A survey on server-side approaches to securing web applications

ACM Computing Surveys

Volumn 46, Issue 4, 2013, Pages

  Li, Xiaowei ^a   Xue, Yuan ^a  

^a VANDERBILT UNIVERSITY   (United States)

Author keywords

Application logic vulnerability; Input validation vulnerability; Session management vulnerability; Web application security

Indexed keywords

COMPUTER CIRCUITS; SECURITY OF DATA; WEB SERVICES;

APPLICATION LOGIC; APPLICATION LOGIC VULNERABILITY; INPUT VALIDATION; INPUT VALIDATION VULNERABILITY; LOGIC VULNERABILITIES; SESSION MANAGEMENT; SESSION MANAGEMENT VULNERABILITY; WEB APPLICATION; WEB APPLICATION SECURITY; WEB APPLICATIONS;

SURVEYS;

EID: 84901229096     PISSN: 03600300     EISSN: 15577341     Source Type: Journal    
DOI: 10.1145/2541315     Document Type: Review

References (112)

1. MySpace. 2005. MySpace Samy Worm. http://namb.la/popular/tech.html.
2. Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda. 2011. Automated discovery of parameter pollution vulnerabilities in web applications. In NDSS'11: Proceedings of the 8th Annual Network and Distributed System Security Symposium.
3. Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2008. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In Oakland'08: Proceedings of the 29th IEEE Symposium on Security and Privacy. 387-401.
4. Davide Balzarotti, Marco Cova, Viktoria V. Felmetsger, and Giovanni Vigna. 2007. Multi-module vulnerability analysis of web-based applications. In CCS'07: Proceedings of the 14th ACM Conference on Computer and Communications Security. 25-35.
5. Sruthi Bandhakavi, Prithvi Bisht, P. Madhusudan, and V. N. Venkatakrishnan. 2007. CANDID: Preventing SQL injection attacks using dynamic candidate evaluations. In CCS'07: Proceedings of the 14th ACM Conference on Computer and Communications Security. 12-24.
6. Adam Barth, Juan Caballero, and Dawn Song. 2009. Secure content sniffing for web browsers, or how to stop papers from reviewing themselves. In Oakland'09: Proceedings of the 30th IEEE Symposium on Security and Privacy. 360-371.
7. Adam Barth, Collin Jackson, and John C. Mitchell. 2008. Robust defenses for cross-site request forgery. In CCS'08: Proceedings of the 15th ACM Conference on Computer and Communications Security. 75-88.
8. Jason Bau, Elie Bursztein, Divij Gupta, and John Mitchell. 2010. State of the art: Automated black-box web application vulnerability testing. In Oakland'10: Proceedings of the 31st IEEE Symposium on Security and Privacy. 332-345.
9. Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, and V. N. Venkatakrishnan. 2010a. NoTamper: Automatic blackbox detection of parameter tampering opportunities in web applications. In CCS'10: Proceedings of the 17th ACM Conference on Computer and Communications Security.
10. Prithvi Bisht, A. Prasad Sistla, and V. N. Venkatakrishnan. 2010b. Automatically Preparing Safe SQL Queries. In FC'10: Proceedings of the 14th International Conference on Financial Cryptography and Data Security.
11. Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, and V. N. Venkatakrishnan. 2011. WAPTEC: Whitebox analysis of web applications for parameter tampering exploit construction. In CCS'11: Proceedings of the 18th ACM Conference on Computer and Communications Security. 575-586.
12. Prithvi Bisht and V. N. Venkatakrishnan. 2008. XSS-GUARD: Precise dynamic prevention of cross-site scripting attacks. In DIMVA'08: Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment.
13. StephenW. Boyd and Angelos D. Keromytis. 2004. SQLrand: Preventing SQL injection attacks. In ACNS'04: Proceedings of the 2nd Applied Cryptography and Network Security Conference. 292-302.
14. Avik Chaudhuri and Jeffrey S. Foster. 2010. Symbolic security analysis of ruby-on-rails web applications. In CCS'10: Proceedings of the 17th ACM Conference on Computer and Communications Security.
15. Erika Chin and David Wagner. 2009. Efficient character-level taint tracking for Java. In Proceedings of the 2009 ACM Workshop on Secure Web Services (SWS'09). 3-12.
