@techreport{hodges_http_2012,
type = {Request for {Comments}},
title = {{HTTP} {Strict} {Transport} {Security} ({HSTS})},
url = {https://datatracker.ietf.org/doc/rfc6797},
abstract = {This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS). The policy is declared by web sites via the Strict-Transport-Security HTTP response header field and/or by other means, such as user agent configuration, for example. [STANDARDS-TRACK]},
number = {RFC 6797},
urldate = {2022-06-15},
institution = {Internet Engineering Task Force},
author = {Hodges, Jeff and Jackson, Collin and Barth, Adam},
month = nov,
year = {2012},
doi = {10.17487/RFC6797},
note = {Num Pages: 46},
file = {rfc6797.txt.pdf:files/288/rfc6797.txt.pdf:application/pdf},
}
@article{sivakorn_http_2016,
title = {{HTTP} {Cookie} {Hijacking} in the {Wild}: {Security} and {Privacy} {Implications}},
language = {en},
author = {Sivakorn, Suphannee and Polakis, Jason and Keromytis, Angelos D.},
year = {2016},
pages = {17},
file = {us-16-Sivakorn-HTTP-Cookie-Hijacking-In-The-Wild-Security-And-Privacy-Implications-wp.pdf:files/284/us-16-Sivakorn-HTTP-Cookie-Hijacking-In-The-Wild-Security-And-Privacy-Implications-wp.pdf:application/pdf},
}
@inproceedings{dabrowski_browser_2016,
title = {Browser {History} {Stealing} with {Captive} {Wi}-{Fi} {Portals}},
doi = {10.1109/SPW.2016.42},
abstract = {In this paper we show that HSTS headers and long-term cookies (like those used for user tracking) are so prevailing that they allow a malicious Wi-Fi operator to gain significant knowledge about the past browsing history of users. We demonstrate how to combine both into a history stealing attack by including specially crafted references into a captive portal or by injecting them into legitimate HTTP traffic. Captive portals are used on many Wi-Fi Internet hotspots to display the user a message, like a login page or an acceptable use policy before they are connected to the Internet. They are typically found in public places such as airports, train stations, or restaurants. Such systems have been known to be troublesome for many reasons. In this paper we show how a malicious operator can not only gain knowledge about the current Internet session, but also about the user's past. By invisibly placing vast amounts of specially crafted references into these portal pages, we can lure the browser into revealing a user's browsing history by either reading stored persistent (long-term) cookies or evaluating responses for previously set HSTS headers. An occurrence of a persistent cookie, as well as a direct call to the pages' HTTPS site is a reliable sign of the user having visited this site earlier. Thus, this technique allows for a site-based history stealing, similar to the famous link-color history attacks. For the Alexa Top 1,000 sites, between 82\% and 92\% of sites are effected as they use persistent cookies over HTTP. For the Alexa Top 200,000 we determined the number of vulnerable sites between 59\% and 86\%. We extended our implementation of this attack by other privacy-invading attacks that enrich the collected data with additional personal information.},
booktitle = {2016 {IEEE} {Security} and {Privacy} {Workshops} ({SPW})},
author = {Dabrowski, Adrian and Merzdovnik, Georg and Kommenda, Nikolaus and Weippl, Edgar},
month = may,
year = {2016},
keywords = {Internet, Browsers, Cookies, History, History Stealing, HSTS, IEEE 802.11 Standard, Portals, Servers, Smart phones, Wi-Fi, Captive Portal},
pages = {234--240},
file = {Browser_History_Stealing_with_Captive_Wi-Fi_Portals.pdf:files/272/Browser_History_Stealing_with_Captive_Wi-Fi_Portals.pdf:application/pdf},
}
@misc{noauthor_http_nodate,
title = {{HTTP} {Public} {Key} {Pinning} ({HPKP}) - {HTTP} {\textbar} {MDN}},
url = {https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning},
abstract = {HTTP Public Key Pinning (HPKP) was a security feature that used to tell a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. It has been removed in modern browsers and is no longer supported.},
language = {en-US},
urldate = {2022-06-15},
keywords = {https},
}
@techreport{evans_public_2015,
type = {Request for {Comments}},
title = {Public {Key} {Pinning} {Extension} for {HTTP}},
url = {https://datatracker.ietf.org/doc/rfc7469},
abstract = {This document defines a new HTTP header that allows web host operators to instruct user agents to remember ("pin") the hosts' cryptographic identities over a period of time. During that time, user agents (UAs) will require that the host presents a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of trusted authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities.},
number = {RFC 7469},
urldate = {2022-06-15},
institution = {Internet Engineering Task Force},
author = {Evans, Chris and Palmer, Chris and Sleevi, Ryan},
month = apr,
year = {2015},
doi = {10.17487/RFC7469},
note = {Num Pages: 28},
keywords = {certificate-pinning, hpkp, key-pinning},
file = {rfc7469.txt.pdf:files/292/rfc7469.txt.pdf:application/pdf},
}
@techreport{laurie_certificate_2021,
type = {Request for {Comments}},
title = {Certificate {Transparency} {Version} 2.0},
url = {https://datatracker.ietf.org/doc/rfc9162},
abstract = {This document describes version 2.0 of the Certificate Transparency (CT) protocol for publicly logging the existence of Transport Layer Security (TLS) server certificates as they are issued or observed, in a manner that allows anyone to audit certification authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves. The intent is that eventually clients would refuse to honor certificates that do not appear in a log, effectively forcing CAs to add all issued certificates to the logs. This document obsoletes RFC 6962. It also specifies a new TLS extension that is used to send various CT log artifacts. Logs are network services that implement the protocol operations for submissions and queries that are defined in this document.},
number = {RFC 9162},
urldate = {2022-06-15},
institution = {Internet Engineering Task Force},
author = {Laurie, Ben and Langley, Adam and Kasper, Emilia and Messeri, Eran and Stradling, Rob},
month = dec,
year = {2021},
doi = {10.17487/RFC9162},
note = {Num Pages: 53},
keywords = {certificate-transparency},
file = {rfc9162.pdf:files/274/rfc9162.pdf:application/pdf},
}
@misc{noauthor_certificate_nodate,
title = {Certificate {Transparency} - {Web} security {\textbar} {MDN}},
url = {https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency},
