dissertation.bib

@string{usenix-security = "Proceedings of the USENIX Security Symposium (USENIX)"}
@string{ccs             = "Proceedings of the ACM Conference on Computer and Communications Security (CCS)"}
@string{www             = "Proceedings of the International World Wide Web Conference (WWW)"}
@string{dsn             = "Proceedings of the Conference on Dependable Systems and Networks (DSN)"}
@string{raid-old        = "Proceedings of the Symposium on Recent Advances in Intrusion Detection (RAID)"}
@string{ieee-oakland    = "Proceedings of the IEEE Symposium on Security and Privacy"}
@string{acsac           = "Proceedings of the Annual Computer Security Applications Conference (ACSAC)"}
@string{codaspy         = "Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY)"}
@string{ccgrid          = "Proceedings of the IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID)"}
@string{icwe            = "Proceedings of the International Conference on Web Engineering (ICWE)"}
@string{icst            = "Proceedings of the IEEE International Conference on Software Testing, Verification and Validation (ICST)"}
@string{csmr            = "Proceedings of the European Conference on Software Maintenance and Reengineering (CSMR)"}
@string{fase            = "Proceedings of the International Conference on Fundamental Approaches to Software Engineering (FASE)"}
@string{vldb            = "Proceedings of the International Conference on Very Large Data Bases (VLDB)"}
@string{wcre            = "Proceedings of the Working Conference on Reverse Engineering (WCRE)"}
@string{ndss            = "Proceedings of the Symposium on Network and Distributed System Security (NDSS)"}
@string{asia-ccs        = "Proceedings of the ACM Symposium on Information, Computer and Communications Security (AsiaCCS)"}
@string{dimva           = "Proceedings of the Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)"}
@string{dls             = "Proceedings of the ACM SIGPLAN Dynamic Languages Symposium (DLS)"}
@string{ace             = "Proceedings of the IEEE/ACM Conference on Automated Software Engineering (ASE)"}
@string{acm-plas        = "Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS)"}
@string{tacas           = "Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS)"}
@string{pldi            = "Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI)"}
@string{esorics         = "Proceedings of the European Symposium on Research in Computer Security (ESORICS)"}
@string{ifip-sec        = "Proceedings of the IFIP International Information Security Conference"}
@string{popl            = "Proceedings of the Symposium on Principles of Programming Languages (POPL)"}
@string{usenix-hot-topics = "Proceedings of the USENIX Workshop on Hot Topics in Security (HotSec)"}
@string{w2sp            = "Proceedings of the Workshop on Web 2.0 Security and Privacy (W2SP)"}
@string{sac             = "Proceedings of the ACM Symposium on Applied Computing (SAC)"}
@string{iceccs          = "Proceedings of the IEEE International Conference on Engineering of Complex Computer Systems (ICECCS)"}


@inproceedings{small08:predator,
    author = {S. Small and J. Mason and F. Monrose and N. Provos and A. Stubblefield},
    title = {{To Catch a Predator: A Natural Language Approach for
                  Eliciting Malicious Payloads}},
    booktitle = usenix-security,
    year = 2008
}

@inproceedings{provos08:iframes,
    author = {N. Provos and P. Mavrommatis and M. Rajab and F. Monrose},
    title = {{All Your iFRAMEs Point to Us}},
    booktitle = usenix-security,
    year = 2008
}

@InProceedings{balzarotti07:mimosa,
  title={{Multi-module Vulnerability Analysis of Web-based Applications}},
  author={Balzarotti, D. and Cova, M. and Felmetsger, V. and Vigna, G.},
  booktitle=ccs,
  year={2007}
}

@inproceedings{balzarotti08:saner,
  title={{Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications}},
  author={Balzarotti, D. and Cova, M. and Felmetsger, V. and Jovanovic, N. and Kirda, E. and Kruegel, C. and Vigna, G.},
  booktitle=ieee-oakland,
  year={2008},
}


@inproceedings{kals06:secubat,
    author = {S. Kals and E. Kirda and C. Kruegel and N. Jovanovic},
    title = {{SecuBat: A Web Vulnerability Scanner}},
    booktitle = www,
    year = 2006
}

@inproceedings{vieira09,
    author = {M. Vieira and N. Antunes and H. Madeira},
    title = {{Using Web Security Scanners to Detect Vulnerabilities in Web Services}},
    booktitle = dsn,
    year = 2009
}

@inproceedings{mcallister08,
    author = {S. McAllister and C. Kruegel and E. Kirda},
    title = {{Leveraging User Interactions for In-Depth Testing of Web Applications}},
    booktitle = raid-old,
    year = 2008
}

@inproceedings{robertson09,
    author = {William Robertson and Giovanni Vigna},
    title = {{Static Enforcement of Web Application Integrity Through Strong Typing}},
    booktitle = usenix-security,
    year = {2009},
}

@inproceedings{chong07,
  title={{SIF: Enforcing confidentiality and integrity in web applications}},
  author={Chong, S. and Vikram, K. and Myers, A.C.},
  booktitle=usenix-security,
  year={2007},
}

@InProceedings{felmetsger10:logic,
  author =       {V. Felmetsger and L. Cavedon and C. Kruegel and G. Vigna},
  title =        {{Toward Automated Detection of Logic Vulnerabilities in Web Applications}},
  booktitle = usenix-security,
  year =         2010,
}

