{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,28]],"date-time":"2025-08-28T12:02:31Z","timestamp":1756382551209},"publisher-location":"Berlin, Heidelberg","reference-count":36,"publisher":"Springer Berlin Heidelberg","isbn-type":[{"type":"print","value":"9783642275753"},{"type":"electronic","value":"9783642275760"}],"license":[{"start":{"date-parts":[[2012,1,1]],"date-time":"2012-01-01T00:00:00Z","timestamp":1325376000000},"content-version":"unspecified","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2012]]},"DOI":"10.1007\/978-3-642-27576-0_24","type":"book-chapter","created":{"date-parts":[[2012,2,2]],"date-time":"2012-02-02T08:45:35Z","timestamp":1328172335000},"page":"284-298","source":"Crossref","is-referenced-by-count":19,"title":["Quo Vadis? A Study of the Evolution of Input Validation Vulnerabilities in Web Applications"],"prefix":"10.1007","author":[{"given":"Theodoor","family":"Scholte","sequence":"first","affiliation":[]},{"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[]},{"given":"Engin","family":"Kirda","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"24_CR1","doi-asserted-by":"crossref","first-page":"91","DOI":"10.1145\/1772690.1772701","volume-title":"WWW 2010: Proceedings of the 19th International Conference on World Wide Web","author":"D. Bates","year":"2010","unstructured":"Bates, D., Barth, A., Jackson, C.: Regular expressions considered harmful in client-side xss filters. In: WWW 2010: Proceedings of the 19th International Conference on World Wide Web, pp. 91\u2013100. 
ACM, New York (2010)"},{"unstructured":"Christey, S.M., Martin, R.A.: Vulnerability type distributions in cve (2007), http:\/\/cwe.mitre.org\/documents\/vuln-trends\/index.html","key":"24_CR2"},{"doi-asserted-by":"crossref","unstructured":"Clark, S., Frei, S., Blaze, M., Smith, J.: Familiarity breeds contempt: The honeymoon effect and the role of legacy code in zero-day vulnerabilities. In: Annual Computer Security Applications Conference (2010)","key":"24_CR3","DOI":"10.1145\/1920261.1920299"},{"unstructured":"Dhamankar, R., Dausin, M., Eisenbarth, M., King, J.: The top cyber security risks (2009), http:\/\/www.sans.org\/top-cyber-security-risks\/","key":"24_CR4"},{"key":"24_CR5","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1145\/1162666.1162671","volume-title":"LSAD 2006: Proceedings of the 2006 SIGCOMM Workshop on Large-Scale Attack Defense","author":"S. Frei","year":"2006","unstructured":"Frei, S., May, M., Fiedler, U., Plattner, B.: Large-scale vulnerability analysis. In: LSAD 2006: Proceedings of the 2006 SIGCOMM Workshop on Large-Scale Attack Defense, pp. 131\u2013138. ACM, New York (2006)"},{"unstructured":"Microsoft Inc. Msdn code analysis team blog (2010), http:\/\/blogs.msdn.com\/b\/codeanalysis\/","key":"24_CR6"},{"key":"24_CR7","doi-asserted-by":"crossref","first-page":"601","DOI":"10.1145\/1242572.1242654","volume-title":"WWW 2007: Proceedings of the 16th International Conference on World Wide Web","author":"T. Jim","year":"2007","unstructured":"Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: WWW 2007: Proceedings of the 16th International Conference on World Wide Web, pp. 601\u2013610. ACM, New York (2007)"},{"key":"24_CR8","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"96","DOI":"10.1007\/978-3-642-11747-3_8","volume-title":"Engineering Secure Software and Systems","author":"M. 