abstract = {Certificate Transparency is an open framework designed to protect against and monitor for certificate mis-issuances. It's defined in RFC 9162. With certificate transparency, newly-issued certificates are 'logged' to publicly-run, often independent CT logs — which maintain an append-only, cryptographically-assured record of issued TLS certificates.},
language = {en-US},
urldate = {2022-06-15},
keywords = {certificate-transparency},
}
@inproceedings{drakonakis_cookie_2020,
address = {Virtual Event USA},
title = {The {Cookie} {Hunter}: {Automated} {Black}-box {Auditing} for {Web} {Authentication} and {Authorization} {Flaws}},
isbn = {978-1-4503-7089-9},
shorttitle = {The {Cookie} {Hunter}},
url = {https://dl.acm.org/doi/10.1145/3372297.3417869},
doi = {10.1145/3372297.3417869},
abstract = {In this paper, we focus on authentication and authorization flaws in web apps that enable partial or full access to user accounts. Specifically, we develop a novel fully automated black-box auditing framework that analyzes web apps by exploring their susceptibility to various cookie-hijacking attacks while also assessing their deployment of pertinent security mechanisms (e.g., HSTS). Our modular framework is driven by a custom browser automation tool developed to transparently offer fault-tolerance during extended interactions with web apps. We use our framework to conduct the first automated large-scale study of cookie-based account hijacking in the wild. As our framework handles every step of the auditing process in a completely automated manner, including the challenging process of account creation, we are able to fully audit 25K domains. Our framework detects more than 10K domains that expose authentication cookies over unencrypted connections, and over 5K domains that do not protect authentication cookies from JavaScript access while also embedding third party scripts that execute in the first party’s origin. Our system also automatically identifies the privacy loss caused by exposed cookies and detects 9,324 domains where sensitive user data can be accessed by attackers (e.g., address, phone number, password). Overall, our study demonstrates that cookie-hijacking is a severe and prevalent threat, as deployment of even basic countermeasures (e.g., cookie security flags) is absent or incomplete, while developers struggle to correctly deploy more demanding mechanisms.},
language = {en},
urldate = {2022-06-14},
booktitle = {Proceedings of the 2020 {ACM} {SIGSAC} {Conference} on {Computer} and {Communications} {Security}},
publisher = {ACM},
author = {Drakonakis, Kostas and Ioannidis, Sotiris and Polakis, Jason},
month = oct,
year = {2020},
pages = {1953--1970},
file = {The Cookie Hunter - Automated Black-box Auditing for Web Authentication and Authorization Flaws.pdf:files/302/The Cookie Hunter - Automated Black-box Auditing for Web Authentication and Authorization Flaws.pdf:application/pdf},
}
@inproceedings{sivakorn_cracked_2016,
address = {San Jose, CA},
title = {The {Cracked} {Cookie} {Jar}: {HTTP} {Cookie} {Hijacking} and the {Exposure} of {Private} {Information}},
isbn = {978-1-5090-0824-7},
shorttitle = {The {Cracked} {Cookie} {Jar}},
url = {http://ieeexplore.ieee.org/document/7546532/},
doi = {10.1109/SP.2016.49},
urldate = {2022-06-14},
booktitle = {2016 {IEEE} {Symposium} on {Security} and {Privacy} ({SP})},
publisher = {IEEE},
author = {Sivakorn, Suphannee and Polakis, Iasonas and Keromytis, Angelos D.},
month = may,
year = {2016},
pages = {724--742},
file = {sivakorn.sp2016.cookiehijack.pdf:files/303/sivakorn.sp2016.cookiehijack.pdf:application/pdf},
}
@inproceedings{bock_uncaptcha_2017,
address = {Vancouver, BC},
title = {{unCaptcha}: {A} {Low}-{Resource} {Defeat} of {reCaptcha}'s {Audio} {Challenge}},
url = {https://www.usenix.org/conference/woot17/workshop-program/presentation/bock},
abstract = {CAPTCHAs are the Internet’s first line of defense against automated account creation and service abuse. Google’s reCaptcha, one of the most popular captcha systems, is currently used by hundreds of thousands of websites to protect against automated attackers by testing whether a user is truly human. This paper presents unCaptcha, an automated system that can solve reCaptcha’s most difficult auditory challenges with high success rate. We evaluate unCaptcha using over 450 reCaptcha challenges from live websites, and show that it can solve them with 85.15\% accuracy in 5.42 seconds, on average. unCaptcha combines free, public, online speech-to-text engines with a novel phonetic mapping technique, demonstrating that it requires minimal resources to mount a large-scale successful attack on the reCaptcha system.},
urldate = {2022-06-14},
booktitle = {{unCaptcha}: {A} {Low}-{Resource} {Defeat} of {reCaptcha}'s {Audio} {Challenge}},
publisher = {USENIX Association},
author = {Bock, Kevin and Patel, Daven and Hughey, George and Levin, Dave},
year = {2017},
file = {woot17-paper-bock.pdf:files/306/woot17-paper-bock.pdf:application/pdf},
}
@inproceedings{onaolapo_what_2016,
address = {New York, NY, USA},
series = {{IMC} '16},
title = {What {Happens} {After} {You} {Are} {Pwnd}: {Understanding} the {Use} of {Leaked} {Webmail} {Credentials} in the {Wild}},
isbn = {978-1-4503-4526-2},
shorttitle = {What {Happens} {After} {You} {Are} {Pwnd}},
url = {https://doi.org/10.1145/2987443.2987475},
doi = {10.1145/2987443.2987475},
abstract = {Cybercriminals steal access credentials to webmail accounts and then misuse them for their own profit, release them publicly, or sell them on the underground market. Despite the importance of this problem, the research community still lacks a comprehensive understanding of what these stolen accounts are used for. In this paper, we aim to shed light on the modus operandi of miscreants accessing stolen Gmail accounts. We developed an infrastructure that is able to monitor the activity performed by users on Gmail accounts, and leaked credentials to 100 accounts under our control through various means, such as having information-stealing malware capture them, leaking them on public paste sites, and posting them on underground forums. We then monitored the activity recorded on these accounts over a period of 7 months. Our observations allowed us to devise a taxonomy of malicious activity performed on stolen Gmail accounts, to identify differences in the behavior of cybercriminals that get access to stolen accounts through different means, and to identify systematic attempts to evade the protection systems in place at Gmail and blend in with the legitimate user activity. This paper gives the research community a better understanding of a so far understudied, yet critical aspect of the cybercrime economy.},
urldate = {2022-06-14},