16. Adam Chlipala. 2010. Static checking of dynamically-varying security policies in database-backed applications. In OSDI'10: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation.
17. Stephen Chong, K. Vikram, and and rew C. Myers. 2007a. SIF: Enforcing confidentiality and integrity in web applications. In USENIX'07: Proceedings of the 16th Conference on USENIX Security Symposium.
18. Stephen Chong, Jed Liu, and rew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, and Xin Zheng. 2007b. Secure web applications via automatic partitioning. In SOSP'07: Proceedings of the 21st ACM SIGOPS Symposium on Operating Systems Principles. 31-44.
19. Brian J. Corcoran, Nikhil Swamy, and Michael Hicks. 2009. Cross-tier, label-based security enforcement for web applications. In SIGMOD'09: Proceedings of the 35th SIGMOD International Conference on Management of Data. 269-282.
20. Marco Cova, Davide Balzarotti, Viktoria Felmetsger, and Giovanni Vigna. 2007a. Swaddler: An approach for the anomaly-based detection of state violations in web applications. In RAID'07: Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection. 63-86.
21. Marco Cova, Viktoria Felmetsger, and Giovanni Vigna. 2007b. Vulnerability analysis of web applications. In Testing and Analysis of Web Services, L. Baresi and E. Dinitto (Eds.). Springer.
22. Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich. 2009. Nemesis: Preventing authentication and access control vulnerabilities in web applications. In USENIX'09: Proceedings of the 18th Conference on USENIX Security Symposium. 267-282.
23. Adam Doupe, Bryce Boe, Christopher Kruegel, and Giovanni Vigna. 2011. Fear the EAR: Discovering and mitigating execution after redirect vulnerabilities. In CCS'11: Proceedings of the 18th ACM Conference on Computer and Communications Security.
24. Adam Doupe, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. 2012. Enemy of the state: A state-aware black-box vulnerability scanner. In USENIX'12: Proceedings of the USENIX Security Symposium. Bellevue, WA.
25. Adam Doupe, Marco Cova, and Giovanni Vigna. 2010. Why Johnny can't pentest: An analysis of black-box web vulnerability scanners. In DIMVA'10: Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment.
26. Facebook. Facebook Bounty Program. https://www.facebook.com/whitehat.
27. Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. 2010. Toward automated detection of logic vulnerabilities in web applications. In USENIX'10: Proceedings of the 19th USENIX Security Symposium.
28. Harrison Fisk. 2004. Prepared Statements. http://en.wikipedia.org/wiki/ Prepared-statement.
29. Joaquin Garcia-Alfaro and Guillermo Navarro-Arribas. 2008. A survey on detection techniques to prevent cross-site scripting attacks on current web applications. In CRITIS'07: Proceedings of the Second International Conference on Critical Information Infrastructures Security. 287-298.
30. Joaqu?n Garc?a-Alfaro and Guillermo Navarro-Arribas. 2009. A survey on cross-site scripting attacks. CoRR: Computing Research Repository. http://arxiv.org/abs/0905.4850.
31. Gmail CSRF Security Flaw. 2007. http://ajaxian.com/archives/gmail-csrf- security-flaw.
32. Google. Google Bounty Program. http://www.google.com/about/appsecurity/ reward-program/.
33. Arjun Guha, Shriram Krishnamurthi, and Trevor Jim. 2009. Using static analysis for Ajax intrusion detection. In WWW'09: Proceedings of the 18th International Conference on World Wide Web. 561-570.
34. Matthew Van Gundy and Hao Chen. 2009. Noncespaces: Using randomization to enforce information flow tracking and thwart XSS attacks. In NDSS'09: Proceedings of the 16th Annual Network and Distributed System Security Symposium.
35. VivekHaldar, Deepak Chandra, and Michael Franz. 2005. Dynamic taint propagation for Java. In ACSAC'05: Proceedings of the 21st Annual Computer Security Applications Conference. 303-311.
