1. Alcorna, W. Cross-site scripting viruses and worms – a new attack vector. Journal of Network
Security, 2006(7):7–8, Elsevier, July 2006.
2. Anderson, A. and Lockhart, H. SAML 2.0 profile of XACML v2.0. Standard, OASIS. February
2005.
3. Amit, Y. XSS vulnerabilities in Google.com. November 2005. http://www.watchfire.
com/securityzone/advisories/12-21-05.aspx
4. Anupam, V. and Mayer, A. Secure Web scripting. IEEE Journal of Internet Computing,
2(6):46–55, IEEE, 1998.
5. Ashcraft, K. and Engler, D. Using programmer-written compiler extensions to catch security
holes. IEEE Symposium on Security and Privacy, pp. 143–159, 2002.
6. Cary, C., Wen, H. J., and Mahatanankoon, P. A viable solution to enterprise development
and systems integration: a case study of web services implementation. International Journal
of Management and Enterprise Development, 1(2):164–175, Inderscience, 2004.
7. Crane, D., Pascarello, E., and James, D. Ajax in Action. Manning Publications, 2005.
8. Forrest, S., Hofmeyr, A., Somayaji, A., and Longstaff, T. A sense of self for unix processes.
IEEE Symposium on Security and Privacy, pp. 120–129, 1996.
9. Ginda, R. Writing a Mozilla Application with XUL and Javascript. O’Reilly Open Source
Software Convention, USA, 2000.
10. Godik, S., Moses, T., and et al. eXtensible Access Control Markup Language (XACML)
Version 2. Standard, OASIS. February 2005.
11. Google. Docs & Spreadsheets. http://docs.google.com/
12. Google. Orkut: Internet social network service. http://www.orkut.com/
13. Grossman, J., Hansen, R., Petkov, P., Rager, A., and Fogie, S. Cross site scripting attacks:
XSS Exploits and defense.. Syngress, Elsevier, 2007.
14. Hallaraker, O. and Vigna, G. DetectingMalicious JavaScript Code inMozilla. 10th IEEE International
Conference on Engineering of Complex Computer Systems (ICECCS’05), pp.85–
94, 2005.
15. Hansen, R. Cross Site Scripting Vulnerability in Google. July 2006. http://ha-
.ckers.org/blog/20060704/cross-site-scripting-vulnerability-
in-google/
16. Hansen, R. XSS cheat sheet for filter evasion. http://ha.ckers.org/xss.html
17. Howard, M. and LeBlanc, D. Writing secure code. Microsoft Press, Redmond, 2nd ed.,
2003.
18. InformAction. Noscript firefox extension. Software. http://www.noscript.net/,
2006.
19. Ismail, O., Etoh, M., Kadobayashi, Y., and Yamaguchi, S. A Proposal and Implementation
of Automatic Detection/Collection System for Cross-Site Scripting Vulnerability. 18th Int.
Conf. on Advanced Information Networking and Applications (AINA 2004), 2004.
20. Jagatic, T., Johnson, N., Jakobsson, M., and Menczer, F. Social Phishing. To appear in
Communications of the ACM.
21. Jim, T., Swamy, N., Hicks M. Defeating Script Injection Attacks with Browser-Enforced
Embedded Policies. International World Wide Web Conferencem, WWW2007, May 2007.
22. Jovanovic, N., Kruegel, C., and Kirda, E. Precise alias analysis for static detection of web
application vulnerabilities. 2006 Workshop on Programming Languages and Analysis for
Security, pp. 27–36, USA, 2006.
23. Kirda, E., Kruegel, C., Vigna, G., and Jovanovic, N. Noxes: A client-side solution for mitigating
cross-site scripting attacks. 21st ACM Symposium on Applied Computing, 2006.
24. Larson, E. and Austin, T. High coverage detection of input-related security faults. 12
USENIX Security Simposium, pp. 121–136, 2003.
25. Livshits, B. and Erlingsson, U. Using web application construction frameworks to protect
against code injection attacks. 2007 workshop on Programming languages and analysis for
security, pp. 95–104, 2007.