booktitle = {Proceedings of the 2016 {Internet} {Measurement} {Conference}},
publisher = {Association for Computing Machinery},
author = {Onaolapo, Jeremiah and Mariconti, Enrico and Stringhini, Gianluca},
month = nov,
year = {2016},
keywords = {cybercrime, malware, underground economy, webmail},
pages = {65--79},
file = {What Happens After You Are Pwnd - Understanding the Use of Leaked Webmail Credentials in the Wild.pdf:files/307/What Happens After You Are Pwnd - Understanding the Use of Leaked Webmail Credentials in the Wild.pdf:application/pdf},
}
@misc{noauthor_cookies_2022,
title = {Cookies {That} {Give} {You} {Away} {\textbar} {Proceedings} of the 24th {International} {Conference} on {World} {Wide} {Web}},
url = {https://dl.acm.org/doi/abs/10.1145/2736277.2741679},
urldate = {2022-06-14},
month = jun,
year = {2022},
file = {2736277.2741679.pdf:files/275/2736277.2741679.pdf:application/pdf},
}
@inproceedings{bursztein_handcrafted_2014,
address = {Vancouver BC Canada},
title = {Handcrafted {Fraud} and {Extortion}: {Manual} {Account} {Hijacking} in the {Wild}},
isbn = {978-1-4503-3213-2},
shorttitle = {Handcrafted {Fraud} and {Extortion}},
url = {https://dl.acm.org/doi/10.1145/2663716.2663749},
doi = {10.1145/2663716.2663749},
language = {en},
urldate = {2022-06-14},
booktitle = {Proceedings of the 2014 {Conference} on {Internet} {Measurement} {Conference}},
publisher = {ACM},
author = {Bursztein, Elie and Benko, Borbala and Margolis, Daniel and Pietraszek, Tadek and Archer, Andy and Aquino, Allan and Pitsillidis, Andreas and Savage, Stefan},
month = nov,
year = {2014},
pages = {347--358},
file = {43469.pdf:files/281/43469.pdf:application/pdf},
}
@misc{noauthor_how_nodate,
title = {How {CT} {Works}: {Certificate} {Transparency}},
url = {https://certificate.transparency.dev/howctworks/},
urldate = {2022-06-16},
}
@techreport{barth_http_2011,
type = {Request for {Comments}},
title = {{HTTP} {State} {Management} {Mechanism}},
url = {https://datatracker.ietf.org/doc/rfc6265},
abstract = {This document defines the HTTP Cookie and Set-Cookie header fields. These header fields can be used by HTTP servers to store state (called cookies) at HTTP user agents, letting the servers maintain a stateful session over the mostly stateless HTTP protocol. Although cookies have many historical infelicities that degrade their security and privacy, the Cookie and Set-Cookie header fields are widely used on the Internet. This document obsoletes RFC 2965. [STANDARDS-TRACK]},
number = {RFC 6265},
urldate = {2022-06-16},
institution = {Internet Engineering Task Force},
author = {Barth, Adam},
month = apr,
year = {2011},
doi = {10.17487/RFC6265},
note = {Num Pages: 37},
file = {rfc6265.txt.pdf:files/287/rfc6265.txt.pdf:application/pdf},
}
@techreport{fielding_hypertext_2014,
type = {Request for {Comments}},
title = {Hypertext {Transfer} {Protocol} ({HTTP}/1.1): {Semantics} and {Content}},
shorttitle = {Hypertext {Transfer} {Protocol} ({HTTP}/1.1)},
url = {https://datatracker.ietf.org/doc/rfc7231},
abstract = {The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines the semantics of HTTP/1.1 messages, as expressed by request methods, request header fields, response status codes, and response header fields, along with the payload of messages (metadata and body content) and mechanisms for content negotiation.},
number = {RFC 7231},
urldate = {2022-06-16},
institution = {Internet Engineering Task Force},
author = {Fielding, Roy T. and Reschke, Julian},
month = jun,
year = {2014},
doi = {10.17487/RFC7231},
note = {Num Pages: 101},
file = {rfc7231.txt.pdf:files/290/rfc7231.txt.pdf:application/pdf},
}
@article{wedman_analytical_2013,
title = {An {Analytical} {Study} of {Web} {Application} {Session} {Management} {Mechanisms} and {HTTP} {Session} {Hijacking} {Attacks}},
volume = {22},
issn = {1939-3555},
url = {https://doi.org/10.1080/19393555.2013.783952},
doi = {10.1080/19393555.2013.783952},
abstract = {The HTTP protocol is designed for stateless transactions, but many Web applications require a session to be maintained between a Web browser and a server creating a stateful environment. Each Web application decides how its session is managed and needs to be able to trust the session identifier. However, it is possible for sessions to be hijacked, and an intruder can gain unauthorized access to the hijacked session. The purpose of this paper is to provide an analysis of current session management mechanisms and examine various hijacking techniques. The primary issues that will be addressed pertain to session management and the importance of securing the creation, deletion, and transmission of a session token. We provide a broader view of the session hijacking threat environment by analyzing existing Web application implementations to help demonstrate the need for session hijacking prevention. We will identify the session management areas that are targeted by attackers and will identify and examine various attacks that can lead to a session being hijacked.},
number = {2},
urldate = {2022-06-16},
journal = {Information Security Journal: A Global Perspective},
author = {Wedman, Shellie and Tetmeyer, Annette and Saiedian, Hossein},
month = mar,
year = {2013},
note = {Publisher: Taylor \& Francis},
keywords = {HTTP programming, internet security, session hijacking, session management, web browser vulnerability},
pages = {55--67},
file = {An Analytical Study of Web Application Session Management Mechanisms and HTTP Session Hijacking Attacks.pdf:files/270/An Analytical Study of Web Application Session Management Mechanisms and HTTP Session Hijacking Attacks.pdf:application/pdf},
}
@article{gutzmann_access_2001,
title = {Access control and session management in the {HTTP} environment},
volume = {5},
issn = {1941-0131},
doi = {10.1109/4236.895139},
abstract = {As the only ubiquitous public data network, the Internet offers business partners a communications channel that previously existed only in unique situations with private, special-purpose networks. Well-publicized security risks, however, have limited the deployment of business-to-business extranets, which typically use the Internet's public data network infrastructure. These risks extend behind firewalls to intranets, where any user gaining entry to a facility is often implicitly authenticated to access unprotected services by simply plugging a portable computer into an unused network port. The author describes an approach that uses role-based access controls (RBACs) and Web session management to protect against network security breaches in the HTTP environment. The RBAC and session management services augment network-level security, such as firewalls, inherent in the deployment of any Web based system with untrusted interfaces. The RBACs are implemented through the Internet Engineering Task Force's Lightweight Directory Access Protocol (LDAP). Session management is implemented through cryptographically secured, cookie-based ticket mechanisms.},