36. William G. J. Halfond and Alessandro Orso. 2005. AMNESIA: Analysis and Monitoring for Neutralizing SQL-Injection Attacks. In ASE'05: Proceedings of the 20th IEEE and ACM International Conference on Automated Software Engineering.
37. William G. J. Halfond, Jeremy Viegas, and Alessandro Orso. 2006a. A cassification of SQL-injection attacks and countermeasures. In Proceedings of the International Symposium on Secure Software Engineering.
38. William G. J. Halfond, Alessandro Orso, and Panagiotis Manolios. 2006b. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In SIGSOFT'06/FSE-14: Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering. 175-185.
39. Pieter Hooimeijer, Benjamin Livshits, David Molnar, Prateek Saxena, and Margus Veanes. 2011. Fast and precise sanitizer analysis with BEK. In Proceedings of the 20th USENIX Conference on Security (SEC'11).
40. Yao-Wen Huang, Shih-Kun Huang, Tsung-Po Lin, and Chung-Hung Tsai. 2003. Web application security assessment by fault injection and behavior monitoring. In WWW'03: Proceedings of the 12th International Conference on World Wide Web. 148-159.
41. Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, and Sy-Yen Kuo. 2004. Securing web application code by static analysis and runtime protection. In WWW'04: Proceedings of the 13th International Conference on World Wide Web. 40-52.
42. Kenneth L. Ingham and Hajime Inoue. 2007. Comparing anomaly detection techniques for HTTP. In RAID'07: Proceedings of the 10th International Conference on Recent Advances in IntrusionDetection. 42-62.
43. Kenneth L. Ingham, Anil Somayaji, John Burge, and Stephanie Forrest. 2007. Learning DFA representations of HTTP for protecting web applications. Computer Networks 51, 1239-1255.
44. Trevor Jim, Nikhil Swamy, and Michael Hicks. 2007. Defeating script injection attacks with browser-enforced embedded policies. In WWW'07: Proceedings of the 16th International Conference on World Wide Web. 601-610.
45. Martin Johns, Bjorn Engelmann, and Joachim Posegga. 2008. XSSDS: Server-side detection of cross-site scripting attacks. In ACSAC'08: Proceedings of the 24th Annual Computer Security Applications Conference. 335-344.
46. Paul Johnston. 2004. Authentication and Session Management on the Web. http://www.sans.org/reading-room/whitepapers/webservers/authent ication-session-management-web-1545.
47. Martin Johns and Justus Winter. 2006. RequestRodeo: Client-side protection against session riding. In OWASP AppSec Europe.
48. Nenad Jovanovic, Engin Kirda, and Christopher Kruegel. 2006a. Preventing Cross Site Request Forgery Attacks. In SecureComm'06: 2nd International Conference on Security and Privacy in Communication Networks. 1-10.
49. Nenad Jovanovic, Engin Kirda, and Christopher Kruegel. 2006b. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities. In Oakland'06: Proceedings of the 27th IEEE Symposium on Security and Privacy. 258-263.
50. Nenad Jovanovic, Engin Kirda, and Christopher Kruegel. 2006c. Precise Alias Analysis for Syntactic Detection of Web Application Vulnerabilities. ACM SIGPLAN Workshop on Programming Languages and Analysis for Security.
51. Gaurav S. Kc, Angelos D. Keromytis, and Vassilis Prevelakis. 2003. Countering code-injection attacks with instruction-set randomization. In CCS'03: Proceedings of the 10th ACM Conference on Computer and Communications Security. 272-280.
52. Adam Kiezun, Philip J. Guo, Karthick Jayaraman, and Michael D. Ernst. 2009. Automatic creation of SQL injection and cross-site scripting attacks. In ICSE'09: Proceedings of the 31st International Conference on Software Engineering. 199-209.
53. Engin Kirda, Christopher Kruegel, Giovanni Vigna, and Nenad Jovanovic. 2006. Noxes: A client-side solution for mitigating cross-site scripting attacks. In SAC'06: Proceedings of the 2006 ACM Symposium on Applied Computing. 330-337.
