[1] JAMWiki. [software], http://jamwiki.org/, Version 0.8.0, December 2009.
[2] CherryPy - Lightweight, pythonic web framework. [software], http://www.cherrypy.org/, April 2010.
[3] urllib2 - Python HTTP URL opener library. [software], http://docs.python.org/library/urllib2.html, April 2010.
[4] W. Alcorn. Inter-Protocol Exploitation. Whitepaper, NGSSoftware Insight Security Research (NISR), http://www.ngssoftware.com/research/papers/InterProtocolExploitation.pdf, March 2007.
[5] D. Endler. The Evolution of Cross-Site Scripting Attacks. Whitepaper, iDefense Inc., http://www.cgisecurity.com/lib/XSS.pdf, May 2002.
[6] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. Hypertext Transfer Protocol -- HTTP/1.1. RFC 2616, http://www.w3.org/Protocols/rfc2616/rfc2616.html, June 1999.
[7] M. Johns. SessionSafe: Implementing XSS Immune Session Handling. In European Symposium on Research in Computer Security (ESORICS 2006), volume 4189 of LNCS. Springer, September 2006.
[8] M. Johns and J. Winter. RequestRodeo: Client Side Protection against Session Riding. In F. Piessens, editor, OWASP Europe 2006, May 2006.
[9] N. Jovanovic, C. Kruegel, and E. Kirda. Preventing Cross Site Request Forgery Attacks. In Proceedings of the IEEE International Conference on Security and Privacy for Emerging Areas in Communication Networks (Securecomm 2006), 2006.
[10] E. Kirda, C. Kruegel, G. Vigna, and N. Jovanovic. Noxes: A Client-Side Solution for Mitigating Cross Site Scripting Attacks. In 21st ACM Symposium on Applied Computing (SAC 2006), April 2006.
[11] A. Klein. "Divide and Conquer" - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics. Whitepaper, Sanctum Inc., http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf, March 2004.
[12] M. Kolsek. Session Fixation Vulnerability in Web-based Applications. Whitepaper, Acros Security, http://www.acrossecurity.com/papers/session_fixation.pdf, December 2002.
[13] D. Kristol and L. Montulli. HTTP State Management Mechanism. RFC 2965, http://www.ietf.org/rfc/rfc2965.txt, October 2000.
[14] N. Nikiforakis, Y. Younan, and W. Joosen. HProxy: Client-side Detection of SSL Stripping Attacks. In Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA'10), 2010.
[15] OWASP German Chapter. OWASP Best Practices: Use of Web Application Firewalls. [whitepaper], http://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls, July 2008.
[16] PHP Group. session_regenerate_id(). PHP documentation, [online], http://www.php.net/manual/de/function.session-regenerate-id.php (4/4/10), June 2010.
[17] J. Ruderman. The Same Origin Policy. [online], http://www.mozilla.org/projects/security/components/same-origin.html (01/10/06), August 2001.
[18] M. Schrank, B. Braun, M. Johns, and J. Posegga. Session Fixation - the Forgotten Vulnerability? In Proceedings of GI Sicherheit 2010, Lecture Notes in Informatics (LNI), 2010.
[19] Sun Microsystems Inc. J2EE - Java Platform Enterprise Edition 5. [online], http://java.sun.com/javaee/technologies/javaee5.jsp (05/05/07), 2007.
[20] The Open Web Application Security Project (OWASP). Session Fixation. [online], http://www.owasp.org/index.php/Session_Fixation, February 2009.
[21] The Web Application Security Consortium (WASC). Session Fixation. [online], http://projects.webappsec.org/Session-Fixation, January 2010.
[22] J. Topf. The HTML Form Protocol Attack. TechNote, http://www.remote.org/jochen/sec/hfpa/hfpa.pdf, August 2001.
[23] M. Zalewski. Cross Site Cooking. Whitepaper, http://www.securiteam.com/secur