number = {1},
journal = {IEEE Internet Computing},
author = {Gutzmann, K.},
month = jan,
year = {2001},
note = {Conference Name: IEEE Internet Computing},
keywords = {Data security, Access control, Business communication, Communication channels, Computer network management, Environmental management, Extranets, IP networks, Portable computers, Protection},
pages = {26--35},
file = {Gutzmann-IEEE-RBAC-SSO.pdf:files/269/Gutzmann-IEEE-RBAC-SSO.pdf:application/pdf},
}
@article{kolsek_session_2002,
title = {Session fixation vulnerability in web-based applications},
journal = {ACROS Security},
author = {Kolsek, Mitja},
month = dec,
year = {2002},
file = {attaqueFixation.pdf:files/294/attaqueFixation.pdf:application/pdf},
}
@inproceedings{takamatsu_automated_2012,
title = {Automated detection of session management vulnerabilities in web applications},
doi = {10.1109/PST.2012.6297927},
abstract = {Many web applications employ session management to keep track of visitors' activities across pages and over periods of time. A session is a period of time linked to a visitor, which is initiated when he/she arrives at a web application and it ends when his/her browser is closed or after a certain time of inactivity. Attackers can hijack a user's session by exploiting session management vulnerabilities by means of session fixation and cross-site request forgery attacks. Even though such session management vulnerabilities can be eliminated in the development phase of web applications, the test operator is required to have detailed knowledge on the attacks and to set up a test environment each time he/she attempts to detect vulnerabilities. We propose a technique that automatically detects session management vulnerabilities in web applications by simulating real attacks. Our technique requires the test operator to only enter a few pieces of basic information about the web application, without requiring a test environment to be set up or detailed knowledge on the web application. Our experiments demonstrated that our technique could detect vulnerabilities in five web applications deployed in the real world.},
booktitle = {2012 {Tenth} {Annual} {International} {Conference} on {Privacy}, {Security} and {Trust}},
author = {Takamatsu, Yusuke and Kosuga, Yuji and Kono, Kenji},
month = jul,
year = {2012},
keywords = {Browsers, Data mining, Electronic mail, Force, Forgery, Knowledge engineering, Security},
pages = {112--119},
file = {Automated_detection_of_session_management_vulnerabilities_in_web_applications.pdf:files/271/Automated_detection_of_session_management_vulnerabilities_in_web_applications.pdf:application/pdf},
}
@article{vlsaggio_session_2010,
title = {Session management vulnerabilities in today's web},
volume = {8},
issn = {1558-4046},
doi = {10.1109/MSP.2010.114},
abstract = {Many cyber attacks exploit session management vulnerabilities that allow recognition of attackers as valid website users. Under these fake identities, attackers can steal sensitive data, alter private settings, and compromise website structure and content. This article describes Web application design flaws that could be exploited for session management attacks and discusses these flaws' current prevalence.},
number = {5},
journal = {IEEE Security \& Privacy},
author = {Visaggio, Corrado Aaron and Blasio, Lorenzo Convertito},
month = sep,
year = {2010},
note = {Conference Name: IEEE Security \& Privacy},
keywords = {session management, Authentication, Computer crime, Computer security, Content management, Engineering management, Identity management systems, Navigation, Privacy, security and privacy, Technology management, Web application security, Web server},
pages = {48--56},
file = {Session_management_vulnerabilities_in_todays_web.pdf:files/296/Session_management_vulnerabilities_in_todays_web.pdf:application/pdf},
}
@inproceedings{unger_shpf_2013,
title = {{SHPF}: {Enhancing} {HTTP}({S}) {Session} {Security} with {Browser} {Fingerprinting}},
shorttitle = {{SHPF}},
doi = {10.1109/ARES.2013.33},
abstract = {Session hijacking has become a major problem in today's Web services, especially with the availability of free off-the-shelf tools. As major websites like Facebook, You tube and Yahoo still do not use HTTPS for all users by default, new methods are needed to protect the users' sessions if session tokens are transmitted in the clear. In this paper we propose the use of browser fingerprinting for enhancing current state-of-the-art HTTP(S) session management. Monitoring a wide set of features of the user's current browser makes session hijacking detectable at the server and raises the bar for attackers considerably. This paper furthermore identifies HTML5 and CSS features that can be used for browser fingerprinting and to identify or verify a browser without the need to rely on the User Agent string. We implemented our approach in a framework that is highly configurable and can be added to existing Web applications and server-side session management with ease.},
booktitle = {2013 {International} {Conference} on {Availability}, {Reliability} and {Security}},
author = {Unger, Thomas and Mulazzani, Martin and Frühwirt, Dominik and Huber, Markus and Schrittwieser, Sebastian and Weippl, Edgar},
month = sep,
year = {2013},
keywords = {Browsers, Servers, IP networks, Security, Browser Fingerprinting, Cascading style sheets, Fingerprint recognition, Monitoring, Session Hijacking},
pages = {255--261},
file = {shpf_extendedPreprint.pdf:files/298/shpf_extendedPreprint.pdf:application/pdf},
}
@inproceedings{nikiforakis_sessionshield_2011,
address = {Berlin, Heidelberg},
series = {Lecture {Notes} in {Computer} {Science}},
title = {{SessionShield}: {Lightweight} {Protection} against {Session} {Hijacking}},
isbn = {978-3-642-19125-1},
shorttitle = {{SessionShield}},
doi = {10.1007/978-3-642-19125-1_7},
abstract = {The class of Cross-site Scripting (XSS) vulnerabilities is the most prevalent security problem in the field of Web applications. One of the main attack vectors used in connection with XSS is session hijacking via session identifier theft. While session hijacking is a client-side attack, the actual vulnerability resides on the server-side and, thus, has to be handled by the website’s operator. In consequence, if the operator fails to address XSS, the application’s users are defenseless against session hijacking attacks.},