@inproceedings{huang03:web,
 author = {Huang, Yao-Wen and Huang, Shih-Kun and Lin, Tsung-Po and Tsai, Chung-Hung},
 title = {{Web Application Security Assessment by Fault Injection and Behavior Monitoring}},
 booktitle = www,
 year = {2003},
} 

@InProceedings{doupe11fear-the-ear,
  author = 	 {Adam Doup\'e and Bryce Boe and Christopher Kruegel and Giovanni Vigna},
  title = 	 {{Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities}},
  booktitle = ccs,
  year = 	 2011,
}

@inproceedings{berg08,
  title={{Regular Inference for State Machines using Domains with Equality Tests}},
  author={Berg, T. and Jonsson, B. and Raffelt, H.},
  booktitle=fase,
  year={2008},
}

@inproceedings{bau10:state,
  title={{State of the Art: Automated Black-Box Web Application Vulnerability Testing}},
  author={Bau, J. and Bursztein, E. and Gupta, D. and Mitchell, J. C.},
  booktitle=ieee-oakland,
  year={2010},
}

@InProceedings{li11:BLOCK,
  author = 		 {Xiaowei Li and Yuan Xue},
  title = 		 {{BLOCK: A Black-box Approach for Detection of State Violation Attacks Towards Web Applications}},
  booktitle = acsac,
  year = 	 2011,
}

@InProceedings{cova07:swaddler,
  author    = {M. Cova and D. Balzarotti and V. Felmetsger and G. Vigna},
  title = {{Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications}},
  booktitle = raid-old,
  year      = 2007,
}

@inproceedings{li12:sentinel,
  author    = {Xiaowei Li and Wei Yan and Yuan Xue},
  title     = {{SENTINEL: Securing Database from Logic Flaws in Web Applications}},
  booktitle = codaspy,
  year      = {2012},
}

@INPROCEEDINGS{nurmi09:eucalyptus, 
author={Nurmi, D. and Wolski, R. and Grzegorczyk, C. and Obertelli, G. and Soman, S. and Youseff, L. and Zagorodnov, D.}, 
booktitle=ccgrid,
title={{The Eucalyptus Open-Source Cloud-Computing System}}, 
year=2009, 
}

@INPROCEEDINGS{mesbah09:crawljax, 
author={Mesbah, A. and Bozdag, E. and van Deursen, A.}, 
booktitle=icwe, 
title={{Crawling AJAX by Inferring User Interface State Changes}}, 
year=2008, 
}

@inproceedings{halfond09:penetration,
  title={{Penetration Testing with Improved Input Vector Identification}},
  author={William G.J. Halfond and Shauvik Roy Choudhary and Alessandro Orso},
  booktitle=icst,
  year={2009},
}

@inproceedings{huang04:securing,
 author = {Yao-Wen Huang and Fang Yu and Christian Hang and Chung-Hung Tsai and Der-Tsai Lee and Sy-Yen Kuo},
 title = {{Securing Web Application Code by Static Analysis and Runtime Protection}},
 booktitle = www,
 year = {2004},
 }

@inproceedings{di02:ware,
  title={{WARE: a tool for the Reverse Engineering of Web applications}},
  author={Di Lucca, G. A. and Fasolino, A. R. and Pace, F. and Tramontana, P. and De Carlini, U.},
  booktitle=csmr,
  year={2002}
}

@inproceedings{scott02,
  title={{Abstracting Application-Level Web Security}},
  author={Scott, D. and Sharp, R.},
  booktitle=www,
  year={2002},
}

@inproceedings{raghavan01:hidden-web,
  title={{Crawling the Hidden Web}},
  author={Raghavan, S. and Garcia-Molina, H.},
  booktitle=vldb,
  year={2001},
}

@inproceedings{amalfitano08,
  title={{Reverse Engineering Finite State Machines from Rich Internet Applications}},
  author={Amalfitano, D. and Fasolino, A.R. and Tramontana, P.},
  booktitle=wcre,
  year={2008},
}

@InProceedings{ barth08:csrf,
  author = {Adam Barth and Collin Jackson and John C. Mitchell},
  title = {{Robust Defenses for Cross-Site Request Forgery}}, 
  booktitle = ccs,
  year = 2008  
}

@inproceedings{balduzzi11:hpp,
  title={{Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications}},
  author={Balduzzi, M. and Gimenez, C. T. and Balzarotti, D. and Kirda, E.},
  booktitle=ndss,
  year={2011}
}

@InProceedings{balduzzi10:clickjacking,
  author = 	 {M. Balduzzi and M. Egele and E. Kirda and D. Balzarotti and C. Kruegel},
  title = 	 {{A Solution for the Automated Detection of Clickjacking Attacks}},
  booktitle = asia-ccs,
  year =	 2010,
}

@inproceedings{childers10:ictf,
 author = {Childers, Nicholas and Boe, Bryce and Cavallaro, Lorenzo and Cavedon, Ludovico and Cova, Marco and Egele, Manuel and Vigna, Giovanni},
 title = {Organizing Large Scale Hacking Competitions},
 booktitle = dimva,
 year = {2010},
}

