed System Security Symposium (NDSS),
2009.
[10] O. Hallaraker and G. Vigna. Detecting Malicious JavaScript
Code in Mozilla. In Proceedings of the IEEE International
Conference on Engineering of Complex Computer Systems
(ICECCS), 2005.
[11] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static
Analysis Tool for Detecting Web Application Vulnerabilities
(Short Paper). In IEEE Symposium on Security and Privacy,
2006.
[12] S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic. SecuBat: A
Web Vulnerability Scanner. In World Wide Web Conference,
2006.
[13] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes:
A client-side solution for mitigating cross-site scripting attacks.
In 21st ACM Symposium on Applied Computing
(SAC), 2006.
[14] G. D. Lucca, A. Fasolino, M. Mastoianni, and P. Tramontana.
Identifying cross site scripting vulnerabilities in web
applications. In Sixth IEEE International Workshop on Web
Site Evolution (WSE), 2004.
[15] M. Wagner. phpstats 0.1 alpha. http://www.michael-wagner.de/software/phpstats/,
2008.
[16] S. McAllister, E. Kirda, and C. Kruegel. Expanding human
interactions for in-depth testing of web applications. In
11th Symposium on Recent Advances in Intrusion Detection
(RAID), 2008.
[17] NIST National Vulnerability Database. CVE-2002-0902:
Cross-site scripting vulnerability in phpBB 2.0.0.
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-0902, 2002.
[18] NIST National Vulnerability Database. CVE-2008-0125:
Cross-site scripting (XSS) vulnerability in phpstats.php.
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0125, 2008.
[19] OWASP. OWASP Top Ten. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, 2007.
[20] phpBB. phpBB web forum software. http://www.phpbb.com, 2008.
[21] PortSwigger. Burp Suite. http://portswigger.net/suite/, 2008.
[22] RSnake. XSS Cheat Sheet. http://ha.ckers.org/xss.html, 2008.
[23] D. Scott and R. Sharp. Abstracting Application-level Web
Security. In 11th World Wide Web Conference, 2002.
[24] SecurityFocus. @lex Guestbook Multiple Cross-Site Scripting
Vulnerabilities. http://www.securityfocus.com/bid/28519/, 2008.
[25] Z. Su and G. Wassermann. The Essence of Command Injection
Attacks in Web Applications. In Symposium on Principles
of Programming Languages, 2006.
[26] T. Jim, N. Swamy, and M. Hicks. BEEP: Browser-Enforced
Embedded Policies. In 16th International World
Wide Web Conference (WWW2007), Banff, 2007.
[27] P. Vogt, F. Nentwich, N. Jovanovic, C. Kruegel, E. Kirda,
and G. Vigna. Cross site scripting prevention with dynamic
data tainting and static analysis. In 14th Annual Network
and Distributed System Security Symposium (NDSS), 2007.
[28] Web Application Attack and Audit Framework. http://w3af.sourceforge.net/.
[29] WhiteHat Security. Website Security Statistics Report.
http://www.whitehatsec.com/home/resource/stats.html, 2008.
[30] Y. Xie and A. Aiken. Static Detection of Security Vulnerabilities
in Scripting Languages. In 15th USENIX Security
Symposium, 2006.
References9
[1] Bugzilla. http://www.bugzilla.org/.
[2] HotCRP. http://www.cs.ucla.edu/~kohler/hotcrp/index.html/.
[3] OWASP: Top 10 2007. http://www.owasp.org/index.php/Top_10_2007.
[4] E. Athanasopoulos, V. Pappas, and E. Markatos. Code injection attacks
in browsers supporting policies. In Proceedings of Web 2.0 Security and
Privacy 2009, 2009.
[5] P. Bisht and V. N. Venkatakrishnan. XSS-GUARD: Precise dynamic prevention
of cross-site scripting attacks. In Proceedings of the 5th international
conference on Detection of Intrusions and Malware, and Vulnerability Assessment,
DIMVA ’08, pages 23–43, Berlin, Heidelberg, 2008. Springer-Verlag.
[6] F. Buclin. Bugzilla usage world wide. http://lpsolit.wordpress.com/bugzilla-usage-worldwide/.
[7] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing
web application code by static analysis and runtime protection. In Proceedings
of the 13th international conference on World Wide Web, WWW
’04, pages 40–52, New York, NY, USA, 2004. ACM.
[8] T. Jim, N. Swamy, and M. Hicks. BEEP: Browser-enforced embedded policies.
16th International World Wide Web Conference, 2007.
[9] B. Livshits and M. S. Lam. Finding security errors in Java programs with
static analysis. In Proceedings of the Usenix Security Symposium, 2005.