language = {en},
booktitle = {Engineering {Secure} {Software} and {Systems}},
publisher = {Springer},
author = {Nikiforakis, Nick and Meert, Wannes and Younan, Yves and Johns, Martin and Joosen, Wouter},
editor = {Erlingsson, Úlfar and Wieringa, Roel and Zannone, Nicola},
year = {2011},
keywords = {session hijacking, client-side proxy, http-only},
pages = {87--100},
file = {sshield.pdf:files/297/sshield.pdf:application/pdf},
}
@article{dacostaitalo_one-time_2012,
title = {One-time cookies},
volume = {12},
url = {https://dl.acm.org/doi/abs/10.1145/2220352.2220353},
doi = {10.1145/2220352.2220353},
abstract = {HTTP cookies are the de facto mechanism for session authentication in Web applications. However, their inherent security weaknesses allow attacks against the integrity of Web sessions. HTTPS is often recommended to protect cookies, but deploying full ...},
language = {en},
number = {1},
urldate = {2022-06-16},
journal = {ACM Transactions on Internet Technology (TOIT)},
author = {Dacosta, Italo and Chakradeo, Saurabh and Ahamad, Mustaque and Traynor, Patrick},
month = jul,
year = {2012},
note = {Publisher: ACM, New York, NY, USA},
pages = {24},
file = {2220352.2220353.pdf:files/291/2220352.2220353.pdf:application/pdf},
}
@article{kamal_state_2016,
title = {State of the {Art} {Survey} on {Session} {Hijacking}},
issn = {0975-4172},
url = {https://computerresearch.org/index.php/computer/article/view/1342},
language = {en-US},
urldate = {2022-06-16},
journal = {Global Journal of Computer Science and Technology},
author = {Kamal, Parves},
month = mar,
year = {2016},
file = {1342-1-1350-1-10-20160323.pdf:files/300/1342-1-1350-1-10-20160323.pdf:application/pdf},
}
@inproceedings{jain_session_2015,
|
||
address = {Amity University, Greater Noida},
|
||
title = {Session {Hijacking}: {Threat} {Analysis} and {Countermeasures}},
|
||
volume = {1},
|
||
abstract = {Most of the web applications are HTTP driven and inherently stateless. Thus request of every end user is managed separately and is executed in a separate context. Session management is one of solution to set requests from the end user in the same context. Exploitation of web control mechanism through session hijacking has proliferated in recent years. The impact of this may range from a petty nuisance to a significant security risk. Secure session management is still a challenging task for web developers. Hence to tackle these issues a threat analysis in context of session hijacking has been conducted. The develop threat analysis model optimizes web application security by identifying objectives and session vulnerabilities, and then providing countermeasures to prevent, or mitigate the effects of session hijacking to the end users and security professionals.},
|
||
language = {en},
|
||
booktitle = {International {Conference} on {Futuristic} {Trends} in {Computational} analysis and {Knowledge} management},
|
||
author = {Jain, Vineeta and Sahu, Divya Rishi and Tomar, Deepak Singh},
|
||
month = feb,
|
||
year = {2015},
|
||
pages = {7},
|
||
file = {finalcameracopyofpaperid-372.pdf:files/295/finalcameracopyofpaperid-372.pdf:application/pdf},
|
||
}
|
||
|
||
@article{bugliesi_cookiext_2015,
|
||
title = {{CookiExt}: {Patching} the browser against session hijacking attacks},
|
||
volume = {23},
|
||
issn = {0926-227X},
|
||
shorttitle = {{CookiExt}},
|
||
url = {https://doi.org/10.3233/JCS-150529},
|
||
doi = {10.3233/JCS-150529},
|
||
abstract = {Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the present paper we provide the first such result, by presenting a mechanized proof of noninterference assessing the robustness of the HttpOnly and Secure cookie flags against both web and network attackers with the ability to perform arbitrary XSS code injection. We then develop CookiExt, a browser extension that provides client-side protection against session hijacking, based on appropriate flagging of session cookies and automatic redirection over HTTPS for HTTP requests carrying these cookies. Our solution improves over existing client-side defenses by combining protection against both web and network attacks, while at the same time being designed so as to minimise its effects on the user’s browsing experience. Finally, we report on the experiments we carried out to practically evaluate the effectiveness of our approach.},
|
||
number = {4},
|
||
urldate = {2022-06-16},
|
||
journal = {Journal of Computer Security},
|
||
author = {Bugliesi, Michele and Calzavara, Stefano and Focardi, Riccardo and Khan, Wilayat},
|
||
month = sep,
|
||
year = {2015},
|
||
keywords = {Browser security, formal methods, noninterference, session cookies},
|
||
pages = {509--537},
|
||
file = {jcs15.pdf:files/276/jcs15.pdf:application/pdf},
|
||
}
|
||
|
||
@inproceedings{gill_experiences_2006,
|
||
address = {AUS},
|
||
series = {{ACSW} {Frontiers} '06},
|
||
title = {Experiences in passively detecting session hijacking attacks in {IEEE} 802.11 networks},
|
||
isbn = {978-1-920682-36-1},
|
||
abstract = {Current IEEE 802.11 wireless networks are vulnerable to session hijacking attacks as the existing standards fail to address the lack of authentication of management frames and network card addresses, and rely on loosely coupled state machines. Even the new WLAN security standard - IEEE 802.11i does not address these issues. In our previous work, we proposed two new techniques for improving detection of session hijacking attacks that are passive, computationally inexpensive, reliable, and have minimal impact on network performance. These techniques utilise unspoofable characteristics from the MAC protocol and the physical layer to enhance confidence in the intrusion detection process. This paper extends our earlier work and explores usability, robustness and accuracy of these intrusion detection techniques by applying them to eight distinct test scenarios. A correlation engine has also been introduced to maintain the false positives and false negatives at a manageable level. We also explore the process of selecting optimum thresholds for both detection techniques. For the purposes of our experiments, Snort-Wireless open source wireless intrusion detection system was extended to implement these new techniques and the correlation engine. Absence of any false negatives and low number of false positives in all eight test scenarios successfully demonstrated the effectiveness of the correlation engine and the accuracy of the detection techniques.},
|
||
urldate = {2022-06-16},
|
||