@InPROCEEDINGS{furr09:ril,
  TITLE = {{The Ruby Intermediate Language}},
  AUTHOR = {Michael Furr and Jong-hoon (David) An and Jeffrey S. Foster and Michael Hicks},
  BOOKTITLE = dls,
  YEAR = 2009
}

@INPROCEEDINGS{jovanovic06:pixy-short,
    author = {Nenad Jovanovic and Christopher Kruegel and Engin Kirda},
    title = {{Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)}},
    booktitle = ieee-oakland,
    year = {2006},
}

@inproceedings{jovanovic06:pixy-improved,
 author = {Jovanovic, Nenad and Kruegel, Christopher and Kirda, Engin},
 title = {{Precise Alias Analysis for Static Detection of Web Application Vulnerabilities}},
 booktitle = acm-plas,
 year = {2006},
} 


@inproceedings{livshits05:java-static,
 author = {Livshits, V. Benjamin and Lam, Monica S.},
 title = {{Finding Security Vulnerabilities in Java Applications with Static Analysis}},
 booktitle = usenix-security,
 year = {2005},
} 

@inproceedings {wang11:caas,
	author = {Rui Wang and Shuo Chen and XiaoFeng Wang and Shaz Qadeer},
	title = {{How to Shop for Free Online - Security Analysis of Cashier-as-a-Service Based Web Stores}},
	booktitle = ieee-oakland,
	year = {2011},
}

@inproceedings{an09:stror,
    author = {Jong-hoon An and Avik Chaudhuri and Jeffrey Foster},
    title = {{Static Typing for Ruby on Rails}},
    booktitle = ace,
    year = {2009},
} 

@inproceedings{chaudhuri10:ssarorwa,
    author = {Avik Chaudhuri and Jeffrey Foster},
    title = {{Symbolic Security Analysis of Ruby-on-Rails Web Applications}},
    booktitle = ccs,
    year = {2010},
}

@InProceedings{yu:10,
  author = 		 {Fang Yu and Muath Alkhalaf and Tevfik Bultan},
  title = 		 {{{\sc Stranger}: An Automata-based String Analysis Tool for PHP}},
  booktitle = tacas,
  year = 	 2010}

@inproceedings{hooimeijer11:bek,
 author = {Pieter Hooimeijer and Benjamin Livshits and David Molnar and Prateek Saxena and Margus Veanes},
 title = {{Fast and Precise Sanitizer Analysis with {\sc Bek}}},
 booktitle = usenix-security,
 year = 2011,
} 

@inproceedings{tripp09:taj,
 author = {Omer Tripp and Marco Pistoia and Stephen J. Fink and Manu Sridharan and Omri Weisman},
 title = {{TAJ: Effective Taint Analysis of Web Applications}},
 booktitle = pldi, 
 year = {2009},
} 

@inproceedings{weinberger11:sanitization,
  author    = {Joel Weinberger and Prateek Saxena and Devdatta Akhawe and Matthew Finifter and Richard Shin and Dawn Song},
  title     = {{A Systematic Analysis of {XSS} Sanitization in Web Application Frameworks}},
  booktitle = esorics,
  year      = 2011
}

@inproceedings{xie06:static,
  author    = {Yichen Xie and Alex Aiken},
  title     = {{Static Detection of Security Vulnerabilities in Scripting Languages}},
  booktitle = usenix-security,
  year      = {2006},
}

@inproceedings{wassermann07:sound,
  author    = {Wassermann, Gary and Su, Zhendong},
  title     = {{Sound and Precise Analysis of Web Applications for Injection Vulnerabilities}},
  booktitle = pldi,
  year      = 2007,
}

@inproceedings{nguyen05:hardening,
  author    = {Anh Nguyen-tuong and Salvatore Guarnieri and Doug Greene and David Evans},
  title     = {{Automatically Hardening Web Applications Using Precise Tainting}},
  booktitle = ifip-sec,
  year      = {2005},
}

@inproceedings{samuel11:templating,
  author    = {Mike Samuel and Prateek Saxena and Dawn Song},
  title     = {{Context-Sensitive Auto-Sanitization in Web Templating Languages Using Type Qualifiers}},
  booktitle = ccs,
  year      = {2011},
}

@inproceedings{saxena11:scriptgard,
  title     = {{{\sc ScriptGard}: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications}},
  author    = {Prateek Saxena and David Molnar and Benjamin Livshits},
  year      = 2011,
  booktitle = ccs,
}

@inproceedings{livshits13:automatic-sanitizers,
  author       = {Benjamin Livshits and Stephen Chong},
  title        = {{Towards Fully Automatic Placement of Security Sanitizers and Declassifiers}},
  year         = 2013,
  booktitle    = popl,
}

@inproceedings{stamm10:csp,
  author    = {Sid Stamm and Brandon Sterne and Gervase Markham},
  title     = {{Reining in the Web with Content Security Policy}},
  booktitle = www,
  year      = {2010},
}

@inproceedings{jim07:beep,
  author    = {Trevor Jim and Nikhil Swamy and Michael Hicks},
  title     = {{Defeating Script Injection Attacks with Browser-Enforced Embedded Policies}},
  booktitle = www,
  year      = {2007},
} 

