[1] D. Balzarotti, M. Cova, V. V. Felmetsger, N. Jovanovic,
E. Kirda, C. Kruegel, and G. Vigna. Saner:
Composing Static and Dynamic Analysis to Validate
Sanitization in Web Applications. In Proceedings
of the 2008 IEEE Symposium on Security
and Privacy (S&P 2008), Oakland, CA, USA, May
2008.
[2] D. Balzarotti, M. Cova, V. V. Felmetsger, and G. Vigna.
Multi-module Vulnerability Analysis of Web-based
Applications. In Proceedings of the 2007
ACM Conference on Computer and Communications
Security (CCS 2007), Alexandria, VA, USA,
October 2007.
[3] D. Balzarotti, W. Robertson, C. Kruegel, and G. Vigna.
Improving Signature Testing Through Dynamic
Data Flow Analysis. In Proceedings of
the Annual Computer Security Applications Conference
(ACSAC 2007), Miami Beach, FL, USA,
December 2007.
[4] B. Bangert and J. Gardner. PylonsHQ. http://
pylonshq.com/, February 2009.
[5] A. Barth, J. Caballero, and D. Song. Secure Content
Sniffing for Web Browsers, or How to Stop Papers
from Reviewing Themselves. In Proceedings
of the IEEE Symposium on Security and Privacy,
Oakland, CA, USA, May 2009. IEEE Computer
Society.
[6] Breach Security, Inc. Breach WebDefend.
http://www.breach.com/products/
webdefend.html, January 2009.
[7] S. Chong, K. Vikram, and A. C. Myers. SIF: Enforcing
Confidentiality and Integrity in Web Applications.
In Proceedings of the 2007 USENIX
Security Symposium, Boston, MA, USA, 2007.
USENIX Association.
[8] Citrix Systems, Inc. Citrix Application Firewall.
http://www.citrix.com/English/PS2/
products/product.asp?contentID=25636,
January 2009.
[9] K. Claessen and J. Hughes. Testing Monadic
Code with QuickCheck. ACM SIGPLAN Notices,
37(12):47–59, 2002.
[10] M. de Kunder. The Size of the World Wide Web.
http://www.worldwidewebsize.com/, May 2008.
[11] Django Software Foundation. Django
Web Application Framework. http:
//www.djangoproject.com/, June 2009.
[12] M. Elsman and K. F. Larsen. Typing XHTML
Web Applications in ML. In Proceedings of the 6th
International Symposium on Practical Aspects of
Declarative Languages, pages 224–238. Springer-
Verlag, 2004.
[13] U. Erlingsson, B. Livshits, and Y. Xie. End-to-end
Web Application Security. In Proceedings of the
11th USENIX Workshop on Hot Topics in Operating
Systems, San Diego, CA, USA, 2007. USENIX
Association.
[14] F5 Networks, Inc. BIG-IP Application Security
Manager. http://www.f5.com/
products/big-ip/product-modules/
application-security-manager.html,
January 2009.
[15] F. Mavituna. SQL Injection Cheat
Sheet. http://ferruh.mavituna.com/
sql-injection-cheatsheet-oku/, June 2009.
[16] M. Finifter, A. Mettler, N. Sastry, and D. Wagner.
Verifiable Functional Purity in Java. In Proceedings
of the 15th ACM Conference on Computer and
Communications Security, pages 161–174, Alexandria,
VA, USA, October 2008. ACM.
[17] Google, Inc. ctemplate. http://code.google.
com/p/google-ctemplate/, June 2009.
[18] D. H. Hansson. Ruby on Rails. http://
rubyonrails.org/, February 2009.
[19] HAppS LLC. HAppS – The Haskell Application
Server. http://happs.org/, February 2009.
[20] Hewlett Packard Development Company, L.P.
httperf. http://www.hpl.hp.com/research/
linux/httperf/, February 2009.
[21] Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D. Lee,
and S.-Y. Kuo. Securing Web Application Code by
Static Analysis and Runtime Protection. In Proceedings
of the 13th International Conference on
the World Wide Web, pages 40–52, New York, NY,
USA, 2004. ACM.
[22] T. Jim, N. Swamy, and M. Hicks. Defeating Script
Injection Attacks with Browser-Enforced Embedded
Policies. In Proceedings of the 16th International
Conference on the World Wide Web, Banff,
Alberta, Canada, May 2007. ACM.
[23] M. Johns and C. Beyerlein. SMask: Preventing Injection
Attacks in Web Applications by Approximating
Automatic Data/Code Separation. In Proceedings
of ACM Symposium on Applied Computing,
Seoul, Korea, March 2007. ACM.
[24] N. D. Jones and N. Andersen. Flow analysis of
lazy higher-order functional programs. Theoretical
Computer Science, 375(1–3):120–136, 2007.
[25] N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A
Static Analysis Tool for Detecting Web Application
Vulnerabilities. In Proceedings of the IEEE
Symposium on Security and Privacy (S&P 2006),
pages 258–263, Oakland, CA, USA, May 2006.
IEEE Computer Society.
[26] N. Jovanovic, C. Kruegel, and E. Kirda. Precise
Alias Analysis for Static Detection of Web Application
Vulnerabilities. In Proceedings of the 2006
Workshop on Programming Languages and Analysis
for Security, pages 27–36, Ottawa, Ontario,
Canada, 2006. ACM.
[27] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic.