booktitle = {Proceedings of the 2006 {Australasian} workshops on {Grid} computing and e-research - {Volume} 54},
|
||
publisher = {Australian Computer Society, Inc.},
|
||
author = {Gill, Rupinder and Smith, Jason and Clark, Andrew},
|
||
month = jan,
|
||
year = {2006},
|
||
keywords = {passive monitoring, received signal strength, round trip time, session hi-jacking, wireless intrusion detection},
|
||
pages = {221--230},
|
||
file = {c25301.pdf:files/280/c25301.pdf:application/pdf},
|
||
}
|
||
|
||
@inproceedings{johns_reliable_2011,
|
||
address = {New York, NY, USA},
|
||
series = {{SAC} '11},
|
||
title = {Reliable protection against session fixation attacks},
|
||
isbn = {978-1-4503-0113-8},
|
||
url = {https://doi.org/10.1145/1982185.1982511},
|
||
doi = {10.1145/1982185.1982511},
|
||
abstract = {The term 'Session Fixation vulnerability' subsumes issues in Web applications that under certain circumstances enable the adversary to perform a Session Hijacking attack through controlling the victim's session identifier value. A successful attack allows the attacker to fully impersonate the victim towards the vulnerable Web application. We analyse the vulnerability pattern and identify its root cause in the separation of concerns between the application logic, which is responsible for the authentication processes, and the framework support, which handles the task of session tracking. Based on this result, we present and discuss three distinct server-side measures for mitigating Session Fixation vulnerabilities. Each of our countermeasures is tailored to suit a specific real-life scenario that might be encountered by the operator of a vulnerable Web application.},
|
||
urldate = {2022-06-16},
|
||
booktitle = {Proceedings of the 2011 {ACM} {Symposium} on {Applied} {Computing}},
|
||
publisher = {Association for Computing Machinery},
|
||
author = {Johns, Martin and Braun, Bastian and Schrank, Michael and Posegga, Joachim},
|
||
month = mar,
|
||
year = {2011},
|
||
pages = {1531--1537},
|
||
file = {Reliable_protection_against_session_fixation_attac.pdf:files/293/Reliable_protection_against_session_fixation_attac.pdf:application/pdf},
|
||
}
|
||
|
||
@article{zeller_cross-site_nodate,
|
||
title = {Cross-{Site} {Request} {Forgeries}: {Exploitation} and {Prevention}},
|
||
abstract = {Cross-Site Request Forgery (CSRF) attacks occur when a malicious web site causes a user’s web browser to perform an unwanted action on a trusted site. These attacks have been called the “sleeping giant” of web-based vulnerabilities, because many sites on the Internet fail to protect against them and because they have been largely ignored by the web development and security communities. We present four serious CSRF vulnerabilities we have discovered on four major sites, including what we believe is the first published attack involving a financial institution. These vulnerabilities allow an attacker to transfer money out of user bank accounts, harvest user email addresses, violate user privacy and compromise user accounts. We recommend server-side changes (which we have implemented) that are able to completely protect a site from CSRF attacks. We also describe the features a server-side solution should have (the lack of which has caused CSRF protections to unnecessarily break typical web browsing behavior). Additionally, we have implemented a clientside browser plugin that can protect users from certain types of CSRF attacks even if a site has not taken steps to protect itself. We hope to raise the awareness of CSRF attacks while giving responsible web developers the tools to protect users from these attacks.},
|
||
language = {en},
|
||
author = {Zeller, William and Felten, Edward W},
|
||
pages = {13},
|
||
file = {csrf.pdf:files/277/csrf.pdf:application/pdf},
|
||
}
|
||
|
||
@article{keulemans_geo-cultural_2016,
|
||
title = {The {Geo}-cultural {Conditions} of {Kintsugi}},
|
||
volume = {9},
|
||
issn = {1749-6772},
|
||
url = {https://doi.org/10.1080/17496772.2016.1183946},
|
||
doi = {10.1080/17496772.2016.1183946},
|
||
abstract = {This paper concerns the analysis of transformative repair in ceramics using concepts of affect. The traditional Japanese craft of kintsugi, the repair of ceramics using urushi lacquer and gold or silver, is described and its techniques and historical relation to the Japanese tea ceremony discussed. Kintsugi is shown to demonstrate the propensity of repaired objects to embody dual perceptions of catastrophe and amelioration. Concepts of affect from the philosophers Giles Deleuze and Félix Guattari are used to illuminate these relationships and show how material capacities facilitate the movement of affects as forces that move through domestic objects and into sensation. Their concept of affect working in speeds and durations is discussed in regard to the sensory characteristics of cracks and their repair. The perception of kintsugi is explored using the concept of micro- and macropolitical expression, which broadens the analysis towards an understanding of traditional Japanese cultural sensitivities as a response to the breaking forces of geological phenomena, such as earthquakes, of which kintsugi ceramics, within the framework of this paper, are considered a material expression.I conclude the paper by contextualizing the craft of kintsugi to the broader field of transformative repair, and discuss contemporary works and modes of transformative repair in relation to kintsugi. This includes a discussion of my own ceramic works Archaeologic (2011–2015) that deploy kintsugi techniques with the use of photoluminescent pigment in order to potentialize an awareness of contemporary ecological issues. I make a few comments concerning the significance of kintsugi, as a culturally and ecologically embedded practice, to contemporary practitioners of transformative repair.},
|
||
number = {1},
|
||
urldate = {2022-06-16},
|
||
journal = {The Journal of Modern Craft},
|
||
author = {Keulemans, Guy},
|
||
month = jan,
|
||
year = {2016},
|
||
note = {Publisher: Routledge
|
||
\_eprint: https://doi.org/10.1080/17496772.2016.1183946},
|
||
keywords = {ceramics, earthquakes, experimental design, Japanese aesthetics, kintsugi, repair, transformative repair},
|
||
pages = {15--34},
|
||
file = {TheGeoculturalConditionsofKintsugi.pdf:files/304/TheGeoculturalConditionsofKintsugi.pdf:application/pdf},
|
||
}
|
||
|
||
@techreport{nielsen_hypertext_1996,
|
||
type = {Request for {Comments}},
|
||
title = {Hypertext {Transfer} {Protocol} -- {HTTP}/1.0},
|
||
url = {https://datatracker.ietf.org/doc/rfc1945},
|
||