@inproceedings{louw09:blueprint,
  author    = {Mike Ter Louw and V.N. Venkatakrishnan},
  title     = {{{\sc Blueprint}: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers}},
  booktitle = ieee-oakland,
  year      = {2009},
}

@inproceedings{bisht08:xssguard,
author        = {Prithvi Bisht and V.N. Venkatakrishnan},
title         = {{XSS-GUARD: Precise Dynamic Prevention of Cross-Site Scripting Attacks}},
booktitle = dimva,
year          = 2008,
} 

@inproceedings{weinberger11:client,
  author    = {Joel Weinberger and Adam Barth and Dawn Song},
  title     = {{Towards Client-side {HTML} Security Policies}},
  booktitle = usenix-hot-topics,
  year      = {2011},
}

@inproceedings{akhawe12:privilege,
  author    = {Devdatta Akhawe and Prateek Saxena and Dawn Song},
  title     = {{Privilege Separation in {HTML5} Applications}},
  booktitle = usenix-security,
  year = {2012},
}

@inproceedings{heiderich12,
 author = {Mario Heiderich and Marcus Niemietz and Felix Schuster and Thorsten Holz and J\"{o}rg Schwenk},
 title = {{Scriptless Attacks: Stealing the Pie Without Touching the Sill}},
 booktitle = ccs,
 year = {2012},
}

@inproceedings{cui12:tracking,
  title={{Tracking Rootkit Footprints with a Practical Memory Analysis System}},
  author={Weidong Cui and Marcus Peinado and Zhilei Xu and Ellick Chan},
  booktitle=usenix-security,
  year={2012},
}

@inproceedings{pietraszek05,
  author    = {Tadeusz Pietraszek and Chris Vanden Berghe},
  title     = {{Defending against Injection Attacks through Context-Sensitive String Evaluations}},
  booktitle = raid-old,
  year      = {2005}
}

@inproceedings{su06:sqlcheck,
  author    = {Zhendong Su and Gary Wassermann},
  title     = {{The Essence of Command Injection Attacks in Web Applications}},
  booktitle = popl,
  year      = {2006},
}

@inproceedings{vangundy09:noncespaces,
  author    = {Matthew Van Gundy and Hao Chen},
  title     = {{Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks}},
  booktitle = ndss,
  year      = {2009},
}

@inproceedings{livshits07,
  author    = {Benjamin Livshits and Ulfar Erlingsson},
  title     = {{Using Web Application Construction Frameworks to Protect Against Code Injection Attacks}},
  booktitle = acm-plas,
  year      = {2007},
}

@inproceedings{athanasopoulos09,
  author    = {Elias Athanasopoulos and Vasilis Pappas and Evangelos P. Markatos},
  title     = {{Code-Injection Attacks in Browsers Supporting Policies}},
  booktitle = w2sp, 
  year      = 2009,
}

@inproceedings{martin08:autoxss,
  author    = {Michael Martin and Monica S. Lam},
  title     = {{Automatic Generation of {XSS} and {SQL} Injection Attacks with Goal-Directed Model Checking}},
  booktitle = usenix-security,
  year      = {2008},
}

@INPROCEEDINGS{johns07:smask,
    author = {Martin Johns and Christian Beyerlein},
    title = {{SMask: Preventing Injection Attacks in Web Applications by Approximating Automatic Data/Code Separation}},
    booktitle = sac,
    year = {2007}
}

@inproceedings{saxena10:kudzu,
  author    = {Prateek Saxena and Devdatta Akhawe and Steve Hanna and Feng Mao and Stephen McCamant and Dawn Song},
  title     = {{A Symbolic Execution Framework for JavaScript}},
  booktitle = ieee-oakland,
  year      = {2010},
}

@inproceedings{nadji08:structure-integrity,
  author    = {Yacin Nadji and Prateek Saxena and Dawn Song},
  title     = {{Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense}},
  booktitle = ndss,
  year      = {2008}
}

@inproceedings{kirda06:noxes,
  author    = {Engin Kirda and Christopher Kruegel and Giovanni Vigna and Nenad Jovanovic},
  title     = {{Noxes: A Client-Side Solution for Mitigating Cross-Site Scripting Attacks}},
  booktitle = sac,
  year      = 2006,
}

@inproceedings{vogt07,
  author    = {Philipp Vogt and Florian Nentwich and Nenad Jovanovic and Engin Kirda and Christopher Kruegel and Giovanni Vigna},
  title = 	 {{Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis}},
  booktitle = ndss,
  year      = {2007}
}

@inproceedings{meyerovich10:conscript,
  author    = {Leo Meyerovich and Benjamin Livshits},
  title     = {{{ConScript}: Specifying and Enforcing Fine-Grained Security Policies for {J}avaScript in the Browser}},
  year      = 2010,
  booktitle = ieee-oakland,
}

@inproceedings{hallaraker05,
  author    = {Oystein Hallaraker and Giovanni Vigna},
  title     = {{Detecting Malicious {J}ava{S}cript Code in {M}ozilla}},
  booktitle = iceccs,
  year      = 2005,
}







 

@book{jensen94:graph,
  author={Jensen, Tommy R. and Toft, Bjarne},
  title={{Graph Coloring Problems}},
  publisher={Wiley},
  series={Wiley-Interscience Series on Discrete Mathematics and Optimization},
  year={1994}
}