[10] B. Livshits, M. Martin, and M. S. Lam. SecuriFly: Runtime protection and
recovery from Web application vulnerabilities. Technical report, Stanford
University, Sept. 2006.
[11] B. Livshits and Ú. Erlingsson. Using web application construction
frameworks to protect against code injection attacks. In Proceedings of
the 2007 workshop on Programming languages and analysis for security.
[12] L. Meyerovich and B. Livshits. ConScript: Specifying and enforcing fine-grained
security policies for JavaScript in the browser. In IEEE Symposium
on Security and Privacy, May 2010.
[13] Y. Nadji, P. Saxena, and D. Song. Document structure integrity: A robust
basis for cross-site scripting defense. Proceedings of the 16th Network and
Distributed System Security Symposium, 2009.
[14] P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A
symbolic execution framework for JavaScript. In Proceedings of the 2010
IEEE Symposium on Security and Privacy, SP ’10, pages 513–528, Washington,
DC, USA, 2010. IEEE Computer Society.
[15] P. Saxena, S. Hanna, P. Poosankam, and D. Song. FLAX: Systematic discovery
of client-side validation vulnerabilities in rich web applications. In
Network & Distributed System Security Symposium, (NDSS), 2010.
[16] P. Saxena, D. Molnar, and B. Livshits. ScriptGard: Preventing script injection
attacks in legacy web applications with automatic sanitization. Technical
report, Microsoft Research, September 2010.
[17] S. Stamm. Content security policy, 2009.
[18] S. Stamm, B. Sterne, and G. Markham. Reining in the web with content
security policy. In Proceedings of the 19th international conference on
World wide web, WWW ’10, pages 921–930, New York, NY, USA, 2010.
ACM.
[19] Z. Su and G. Wassermann. The essence of command injection attacks in
web applications. In Symposium on Principles of Programming Languages, 2006.
[20] Template Toolkit. http://template-toolkit.org.
[21] M. Ter Louw and V. N. Venkatakrishnan. BluePrint: Robust Prevention
of Cross-site Scripting Attacks for Existing Browsers. In Proceedings of
the IEEE Symposium on Security and Privacy, 2009.
[22] TNW: The Next Web. YouTube hacked, Justin Bieber videos targeted.
http://thenextweb.com/socialmedia/2010/07/04/youtube-hacked-justin-bieber-videos-targeted/.
[23] G. Wassermann and Z. Su. Sound and precise analysis of web applications
for injection vulnerabilities. In Proceedings of the ACM SIGPLAN conference
on Programming language design and implementation, pages 32–41,
New York, NY, USA, 2007. ACM.
[24] G. Wassermann, D. Yu, A. Chander, D. Dhurjati, H. Inamura, and Z. Su.
Dynamic test input generation for web applications. In Proceedings of the
International symposium on Software testing and analysis, 2008.
[25] J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song. A
systematic analysis of XSS sanitization in web application frameworks. In
Proceedings of 16th European Symposium on Research in Computer Security
(ESORICS), 2011.
[26] WhiteHat Security. WhiteHat Webinar: Fall 2010 Website Statistics
Report. http://www.whitehatsec.com/home/resource/presentation.html.
[27] Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting
languages. In Proceedings of the Usenix Security Symposium, 2006.
[28] W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A
practical approach to defeat a wide range of attacks. In Proceedings of the
15th USENIX Security Symposium, pages 121–136, 2006.


REFERENCES8
[1] S. Cook. A Web Developer's Guide to Cross-Site Scripting. Technical
Report, SANS Institute, 2003.
[2] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and
T. Berners-Lee. Hypertext Transfer Protocol – HTTP/1.1, IETF RFC
2616, 1999.
[3] O. Ismail, M. Etoh, Y. Kadobayashi, and S. Yamaguchi. A Proposal and
Implementation of Automatic Detection/Collection System for Cross-
Site Scripting Vulnerability. Proceedings of the International Conference
on Advanced Information Networking and Application, 2004.
[4] D. Jackson. Automating First-Order Relational Logic. Proceedings of
ACM Conference on Foundations of Software Engineering, 2000.
[5] D. Jackson. Alloy: A Lightweight Object Modelling Notation. Technical
Report, MIT Laboratory for Computer Science, 2000.
[6] M. Johns. SessionSafe: Implementing XSS Immune Session Handling.
Proceedings of European Symposium on Research in Computer Security,
2006.
[7] N. Jovanovic, E. Kirda, and C. Kruegel. Preventing Cross Site Request
Forgery Attacks. Proceedings of IEEE International Conference on
Security and Privacy in Communication Networks, 2006.
