A survey on detection techniques to prevent cross-site scripting attacks on current web applications

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 5141 LNCS, Issue , 2008, Pages 287-298

  Garcia Alfaro, Joaquin ^a   Navarro Arribas, Guillermo ^b  

^a UNIVERSITAT OBERTA DE CATALUNYA   (Spain)

^b UNIVERSITAT AUTÒNOMA DE BARCELONA   (Spain)

Author keywords

Injection Attacks; Network Security; Software Protection

Indexed keywords

BUSINESS MODELS; CRITICAL SYSTEMS; CROSS SITE SCRIPTING; DETECTION TECHNIQUE; EMERGENCY RESPONSE; EXPECTED VALUES; INJECTION ATTACKS; INTERNET-BASED SERVICES; ON CURRENTS; SPECIFIC PROBLEMS; WEB APPLICATION;

COMPUTER SOFTWARE; HEALTH CARE; SURVEYS; WORLD WIDE WEB;

NETWORK SECURITY;

EID: 77953704942     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-540-89173-4_24     Document Type: Conference Paper

References (39)

1. Alcorna, W.: Cross-site scripting viruses and worms - a new attack vector. Journal of Network Security 2006(7), 7-8 (2006)
2. Amit, Y.: XSS vulnerabilities in Google.com (November 2005), http://seclists.org/fulldisclosure/2005/Dec/1107.html
3. Anupam, V., Mayer, A.: Secure Web scripting. IEEE Journal of Internet Computing 2(6), 46-55 (1998)
4. Ashcraft, K., Engler, D.: Using programmer-written compiler extensions to catch security holes. In: IEEE Symposium on Security and Privacy, pp. 143-159 (2002) (Pubitemid 34648110)
5. Cary, C., Wen, H.J., Mahatanankoon, P.: A viable solution to enterprise development and systems integration: a case study of web services implementation. International Journal of Management and Enterprise Development 1(2), 164-175 (2004) (Pubitemid 38940029)
6. Crane, D., Pascarello, E., James, D.: Ajax in Action. Manning Publications (2005)
7. Forrest, S., Hofmeyr, A., Somayaji, A., Longstaff, T.: A sense of self for unix processes. In: IEEE Symposium on Security and Privacy, pp. 120-129 (1996)
8. Google. Docs & Spreadsheets, http://docs.google.com/
9. Google. Orkut: Internet social network service, http://www.orkut.com/
10. Grossman, J., Hansen, R., Petkov, P., Rager, A., Fogie, S.: Cross site scripting attacks: XSS Exploits and defense. In: Syngress. Elsevier, Amsterdam (2007)
11. Hallaraker, O., Vigna, G.: Detecting Malicious JavaScript Code in Mozilla. In: 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS 2005), pp. 85-94 (2005)
12. Hansen, R.: Cross Site Scripting Vulnerability in Google (July 2006), http://ha.ckers.org/blog/20060704/cross-site-scripting-vulnerability-in-google/
13. Hansen, R.: XSS cheat sheet for filter evasion, http://ha.ckers.org/xss. html
14. Howard, M., LeBlanc, D.: Writing secure code, 2nd edn. Microsoft Press, Redmond (2003)
15. Ismail, O., Etoh, M., Kadobayashi, Y., Yamaguchi, S.: A Proposal and Implementation of Automatic Detection/Collection System for Cross-Site Scripting Vulnerability. In: 18th Int. Conf. on Advanced Information Networking and Applications (AINA 2004) (2004)
16. Jagatic, T., Johnson, N., Jakobsson, M., Menczer, F.: Social Phishing. Communications of the ACM (to appear)
17. Jim, T., Swamy, N., Hicks, M.: Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. International World Wide Web Conferencem, WWW2007 (May 2007)
18. Jovanovic, N., Kruegel, C., Kirda, E.: Precise alias analysis for static detection of web application vulnerabilities. In: 2006 Workshop on Programming Languages and Analysis for Security, USA, pp. 27-36 (2006)
19. Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.N.: A client-side solution for mitigating cross-site scripting attacks. In: 21st ACM Symposium on Applied Computing (2006)
20. Larson, E., Austin, T.: High coverage detection of input-related security faults. In: 12 USENIX Security Simposium, pp. 121-136 (2003)
21. Livshits, B., Erlingsson, U.: Using web application construction frameworks to protect against code injection attacks. In: 2007 workshop on Programming languages and analysis for security, pp. 95-104 (2007)
22. Microsoft. HotMail: The World's FREEWeb-based E-mail, http://hotmail.com/
23. MySpace. Online Community, http://www.myspace.com/
24. Mutton, P.: PayPal Security Flaw allows Identity Theft (June 2006), http://news.netcraft.com/archives/2006/06/16/paypal-security-flaw-allows- identity-theft.html
25. Mutton, P.: PayPal XSS Exploit available for two years? (July 2006), http://news.netcraft.com/archives/2006/07/20/paypal-xss-exploit-available-for- two-years.html
26. Nguyen-Tuong, A., Guarnieri, S., Green, D., Shirley, J., Evans, D.: Automatically hardering web applications using precise tainting. 20th IFIP International Information Security Conference (2005)
27. Obscure. Bypassing JavaScript Filters - the Flash! Attack (2002), http://www.cgi-security.com/lib/flash-xss.htm
28. PayPal Inc. PayPal Web Site, http://paypal.com
29. Pietraszeck, T., Vanden-Berghe, C.: Defending against injection attacks through contextsensitive string evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 124-145. Springer, Heidelberg (2006)
30. Ruderman, J.: The same origin policy, http://www.mozilla.org/projects/ security/components/same-origin.html
31. Samy. Technical explanation of The MySpace Worm, http://namb.la/popular/ tech.html
32. Sethumadhavan, R.: Orkut Vulnerabilities, http://xdisclose.com/XD100092. txt
33. Scott, D., Sharp, R.: Abstracting application-level web security. In: 11th Internation Conference on the World Wide Web, pp. 396-407 (2002)
34. Su, Z., Wasserman, G.: The essence of command injections attacks in web applications. In: 33rd ACM Symposium on Principles of Programming Languages, pp. 372-382 (2006)
35. Web Services Security: Key Industry Standards and Emerging Specifications Used for Securing Web Services. White Paper, Computer Associates (2005)
36. Wikimedia Project. Wikipedia: The Free Encyclopedia, http://wikipedia. org/
37. Wordpress. Blog Tool and Weblog Platform, http://wordpress.org/
38. Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: 15th USENIX Security Symposium (2006)
39. Slemko, M.: Microsoft Passport to Trouble, http://www.znep.com/~marcs/ passport/