54. Akshay Krishnamurthy, Adrian Mettler, and David Wagner. 2010. Fine-grained privilege separation for web applications. In WWW'10: Proceedings of the 19th International Conference on World Wide Web. 551-560.
55. Christopher Kruegel and Giovanni Vigna. 2003. Anomaly detection of web-based attacks. In CCS'03: Proceedings of the 10th ACM Conference on Computer and Communication Security. 251-261.
56. Christopher Kruegel, Giovanni Vigna, and William Robertson. 2005. Amulti-model approach to the detection of web-based attacks. Computer Networks 48, 5 (August 2005), 717-738.
57. Monica S. Lam, Michael Martin, Benjamin Livshits, and JohnWhaley. 2008. Securing web applications with static and dynamic information flow tracking. In PEPM'08: Proceedings of the 2008 ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation. 3-12.
58. Xiaowei Li and Yuan Xue. 2011. BLOCK: A black-box approach for detection of state violation attacks towards web applications. In ACSAC'11: Proceedings of the 27th Annual Computer Security Applications Conference.
59. Xiaowei Li and Yuan Xue. 2013. LogicScope: Automatic discovery of logic vulnerabilities within web applications. In ASIACCS'13: Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security.
60. Xiaowei Li, Wei Yan, and Yuan Xue. 2012. SENTINEL: Securing database from logic flaws in web applications. In CODASPY'12: Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy. 25-36.
61. V. Benjamin Livshits and Monica S. Lam. 2005. Finding security vulnerabilities in Java applications with static analysis. In USENIX'05: Proceedings of the 14th Conference on USENIX Security Symposium. 18.
62. Federico Maggi, William Robertson, Christopher Kruegel, and Giovanni Vigna. 2009. Protecting a moving target: Addressing web application concept drift. In RAID'09: Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection. 21-40.
63. Ziqing Mao, Ninghui Li, and Ian Molloy. 2009. Defeating cross-site request forgery attacks with browserenforced authenticity protection. In FC'09: Proceedings of the 13th International Conference on Financial Cryptography and Data Security. 238-255.
64. Gervase Markham. 2006. Content Restrictions. http://www.gerv.net/ security/content-restrictions/.
65. Michael Martin and Monica S. Lam. 2008. Automatic generation of XSS and SQL injection attacks with goal-directed model checking. In USENIX'08: Proceedings of the 17th Conference on USENIX Security Symposium. 31-43.
66. Sean Mcallister, Engin Kirda, and Christopher Kruegel. 2008. Leveraging user interactions for in-depth testing of web applications. In RAID'08: Proceedings of the 11th International Symposium on Recent Advances in Intrusion Detection. 191-210.
67. Russell A. McClure and Ingolf H. Kruger. 2005. SQL DOM: Compile time checking of dynamic SQL statements. In ICSE'05: Proceedings of the 27th International Conference on Software Engineering. 88-96.
68. Adrian Mettler, DavidWagner, and Tyler Close. 2010. Joe-E: A security-oriented subset of Java. In NDSS'10: Proceedings of the 17th Annual Network and Distributed System Security Symposium. 357-374.
69. Yasuhiko Minamide. 2005. Static approximation of dynamically generated web pages. In WWW'05: Proceedings of the 14th International Conference on World Wide Web. 432-441.
70. and rew C. Myers, Lantian Zheng, Steve Zdancewic, Stephen Chong, and Nathaniel Nystrom. n.d. Jif: Java Information Flow. http://www.cs.cornell.edu/ jif.
71. Yacin Nadji, Prateek Saxena, and Dawn Song. 2009. Document structure integrity: A robust basis for crosssite scripting defense. In NDSS'09: Proceedings of the 16th Annual Network and Distributed System Security Symposium.
72. Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna. 2007. Crosssite scripting prevention with dynamic data tainting and static analysis. In NDSS'07: Proceedings of the 14th Network and Distributed System Security Symposium.
73. Anh Nguyen-tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, and David Evans. 2005. Automatically hardening web applications using precise tainting. In Proceedings of the 20th IFIP International Information Security Conference. 372-382.