26. Mcfarlane, N. Rapid Application Development with Mozilla. Prentice Hall PTR., 2004.
27. Microsoft. HotMail: The World’s FREE Web-based E-mail. http://hotmail.com/
28. MySpace. Online Community. http://www.myspace.com/
29. Mutton, P. PayPal Security Flaw allows Identity Theft. June 2006. http://news.netcraft.
com/archives/2006/06/16/paypal_security_flaw_allows_identity_
theft.html
30. Mutton, P. PayPal XSS Exploit available for two years? July 2006. http://news.netcraft.
com/archives/2006/07/20/paypal_xss_exploit_available-
_for_two_years.html
31. Nguyen-Tuong, A., Guarnieri, S., Green, D., Shirley, J., and Evans, D. Automatically hardering
web applications using precise tainting. 20th IFIP International Information Security
Conference, 2005.
32. Obscure. Bypassing JavaScript Filters – the Flash! Attack, 2002. http://www.cgisecurity.
com/lib/flash-xss.htm
33. PayPal Inc. PayPal Web Site. http://paypal.com
34. Pietraszeck, T. and Vanden-Berghe, C. Defending against injection attacks through contextsensitive
string evaluation. Recent Advances in Intrusion Detection (RAID 2005), pp.124–
145, 2005.
35. Ruderman, J. The same origin policy. http://www.mozilla.org/projects/security/
components/same-origin.html
36. Samy. Technical explanation of The MySpace Worm. http://namb.la/popular/
tech.html
37. Sethumadhavan, R. Orkut Vulnerabilities. http://xdisclose.com/XD100092.txt
38. Scott, D. and Sharp, R. Abstracting application-level web security. 11th Internation Conference
on the World Wide Web, pp. 396–407, 2002.
39. Su, Z. and Wasserman, G. The essence of command injections attacks in web applications.
33rd ACM Symposium on Principles of Programming Languages, pp. 372–382, 2006.
40. Web Services Security: Key Industry Standards and Emerging Specifications Used for Securing
Web Services. White Paper, Computer Associates, 2005.
41. Wordpress. Blog Tool and Weblog Platform. http://wordpress.org/
42. Xie, Y., and Aiken, A. Static detection of security vulnerabilities in scripting languages. 15th
USENIX Security Symposium, 2006.
43. Zero. Historic Lessons From Marc Slemko – Exploit number 3: Steal hotmail account.
http://0x000000.com/index.php?i=270&bin=100001110
Security, 2006(7):7–8, Elsevier, July 2006.
2. Anderson, A. and Lockhart, H. SAML 2.0 profile of XACML v2.0. Standard, OASIS. February
2005.
3. Amit, Y. XSS vulnerabilities in Google.com. November 2005. http://www.watchfire.
com/securityzone/advisories/12-21-05.aspx
4. Anupam, V. and Mayer, A. Secure Web scripting. IEEE Journal of Internet Computing,
2(6):46–55, IEEE, 1998.
5. Ashcraft, K. and Engler, D. Using programmer-written compiler extensions to catch security
holes. IEEE Symposium on Security and Privacy, pp. 143–159, 2002.
6. Cary, C., Wen, H. J., and Mahatanankoon, P. A viable solution to enterprise development
and systems integration: a case study of web services implementation. International Journal
of Management and Enterprise Development, 1(2):164–175, Inderscience, 2004.
7. Crane, D., Pascarello, E., and James, D. Ajax in Action. Manning Publications, 2005.
8. Forrest, S., Hofmeyr, A., Somayaji, A., and Longstaff, T. A sense of self for unix processes.
IEEE Symposium on Security and Privacy, pp. 120–129, 1996.
9. Ginda, R. Writing a Mozilla Application with XUL and Javascript. O’Reilly Open Source
Software Convention, USA, 2000.
10. Godik, S., Moses, T., and et al. eXtensible Access Control Markup Language (XACML)
Version 2. Standard, OASIS. February 2005.
11. Google. Docs & Spreadsheets. http://docs.google.com/
12. Google. Orkut: Internet social network service. http://www.orkut.com/
13. Grossman, J., Hansen, R., Petkov, P., Rager, A., and Fogie, S. Cross site scripting attacks:
XSS Exploits and defense.. Syngress, Elsevier, 2007.
14. Hallaraker, O. and Vigna, G. DetectingMalicious JavaScript Code inMozilla. 10th IEEE International
Conference on Engineering of Complex Computer Systems (ICECCS’05), pp.85–
94, 2005.