@book{boehm81:see,
 author = {Boehm, Barry W.},
 title = {Software Engineering Economics},
 year = {1981},
 isbn = {0138221227},
 edition = {1st},
 publisher = {Prentice Hall PTR},
 address = {Upper Saddle River, NJ, USA},
}

@Book{howard03:secure-code,
  author = 	 {Michael Howard and David LeBlanc},
  title = 		 {Writing Secure Code},
  publisher = 	 {Microsoft Press},
  year = 		 2003,
  edition = 	 {Second}}
 




@article{steve07,
  title={{Vulnerability Type Distributions in CVE}},
  author={Steve, C. and Martin, R.},
  journal={Mitre report, May},
  year={2007}
}

@article{ curphey06,
author = {Mark Curphey and Rudolph Araujo},
title = {{Web Application Security Assessment Tools}},
journal ={IEEE Security and Privacy},
volume = {4},
number = {4},
issn = {1540-7993},
year = {2006},
pages = {32-41},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
}


@article{jovanovic10:static,
  title={{Static analysis for detecting taint-style vulnerabilities in web applications}},
  author={Jovanovic, N. and Kruegel, C. and Kirda, E.},
  journal={Journal of Computer Security},
  volume={18},
  number={5},
  pages={861--907},
  issn={0926-227X},
  year={2010},
  publisher={IOS Press}
}

@Article{dijkstra59:shortestpath,
  author =	 {Edsger W. Dijkstra},
  title =	 {{A Note on Two Problems in Connexion with Graphs}},
  journal =	 {Numerische Mathematik},
  year =	 1959,
  volume =	 1,
  pages =	 {269--271},
}

@article{csallner08:dsd,
  title={{DSD-Crasher: A hybrid analysis tool for bug finding}},
  author={Csallner, C. and Smaragdakis, Y. and Xie, T.},
  journal={ACM Transactions on Software Engineering and Methodology (TOSEM)},
  volume={17},
  number={2},
  pages={1--37},
  issn={1049-331X},
  year={2008},
  publisher={ACM}
}

@article{artzi10:finding,
  title={{Finding Bugs in Web Applications Using Dynamic Test Generation and Explicit-State Model Checking}},
  author={Artzi, S. and Kiezun, A. and Dolby, J. and Tip, F. and Dig, D. and Paradkar, A. and Ernst, M. D.},
  journal={IEEE Transactions on Software Engineering},
  issn={0098-5589},
  year={2010},
  publisher={Published by the IEEE Computer Society}
}




% News Article citations

@article{bilton11:sony,
  title={{Sony Says PlayStation Hacker Got Personal Data}},
  author = {Nick Bilton and Brian Stelter},
  journal = {The New York Times},
  year = {2011},
  month = apr # "~27,",
}

@article{jewell07:tjmaxx,
  title = {{Data Theft Believed to Be Biggest Hack}},
  author = {Mark Jewell},
  journal = {The Washington Post},
  year = 2007,
  month = mar # "~29,",
}

@article{acohido09:heartland,
  title = {{Hackers breach Heartland Payment credit card system}},
  author = {Byron Acohido},
  journal = {USA TODAY},
  year = 2009,
  month = jan # "~23,",
}







@TechReport{wiegenstein06,
  author = 	 {A. Wiegenstein and F. Weidemann and M. Schumacher and S. Schinzel},
  title = 	 {{Web Application Vulnerability Scanners---a Benchmark}},
  institution = {Virtual Forge GmbH},
  month = 	 oct,
  year = 	 2006}

@TechReport{peine06,
  author = 	 {Holger Peine},
  title = 	 {{Security Test Tools for Web Applications}},
  institution =  {Fraunhofer IESE},
  year = 	 2006,
  number = 	 {048.06},
  month = 	 jan}

@TechReport{fossi09:symantec,
  author = 	 {M. Fossi},
  title = 	 {{Symantec Global Internet Security Threat Report}},
  institution =  {Symantec},
  year = 	 2009,
  month =	 apr,
  note =	 {Volume XIV}
}

@TechReport{reenskaug79:mvc,
  author = 	 {T. Reenskaug},
  title = 	 {Models - views - controllers},
  institution =  {Xerox Parc},
  year = 	 1979}





@Unpublished{anantasec09,
  author = 	 {AnantaSec},
  title = 	 {{Web Vulnerability Scanners Evaluation}},
  note = 	 {\url{http://anantasec.blogspot.com/2009/01/web-vulnerability-scanners-comparison.html}},
  month = 	 jan,
  year = 	 2009}


@Unpublished{suto07,
  author = 	 {Larry Suto},
  title = 	 {{Analyzing the Effectiveness and Coverage of Web Application Security Scanners}},
  note = 	 {Case Study},
  month = 	 oct,
  year = 	 2007}

@Unpublished{klein04:http-response-splitting,
  author = 	 {Amit Klein},
  title = 	 {{``Divide and conquer'': HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics.}},
  note = 	 {\url{http://www.packetstormsecurity.org/papers/general/whitepaper/httpresponse.pdf}},
  year = 	 2004}