74. NoScript. NoScript Features: Anti-XSS Protection. http://noscript.net/.
75. OWASP Top 10. 2013. Open Web Application Security Project Top Ten Security Risk (Feburary 2013). http://www.owasp.org/index.php/Top-10-2013
76. Chris Palmer. 2008. Secure Session Management with Cookies for Web Applications. https://www.isecpartners.com/media/12009/web-session-management. pdf.
77. Bryan Parno, Jonathan M. McCune, Dan Wendlandt, David G. and ersen, and Adrian Perrig. 2009. CLAMP: Practical prevention of large-scale data leaks. In Oakland'09: Proceedings of the 30th IEEE Symposium on Security and Privacy.
78. Tadeusz Pietraszek and Chris Vanden Berghe. 2005. Defending against injection attacks through contextsensitive string evaluation. In RAID'05: Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection.
79. Rails. Ruby-on-Rails Security Guide. http://guides.rubyonrails.org/ security.html.
80. Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, and Saher Esmeir. 2006. BrowserShield: Vulnerability-driven filtering of dynamic HTML. In OSDI'06: Proceedings of the 7th Symposium on Operating Systems Design and Implementation. 61-74.
81. William Robertson and Giovanni Vigna. 2009. Static enforcement of web application integrity through strong typing. In USENIX'09: Proceedings of the 18th Conference on USENIX Security Symposium. 283-298.
82. William Robertson, Giovanni Vigna, Christopher Kruegel, and Richard Kemmerer. 2006. Using generalization and characterization techniques in the anomaly-based detection of web attacks. In NDSS'06: Proceedings of the 13th Network and Distributed System Security Symposium.
83. David Ross. 2008. IE 8 XSS Filter Architecture. http://blogs.technet.com/ swi/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx.
84. Mike Samuel, Prateek Saxena, and Dawn Song. 2011. Context-sensitive auto-sanitization in web templating languages using type qualifiers. In CCS'11: Proceedings of the 18th ACM Conference on Computer and Communications Security. 587-600.
85. Prateek Saxena, Steve Hanna, Pongsin Poosankam, and Dawn Song. 2010a. FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications. In NDSS'10: Proceedings of the 17th Annual Network and Distributed System Security Symposium.
86. Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, and Dawn Song. 2010b. A Symbolic Execution Framework for JavaScript. In SP'10: Proceedings of the 2010 IEEE Symposium on Security and Privacy. 513-528.
87. Prateek Saxena, David Molnar, and Benjamin Livshits. 2011. SCRIPTGUARD: Automatic context-sensitive sanitization for large-scale legacy web applications. In CCS'11: Proceedings of the 18th ACM Conference on Computer and Communications Security. 601-614.
88. Theodoor Scholte,William Robertson, Davide Balzarotti, and Engin Kirda. 2012. Preventing input validation vulnerabilities in web applications through automated type analysis. In COMPSAC'12: Proceedings of the IEEE 36th Annual Computer Software and Applications Conference.
89. David Scott and Richard Sharp. 2002. Abstracting application-level web security. In WWW'02: Proceedings of the 11th International Conference on World Wide Web. 396-407.
90. R. Sekar. 2009. An efficient black-box technique for defeating web application attacks. In NDSS'09: Proceedings of the 16th Annual Network and Distributed System Security Symposium.
91. Eric Sheridan. 2008. OWASP CSRFGuard Project. http://www.owasp.org/index. php/CSRF-Guard.
92. Sooel Son, Kathryn S. McKinley, and Vitaly Shmatikov. 2011. RoleCast: Finding missing security checks when you do not know what checks are. In OOPSLA'11: Proceedings of the 26th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications. 1069-1084.
93. Yingbo Song, Angelos D. Keromytis, and Salvatore J. Stolfo. 2009. Spectrogram: Amixture-of-Markov-chains model for anomaly detection in web traffic. In NDSS'09: Proceedings of the 16th Annual Network and Distributed System Security Symposium.
