[1] addmimistrator@gmail.com. MyBB 1.0.2 XSS Attack
in search.php Redirection. http://www.
securityfocus.com/archive/1/423135,
January 2006.
[2] A. Aho, R. Sethi, and J. Ullman. Compilers: Principles,
Techniques, and Tools. Addison-Wesley Longman Publishing
Co., Inc., Boston, MA, USA, 1986.
[3] J. Allen. Perl Version 5.8.8 Documentation - Perlsec.
http://perldoc.perl.org/perlsec.pdf, 2006.
[4] M. Arciemowicz. phpBB 2.0.18 XSS and Full Path
Disclosure. http://archives.neohapsis.com/
archives/fulldisclosure/2005-12/0829.
html, December 2005.
[5] S. Bubrouski. Advisory: XSS in WebCal (v1.11-v3.04).
http://archives.neohapsis.com/archives/
fulldisclosure/2005-12/0810.html, December
2005.
[6] S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, and R. Iyer. Defeating
Memory Corruption Attacks via Pointer Taintedness
Detection. In IEEE International Conference on Dependable
Systems and Networks (DSN), 2004.
[7] D. E. Denning. A Lattice Model of Secure Information
Flow. In Communications of the ACM, 1976.
[8] J. Goguen and J. Meseguer. Security Policies and Security
Models. In IEEE Symposium on Security and Privacy, 1982.
[9] M. Group. MyBB - Home. http://www.mybboard.
com/, 2006.
[10] V. Haldar, D. Chandra, and M. Franz. Dynamic Taint Propagation
for Java. In Twenty-First Annual Computer Security
Applications Conference (ACSAC), 2005.
[11] O. Hallaraker and G. Vigna. Detecting Malicious JavaScript
Code in Mozilla. In 10th IEEE International Conference
on Engineering of Complex Computer Systems (ICECCS05),
2005.
[12] O. Ismail, M. Etoh, Y. Kadobayashi, and S. Yamaguchi. A
Proposal and Implementation of Automatic Detection/Collection
System for Cross-Site Scripting Vulnerability. In
Proceedings of the 18th International Conference on Advanced
Information Networking and Application (AINA04),
March 2004.
[13] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static
Analysis Tool for DetectingWeb Application Vulnerabilities
(Short Paper). In IEEE Symposium on Security and Privacy,
2006.
[14] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A
Client-Side Solution for Mitigating Cross-Site Scripting Attacks.
In The 21st ACM Symposium on Applied Computing
(SAC 2006), 2006.
[15] C. Kruegel and G. Vigna. Anomaly Detection ofWeb-based
Attacks. In 10th ACM Conference on Computer and Communication
Security (CCS-03) Washington, DC, USA, October
27-31, pages 251 – 261, October 2003.
[16] G. D. Lucca, A. Fasolino, M. Mastroianni, and P. Tramontana.
Identifying Cross Site Scripting Vulnerabilities inWeb
Applications. In Sixth IEEE International Workshop on Web
Site Evolution (WSE’04), pages 71 – 80, September 2004.
[17] marndt@bulldog.tzo.org. WebCal - A Web Based Calendar
Program. http://bulldog.tzo.org/webcal/
webcal.html, May 2003.
[18] Mozilla Foundation. SpiderMonkey - MDC.
http://developer.mozilla.org/en/docs/
SpiderMonkey, December 2005.
[19] Mozilla Foundation. JavaScript Security: Same Origin.
http://www.mozilla.org/projects/
security/components/same-origin.html,
February 2006.
[20] Mozilla Foundation. Mozilla.org - Home of the Mozilla
Project. http://www.mozilla.org, 2006.
[21] Netscape. Using data tainting for security.
http://wp.netscape.com/eng/mozilla/3.
0/handbook/javascript/advtopic.htm, 2006.
[22] J. Newsome and D. Song. Dynamic Taint Analysis for Automatic
Detection, Analysis, and Signature Generation of Exploits
on Commodity Software. In Network and Distributed
System Security Symposium (NDSS), 2005.
[23] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and
D. Evans. Automatically Hardening Web Applications Using
Precise Tainting. In 20th IFIP International Information
Security Conference, Makuhari-Messe, Chiba, Japan, 05 06
2005.
[24] F. Nielson, H. Nielson, and C. Hankin. Principles of Program
Analysis. Springer-Verlag New York, Inc., Secaucus,
NJ, USA, 1999.
[25] phpBB Group. phpBB.com :: Creating Communities.
http://www.phpbb.com, 2006.
[26] T. Pietraszek and C. Berghe. Defending against Injection
Attacks through Context-Sensitive String Evaluation. In Recent
Advances in Intrusion Detection (RAID), 2005.
[27] A. Sabelfeld and A. Myers. Language-Based Information-
Flow Security. In IEEE Journal on Selected Areas in Communications,
pages 5 – 19, January 2003.
[28] G. Suh, J. Lee, and S. Devadas. Secure Program Execution
via Dynamic Information Flow Tracking. In International
Conference on Architectural Support for Programming Languages
and Operating Systems, 2004.
[29] W3C - World Wide Web Consortium. Document
Object Model (DOM) Level 3 Core Specification.
http://www.w3.org/TR/2004/
REC-DOM-Level-3-Core-20040407/
DOM3-Core.pdf, April 2004.
[30] W. Xu, S. Bhatkar, and R. Sekar. Taint-Enhanced Policy
Enforcement: A Practical Approach to Defeat aWide Range
of Attacks. In 15th Usenix Security Symposium, 2006.
in search.php Redirection. http://www.
securityfocus.com/archive/1/423135,
January 2006.
