REFERENCES

[1] S. M. Metev and V. P. Veiko, “Laser Assisted Microtechnology,” 2nd ed., R. M. Osgood, Jr., Ed. Berlin, Germany: Springer-Verlag, 1998.

[2] Z. Su and G. Wassermann, “The essence of command Injection Attacks in Web Applications,” In Proceedings of the 33rd Annual Symposium on Principles of Programming Languages, USA: ACM, January 2006, pp. 372-382.

[3] C. Yue and H. Wang, “Characterizing Insecure JavaScript Practice on the Web,” In Proceedings of the 18th International Conference on the World Wide Web, Madrid, Spain: ACM, April 20-24, 2005.

[4] Y. Xie and A. Aiken, “Static detection of security vulnerabilities in scripting languages,” In Proceedings of the 15th USENIX Security Symposium, July 2006, pp. 179-192.
[5] Y. Minamide, “Static Approximation of Dynamically Generated Web Pages,” In Proceedings of the 14th International Conference on the World Wide Web, 2005, pp. 432-441.

[6] Y.-W. Huang, F. Yu, C. Hang, C. H. Tsai, D. Lee, and S. Y. Kuo, “Securing web application code by static analysis and runtime protection,” In Proceedings of the 13th International World Wide Web Conference, 2004.

[7] A. S. Christensen, A. Møller, and M. I. Schwartzbach, “Precise analysis of string expression,” In Proceedings of the 10th International Static Analysis Symposium, vol. 2694 of LNCS, Springer-Verlag, pp. 1-18.

[8] Wikipedia, http://wikipedia.org.

[9] V. B. Livshits and M. S. Lam, “Finding security errors in Java programs with static analysis,” In Proceedings of the 14th Usenix Security Symposium, August 2005, pp. 271-286.

[10] T. Jim, N. Swamy, and M. Hicks, “BEEP: Browser-Enforced Embedded Policies,” In Proceedings of the 16th International World Wide Web Conference, ACM, 2007, pp. 601-610.

[11] P. Bisht and V. N. Venkatakrishnan, “XSS-GUARD: Precise dynamic prevention of Cross-Site Scripting Attacks,” In Proceedings of 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, LNCS 5137, 2008, pp. 23-43.

[12] N. Jovanovic, C. Kruegel, and E. Kirda, “Pixy: A static analysis tool for detecting web application vulnerabilities (short paper),” In 2006 IEEE Symposium on Security and Privacy, Oakland, CA: May 2006.

[13] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic, “Noxes: A client-side solution for mitigating cross site scripting attacks,” In Proceedings of the 21st ACM Symposium on Applied Computing, ACM, 2006, pp. 330-337.

[14] Grossman, RSNAKE, PDP, Rager, and Fogie, “XSS Attacks: Cross-site Scripting Exploits and Defense,” Syngress Publishing Inc, 2007.

[15] Y.-W. Huang, S.-K. Huang, T.-P. Lin, and C.-H. Tsai, “Web application security assessment by fault injection and Behavior Monitoring,” In Proceedings of the 12th International Conference on World Wide Web, ACM, New York, NY, USA: 2003, pp. 148-159.
[16] A. Klein, “DOM Based Cross Site Scripting or XSS of the Third Kind,” http://www.webappsec.org/projects/articles/071105.html, July 2005.

[17] “OWASP Document for top 10 2007 - Cross Site Scripting,” http://www.owasp.org/index.php/Top_10_2007-Cross_Site_Scripting.

[18] T. Pietraszek and C. V. Berghe, “Defending against Injection Attacks through Context-Sensitive String Evaluation,” In Proceedings of the 8th International Symposium on Recent Advance in Intrusion Detection (RAID), September 2005.

[19] D. Balzarotti, M. Cova, V. Felmetsger, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna, “Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications,” In IEEE Symposium on Security and Privacy, 2008.

[20] “Web Application Security Assessment,” SPI Dynamics Whitepaper, SPI Dynamics, 2003.

[21] “Web Application Security Testing – AppScan 3.5,” Sanctum Inc., http://www.sanctuminc.com.

[22] “JavaScript Security: Same origin,” Mozilla Foundation, http://www.mozilla.org/projects/security/components/same-origin.html, February 2006.

[23] “InterDo Version 3.0,” Kavado Whitepaper, Kavado Inc., 2003.

[24] “AppShield,” Sanctum Inc., http://sanctuminc.com, 2005.

[25] D. Balzarotti, M. Cova, V. V. Felmetsger, and G. Vigna, “Multi-Module Vulnerability Analysis of Web-based Applications,” In Proceedings of 14th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA: October 2007.

[26] N. Jovanovic, C. Kruegel, and E. Kirda, “Precise alias analysis for syntactic detection of web application vulnerabilities,” In ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottawa, Canada: June 2006.

[27] D. Scott and R. Sharp, “Abstracting Application-Level Web Security,” In Proceedings of the 11th International World Wide Web Conference, Honolulu, Hawaii: 2002, pp. 396-407.
[28] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. Lee, and S.-Y. Kuo, “Verifying Web Application using Bounded Model Checking,” In Proceedings of the International Conference on Dependable Systems and Networks, 2004.

[29] G. Wassermann and Z. Su, “Static detection of cross-site Scripting vulnerabilities,” In Proceedings of the 30th International Conference on Software Engineering, May 2008.

[30] S. Christey, “Vulnerability type distributions in CVE,” http://cwe.mitre.org/documents/vuln-trends.html, October 2006.

[31] H. Hosoya and B. C. Pierce, “Xduce: A typed xml processing language (preliminary report),” In Proceedings of the 3rd International Workshop on World Wide Web and Databases, Springer-Verlag, London, UK: 2001, pp. 226-244.

[32] M. Mohri and M. Nederhof, “Regular approximation of context-free grammars through transformation,” Robustness in Language and Speech Technology, 1996, pp. 231-238.

[33] “LogiCampus Educational Platform,” http://sourceforge.net/projects/logicampus

[34] “Testing for DOM-based cross-site scripting (OWASP-DV-003),” http://www.owasp.org/index.php/Testing_for_DOMbased_Cross_site_scripting_(OWASP-DV-003)