{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,16]],"date-time":"2025-10-16T03:49:01Z","timestamp":1760586541855,"version":"3.38.0"},"publisher-location":"Berlin, Heidelberg","reference-count":63,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"type":"print","value":"9783642177132"},{"type":"electronic","value":"9783642177149"}],"license":[{"start":{"date-parts":[[2010,1,1]],"date-time":"2010-01-01T00:00:00Z","timestamp":1262304000000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2010]]},"DOI":"10.1007\/978-3-642-17714-9_2","type":"book-chapter","created":{"date-parts":[[2010,12,7]],"date-time":"2010-12-07T13:27:24Z","timestamp":1291728444000},"page":"3-26","source":"Crossref","is-referenced-by-count":1,"title":["WebAppArmor: A Framework for Robust Prevention of Attacks on Web Applications (Invited Paper)"],"prefix":"10.1007","author":[{"given":"V. N.","family":"Venkatakrishnan","sequence":"first","affiliation":[]},{"given":"Prithvi","family":"Bisht","sequence":"additional","affiliation":[]},{"given":"Mike","family":"Ter Louw","sequence":"additional","affiliation":[]},{"given":"Michelle","family":"Zhou","sequence":"additional","affiliation":[]},{"given":"Kalpana","family":"Gondi","sequence":"additional","affiliation":[]},{"given":"Karthik Thotta","family":"Ganesh","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"2_CR1","unstructured":"htmLawed: PHP Code to Purify & Filter HTML, http:\/\/www.bioinformatics.org\/phplabware\/internal_utilities\/htmLawed\/ (retrieved on October 10, 2010)"},{"key":"2_CR2","unstructured":"kses - PHP HTML\/XHTML filter, http:\/\/sourceforge.net\/projects\/kses\/ (retrieved on October 10, 2010)"},{"key":"2_CR3","unstructured":"PHP Input Filter, http:\/\/sourceforge.net\/projects\/phpinputfilter\/ (retrieved on October 10, 2010)"},{"key":"2_CR4","unstructured":"XSS (Cross Site Scripting) Cheat Sheet. Esp: for filter evasion, http:\/\/ha.ckers.org\/xss.html (retrieved on October 10, 2010)"},{"key":"2_CR5","unstructured":"DOM mutation events. W3C draft (November 2003)"},{"key":"2_CR6","unstructured":"16th Annual Network & Distributed System Security Symposium, San Diego, California, USA (February 2009)"},{"key":"2_CR7","unstructured":"TJX Hacker Charged With Heartland, Hannaford Breaches (August 2009), http:\/\/www.wired.com\/threatlevel\/2009\/08\/tjx-hacker-charged-with-heartland (retrieved on October 10, 2010)"},{"key":"2_CR8","doi-asserted-by":"crossref","unstructured":"Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications. In: Proceedings of the 29th IEEE Symposium on Security and Privacy, SP 2008, Oakland, California, USA (2008)","DOI":"10.1109\/SP.2008.22"},{"key":"2_CR9","unstructured":"Barth, A., Jackson, C., Mitchell, J.C.: Securing Frame Communication in Browsers. In: Proceedings of the 17th Conference on Security Symposium, SS 2008, San Jose, California, USA (2008)"},{"key":"2_CR10","doi-asserted-by":"crossref","unstructured":"Bisht, P., Hinrichs, T., Skrupsky, N., Bobrowicz, R., Venkatakrishnan, V.N.: NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA (2010)","DOI":"10.1145\/1866307.1866375"},{"issue":"2","key":"2_CR11","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1698750.1698754","volume":"13","author":"P. Bisht","year":"2010","unstructured":"Bisht, P., Madhusudan, P., Venkatakrishnan, V.N.: CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. ACM Trans. Inf. Syst. Secur.\u00a013(2), 1\u201339 (2010)","journal-title":"ACM Trans. Inf. Syst. Secur."},{"key":"2_CR12","doi-asserted-by":"crossref","unstructured":"Bisht, P., Prasad Sistla, A., Venkatakrishnan, V.N.: Automatically Preparing Safe SQL Queries. In: Proceedings of the 14th International Conference on Financial Cryptography and Data Security, FC 2010, Tenerife, Canary Islands, Spain (2010)","DOI":"10.1007\/978-3-642-14577-3_21"},{"key":"2_CR13","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1007\/978-3-540-70542-0_2","volume-title":"Detection of Intrusions and Malware, and Vulnerability Assessment","author":"P. Bisht","year":"2008","unstructured":"Bisht, P., Venkatakrishnan, V.N.: XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol.\u00a05137, pp. 23\u201343. Springer, Heidelberg (2008)"},{"key":"2_CR14","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"292","DOI":"10.1007\/978-3-540-24852-1_21","volume-title":"Applied Cryptography and Network Security","author":"S.W. Boyd","year":"2004","unstructured":"Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL Injection Attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol.\u00a03089, pp. 292\u2013302. Springer, Heidelberg (2004)"},{"key":"2_CR15","doi-asserted-by":"crossref","unstructured":"Buehrer, G., Weide, B.W., Sivilotti, P.A.G.: Using Parse Tree Validation to Prevent SQL Injection Attacks. In: Proceedings of the 5th International Workshop on Software Engineering and Middleware, SEM 2005, Lisbon, Portugal (2005)","DOI":"10.1145\/1108473.1108496"},{"key":"2_CR16","unstructured":"Symantec Corporation. Symantec internet security threat report. Technical report, Symantec Corporation (March 2008)"},{"key":"2_CR17","unstructured":"Crockford, D.: ADsafe, http:\/\/www.adsafe.org\/ (retrieved on October 10, 2010)"},{"key":"2_CR18","unstructured":"Facebook Developers. Facebook JavaScript, http:\/\/wiki.developers.facebook.com\/index.php\/FBJS (retrieved on October 10, 2010)"},{"key":"2_CR19","doi-asserted-by":"crossref","unstructured":"Felt, A., Hooimeijer, P., Evans, D., Weimer, W.: Talking to Strangers Without Taking Their Candy: Isolating Proxied Content. In: Proceedings of the 1st Workshop on Social Network Systems, SNS 2008, Glasgow, Scotland (2008)","DOI":"10.1145\/1435497.1435502"},{"key":"2_CR20","unstructured":"Finifter, M., Weinberger, J., Barth, A.: Preventing Capability Leaks in Secure JavaScript Subsets. In: Proceedings of the 17th Network and Distributed System Security Symposium, NDSS 2010, San Diego, California, USA (2010)"},{"key":"2_CR21","unstructured":"Fisher, D.: Hackers broaden reach of cross-site scripting attacks (March 2007), ComputerWeekly.com"},{"key":"2_CR22","unstructured":"Caja, G.: A source-to-source translator for securing JavaScript-based web content, http:\/\/code.google.com\/p\/google-caja\/ (retrieved on October 10, 2010)"},{"key":"2_CR23","unstructured":"Grossman, J.: Cross site scripting worms and viruses. Technical report, WhiteHat Security Inc. (June 2007)"},{"key":"2_CR24","unstructured":"Guha, S., Cheng, B., Reznichenko, A., Haddadi, H., Francis, P.: Privad: Rearchitecting online advertising for privacy. Technical Report MPI-SWS-2009-004, Max Planck Institute for Software Systems, Kaiserslautern-Saarbruecken, Germany (October 2009)"},{"key":"2_CR25","doi-asserted-by":"crossref","unstructured":"Halfond, W.G.J., Orso, A., Manolios, P.: Using Positive Tainting and Syntax-aware Evaluation to Counter SQL Injection Attacks. In: Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, FSE 2006, Portland, Oregon, USA (2006)","DOI":"10.1145\/1181775.1181797"},{"key":"2_CR26","unstructured":"Hansen, R.: XSS cheat sheet, http:\/\/ha.ckers.org\/xss.html (retrieved on October 10, 2010)"},{"key":"2_CR27","doi-asserted-by":"crossref","unstructured":"Jackson, C., Wang, H.J.: Subspace: Secure cross-domain communication for web mashups. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, Banff, Alberta, Canada (2007)","DOI":"10.1145\/1242572.1242655"},{"key":"2_CR28","doi-asserted-by":"crossref","unstructured":"Jim, T., Swamy, N., Hicks, M.: Defeating Script Injection Attacks with Browser-enforced Embedded Policies. In: Proceedings of the 16th International Conference on World Wide Web, WWW 2007, Banff, Alberta, Canada (2007)","DOI":"10.1145\/1242572.1242654"},{"key":"2_CR29","unstructured":"Johns, M., Winter, J.: RequestRodeo: Client Side Protection against Session Riding. In: Proceedings of the OWASP Europe 2006 Conference, OWASP-APPSEC 2006, Leuven, Belgium (2006)"},{"key":"2_CR30","doi-asserted-by":"crossref","unstructured":"Jovanovic, N., Kirda, E., Kruegel, C.: Preventing Cross Site Request Forgery Attacks. In: Proceedings of the 2nd IEEE Communications Society International Conference on Security and Privacy in Communication Networks, SecureComm 2006, Baltimore, Maryland, USA (2006)","DOI":"10.1109\/SECCOMW.2006.359531"},{"key":"2_CR31","doi-asserted-by":"crossref","unstructured":"Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). In: Proceedings of the 2006 IEEE Symposium on Security and Privacy, SP 2006, Oakland, California, USA (2006)","DOI":"10.1109\/SP.2006.29"},{"key":"2_CR32","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"326","DOI":"10.1007\/978-3-540-89330-1_23","volume-title":"Programming Languages and Systems","author":"H. Kikuchi","year":"2008","unstructured":"Kikuchi, H., Yu, D., Chander, A., Inamura, H., Serikov, I.: JavaScript Instrumentation in Practice. In: Ramalingam, G. (ed.) APLAS 2008. LNCS, vol.