University of Virginia, Department of Computer Science
cs851: Web Application Security Seminar — Spring 2007
cs851: WASS Fall 2007


Vulnerabilities and Defenses | Programming | Privacy | Threats | Identity
For additional papers, see Conferences.

Vulnerabilities and Defenses

(Mostly) Static Analysis

Gary Wassermann and Zhendong Su. Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. PLDI 2007

Zhendong Su and Gary Wassermann. The Essence of Command Injection Attacks in Web Applications. POPL 2006.

Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper). 2006 IEEE Symposium on Security and Privacy, Oakland, CA, May 2006. [Tech Report]

Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. NDSS 2007.

Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. Precise Alias Analysis for Static Detection of Web Application Vulnerabilities. ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottawa, Canada, June 2006.

Yichen Xie and Alex Aiken. Static Detection of Security Vulnerabilities in Scripting Languages. USENIX Security 2006.

Stefan Kals, Engin Kirda, Christopher Kruegel, Nenad Jovanovic. SecuBat: A Web Vulnerability Scanner. WWW 2006.

Michael Martin, Benjamin Livshits, and Monica S. Lam. Finding Application Errors and Security Flaws Using PQL: a Program Query Language. Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), October 2005.

Benjamin Livshits and Monica S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. USENIX Security 2005.

William G.J. Halfond, Jeremy Viegas, and Alessandro Orso. A Classification of SQL-Injection Attacks and Countermeasures. International Symposium on Secure Software Engineering 2006.

Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo. Securing Web Application Code by Static Analysis and Runtime Protection. 13th International World Wide Web Conference (WWW2004).

Dynamic Defenses

Emre Kiciman and Helen J. Wang. Live Monitoring: Using Adaptive Instrumentation and Analysis to Debug and Maintain Web Applications. Hot Topics in Operating Systems, 2007.

Wei Xu, Sandeep Bhatkar, and R. Sekar. Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. USENIX Security 2006.

W. Halfond, A. Orso, and P. Manolios. Using Positive Tainting and Syntax-Aware Evaluation to Counter SQL Injection Attacks. ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE) 2006.

Client-Side Defenses

Shuo Chen, David Ross, and Yi-Min Wang. An Analysis of Browser Domain-Isolation Bugs and A Light-Weight Transparent Defense Mechanism. ACM CCS 2007.

Emre Kiciman and Benjamin Livshits. AjaxScope: A Platform for Remotely Monitoring the Client-Side Behavior of Web 2.0 Applications. SOSP 2007.

Trevor Jim, Nikhil Swamy, Michael Hicks. Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. WWW 2007.

Ulfar Erlingsson, Benjamin Livshits, Yinglian Xie. End-to-end Web Application Security. Hot Topics in Operating Systems, 2007.

Chris Karlof, Umesh Shankar, J. D. Tygar, David Wagner. Dynamic Pharming Attacks and the Locked Same-Origin Policies for Web Browsers. ACM CCS 2007.

Malicious Content Detection

Alexander Moshchuk, Tanya Bragin, Damien Deville, Steven D. Gribble, and Henry M. Levy. SpyProxy: Execution-based Detection of Malicious Web Content. USENIX Security 2007.

Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, Saher Esmeir. BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML. OSDI 2006.

Programming Approaches

Programming Tools

Stephen Chong, K. Vikram, and Andrew C. Myers. SIF: Enforcing Confidentiality and Integrity in Web Applications. USENIX Security 2007.

Benjamin Livshits and Ulfar Erlingsson. Using Web Application Construction Frameworks to Protect Against Code Injection Attacks. Workshop on Programming Languages and Analysis for Security (PLAS 2007), June 2007.

Content Composition (Mash Ups)

Jon Howell, Collin Jackson, Helen Wang, and Xiaofeng Fan. MashupOS: Operating System Abstractions for Client Mashups. HotOS 2007.

Helen Wang, Xiaofeng Fan, Jon Howell, Collin Jackson. Protection and Communication Abstractions for Web Browsers in MashupOS. 21st ACM Symposium on Operating Systems Principles (SOSP), October 2007.

Collin Jackson, Helen Wang. Subspace: Secure Cross-Domain Communication for Web Mashups. WWW 2007.

Raman Kazhamiakin, Marco Pistore, Luca Santuari. Analysis of Communication Models in Web Service Compositions. WWW 2006.

Paul A. Karger. Mashups Legitimize Man-in-the-Middle Attacks (Position Paper). Web 2.0 Security and Privacy Workshop 2007.

K. Vikram and Michael Steiner. Mashup Component Isolation via Server-Side Analysis and Instrumentation. Web 2.0 Security and Privacy Workshop 2007.