@phdthesis{robertson09:dissertation,
  author = {William Robertson},
  title = {{Detecting and Preventing Attacks Against Web Applications}},
  school = {University of California, Santa Barbara},
  year = 2009,
  month = jun,
}


@Misc{suto10:webscanners,
    author = {Larry Suto},
    title = {{Analyzing the Accuracy and Time Costs of Web Application Security Scanners}},
    month = feb,
    year = 2010
}

@misc{grossman04,
    author = {J. Grossman},
    title = {{Challenges of Automated Web Application Scanning}},
    booktitle = {BlackHat Windows Security Conference},
    year = 2004
}


@misc{cve,
  author = {{CVE}},
  title = {{Common Vulnerabilities and Exposures}},
  howpublished = {\url{http://www.cve.mitre.org}}
}

@misc{datalossdb,
    author = {{Open Security Foundation}},
    title = {{OSF DataLossDB: Data Loss News, Statistics, and Research}},
    howpublished = "\url{http://datalossdb.org/}"
}

@Misc{pci,
  key = 	 {PCI},
  author = {{PCI Security Standards Council}},
  title = 	 {{PCI DDS Requirements and Security Assessment Procedures, v1.2}},
  month = 	 oct,
  year = 	 2008}

@Misc{owasptopten,
  key = 	 {OWASP},
  author = {{Open Web Application Security Project (OWASP)}},
  title = 	 {{OWASP Top Ten Project}},
  howpublished = "\url{http://www.owasp.org/index.php/Top_10}",
  year = 	 2010
}

@Misc{rsnake:xss_cheat_sheet,
  key = 	 {cheatsheet},
  author = 	 {RSnake},
  title = 	 {{XSS (Cross Site Scripting) Cheat Sheet}},
  howpublished = {\url{http://ha.ckers.org/xss.html}}}

@Misc{rsnake:sql_cheat_sheet,
  key = 	 {cheatsheet},
  author = 	 {RSnake},
  title = 	 {SQL Injection Cheat Sheet},
  howpublished = {\url{http://ha.ckers.org/sqlinjection/}}}

@Misc{owasp-webgoat,
  key = 	 {owasp},
  author = {{Open Web Application Security Project (OWASP)}},
  title = 	 {{OWASP WebGoat Project}},
  howpublished = {http://www.owasp.org/index.php/Category:OWASP\_WebGoat\_Project}}

@Misc{hacme_bank,
  key = 	 {foundstone},
  author = {{Foundstone}},
  title = 	 {{Hacme Bank v2.0}},
  howpublished = {\url{http://www.foundstone.com/us/resources/proddesc/hacmebank.htm}},
  month = 	 may,
  year = 	 2006}


@Misc{owasp_sitegenerator,
  key = 	 {owasp},
  author = {{Open Web Application Security Project (OWASP)}},
  title = 	 {{OWASP SiteGenerator}},
  howpublished = {\url{http://www.owasp.org/index.php/OWASP\_SiteGenerator}}}

@Misc{openid,
  key = 	 {openID},
  author = {{OpenID Foundation}},
  title = 	 {{OpenID}},
  howpublished = {\url{http://openid.net/}}}

@misc{wivet,
    author = {{Open Web Application Security Project (OWASP)}},
    title = {{Web Input Vector Extractor Teaser}},
    howpublished = "\url{http://code.google.com/p/wivet/}"
}

@misc{vankesteren06:xmlhttprequest,
  author = {Anne van Kesteren and Dean Jackson},
  title = {{The XMLHttpRequest Object}},
  howpublished={\url{http://www.w3.org/TR/2006/WD-XMLHttpRequest-20060405/}},
  month = apr,
  year = 2006
}

@misc{garrett05:ajax,
  author={Garrett, Jesse James},
  title={{Ajax: A New Approach to Web Applications}},
  month=feb,
  year=2005,
  howpublished={\url{http://www.adaptivepath.com/ideas/essays/archives/000385.php}}
}

@misc{w3af,
  author={Riancho, Andrés},
  title={{w3af -- Web Application Attack and Audit Framework}},
  howpublished={\url{http://w3af.sourceforge.net/}},
}

@misc{htmlunit,
  author={{Gargoyle Software Inc.}},
  title={{HtmlUnit}},
  howpublished={\url{http://htmlunit.sourceforge.net/}},
}

@misc{grendelscan,
  author={Byrne, David},
  title={{Grendel-Scan}},
  howpublished={\url{http://www.grendel-scan.com/}},
}

@misc{paros,
  author={{Chinotec Technologies}},
  title={{Paros}},
  howpublished={\url{http://www.parosproxy.org/}},
}

@misc{acunetix,
  author={{Acunetix}},
  title={{Acunetix Web Vulnerbility Scanner}},
  howpublished={\url{http://www.acunetix.com/}},
}

@misc{appscan,
  author={{IBM}},
  title={{AppScan}},
  howpublished={\url{http://www-01.ibm.com/software/awdtools/appscan/}},
}

@misc{burp,
  author={{PortSwigger}},
  title={{Burp Proxy}},
  howpublished={\url{http://www.portswigger.net/burp/}},
}

@misc{webinspect,
  author={{HP}},
  title={{WebInspect}},
  howpublished={\url{https://download.hpsmartupdate.com/webinspect/}},
}