Noxes: A Client-side Solution for Mitigating
Cross-Site Scripting Attacks. In Proceedings of
the 2006 ACM Symposium on Applied Computing
(SAC 2006), Dijon, France, April 2006. ACM.
[28] A. Klein. DOM Based Cross Site Scripting or
XSS of the Third Kind. http://www.webappsec.
org/projects/articles/071105.shtml, July
2005.
[29] C. Kruegel, W. Robertson, and G. Vigna. A Multimodel
Approach to the Detection of Web-based Attacks.
Journal of Computer Networks, 48(5):717–
738, July 2005.
[30] M. S. Lam, M. Martin, B. Livshits, and J. Whaley.
Securing Web Applications with Static and Dynamic
Information Flow Tracking. In Proceedings
of the 2008 ACM SIGPLAN Symposium on Partial
Evaluation and Semantics-based Program Manipulation,
pages 3–12, San Francisco, CA, USA, 2008.
ACM.
[31] P. Li and S. Zdancewic. Encoding Information
Flow in Haskell. In Proceedings of the 19th IEEE
Computer Security Foundations Workshop. IEEE
Computer Society, 2006.
[32] B. Livshits and U. Erlingsson. Using Web Application
Construction Frameworks to Protect Against
Code Injection Attacks. In Proceedings of the 2007
Workshop on Programming Languages and Analysis
for Security, pages 95–104, San Diego, CA,
USA, 2007. ACM.
[33] B. Livshits and M. Lam. Finding Security Errors in
Java Programs with Static Analysis. In Proceedings
of the 14th USENIX Security Symposium (USENIX
Security 2005), pages 271–286. USENIX Association,
August 2005.
[34] A. Madhavapeddy, A. Ho, T. Deegan, D. Scott, and
R. Sohan. Melange: Creating a “Functional Internet”.
In Proceedings of the 2nd ACM European
Conference on Computer Systems, pages 101–114,
Lisbon, Portugal, April 2007. ACM.
[35] Microsoft, Inc. LINQ. http://msdn.
microsoft.com/en-us/netframework/
aa904594.aspx, June 2009.
[36] Miniwatts Marketing Group.
World Internet Usage Statistics.
http://www.internetworldstats.com/stats.htm,
May 2008.
[37] E. Moggi. Notions of Computation and Monads.
Information and Computation, 93(1):55–92, 1991.
[38] Y. Nadji, P. Saxena, and D. Song. Document Structure
Integrity: A Robust Basis for Cross-site Scripting
Defense. In Proceedings of the Network and
Distributed System Security Symposium, February
2009.
[39] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shifley,
and D. Evans. Automatically Hardening Web
Applications Using Precise Tainting. In Proceedings
of the 2005 International Information Security
Conference, pages 372–382, 2005.
[40] O. Shezaf, J. Grossman, and R. Auger. Web Hacking
Incidents Database. http://www.xiom.com/whid-about,
January 2009.
[41] Open Security Foundation. DLDOS: Data Loss
Database – Open Source. http://datalossdb.
org/, January 2009.
[42] Open Web Application Security Project (OWASP).
OWASP Top 10 2007. http://www.owasp.org/
index.php/Top_10_2007, February 2009.
[43] C. Reis, J. Dunagan, H. J. Wang, and O. Dubrovsky.
BrowserShield: Vulnerability-Driven Filtering of
Dynamic HTML. ACM Transactions on the Web,
1(3):11, 2007.
[44] R. Hansen (RSnake). XSS (Cross Site Scripting)
Cheat Sheet. http://ha.ckers.org/xss.
html, June 2009.
[45] W. Robertson, G. Vigna, C. Kruegel, and R. A.
Kemmerer. Using Generalization and Characterization
Techniques in the Anomaly-based Detection
of Web Attacks. In Proceedings of the Network
and Distributed System Security Symposium (NDSS
2006), San Diego, CA, USA, February 2006.
[46] Symantec, Inc. Symantec Report on
the Underground Economy – July 07 –
June 08. http://eval.symantec.com/
mktginfo/enterprise/white_papers/
b-whitepaper_underground_economy_
report_11-2008-14525717.en-us.pdf,
November 2008.
[47] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda,
C. Kruegel, and G. Vigna. Cross Site Scripting
Prevention with Dynamic Data Tainting and Static
Analysis. In Proceedings of the Network and Distributed
System Security Symposium (NDSS 2007),
February 2007.
[48] P. Wadler. The Essence of Functional Programming.
In Proceedings of the 19th Annual Symposium
on Principles of Programming Languages,
pages 1–14, Albuquerque, NM, USA, 1992. ACM.
[49] G. Wassermann and Z. Su. Sound and Precise Analysis
of Web Applications for Injection Vulnerabilities.
ACM SIGPLAN Notices, 42(6):32–41, April
2007.
[50] G. Wassermann and Z. Su. Static Detection of
Cross-Site Scripting Vulnerabilities. In Proceedings
of the 2008 International Conference on Software
Engineering (ICSE 2008), pages 171–180,
Leipzig, Germany, 2008. ACM.
[51] D. N. Xu. Extended Static Checking for Haskell.
In Proceedings of the 2006 ACM SIGPLAN Workshop
on Haskell, pages 48–59, Portland, OR, USA,
2006. ACM.
[52] D. N. Xu, S. P. Jones, and K. Claessen. Static Contract
Checking for Haskell. In Proceedings of the
36th Annual ACM Symposium on the Principles of
Programming Languages,