Privacy

Lars Backstrom, Cynthia Dwork, Jon Kleinberg. Wherefore Art Thou R3579X? Anonymized Social Networks, Hidden Patterns, and Structural Steganography. WWW 2007.

Ravi Kumar, Jasmine Novak, Bo Pang, Andrew Tomkins. On Anonymizing Query Logs via Token-based Hashing. WWW 2007.

Yabo Xu, Benyu Zhang, Zheng Chen, Ke Wang. Privacy-Enhancing Personalized Web Search. WWW 2007.


Jessica Staddon and Philippe Golle. Web-Based Inference Detection. USENIX Security 2007.

Information Leaks

Andrew Bortz, Dan Boneh, Palash Nandy. Exposing Private Information by Timing Web Applications. WWW 2007.

S.E. Coull, M.P. Collins, C.V. Wright, F. Monrose, M.K. Reiter. On Web Browsing Privacy in Anonymized NetFlows. USENIX Security 2007.

Browser Privacy

Markus Jakobsson, Sid Stamm. Invasive Browser Sniffing and Countermeasures. WWW 2006.

Umesh Shankar and Chris Karlof. Doppelganger: Better Browser Privacy Without the Bother. CCS 2006.

Collin Jackson, Andrew Bortz, Dan Boneh, John C Mitchell. Protecting Browser State from Web Privacy Attacks. WWW 2006.

Threats

Threat Assessment

Yi-Min Wang, Doug Beck, Xuxian Jiang, Roussi Roussev, Chad Verbowski, Shuo Chen, and Sam King. Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities. NDSS 2006.

Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu. The Ghost In The Browser: Analysis of Web-based Malware. HotBots 2007.

V. T. Lam, S. Antonatos, P. Akritidis, and K. G. Anagnostakis. Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure. CCS 2006.

Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage. An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. CCS 2007.


Mengjun Xie, Heng Yin, Haining Wang. An Effective Defense Against Email Spam Laundering. CCS 2006.

Yi-Min Wang, Ming Ma, Yuan Niu, Hao Chen. Spam Double-Funnel: Connecting Web Spammers with Advertisers. WWW 2007.

Y. Niu, Y. M. Wang, H. Chen, M. Ma, and F. Hsu. A Quantitative Study of Forum Spamming Using Context-based Analysis. NDSS 2007.

David S. Anderson, Chris Fleizach, Stefan Savage, and Geoffrey M. Voelker. Spamscatter: Characterizing Internet Scam Hosting Infrastructure. USENIX Security 2007.

Search Engine Poisoning

Baoning Wu, Vinay Goel, Brian D. Davison. TrustRank: using topicality to combat web spam. WWW 2006.

Baoning Wu, Brian D. Davison. Detecting Semantic Cloaking on the Web. WWW 2006.

Alexandros Ntoulas, Marc Najork, Mark Manasse, Dennis Fetterly. Detecting Spam Web Pages through Content Analysis. WWW 2006.


Yue Zhang, Jason Hong, Lorrie Cranor. CANTINA: A Content-Based Approach to Detecting Phishing Web Sites. WWW 2007.

Ian Fette, Norman Sadeh, Anthony Tomasic. Learning to Detect Phishing Emails. WWW 2007.

Markus Jakobsson, Jacob Ratkiewicz. Designing ethical phishing experiments: a study of (ROT13) rOnl query features. WWW 2006.

Fraud Detection

Shashank Pandit, Duen Horng Chau, Samuel Wang, Christos Faloutsos. NetProbe: A Fast and Scalable System for Fraud Detection in Online Auction Networks. WWW 2007.

Ahmed Metwally, Divyakant Agrawal, Amr El Abbadi. DETECTIVES: DETEcting Coalition hiT Inflation attacks in adVertising nEtworks Streams. WWW 2007.

Neil Daswani, Michael Stoppelman, and the Google Click Quality and Security Teams. The Anatomy of Clickbot.A. HotBots 2007.

Ari Juels, Sid Stamm, Markus Jakobsson. Combating Click Fraud via Premium Clicks. USENIX Security 2007.

Social Networks

Boanerges Aleman-Meza, Meenakshi Nagarajan, Cartic Ramakrishnan, Li Ding, Pranam Kolari, Amit Sheth, I. Budak Arpinar, Anupam Joshi, Tim Finin. Semantic analytics on social networks: experiences in addressing the problem of conflict of interest detection. WWW 2006.

Identity

Dinei Florencio, Cormac Herley. A Large-Scale Study of Web Password Habits. WWW 2007.


B. Thomas Adler, Luca de Alfaro. A Content-Driven Reputation System for the Wikipedia. WWW 2007.
