References
Costa, M., Crowcroft, J., Castro, M., Rowstron, A., Zhou, L., Zhang, L., Barham, P.: Vigilante: End-to-End Containment of Internet Worms. In: Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP), pp. 133–147 (2005)
Crandall, J.R., Su, Z., Wu, S.F., Chong, F.T.: On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In: Proceedings of the 12th ACM Conference on Computer and Communications Security, pp. 235–248. ACM Press, New York (2005)
Edwards, D.: Dean Edwards JavaScript packer, http://dean.edwards.name/packer/
Firebug, http://getfirebug.com/
Gundy, M.V., Chen, H.: Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (2009)
Hansen, R.: XSS cheat sheet, http://ha.ckers.org/xss.html
Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with Browser-Enforced Embedded Policies. In: Proceedings of the 16th International Conference on World Wide Web (WWW), pp. 601–610 (2007)
Kamkar, S.: The Samy worm (2005), http://namb.la/popular/tech.html
Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: A client-side solution for mitigating cross-site scripting attacks. In: Proceedings of the ACM Symposium on Applied Computing (SAC), pp. 330–337 (2006)
Li, Z., Sanghi, M., Chen, Y., Kao, M.-Y., Chavez, B.: Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 32–47. IEEE Computer Society Press, Los Alamitos (2006)
Liang, Z., Sekar, R.: Fast and automated generation of attack signatures: A basis for building self-protecting servers. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (2005)
Livshits, B., Cui, W.: Spectator: Detection and containment of JavaScript worms. In: Proceedings of the USENIX 2008 Annual Technical Conference, pp. 335–348. USENIX Association (2008)
Diminutive XSS worm replication contest (2008), http://sla.ckers.org/forum/read.php?2,18790,page=19
Ahmed, T.: The trigram algorithm, http://search.cpan.org/dist/String-Trigram/Trigram.pm
Alexa: Top sites in United States, http://www.alexa.com/topsites
Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Saner: Composing static and dynamic analysis to validate sanitization in Web applications. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 387–401. IEEE Computer Society Press, Los Alamitos (2008)
Chang, W., Streiff, B., Lin, C.: Efficient and extensible security enforcement using dynamic data flow analysis. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 39–50. ACM Press, New York (2008)
Louw, M.T., Venkatakrishnan, V.N.: Blueprint: Robust prevention of cross-site scripting attacks for existing browsers. In: Proceedings of the 30th IEEE Symposium on Security and Privacy (2009)
554
F. Sun, L. Xu, and Z. Su
Mozilla Corporation: Same origin policy for JavaScript, https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript
Nadji, Y., Saxena, P., Song, D.: Document structure integrity: A robust basis for cross-site scripting defense. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (2009)
Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium (2005)
OWASP, http://www.owasp.org
Sekar, R.: An efficient black-box technique for defeating Web application attacks. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (2009)
Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: Proceedings of the 33rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 372–382. ACM Press, New York (2006)
Symantec Corporation: Symantec Global Internet Security Threat Report, vol. XIII (2008)
W3C, http://www.w3.org/
Wang, K., Cretu, G., Stolfo, S.J.: Anomalous payload-based worm detection and signature generation. In: Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection, pp. 227–246 (2005)
Wang, K., Parekh, J.J., Stolfo, S.J.: Anagram: A content anomaly detector resistant to mimicry attack. In: Proceedings of the 9th International Symposium on Recent Advances in Intrusion Detection, pp. 226–248 (2006)
Wassermann, G., Su, Z.: Static detection of cross-site scripting vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering, pp. 171–180. ACM Press, New York (2008)
Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: Proceedings of the 15th USENIX Security Symposium. USENIX Association (2006)