\u00a05356, pp. 326\u2013341. Springer, Heidelberg (2008)"},{"key":"2_CR33","doi-asserted-by":"crossref","unstructured":"Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: A Client-side Solution for Mitigating Cross-site Scripting Attacks. In: Proceedings of the 21st ACM Symposium on Applied Computing, SAC 2006, Dijon, France (2006)","DOI":"10.1145\/1141277.1141357"},{"key":"2_CR34","unstructured":"Benjamin Livshits, V., Guarnieri, S.: Gatekeeper: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code. In: Proceedings of the 18th USENIX Security Symposium, SS 2009, Montreal, Canada (2009)"},{"key":"2_CR35","unstructured":"Benjamin Livshits, V., Lam, M.S.: Finding Security Vulnerabilities in Java Applications with Static Analysis. In: Proceedings of the 14th USENIX Security Symposium, SS 2005, Baltimore, Maryland, USA (2005)"},{"key":"2_CR36","unstructured":"Louw, M.T., Bisht, P., Venkatakrishnan, V.N.: Analysis of Hypertext Markup Isolation Techniques for XSS Prevention. In: Workshop on Web 2.0 Security and Privacy (W2SP), W2SP 2008, Oakland, California, USA (2008)"},{"key":"2_CR37","doi-asserted-by":"crossref","unstructured":"Maffeis, S., Mitchell, J.C., Taly, A.: Language-Based Isolation of Untrusted JavaScript. In: Proceedings of the 22nd IEEE Computer Security Foundations Symposium, CSF 2009, Port Jefferson, New York, USA (2009)","DOI":"10.1109\/CSF.2009.11"},{"key":"2_CR38","unstructured":"Maffeis, S., Mitchell, J.C., Taly, A.: Run-Time Enforcement of Secure JavaScript Subsets. In: Web 2.0 Security and Privacy, W2SP 2009, Oakland, California, USA (2009)"},{"key":"2_CR39","unstructured":"McFeters, N.: Multiple facebook vulnerabilities reported on full-disclosure. Zero-Day Vulnerabilities blog (July 2008)"},{"key":"2_CR40","unstructured":"Microsoft Live Labs. Web Sandbox, http:\/\/websandbox.livelabs.com (retrieved on October 10, 2010)"},{"key":"2_CR41","doi-asserted-by":"crossref","unstructured":"Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically Hardening Web Applications using Precise Tainting. In: Proceedings of the 20th IFIP Conference on Information Security, SEC 2005, Makuhari-Messe, Chiba, Japan (2005)","DOI":"10.1007\/0-387-25660-1_20"},{"key":"2_CR42","unstructured":"Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In: Proceedings of the 14th Annual Network & Distributed System Security Symposium, NDSS 2007, San Diego, CA, USA (2007)"},{"key":"2_CR43","doi-asserted-by":"crossref","unstructured":"Phung, P.H., Sands, D., Chudnov, A.: Lightweight self-protecting JavaScript. In: Proceedings of the 4th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2009, Novotel Rockford Darling Harbour, Sydney, Australia (2009)","DOI":"10.1145\/1533057.1533067"},{"key":"2_CR44","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"124","DOI":"10.1007\/11663812_7","volume-title":"Recent Advances in Intrusion Detection","author":"T. Pietraszek","year":"2006","unstructured":"Pietraszek, T., Berghe, C.V.: Defending Against Injection Attacks through Context-Sensitive String Evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol.\u00a03858, pp. 124\u2013145. Springer, Heidelberg (2006)"},{"key":"2_CR45","unstructured":"Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: BrowserShield: Vulnerability-driven filtering of dynamic HTML. In: Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2006, Seattle, Washington, USA (2006)"},{"key":"2_CR46","unstructured":"Samy. I\u2019m popular. Description of the MySpace worm by the author, including a technical exaplanation (2005), http:\/\/namb.la\/popular (retrieved on October 10, 2010)"},{"key":"2_CR47","unstructured":"Saxena, P., Song, D., Nadji, Y.: Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. In: Proceedings of 16th Annual Network & Distributed System Security Symposium, NDSS 2009, San Diego, California, USA (2009)"},{"key":"2_CR48","unstructured":"Sekar, R.: An Efficient Black-box Technique for Defeating Web Application Attacks. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium, NDSS 2009, San Diego, California, USA (2009)"},{"key":"2_CR49","doi-asserted-by":"crossref","unstructured":"Su, Z., Wassermann, G.: The Essence of Command Injection Attacks in Web Applications. In: Proceedings of the 33rd Symposium on Principles of Programming Languages, POPL 2006, Charleston, South Carolina, USA (2006)","DOI":"10.1145\/1111037.1111070"},{"key":"2_CR50","unstructured":"Louw, M.T., Ganesh, K.T., Venkatakrishnan, V.N.: AdJail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements. In: Proceedings of the 19th USENIX Security Symposium, SS 2010, Washington, DC, USA (2010)"},{"key":"2_CR51","doi-asserted-by":"crossref","unstructured":"Louw, M.T., Venkatakrishnan, V.N.: Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers. In: Proceedings of the 30th IEEE Symposium on Security and Privacy, SP 2009, Oakland, California, USA (2009)","DOI":"10.1109\/SP.2009.33"},{"key":"2_CR52","unstructured":"Toubiana, V., Narayanan, A., Boneh, D., Nissenbaum, H., Barocas, S.: Adnostic: Privacy Preserving Targeted Advertising. Technical report"},{"key":"2_CR53","unstructured":"Van Gundy, M., Chen, H.: Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-site Scripting Attacks. In: Proceedings of the 16th Annual Network & Distributed System Security Symposium, NDSS 2009, San Diego, California, USA (2009)"},{"key":"2_CR54","unstructured":"Vance, A.: Times Web Ads Show Security Breach. NY Times (September 2009) (retrieved on October 10, 2010)"},{"key":"2_CR55","unstructured":"World Wide Web Consortium (W3C). HTML 5: A vocabulary and associated APIs for HTML and XHTML (working draft) (January 2008), http:\/\/www.w3.org\/TR\/2008\/WD-html5-20080122\/"},{"key":"2_CR56","doi-asserted-by":"crossref","unstructured":"Wassermann, G., Su, Z.: Static Detection of Cross-site Scripting Vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering, ICSE 2008, Leipzig, Germany (2008)","DOI":"10.1145\/1368088.1368112"},{"key":"2_CR57","unstructured":"Wikipedia contributors. Same origin policy (February 2008), http:\/\/en.wikipedia.org\/w\/index.php?title=Same_origin_policy&oldid=190222964"},{"key":"2_CR58","unstructured":"World Internet Usage Statistics. Internet bulletin (March 2008), http:\/\/www.internetworldstats.com\/stats.htm"},{"key":"2_CR59","unstructured":"Xie, Y., Aiken, A.: Static Detection of Security Vulnerabilities in Scripting Languages. In: Proceedings of the 15th USENIX Security Symposium, SS 2006, Vancouver, BC, Canada (2006)"},{"key":"2_CR60","doi-asserted-by":"crossref","unstructured":"Xu, W., Bhatkar, S., Sekar, R.: Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. In: Proceedings of the 15th USENIX Security Symposium, SS 2006, Vancouver, BC, Canada (2006)","DOI":"10.1109\/SP.2006.12"},{"key":"2_CR61","doi-asserted-by":"crossref","unstructured":"Yu, D., Chander, A., Islam, N., Serikov, I.: JavaScript instrumentation for browser security. In: Proceedings of the 34th Annual ACM Symposium on Principles of Programming Languages, POPL 2007, Nice, France (2007)","DOI":"10.1145\/1190216.1190252"},{"key":"2_CR62","unstructured":"Zeller, W., Felten, E.W.: Cross-site request forgeries: Exploitation and prevention. Technical report, Princeton University (Fall 2008)"},{"key":"2_CR63","doi-asserted-by":"crossref","unstructured":"Zhou, M., Bisht, P., Venkatakrishnan, V.N.: Strengthening XSRF Defenses for Legacy Web Applications Using White-box Analysis and Transformation. In: 6th International Conference on Information Systems Security, ICISS 2010 (December 2010) (to appear)","DOI":"10.1007\/978-3-642-17714-9_8"}],"container-title":["Lecture Notes in Computer Science","Information Systems Security"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-642-17714-9_2","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,2,28]],"date-time":"2025-02-28T14:51:31Z","timestamp":1740754291000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-642-17714-9_2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2010]]},"ISBN":["9783642177132","9783642177149"],"references-count":63,"URL":"https:\/\/doi.org\/10.1007\/978-3-642-17714-9_2","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2010]]}}}