abstract = {The Hypertext Transfer Protocol (HTTP) is an application-level protocol with the lightness and speed necessary for distributed, collaborative, hypermedia information systems. This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.},
|
||
number = {RFC 1945},
|
||
urldate = {2022-06-16},
|
||
institution = {Internet Engineering Task Force},
|
||
author = {Nielsen, Henrik and Fielding, Roy T. and Berners-Lee, Tim},
|
||
month = may,
|
||
year = {1996},
|
||
doi = {10.17487/RFC1945},
|
||
note = {Num Pages: 60},
|
||
file = {rfc1945.txt.pdf:files/289/rfc1945.txt.pdf:application/pdf},
|
||
}
|
||
|
||
@inproceedings{emil_dos_2001,
|
||
title = {Dos and {Don}'ts of {Client} {Authentication} on the {Web}},
|
||
abstract = {Client authentication has been a continuous source of problems on the Web. Although many well-studied techniques exist for authentication, Web sites continue to use extremely weak authentication schemes, especially in non-enterprise environments such as store fronts. These weaknesses often result from careless use of authenticators within Web cookies. Of the twenty-seven sites we investigated, we weakened the client authentication on two systems, gained unauthorized access on eight, and extracted the secret key used to mint authenticators from one.},
|
||
booktitle = {Proceedings of the 10th {USENIX} {Security} {Symposium}},
|
||
author = {Fu, Kevin and Sit, Emil and Smith, Kendra and Feamster, Nick},
|
||
year = {2001},
|
||
pages = {251--268},
|
||
file = {10.1.1.18.1176.pdf:files/279/10.1.1.18.1176.pdf:application/pdf},
|
||
}
|
||
|
||
@article{calzavara_surviving_2018,
|
||
title = {Surviving the {Web}: {A} {Journey} into {Web} {Session} {Security}},
|
||
volume = {50},
|
||
issn = {0360-0300, 1557-7341},
|
||
shorttitle = {Surviving the {Web}},
|
||
url = {https://dl.acm.org/doi/10.1145/3038923},
|
||
doi = {10.1145/3038923},
|
||
abstract = {In this article, we survey the most common attacks against web sessions, that is, attacks that target honest web browser users establishing an authenticated session with a trusted web application. We then review existing security solutions that prevent or mitigate the different attacks by evaluating them along four different axes: protection, usability, compatibility, and ease of deployment. We also assess several defensive solutions that aim at providing robust safeguards against multiple attacks. Based on this survey, we identify five guidelines that, to different extents, have been taken into account by the designers of the different proposals we reviewed. We believe that these guidelines can be helpful for the development of innovative solutions approaching web security in a more systematic and comprehensive way.},
|
||
language = {en},
|
||
number = {1},
|
||
urldate = {2022-06-20},
|
||
journal = {ACM Computing Surveys},
|
||
author = {Calzavara, Stefano and Focardi, Riccardo and Squarcina, Marco and Tempesta, Mauro},
|
||
month = jan,
|
||
year = {2018},
|
||
pages = {1--34},
|
||
file = {3184558.3186232.pdf:files/301/3184558.3186232.pdf:application/pdf},
|
||
}
|
||
|
||
@inproceedings{jazayeri_trends_2007,
|
||
title = {Some {Trends} in {Web} {Application} {Development}},
|
||
volume = {1},
|
||
doi = {10.1109/FOSE.2007.26},
|
||
abstract = {A Web application is an application that is invoked with a Web browser over the Internet. Ever since 1994 when the Internet became available to the public and especially in 1995 when the World Wide Web put a usable face on the Internet, the Internet has become a platform of choice for a large number of ever-more sophisticated and innovative Web applications. In just one decade, the Web has evolved from being a repository of pages used primarily for accessing static, mostly scientific, information to a powerful platform for application development and deployment. New Web technologies, languages, and methodologies make it possible to create dynamic applications that represent a new model of cooperation and collaboration among large numbers of users. Web application development has been quick to adopt software engineering techniques of component orientation and standard components. For example, search, syndication, and tagging have become standard components of a new generation of collaborative applications and processes. Future developments in Web applications will be driven by advances in browser technology, Web Internet infrastructure, protocol standards, software engineering methods, and application trends.},
|
||
booktitle = {Future of {Software} {Engineering} ({FOSE} '07)},
|
||
publisher = {IEEE Computer Society},
|
||
author = {Jazayeri, Mehdi},
|
||
month = may,
|
||
year = {2007},
|
||
keywords = {Software engineering, Internet, Access protocols, Application software, Collaboration, Informatics, Multimedia databases, Software standards, Standards development, Web sites},
|
||
pages = {199--213},
|
||
file = {14_SomeTrendsinWebApplicationDevelopment.pdf:files/299/14_SomeTrendsinWebApplicationDevelopment.pdf:application/pdf},
|
||
}
|
||
|
||
@article{kristol_http_2001,
|
||
title = {{HTTP} {Cookies}: {Standards}, {Privacy}, and {Politics}},
|
||
copyright = {Assumed arXiv.org perpetual, non-exclusive license to distribute this article for submissions made before January 2004},
|
||
shorttitle = {{HTTP} {Cookies}},
|
||
url = {https://arxiv.org/abs/cs/0105018},
|
||
doi = {10.48550/ARXIV.CS/0105018},
|
||
abstract = {How did we get from a world where cookies were something you ate and where "non-techies" were unaware of "Netscape cookies" to a world where cookies are a hot-button privacy issue for many computer users? This paper will describe how HTTP "cookies" work, and how Netscape's original specification evolved into an IETF Proposed Standard. I will also offer a personal perspective on how what began as a straightforward technical specification turned into a political flashpoint when it tried to address non-technical issues such as privacy.},
|
||
urldate = {2022-06-20},
|
||
author = {Kristol, David M.},
|
||
year = {2001},
|
||
note = {Publisher: arXiv
|
||
Version Number: 1},
|
||
keywords = {C.2.2; K.2, Computers and Society (cs.CY), FOS: Computer and information sciences, Software Engineering (cs.SE)},
|
||
file = {0105018.pdf:files/285/0105018.pdf:application/pdf},
|
||
}
|
||
|
||
@book{grigorik_high-performance_2013,
|
||
address = {Beijing ; Sebastopol, CA},
|
||
title = {High-performance browser networking},
|
||
isbn = {978-1-4493-4476-4},
|
||
abstract = {Highlights innovations for building even more powerful browser apps including HTTP 2.0, XHR improvements, Server-Sent Events (SSEs), WebSocket, and WebRTC},