Johns","year":"2010","unstructured":"Johns, M., Beyerlein, C., Giesecke, R., Posegga, J.: Secure Code Generation for Web Applications. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol.\u00a05965, pp. 96\u2013113. Springer, Heidelberg (2010)"},{"key":"24_CR9","first-page":"258","volume-title":"SP 2006: Proceedings of the 2006 IEEE Symposium on Security and Privacy","author":"N. Jovanovic","year":"2006","unstructured":"Jovanovic, N., Kruegel, C., Kirda, E.: Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In: SP 2006: Proceedings of the 2006 IEEE Symposium on Security and Privacy, pp. 258\u2013263. IEEE Computer Society, Washington, DC (2006)"},{"key":"24_CR10","doi-asserted-by":"crossref","first-page":"330","DOI":"10.1145\/1141277.1141357","volume-title":"SAC 2006: Proceedings of the 2006 ACM Symposium on Applied Computing","author":"E. Kirda","year":"2006","unstructured":"Kirda, E., Kruegel, C., Vigna, G., Jovanovic, N.: Noxes: a client-side solution for mitigating cross-site scripting attacks. In: SAC 2006: Proceedings of the 2006 ACM Symposium on Applied Computing, pp. 330\u2013337. ACM, New York (2006)"},{"unstructured":"Kouns, J., Todd, K., Martin, B., Shettler, D., Tornio, S., Ingram, C., McDonald, P.: The open source vulnerability database (2010), http:\/\/osvdb.org\/","key":"24_CR11"},{"key":"24_CR12","doi-asserted-by":"publisher","first-page":"25","DOI":"10.1145\/1181309.1181314","volume-title":"ASID 2006: Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability","author":"Z. Li","year":"2006","unstructured":"Li, Z., Tan, L., Wang, X., Lu, S., Zhou, Y., Zhai, C.: Have things changed now?: an empirical study of bug characteristics in modern open source software. In: ASID 2006: Proceedings of the 1st Workshop on Architectural and System Support for Improving Software Dependability, pp. 25\u201333. 
ACM, New York (2006)"},{"key":"24_CR13","doi-asserted-by":"publisher","first-page":"95","DOI":"10.1145\/1255329.1255346","volume-title":"PLAS 2007: Proceedings of the 2007 Workshop on Programming Languages and Analysis for Security","author":"B. Livshits","year":"2007","unstructured":"Livshits, B., Erlingsson, \u00da.: Using web application construction frameworks to protect against code injection attacks. In: PLAS 2007: Proceedings of the 2007 Workshop on Programming Languages and Analysis for Security, pp. 95\u2013104. ACM, New York (2007)"},{"unstructured":"Livshits, V.B., Lam, M.S.: Finding security errors in Java programs with static analysis. In: Proceedings of the 14th Usenix Security Symposium, pp. 271\u2013286 (August 2005)","key":"24_CR14"},{"unstructured":"Martin, B., Brown, M., Paller, A., Kirby, D.: 2010 cwe\/sans top 25 most dangerous software errors (2010), http:\/\/cwe.mitre.org\/top25\/","key":"24_CR15"},{"unstructured":"Mavituna, F.: Sql injection cheat sheet (2009), http:\/\/ferruh.mavituna.com\/sql-injection-cheatsheet-oku\/","key":"24_CR16"},{"unstructured":"Mell, P., Scarfone, K., Romanosky, S.: A complete guide to the common vulnerability scoring system version 2.0 (2007), http:\/\/www.first.org\/cvss\/cvss-guide.html","key":"24_CR17"},{"unstructured":"MITRE. Common platform enumeration, cpe (2010), http:\/\/cpe.mitre.org\/","key":"24_CR18"},{"unstructured":"MITRE. Common vulnerabilities and exposures, cve (2010), http:\/\/cve.mitre.org\/","key":"24_CR19"},{"unstructured":"MITRE. Common weakness enumeration, cwe (2010), http:\/\/cwe.mitre.org\/","key":"24_CR20"},{"doi-asserted-by":"crossref","unstructured":"MITRE. Mitre faqs (2010), http:\/\/cve.mitre.org\/about\/faqs.html","key":"24_CR21","DOI":"10.1080\/07374836.2011.10555810"},{"doi-asserted-by":"crossref","unstructured":"Neuhaus, S., Zimmermann, T.: Security trend analysis with cve topic models. 