[2] A. Aho, R. Sethi, and J. Ullman. Compilers: Principles,
Techniques, and Tools. Addison-Wesley Longman Publishing
Co., Inc., Boston, MA, USA, 1986.
[3] J. Allen. Perl Version 5.8.8 Documentation - Perlsec.
http://perldoc.perl.org/perlsec.pdf, 2006.
[4] M. Arciemowicz. phpBB 2.0.18 XSS and Full Path
Disclosure. http://archives.neohapsis.com/
archives/fulldisclosure/2005-12/0829.
html, December 2005.
[5] S. Bubrouski. Advisory: XSS in WebCal (v1.11-v3.04).
http://archives.neohapsis.com/archives/
fulldisclosure/2005-12/0810.html, December
2005.
[6] S. Chen, J. Xu, N. Nakka, Z. Kalbarczyk, and R. Iyer. Defeating
Memory Corruption Attacks via Pointer Taintedness
Detection. In IEEE International Conference on Dependable
Systems and Networks (DSN), 2004.
[7] D. E. Denning. A Lattice Model of Secure Information
Flow. In Communications of the ACM, 1976.
[8] J. Goguen and J. Meseguer. Security Policies and Security
Models. In IEEE Symposium on Security and Privacy, 1982.
[9] M. Group. MyBB - Home. http://www.mybboard.
com/, 2006.
[10] V. Haldar, D. Chandra, and M. Franz. Dynamic Taint Propagation
for Java. In Twenty-First Annual Computer Security
Applications Conference (ACSAC), 2005.
[11] O. Hallaraker and G. Vigna. Detecting Malicious JavaScript
Code in Mozilla. In 10th IEEE International Conference
on Engineering of Complex Computer Systems (ICECCS05),
2005.
[12] O. Ismail, M. Etoh, Y. Kadobayashi, and S. Yamaguchi. A
Proposal and Implementation of Automatic Detection/Collection
System for Cross-Site Scripting Vulnerability. In
Proceedings of the 18th International Conference on Advanced
Information Networking and Application (AINA04),
March 2004.
[13] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A Static
Analysis Tool for DetectingWeb Application Vulnerabilities
(Short Paper). In IEEE Symposium on Security and Privacy,
2006.
[14] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A
Client-Side Solution for Mitigating Cross-Site Scripting Attacks.
In The 21st ACM Symposium on Applied Computing
(SAC 2006), 2006.
[15] C. Kruegel and G. Vigna. Anomaly Detection ofWeb-based
Attacks. In 10th ACM Conference on Computer and Communication
Security (CCS-03) Washington, DC, USA, October
27-31, pages 251 – 261, October 2003.
[16] G. D. Lucca, A. Fasolino, M. Mastroianni, and P. Tramontana.
Identifying Cross Site Scripting Vulnerabilities inWeb
Applications. In Sixth IEEE International Workshop on Web
Site Evolution (WSE’04), pages 71 – 80, September 2004.
[17] marndt@bulldog.tzo.org. WebCal - A Web Based Calendar
Program. http://bulldog.tzo.org/webcal/
webcal.html, May 2003.
[18] Mozilla Foundation. SpiderMonkey - MDC.
http://developer.mozilla.org/en/docs/
SpiderMonkey, December 2005.
[19] Mozilla Foundation. JavaScript Security: Same Origin.
http://www.mozilla.org/projects/
security/components/same-origin.html,
February 2006.
[20] Mozilla Foundation. Mozilla.org - Home of the Mozilla
Project. http://www.mozilla.org, 2006.
[21] Netscape. Using data tainting for security.
http://wp.netscape.com/eng/mozilla/3.
0/handbook/javascript/advtopic.htm, 2006.
[22] J. Newsome and D. Song. Dynamic Taint Analysis for Automatic
Detection, Analysis, and Signature Generation of Exploits
on Commodity Software. In Network and Distributed
System Security Symposium (NDSS), 2005.
[23] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and
D. Evans. Automatically Hardening Web Applications Using
Precise Tainting. In 20th IFIP International Information
Security Conference, Makuhari-Messe, Chiba, Japan, 05 06
2005.
[24] F. Nielson, H. Nielson, and C. Hankin. Principles of Program
Analysis. Springer-Verlag New York, Inc., Secaucus,
NJ, USA, 1999.
[25] phpBB Group. phpBB.com :: Creating Communities.
http://www.phpbb.com, 2006.
[26] T. Pietraszek and C. Berghe. Defending against Injection
Attacks through Context-Sensitive String Evaluation. In Recent
Advances in Intrusion Detection (RAID), 2005.
[27] A. Sabelfeld and A. Myers. Language-Based Information-
Flow Security. In IEEE Journal on Selected Areas in Communications,
pages 5 – 19, January 2003.
[28] G. Suh, J. Lee, and S. Devadas. Secure Program Execution
via Dynamic Information Flow Tracking. In International
Conference on Architectural Support for Programming Languages
and Operating Systems, 2004.
[29] W3C - World Wide Web Consortium. Document
Object Model (DOM) Level 3 Core Specification.
http://www.w3.org/TR/2004/
REC-DOM-Level-3-Core-20040407/
DOM3-Core.pdf, April 2004.
[30] W. Xu, S. Bhatkar, and R. Sekar. Taint-Enhanced Policy
Enforcement: A Practical Approach to Defeat aWide Range
of Attacks. In 15th Usenix Security Symposium, 2006.
No comments:
Post a Comment