[8] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A Client-Side
Solution for Mitigating Cross Site Scripting Attacks. Proceedings of the
21st ACM Symposium on Applied Computing, 2006.
[9] T. Pietraszek and C. Vanden Berghe. Defending against Injection
Attacks through Context-Sensitive String Evaluation. Proceedings of
Recent Advances in Intrusion Detection, 2005.
[10] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna.
Cross-Site Scripting Prevention with Dynamic Data Tainting and Static
Analysis. Proceedings of the Network and Distributed System Security
Symposium, 2007.
[11] L. Wall, T. Christiansen, R. Schwartz, and S. Potter. Programming Perl.
O'Reilly, 1996.

REFERENCES7
[1] Tim Berners-Lee and Dan Connolly. Hypertext
Markup Language - 2.0. IETF RFC 1866, November
1995.
[2] Steve Christey and Robert A. Martin. Vulnerability
type distributions in CVE, 2007.
http://cwe.mitre.org/documents/vuln-trends/.
[3] Douglas Crockford. ADsafe.
[4] Facebook. FBJS. http://wiki.developers.facebook.com/index.php/FBJS.
[5] David Flanagan. JavaScript: The Definitive Guide,
chapter 20.4 The Data-Tainting Security Model.
O'Reilly & Associates, Inc., second edition, January
1997.
[6] Google. Caja: A source-to-source translator for
securing JavaScript-based web content.
http://code.google.com/p/google-caja/.
[7] Google. V8 benchmark suite. http://v8.googlecode.com/svn/data/benchmarks/v5/run.html.
[8] Robert Hansen. XSS (cross site scripting) cheat sheet.
http://ha.ckers.org/xss.html.
[9] Apple Inc. SunSpider. http://www2.webkit.org/perf/sunspider-0.9/sunspider.html.
[10] Inferno. Exploiting IE8 UTF-7 XSS vulnerability
using local redirection, May 2009.
http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/.
[11] Engin Kirda, Christopher Kruegel, Giovanni Vigna,
and Nenad Jovanovic. Noxes: A client-side solution for
mitigating cross site scripting attacks. In Proceedings
of the 21st ACM Symposium on Applied Computing
(SAC), 2006.
[12] Eric Lawrence. IE8 security part VII: Clickjacking
defenses.
http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx.
[13] David Lindsay et al. Chrome gets XSS filters,
September 2009.
http://sla.ckers.org/forum/read.php?13,31377.
[14] Giorgio Maone. NoScript. http://www.noscript.net.
[15] Larry Masinter. The "data" URL scheme. IETF RFC
2397, August 1998.
[16] Microsoft. About dynamic properties.
http://msdn.microsoft.com/en-us/library/ms537634(VS.85).aspx.
[17] Mitre. CVE-2009-4074.
[18] Eduardo Vela Nava and David Lindsay. Our favorite
XSS filters/IDS and how to attack them, 2009. Black
Hat USA presentation.
[19] Jeremias Reith. Internals of noXSS, October 2008.
http://www.noxss.org/wiki/Internals.
[20] David Ross. IE 8 XSS filter
architecture/implementation, August 2008.
http://blogs.technet.com/srd/archive/2008/08/18/ie-8-xss-filter-architecture-implementation.aspx.
[21] Steve. Preventing frame busting and click jacking,
February 2009.
http://coderrr.wordpress.com/2009/02/13/preventing-frame-busting-and-click-jacking-ui-redressing/.
[22] Andrew van der Stock, Jeff Williams, and Dave
Wichers. OWASP top 10, 2007.
http://www.owasp.org/index.php/Top_10_2007.
[23] Philipp Vogt, Florian Nentwich, Nenad Jovanovic,
Engin Kirda, Christopher Kruegel, and Giovanni
Vigna. Cross site scripting prevention with dynamic
data tainting and static analysis. In Proceedings of the
Network and Distributed System Security Symposium
(NDSS), 2007.
[24] Michal Zalewski. Browser Security Handbook,
volume 2.
http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing).


References5
1. Dabirsiaghi, A. January 5, 2008. HTML/CSS Injections – Primitive Malicious
Code. omg.wtf.bbq. Retrieved February 25, 2008 from http://i8jesus.com/?p=10.
2. Dabirsiaghi, A. February 25, 2008. Improving Hackvertor: Polymorphic
JavaScript Payloads. omg.wtf.bbq. Retrieved February 26, 2008 from
http://i8jesus.com/?p=15.
3. F-Secure Corporation, December, 2003. F-Secure Corporation's Data Security
Summary for 2003. Retrieved February 25, 2008 from http://www.f-secure.com/2003/.