|
||
publisher = {O'Reilly},
|
||
author = {Grigorik, Ilya},
|
||
year = {2013},
|
||
note = {OCLC: ocn827951729},
|
||
keywords = {Computer networks},
|
||
}
|
||
|
||
@incollection{sharma_history_2019,
|
||
address = {Cham},
|
||
series = {Intelligent {Systems} {Reference} {Library}},
|
||
title = {The {History}, {Present} and {Future} with {IoT}},
|
||
isbn = {978-3-030-04203-5},
|
||
url = {https://doi.org/10.1007/978-3-030-04203-5_3},
|
||
abstract = {Human beings quest for making comfortable life is due to their inquisitiveness about technical arena. Over the last few decades, mankind had experienced technical transformational journey with the inventions of new technology frontiers. These frontiers have interacted with human beings and performed every possible work in shorter period of time and with a much greater accuracy. With the advent of ‘Smart Concepts’, the world is now becoming more connected. Precisely termed as hyper-connected world. The smart concepts includes smart phones, smart devices, smart applications and smart cities. These smarter concepts forms an ecosystem of devices whose basic work is to connect various devices to send and receive data. Internet of Things is one the dominating technology that keeps eye on the connected smart devices. Internet of Things has bought applications from fiction to fact enabling fourth industrial revolution. It has laid an incredible impact on the technical, social, economic and on the lives of human and machines. Scientists claim that the potential benefit derived from this technology will sprout a foreseeable future where the smart objects sense, think and act. Internet of Things is the trending technology and embodies various concepts such as fog computing, edge computing, communication protocols, electronic devices, sensors, geo-location etc. The chapter presents the comprehensive information about the evolution of Internet of Things, its present developments to its futuristic applications.},
|
||
language = {en},
|
||
urldate = {2022-06-22},
|
||
booktitle = {Internet of {Things} and {Big} {Data} {Analytics} for {Smart} {Generation}},
|
||
publisher = {Springer International Publishing},
|
||
author = {Sharma, Neha and Shamkuwar, Madhavi and Singh, Inderjit},
|
||
editor = {Balas, Valentina E. and Solanki, Vijender Kumar and Kumar, Raghvendra and Khari, Manju},
|
||
year = {2019},
|
||
doi = {10.1007/978-3-030-04203-5_3},
|
||
keywords = {Communication model, Edge computing, Fog computing, Future of IoT, Internet of things, IoT, IoT applications, IoT architecture, IoT definition, IoT evolution, IoT history, IoT technologies, IoT trends, Sensors},
|
||
pages = {27--51},
|
||
file = {2019_Book_InternetOfThingsAndBigDataAnal.pdf:files/305/2019_Book_InternetOfThingsAndBigDataAnal.pdf:application/pdf},
|
||
}
|
||
|
||
@inproceedings{nikiforakis_you_2012,
|
||
address = {New York, NY, USA},
|
||
series = {{CCS} '12},
|
||
title = {You are what you include: large-scale evaluation of remote {JavaScript} inclusions},
|
||
isbn = {978-1-4503-1651-4},
|
||
shorttitle = {You are what you include},
|
||
url = {https://doi.org/10.1145/2382196.2382274},
|
||
doi = {10.1145/2382196.2382274},
|
||
abstract = {JavaScript is used by web developers to enhance the interactivity of their sites, offload work to the users' browsers and improve their sites' responsiveness and user-friendliness, making web pages feel and behave like traditional desktop applications. An important feature of JavaScript, is the ability to combine multiple libraries from local and remote sources into the same page, under the same namespace. While this enables the creation of more advanced web applications, it also allows for a malicious JavaScript provider to steal data from other scripts and from the page itself. Today, when developers include remote JavaScript libraries, they trust that the remote providers will not abuse the power bestowed upon them. In this paper, we report on a large-scale crawl of more than three million pages of the top 10,000 Alexa sites, and identify the trust relationships of these sites with their library providers. We show the evolution of JavaScript inclusions over time and develop a set of metrics in order to assess the maintenance-quality of each JavaScript provider, showing that in some cases, top Internet sites trust remote providers that could be successfully compromised by determined attackers and subsequently serve malicious JavaScript. In this process, we identify four, previously unknown, types of vulnerabilities that attackers could use to attack popular web sites. Lastly, we review some proposed ways of protecting a web application from malicious remote scripts and show that some of them may not be as effective as previously thought.},
|
||
urldate = {2022-06-23},
|
||
booktitle = {Proceedings of the 2012 {ACM} conference on {Computer} and communications security},
|
||
publisher = {Association for Computing Machinery},
|
||
author = {Nikiforakis, Nick and Invernizzi, Luca and Kapravelos, Alexandros and Van Acker, Steven and Joosen, Wouter and Kruegel, Christopher and Piessens, Frank and Vigna, Giovanni},
|
||
month = oct,
|
||
year = {2012},
|
||
keywords = {javascript, remote inclusions, trust},
|
||
pages = {736--747},
|
||
file = {2382196.2382274.pdf:files/312/2382196.2382274.pdf:application/pdf},
|
||
}
|
||
|
||
@misc{noauthor_owasp_nodate,
|
||
title = {{OWASP} {Top} {Ten} {Web} {Application} {Security} {Risks}},
|
||
url = {https://owasp.org/www-project-top-ten/},
|
||
abstract = {The OWASP Top 10 is the reference standard for the most critical web application security risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing your software development culture focused on producing secure code.},
|
||
language = {en},
|
||
urldate = {2022-06-23},
|
||
}
|
||
|
||
@techreport{the_open_web_application_security_project_owasp_2010,
|
||
title = {{OWASP} {Top} 10 - {The} {Ten} {Most} {Critical} {Web} {Application} {Security} {Risks}},
|
||
author = {{The Open Web Application Security Project}},
|
||
year = {2010},
|
||
file = {OWASP_Top_10_-_2010.pdf:files/323/OWASP_Top_10_-_2010.pdf:application/pdf},
|
||
}
|
||
|
||
@techreport{the_open_web_application_security_project_owasp_2017,
|
||
title = {{OWASP} {Top} 10 {Application} {Security} {Risks} - 2017},
|
||
author = {{The Open Web Application Security Project}},
|
||
year = {2017},
|
||
}
|
||
|
||
@techreport{the_open_web_application_security_project_owasp_2021,
|
||
title = {{OWASP} {Top} 10 - 2021},
|
||
author = {{The Open Web Application Security Project}},
|
||
year = {2021},
|
||
}
|