In: Proceedings of the 21st IEEE International Symposium on Software Reliability Engineering (November 2010)","key":"24_CR22","DOI":"10.1109\/ISSRE.2010.53"},{"unstructured":"Newsome, J., Song, D.X.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: NDSS. The Internet Society (2005)","key":"24_CR23"},{"key":"24_CR24","first-page":"295","volume-title":"SEC 2005","author":"A. Nguyen-Tuong","year":"2005","unstructured":"Nguyen-Tuong, A., Guarnieri, S., Greene, D., Shirley, J., Evans, D.: Automatically hardening web applications using precise tainting. In: SEC 2005, pp. 295\u2013308. Springer, Heidelberg (2005)"},{"unstructured":"Computer Security\u00a0Division of\u00a0National Institute\u00a0of Standards and Technology. National vulnerability database version 2.2 (2010), http:\/\/nvd.nist.gov\/","key":"24_CR25"},{"key":"24_CR26","volume-title":"USENIX-SS 2006: Proceedings of the 15th Conference on USENIX Security Symposium","author":"A. Ozment","year":"2006","unstructured":"Ozment, A., Schechter, S.E.: Milk or wine: does software security improve with age? In: USENIX-SS 2006: Proceedings of the 15th Conference on USENIX Security Symposium. USENIX Association, Berkeley (2006)"},{"key":"24_CR27","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"124","DOI":"10.1007\/11663812_7","volume-title":"Recent Advances in Intrusion Detection","author":"T. Pietraszek","year":"2006","unstructured":"Pietraszek, T., Berghe, C.V.: Defending Against Injection Attacks Through Context-Sensitive String Evaluation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol.\u00a03858, pp. 124\u2013145. Springer, Heidelberg (2006)"},{"unstructured":"The Open Web Application\u00a0Security Project. 
Owasp top 10 - 2010, the ten most critical web application security risks (2010)","key":"24_CR28"},{"unstructured":"Robertson, W., Vigna, G.: Static enforcement of web application integrity through strong typing. In: Proceedings of the 18th Conference on USENIX Security Symposium, pp. 283\u2013298. USENIX Association (2009)","key":"24_CR29"},{"unstructured":"RSnake. Xss (cross site scripting) cheat sheet esp: for filter evasion (2009), http:\/\/ha.ckers.org\/xss.html","key":"24_CR30"},{"key":"24_CR31","first-page":"173","volume-title":"CCS 2009: Proceedings of the 16th ACM Conference on Computer and Communications Security","author":"K. Vikram","year":"2009","unstructured":"Vikram, K., Prateek, A., Livshits, B.: Ripley: automatically securing web 2.0 applications through replicated execution. In: CCS 2009: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 173\u2013186. ACM, New York (2009)"},{"unstructured":"Vogt, P., Nentwich, F., Jovanovic, N., Kruegel, C., Kirda, E., Vigna, G.: Cross site scripting prevention with dynamic data tainting and static analysis. In: Proceedings of 14th Annual Network and Distributed System Security Symposium, NDSS 2007 (2007)","key":"24_CR32"},{"key":"24_CR33","volume-title":"Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation","author":"G. Wassermann","year":"2007","unstructured":"Wassermann, G., Su, Z.: Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. In: Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation. ACM Press, New York (2007)"},{"key":"24_CR34","volume-title":"Proceedings of the 30th International Conference on Software Engineering","author":"G. Wassermann","year":"2008","unstructured":"Wassermann, G., Su, Z.: Static Detection of Cross-Site Scripting Vulnerabilities. In: Proceedings of the 30th International Conference on Software Engineering, Leipzig, Germany. 
ACM, New York (2008) (in press)"},{"key":"24_CR35","volume-title":"USENIX-SS 2006: Proceedings of the 15th Conference on USENIX Security Symposium","author":"Y. Xie","year":"2006","unstructured":"Xie, Y., Aiken, A.: Static detection of security vulnerabilities in scripting languages. In: USENIX-SS 2006: Proceedings of the 15th Conference on USENIX Security Symposium. USENIX Association, Berkeley (2006)"},{"key":"24_CR36","first-page":"507","volume-title":"WWW 2008: Proceeding of the 17th International Conference on World Wide Web","author":"D. Yu","year":"2008","unstructured":"Yu, D., Chander, A., Inamura, H., Serikov, I.: Better abstractions for secure server-side scripting. In: WWW 2008: Proceeding of the 17th International Conference on World Wide Web, pp. 507\u2013516. ACM, New York (2008)"}],"container-title":["Lecture Notes in Computer Science","Financial Cryptography and Data Security"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-642-27576-0_24","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,12,27]],"date-time":"2021-12-27T12:56:37Z","timestamp":1640609797000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-642-27576-0_24"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2012]]},"ISBN":["9783642275753","9783642275760"],"references-count":36,"URL":"https:\/\/doi.org\/10.1007\/978-3-642-27576-0_24","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2012]]}}}