4. Gong, F. March, 2003. Deciphering Detection Techniques. Anomaly-Based
Intrusion Detection. Retrieved February 25, 2008 from
http://www.mcafee.com/us/local_content/white_papers/wp_ddt_anomaly.pdf.
5. Grossman, J. April, 2006. Cross-Site Scripting Worms and Viruses. WhiteHat.
Retrieved February 25, 2008, from http://www.net-security.org/dl/articles/WHXSSThreats.pdf.
6. Grossman, J. November 27, 2007. Inconvenient Truth blog, SE0wN3d!!1.
Retrieved February 27, 2008 from
http://jeremiahgrossman.blogspot.com/2007/11/inconvenient-truth-blog-se0wn3d1.html.
7. Hansen, R. XSS Worm Analysis and Defense. ha.ckers.org. Retrieved February
25, 2008, from http://ha.ckers.org/xss-worms/.
8. Hansen, R. et al. Creating and Combating the Ultimate XSS Worm.
sla.ckers.org. Retrieved February 25, 2008 from
http://sla.ckers.org/forum/read.php?2,19143.
9. Hansen, R. June 1, 2006. Content restrictions and XSS. ha.ckers.org. Retrieved
February 29, 2008 from http://ha.ckers.org/blog/20060601/content-restrictions-and-xss/.
10. Heyes, G. January 21, 2008. Code Morphing. The Spanner. Retrieved February
25, 2008 from http://www.businessinfo.co.uk/labs/morph/morph.php.
11. Higgins, K. December 19, 2007. Google's Orkut Social Network Hacked. Dark
Reading. Retrieved February 25, 2008 from
http://www.darkreading.com/document.asp?doc_id=141761&WT.svl=news1_2.
12. Hoffman, B. and Sullivan, B. Ajax Security. Addison-Wesley, 2007.
13. Hoffman, B. April 2, 2007. Jikto in the wild. The HP Security Laboratory.
Retrieved February 27 from
http://portal.spidynamics.com/blogs/spilabs/archive/2007/04/02/Jikto-in-the-wild.aspx.
14. Jackson, C., Barth, A., Bortz, A., Shao, W., Boneh, D. Protecting Browsers from
DNS Rebinding Attacks. Retrieved February 25, 2008 from
http://crypto.stanford.edu/dns/dns-rebinding.pdf.
15. Kaplan, D. December 5, 2007. Duke University Law School Infiltrated by
Hackers. SC Magazine. Retrieved February 25, 2008 from
http://www.scmagazineus.com/Duke-University-Law-School-website-infiltrated-by-hackers/article/99613/.
16. Kerckhoffs, A. 1883. La Cryptographie Militaire. Journal Des Sciences
Militaires, IX, 5-83, 161-191.
17. Maone, G. NoScript – JavaScript/Java/Flash blocker for a safer Firefox
experience! Retrieved February 25, 2008 from http://noscript.net/.
18. Markham, G. February 24, 2005. Auto-Sizing IFRAMEs? Hacking for Christ.
Retrieved February 25, 2008 from
http://weblogs.mozillazine.org/gerv/archives/007610.html.
19. Rhodes, K. August 29, 2001. Code Red, Code Red II, and SirCam Attacks
Highlight Need for Proactive Measures. United States General Accounting
Office. Retrieved February 25, 2008 from
http://www.gao.gov/new.items/d011073t.pdf.
20. Sirdarkcat. November 8, 2007. Inside History of hacking rsnake for fun and
pagerank. SIRDARKCAT: Security and Programming Blog. Retrieved February
25, 2008 from http://sirdarckcat.blogspot.com/2007/11/inside-history-of-hacking-rsnake-for.html.
21. Sutton, Michael. December 31, 2006. Web Application Security Statistics. Web
Application Security Consortium. Retrieved February 25, 2008 from
http://www.webappsec.org/projects/statistics.
22. Unknown. Spam Mimic. Retrieved February 25, 2008, from
http://www.spammimic.com.
23. Valotta, R. Nduja Connection. Retrieved February 25, 2008 from
http://rosario.valotta.googlepages.com/home.
24. Veness, C. SHA-1 Cryptographic Hash Algorithm. Movable Type Scripts.
Retrieved February 25, 2008 from http://www.movable-type.co.uk/scripts/sha1.html.
25. Zhou, Y., Cui X., Wu, B. Worm Poisoning Technology and Application.
CNCERT/CC. Retrieved February 27, 2008 from
http://www.first.org/conference/2006/papers/xiang-cui-papers.pdf.
26. Spafford, E. The Internet Worm Program: An Analysis. Purdue Technical Report
CSD-TR-823. Department of Computer Sciences, Purdue University. Retrieved