94. Sid Stamm, Brandon Sterne, and Gervase Markham. 2010. Reining in the web with content security policy. In Proceedings of the 19th International Conference on World Wide Web(WWW'10). 921-930.
95. Zhendong Su and Gary Wassermann. 2006. The essence of command injection attacks in web applications. In POPL'06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. 372-382.
96. Fangqi Sun, Liang Xu, and Zhendong Su. 2011. Static detection of access control vulnerabilities in web applications. In USENIX'11: Proceedings of the 20th USENIX Security Symposium.
97. Nikhil Swamy, Brian J. Corcoran, and Michael Hicks. 2008. Fable: A language for enforcing user-defined security policies. In Oakland'08: Proceedings of the 29th IEEE Symposium on Security and Privacy. 369-383.
98. Shuo Tang, Haohui Mai, and Samuel T. King. 2010. Trust and protection in the Illinois browser operating system. In OSDI'10: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation. 1-8.
99. Mike Ter Louw and V. N. Venkatakrishnan. 2009. Blueprint: Precise browser-neutral prevention of cross-site scripting attacks. In Oakland'09: Proceedings of the 30th IEEE Symposium on Security and Privacy.
100. Fredrik Valeur, Darren Mutz, and Giovanni Vigna. 2005. A learning-based approach to the detection of SQL attacks. In DIMVA'05: Proceedings of the Conference on Detection of Intrusions and Malware and Vulnerability Assessment. 123-140.
101. Verizon. 2010. Verizon 2010 Data Breach Investigations Report. http://www.verizonbusiness.com/resources/reports/rp-2010-data-breach-report-en- xg.pdf.
102. K. Vikram, Abhishek Prateek, and Benjamin Livshits. 2009. Ripley: Automatically securing web 2.0 applications through replicated execution. In CCS'09: Proceedings of the 16th ACM Conference on Computer and Communications Security. 173-186.
103. Helen J. Wang, Chris Grier, Alexander Moshchuk, Samuel T. King, Piali Choudhury, and Herman Venter. 2009. The multi-principal OS construction of the gazelle web browser. In USENIX'09: Proceedings of the 18th Conference on USENIX Security Symposium. 417-432.
104. RuiWang, Shuo Chen, XiaoFengWang, and ShazQadeer. 2011. How to shop for free online-security analysis of cashier-as-a-service based web stores. In Oakland'11: Proceedings of the 32nd IEEE Symposium on Security and Privacy.
105. WASS. 2007. 2007 Web Application Security Statistics. http://projects.webappsec.org/w/page/13246989/WebApplication/SecurityStatistics.
106. Gary Wassermann and Zhendong Su. 2007. Sound and precise analysis of web applications for injection vulnerabilities. In PLDI'07: Proceedings of the 2007 ACMSIGPLAN Conference on Programming Language Design and Implementation. 32-41.
107. GaryWassermann and Zhendong Su. 2008. Static detection of cross-site scripting vulnerabilities. In ICSE'08: Proceedings of the ACM/IEEE 30th International Conference on Software Engineering.
108. Joel Weinberger, Prateek Saxena, Devdatta Akhawe,Matthew Finifter, Richard Shin, and Dawn Song. 2011. A systematic analysis of XSS sanitization in web application frameworks. In ESORICS'11: Proceedings of the 16th European Symposium on Research in Computer Security.
109. White Hat. 2010. WhiteHat Website Security Statistic Report 2010. https://www.whitehatsec.com/resource/stats.html.
110. Yichen Xie and Alex Aiken. 2006. Static detection of security vulnerabilities in scripting languages. In USENIX'06: Proceedings of the 15th Conference on USENIX Security Symposium.
111. Alexander Yip, Xi Wang, Nickolai Zeldovich, and M. Frans Kaashoek. 2009. Improving application security with data flow assertions. In SOSP'09: Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles. 291-304.
112. Dachuan Yu, Ajay Chander, Nayeem Islam, and Igor Serikov. 2007. JavaScript instrumentation for browser security. In POPL'07: Proceedings of the 34th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. 237-249.