@misc{spi02:complete,
  title={{Complete Web Application Security: Phase 1 -- Building Web Application Security into Your Development Process}},
  author={{SPI Dynamics}},
  howpublished={{SPI Dynamics Whitepaper}},
  year=2002
}

@Misc{gonzalez08:indictment,
  key = {Indictment in U.S. v. Albert Gonzalez},
  title = 	 {{Indictment in U.S. v. Albert Gonzalez}},
  howpublished = {\url{http://www.justice.gov/usao/ma/news/IDTheft/Gonzalez,\%20Albert\%20-\%20Indictment\%20080508.pdf}},
  month = 	 aug,
  year = 	 2008}

@Misc{ortiz10:outcome,
  author = 	 {Carmen Ortiz},
  title = 	 {{Outcome of sentencing in U.S. v. Albert Gonzalez}},
  howpublished = {\url{http://www.justice.gov/usao/ma/news/IDTheft/09-CR-10382/GONZALEZ\%20website\%20info\%205-11-10.pdf}},
  month = 	 mar,
  year = 	 2010}

@Misc{carettoni09:hpp,
  author = 	 {Carettoni, L. and Di Paola, S.},
  title = 	 {{HTTP Parameter Pollution}},
  howpublished = {OWASP AppSec Europe 2009},
  month = 	 may,
  year = 	 2009}

@Misc{hansen08:clickjacking,
  author = 	 {R. Hansen},
  title = 	 {Clickjacking},
  howpublished = {\url{http://ha.ckers.org/blog/20080915/clickjacking/}},
  month = 	 sep,
  year = 	 2008}

@Misc{fielding99:http11statuscode,
  author = 	 {R. Fielding and J. Gettys and J. Mogul and H. Frystyk and L. Masinter and P. Leach and T. Berners-Lee},
  title = 	 {{RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1 Status Code Definitions}},
  howpublished = {\url{http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html}},
  month = 	 jun,
  year = 	 1999}

@Misc{fielding99:http11,
  author = 	 {R. Fielding and J. Gettys and J. Mogul and H. Frystyk and L. Masinter and P. Leach and T. Berners-Lee},
  title = 	 {{RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1}},
  howpublished = {\url{http://www.w3.org/Protocols/rfc2616/rfc2616.html}},
  month = 	 jun,
  year = 	 1999}


@Misc{fielding99:http11location,
  author = 	 {R. Fielding and J. Gettys and J. Mogul and H. Frystyk and L. Masinter and P. Leach and T. Berners-Lee},
  title = 	 {{RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1 Header Field Definitions}},
  howpublished = {\url{http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30}},
  month = 	 jun,
  year = 	 1999}

@misc{ecmascript97,
  author = {{Ecma International}},
  title = {{ECMAScript: A general purpose, cross-platform programming language}},
  howpublished = {\url{http://www.ecma-international.org/publications/files/ECMA-ST-ARCH/ECMA-262,\%201st\%20edition,\%20June\%201997.pdf}},
  month = jun,
  year = 1997}

@misc{kristol97:cookies,
  author = {D. Kristol and L. Montulli},
  title = {{RFC 2109: HTTP State Management Mechanism}},
  howpublished = {\url{http://www.w3.org/Protocols/rfc2109/rfc2109}},
  month = feb,
  year = 1997}

@Misc{berjon14:html5,
  author = {Robin Berjon and Steve Faulkner and Travis Leithead and Erika Doyle Navara and Edward O'Connor and Silvia Pfeiffer and Ian Hickson},
  title = {{HTML5}},
  howpublished = {\url{http://www.w3.org/TR/2014/CR-html5-20140204/}},
  month = feb,
  year = {2014},
  }

@Misc{boe11:frameworks,
  author = {Bryce Boe},
  title = 	 {{Using StackOverflow's API to Find the Top Web Frameworks}},
  howpublished = {\url{http://cs.ucsb.edu/~bboe/r/top-web-frameworks}},
  month = 	 feb,
  year = 	 2011}

@Misc{boe11:earchallenge,
  author = {Bryce Boe},
  title = 	 {{UCSB's International Capture The Flag Competition 2010 Challenge 6: Fear The EAR}},
  howpublished = {\url{http://cs.ucsb.edu/~bboe/r/ictf10}},
  month = 	 dec,
  year = 	 2010}


@Misc{grails-redirects,
  author = {{SpringSource}},
  title = 	 {{Contollers - Redirects}},
  howpublished = {\url{http://www.grails.org/Controllers+-+Redirects}},
  year = 	 2010
}

@Misc{django-redirect,
  author = {{Django Software Foundation}},
  title = 	 {{Django shortcut functions}},
  howpublished = {\url{http://docs.djangoproject.com/en/dev/topics/http/shortcuts/#django.shortcuts.redirect}},
  year = 	 2011
}

@misc{asp-dot-net,
  author={{Microsoft}},
  Title={{ASP.NET}},
  howpublished={\url{http://www.asp.net/}},
}


@Misc{asp-net-mvc,
  key = 	 {asp-net-mvc},
  title = 	 {{ASP.NET MVC}},
  howpublished = {\url{http://www.asp.net/mvc}}}

