A Study of Gaps in Defensive Countermeasures for Web Security

[1]  Vinod Yegneswaran,et al.  PathCutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks , 2012, NDSS.

[2]  Vitaly Shmatikov,et al.  The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites , 2013, NDSS.

[3]  Prasad Naldurg,et al.  MACE: Detecting Privilege Escalation Vulnerabilities in Web Applications , 2014, CCS.

[4]  Christopher Krügel,et al.  Toward Automated Detection of Logic Vulnerabilities in Web Applications , 2010, USENIX Security Symposium.

[5]  Joachim Posegga,et al.  Reliable protection against session fixation attacks , 2011, SAC.

[6]  Dawn Xiaodong Song,et al.  Clickjacking Revisited: A Perceptual View of UI Security , 2014, WOOT.

[7]  XiaoFeng Wang,et al.  InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations , 2013, NDSS.

[8]  R. Sekar,et al.  Eternal War in Memory , 2014, IEEE Security & Privacy.

[9]  Hovav Shacham,et al.  Return-Oriented Programming: Systems, Languages, and Applications , 2012, TSEC.

[10]  Sebastian Lekies A tale of the weaknesses of current client-side XSS filtering , 2014 .

[11]  Vitaly Shmatikov,et al.  Diglossia: detecting code injection attacks with precision and efficiency , 2013, CCS.

[12]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[13]  Collin Jackson,et al.  Robust defenses for cross-site request forgery , 2008, CCS.

[14]  Niels Provos,et al.  All Your iFRAMEs Point to Us , 2008, USENIX Security Symposium.

[15]  Benjamin G. Zorn,et al.  Zozzle: Low-overhead Mostly Static JavaScript Malware Detection , 2010 .

[16]  Jörg Schwenk,et al.  mXSS attacks: attacking well-secured web-applications by using innerHTML mutations , 2013, CCS.

[17]  Benjamin Livshits,et al.  Rozzle: De-cloaking Internet Malware , 2012, 2012 IEEE Symposium on Security and Privacy.

[18]  Michael J. Freedman,et al.  Automating Isolation and Least Privilege in Web Services , 2014, 2014 IEEE Symposium on Security and Privacy.

[19]  Thorsten Holz,et al.  Static Detection of Second-Order Vulnerabilities in Web Applications , 2014, USENIX Security Symposium.

[20]  Alessandro Orso,et al.  A Classification of SQL Injection Attacks and Countermeasures , 2006, ISSSE.

[21]  Baptiste Gourdin Framing Attacks on Smart Phones and Dumb Routers: Tap-jacking and Geo-localization Attacks , 2010, WOOT.

[22]  Dawn Xiaodong Song,et al.  SoK: Eternal War in Memory , 2013, 2013 IEEE Symposium on Security and Privacy.

[23]  Rui Wang,et al.  How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores , 2011, 2011 IEEE Symposium on Security and Privacy.

[24]  Benjamin Livshits,et al.  SCRIPTGARD: automatic context-sensitive sanitization for large-scale legacy web applications , 2011, CCS '11.

[25]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[26]  Dan Boneh,et al.  Busting frame busting a study of clickjacking vulnerabilities on popular sites , 2010 .

[27]  Ben Stock,et al.  25 million flows later: large-scale detection of DOM-based XSS , 2013, CCS.

[28]  Benjamin Livshits,et al.  NOZZLE: A Defense Against Heap-spraying Code Injection Attacks , 2009, USENIX Security Symposium.

[29]  Dan Boneh,et al.  XCS: cross channel scripting and its impact on web applications , 2009, CCS.

[30]  Christopher Krügel,et al.  Hulk: Eliciting Malicious Behavior in Browser Extensions , 2014, USENIX Security Symposium.

[31]  Kenji Kono,et al.  Automated detection of session fixation vulnerabilities , 2010, WWW '10.

[32]  Lei Liu,et al.  Chrome Extensions: Threat Analysis and Countermeasures , 2012, NDSS.

[33]  Helen J. Wang,et al.  Clickjacking: Attacks and Defenses , 2012, USENIX Security Symposium.

[34]  Christopher Krügel,et al.  deDacota: toward preventing server-side XSS via automatic code and data separation , 2013, CCS.

[35]  Thorsten Holz,et al.  Code Reuse Attacks in PHP: Automated POP Chain Generation , 2014, CCS.

[36]  Paolo Milani Comparetti,et al.  EvilSeed: A Guided Approach to Finding Malicious Web Pages , 2012, 2012 IEEE Symposium on Security and Privacy.

[37]  Giovanni Vigna,et al.  Multi-module vulnerability analysis of web-based applications , 2007, CCS '07.

[38]  Davide Balzarotti,et al.  Toward Black-Box Detection of Logic Flaws in Web Applications , 2014, NDSS.

[39]  Tobias Lauinger,et al.  Why Is CSP Failing? Trends and Challenges in CSP Adoption , 2014, RAID.

[40]  V. N. Venkatakrishnan,et al.  Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[41]  Ben Stock,et al.  Precise Client-side Protection against DOM-based Cross-Site Scripting , 2014, USENIX Security Symposium.

[42]  Adrian Perrig,et al.  CLAMP: Practical Prevention of Large-Scale Data Leaks , 2009, 2009 30th IEEE Symposium on Security and Privacy.