15. Hansen, R. Cross Site Scripting Vulnerability in Google. July 2006. http://ha-
.ckers.org/blog/20060704/cross-site-scripting-vulnerability-
in-google/
16. Hansen, R. XSS cheat sheet for filter evasion. http://ha.ckers.org/xss.html
17. Howard, M. and LeBlanc, D. Writing secure code. Microsoft Press, Redmond, 2nd ed.,
2003.
18. InformAction. Noscript firefox extension. Software. http://www.noscript.net/,
2006.
19. Ismail, O., Etoh, M., Kadobayashi, Y., and Yamaguchi, S. A Proposal and Implementation
of Automatic Detection/Collection System for Cross-Site Scripting Vulnerability. 18th Int.
Conf. on Advanced Information Networking and Applications (AINA 2004), 2004.
20. Jagatic, T., Johnson, N., Jakobsson, M., and Menczer, F. Social Phishing. To appear in
Communications of the ACM.
21. Jim, T., Swamy, N., Hicks M. Defeating Script Injection Attacks with Browser-Enforced
Embedded Policies. International World Wide Web Conferencem, WWW2007, May 2007.
22. Jovanovic, N., Kruegel, C., and Kirda, E. Precise alias analysis for static detection of web
application vulnerabilities. 2006 Workshop on Programming Languages and Analysis for
Security, pp. 27–36, USA, 2006.
23. Kirda, E., Kruegel, C., Vigna, G., and Jovanovic, N. Noxes: A client-side solution for mitigating
cross-site scripting attacks. 21st ACM Symposium on Applied Computing, 2006.
24. Larson, E. and Austin, T. High coverage detection of input-related security faults. 12
USENIX Security Simposium, pp. 121–136, 2003.
25. Livshits, B. and Erlingsson, U. Using web application construction frameworks to protect
against code injection attacks. 2007 workshop on Programming languages and analysis for
security, pp. 95–104, 2007.
26. Mcfarlane, N. Rapid Application Development with Mozilla. Prentice Hall PTR., 2004.
27. Microsoft. HotMail: The World’s FREE Web-based E-mail. http://hotmail.com/
28. MySpace. Online Community. http://www.myspace.com/
29. Mutton, P. PayPal Security Flaw allows Identity Theft. June 2006. http://news.netcraft.
com/archives/2006/06/16/paypal_security_flaw_allows_identity_
theft.html
30. Mutton, P. PayPal XSS Exploit available for two years? July 2006. http://news.netcraft.
com/archives/2006/07/20/paypal_xss_exploit_available-
_for_two_years.html
31. Nguyen-Tuong, A., Guarnieri, S., Green, D., Shirley, J., and Evans, D. Automatically hardering
web applications using precise tainting. 20th IFIP International Information Security
Conference, 2005.
32. Obscure. Bypassing JavaScript Filters – the Flash! Attack, 2002. http://www.cgisecurity.
com/lib/flash-xss.htm
33. PayPal Inc. PayPal Web Site. http://paypal.com
34. Pietraszeck, T. and Vanden-Berghe, C. Defending against injection attacks through contextsensitive
string evaluation. Recent Advances in Intrusion Detection (RAID 2005), pp.124–
145, 2005.
35. Ruderman, J. The same origin policy. http://www.mozilla.org/projects/security/
components/same-origin.html
36. Samy. Technical explanation of The MySpace Worm. http://namb.la/popular/
tech.html
37. Sethumadhavan, R. Orkut Vulnerabilities. http://xdisclose.com/XD100092.txt
38. Scott, D. and Sharp, R. Abstracting application-level web security. 11th Internation Conference
on the World Wide Web, pp. 396–407, 2002.
39. Su, Z. and Wasserman, G. The essence of command injections attacks in web applications.
33rd ACM Symposium on Principles of Programming Languages, pp. 372–382, 2006.
40. Web Services Security: Key Industry Standards and Emerging Specifications Used for Securing
Web Services. White Paper, Computer Associates, 2005.
41. Wordpress. Blog Tool and Weblog Platform. http://wordpress.org/
42. Xie, Y., and Aiken, A. Static detection of security vulnerabilities in scripting languages. 15th
USENIX Security Symposium, 2006.
43. Zero. Historic Lessons From Marc Slemko – Exploit number 3: Steal hotmail account.
http://0x000000.com/index.php?i=270&bin=100001110
No comments:
Post a Comment