@Misc{zend-redirector,
  author = {{Zend Technologies Ltd.}},
  title = 	 {{Zend Framework: Documentation: Action Helpers - Zend Framework Manual}},
  howpublished = {\url{http://framework.zend.com/manual/en/zend.controller.actionhelpers.html#zend.controller.actionhelpers.redirector}},
  year = 	 2011
}

@Misc{cake-redirect,
  author = {{Cake Software Foundation, Inc.}},
  title = 	 {{The CakePHP 1.3 Book}},
  howpublished = {\url{http://book.cakephp.org/view/982/redirect}},
  year = 	 2011
}

@Misc{codeigniter-url,
  author = {{EllisLab, Inc.}},
  title = 	 {{CodeIgniter User Guide Version 2.0.2}},
  howpublished = {\url{http://codeigniter.com/user_guide/helpers/url_helper.html}},
  year = 	 2011
}

@Misc{github,
  key = 	 {github},
  title = 	 {{GitHub}},
  howpublished = {\url{http://github.com}}}

@Misc{hofstetter06:redirect,
  author = 	 {Daniel Hofstetter},
  title = 	 {Don’t forget to exit after a redirect},
  howpublished = {\url{http://cakebaker.wordpress.com/2006/08/28/dont-forget-to-exit-after-a-redirect/}},
  month = 	 aug,
  year = 	 2006}

@Misc{cake-ear-bug:06,
  key = 	 {cake-ear-ticket},
  title = 	 {Include exit with a redirect call},
  howpublished = {\url{http://replay.web.archive.org/20061011152124/https://trac.cakephp.org/ticket/1076}},
  month = 	 aug,
  year = 	 2006}

@Misc{cake-doc-bug:06,
  key = 	 {cake-php-ticket},
  title = 	 {docs should mention redirect does not ``exit'' a script},
  howpublished = {\url{http://replay.web.archive.org/20061011180440/https://trac.cakephp.org/ticket/1358}},
  month = 	 aug,
  year = 	 2006}

@Misc{cve13:overview,
  author = 	 {{CVE Details}},
  title = 	 {{Vulnerabilities by Type}},
  howpublished = {\url{http://www.cvedetails.com/vulnerabilities-by-types.php}},
  year = 	 2013
}

@misc{google13:autoescape,
  author    = {Google},
  title     = {{Google {A}uto{E}scape for {CT}emplate}},
  howpublished = {\url{http://code.google.com/p/ctemplate/}}
}

@Misc{klein05:dom-xss,
  author = 		 {Amit Klein},
  title = 		 {{DOM Based Cross Site Scripting or XSS of the Third Kind}},
  year = 		 {2005},
  howpublished = {\url{http://www.webappsec.org/projects/articles/071105.shtml}},

}

@Misc{ror,
  key = 		 {ror},
  title = 	 {{Ruby on Rails}},
  howpublished = {\url{http://rubyonrails.org/}},
  year = 	 2013}

@Misc{django,
  key = 		 {django},
  title = 	 {Django},
  howpublished = {\url{http://djangoproject.com}},
  year = 	 2013}

@Misc{builtwith,
  key = {builtwith},
  title = 	 {{Top in Frameworks - Week beginning Jun 24th 2013}},
  howpublished = {\url{http://trends.builtwith.com/framework}},
  year = 	 2013}

@Misc{msr:cci,
  author = 	 {{Microsoft Research}},
  title = 	 {{Common Compiler Infrastructure}},
  howpublished = {\url{http://research.microsoft.com/en-us/projects/cci/}},
  year = 	 2013
}

@Misc{bugtracker,
  key = {BugTracker.NET},
  title = 	 {{BugTracker.NET - Free Bug Tracking}},
  howpublished = {\url{http://ifdefined.com/bugtrackernet.html}},
  year = 	 {2013}
}

@Misc{blogengine,
  key = {blogengine.net},
  title = 	 {{blogengine.net - an innovative open source blogging platform}},
  howpublished = {\url{http://www.dotnetblogengine.net}},
  year = 	 2013
}

@Misc{blogsa,
  key = {BlogSA.NET},
  title = 	 {{BlogSA.NET}},
  howpublished = {\url{http://www.blogsa.net/}},
  year = 	 2013}

@Misc{screwturn,
  key = {ScrewTurn},
  title = 	 {{ScrewTurn Wiki}},
  howpublished = {\url{http://www.screwturn.eu/}},
  year = 	 2013}

@Misc{webgoat,
  author = 	 {Jerry Hoff},
  title = 	 {{WebGoat.NET}},
  howpublished = {\url{https://github.com/jerryhoff/WebGoat.NET}},
  year = 	 2013}

@Misc{chronozoom,
  key = 	 {chronozoom},
  title = 	 {{Chronozoom - A Brief History of the World}},
  howpublished = {\url{http://chronozoom.cloudapp.net/firstgeneration.aspx}},
  year = 	 {2013}
}

@misc{kirk12:bitfloor,
  title = {{BitCoin exchange loses \$250,0000 after unencrypted keys stolen}},
  author = {Jeremy Kirk},
  journal = {ComputerWorld},
  year = {2012},
  month = sep # "~5,",
  howpublished = {\url{http://www.computerworld.com/s/article/9230919/BitCoin_exchange_loses_250_0000_after_unencrypted_keys_stolen}},
}