References
- Akamai. (2019). Global state of the internet security & DDoS attack reports. Akamai. https://www.akamai.com/us/en/resources/our-thinking/state-of-the-internet-report/global-state-of-the-internet-security-ddos-attack-reports.jsp
- Alharbi, F., Chang, J., Zhou, Y., Qian, F., Qian, Z., & Abu-Ghazaleh, N. (2019). Collaborative client-side DNS cache poisoning attack. IEEE INFOCOM 2019 - IEEE Conference on Computer Communications, 1153–1161. Paris, France. https://doi.org/10.1109/INFOCOM.2019.8737514
- Ali, N. S. (2018). Investigation framework of web applications vulnerabilities, attacks and protection techniques in structured query language injection attacks. International Journal of Wireless and Mobile Computing, 14(2), 103–122. https://doi.org/10.1504/IJWMC.2018.091137
- Álvarez, G., & Petrović, S. (2003). A new taxonomy of web attacks suitable for efficient encoding. Computers & Security, 22(5), 435–449. https://doi.org/10.1016/S0167-4048(03)00512-1
- Anomali. (2013). What is MITRE ATT&CK and how is it useful? Anomali. https://www.anomali.com/resources/what-mitre-attck-is-and-how-it-is-useful
- Aznoli, F., & Navimipour, N. J. (2017). Deployment strategies in the wireless sensor networks: Systematic literature review, classification, and current trends. Wireless Personal Communications, 95(2), 819–846. https://doi.org/10.1007/s11277-016-3800-0
- Bergadano, F., Boetti, M., Cogno, F., Costamagna, V., Leone, M., & Evangelisti, M. (2020). A modular framework for mobile security analysis. Information Security Journal: A Global Perspective, 1–24. https://doi.org/10.1080/19393555.2020.1741743
- Callegati, F., Cerroni, W., & Ramilli, M. (2009). Man-in-the-middle attack to the HTTPS protocol. IEEE Security & Privacy, 7(1), 78–81. https://doi.org/10.1109/MSP.2009.12
- Calzavara, S., Focardi, R., Squarcina, M., & Tempesta, M. (2017). Surviving the web: A journey into web session security. ACM Computing Surveys (CSUR), 50(1), 13:1–13:34. https://doi.org/10.1145/3038923
- CAPEC. (2019). CAPEC - CAPEC-588: DOM-Based XSS (Version 3.2). The MITRE Corporation. https://capec.mitre.org/data/definitions/588.html
- CAPEC. (n.d.). CAPEC - Common Attack Pattern Enumeration and Classification (CAPEC). The MITRE Corporation. Retrieved February 15, 2020, from https://capec.mitre.org/
- Chen, P., Desmet, L., Huygens, C., & Joosen, W. (2016). Longitudinal study of the use of client-side security mechanisms on the European web. Proceedings of the 25th International Conference Companion on World Wide Web, 457–462. Montreal, Canada. https://doi.org/10.1145/2872518.2888605
- Cloudflare. (n.d.). HTTP Flood DDoS Attack. Cloudflare. Retrieved February 15, 2020, from https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/
- Cook, D. J. (1997). The relation between systematic reviews and practice guidelines. Annals of Internal Medicine, 127(3), 210. https://doi.org/10.7326/0003-4819-127-3-199708010-00006
- CWE. (2019). CWE - 2019 CWE Top 25 most dangerous software errors. The MITRE Corporation. https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
- Deepa, G., & Thilagam, P. S. (2016). Securing web applications from injection and logic vulnerabilities: Approaches and challenges. Information and Software Technology, 74, 160–180. https://doi.org/10.1016/j.infsof.2016.02.005
- FBI. (2019). 2018 internet crime report (pp. 1–28). FBI Internet Crime Complaint Center. Federal Bureau of Investigation. https://pdf.ic3.gov/2018_IC3Report.pdf
- Garg, S., Singh, R. K., & Mohapatra, A. K. (2019). Analysis of software vulnerability classification based on different technical parameters. Information Security Journal: A Global Perspective, 28(1–2), 1–19. https://doi.org/10.1080/19393555.2019.1628325
- Grigorik, I. (2013). High performance browser networking. O’Reilly Media. http://shop.oreilly.com/product/0636920028048.do
- Hajiheidari, S., Wakil, K., Badri, M., & Navimipour, N. J. (2019). Intrusion detection systems in the Internet of things: A comprehensive investigation. Computer Networks, 160, 165–191. https://doi.org/10.1016/j.comnet.2019.05.014
- Hansman, S., & Hunt, R. (2005). A taxonomy of network and computer attacks. Computers & Security, 24(1), 31–43. https://doi.org/10.1016/j.cose.2004.06.011
- Helme, S. (2013). Analysing the Adobe hack and poor password security. Scott Helme. https://scotthelme.co.uk/the-adobe-hack/
- Howard, J. D., & Longstaff, T. A. (1998). A common language for computer security incidents. Sandia National Laboratories, Livermore, CA, USA. https://www.osti.gov/servlets/purl/751004
- Howard, M., LeBlanc, D., & Viega, J. (2005). 19 deadly sins of software security: Programming flaws and how to fix them. McGraw-Hill Professional.
- HULK. (2012). HULK - HTTP Unbearable Load King. Packet Storm. http://goo.gl/PWhEJk
- Hunt, T. (2019). The 773 Million Record “Collection #1” Data Breach. Troy Hunt. https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
- Hydara, I., Sultan, A. B. M., Zulzalil, H., & Admodisastro, N. (2015). Current state of research on cross-site scripting (XSS) – A systematic literature review. Information and Software Technology, 58, 170–186. https://doi.org/10.1016/j.infsof.2014.07.010
- Igure, V. M., & Williams, R. D. (2008). Taxonomies of attacks and vulnerabilities in computer systems. IEEE Communications Surveys & Tutorials, 10(1), 6–19. https://doi.org/10.1109/COMST.2008.4483667
- Iqbal, S., Kiah, M. L. M., Dhaghighi, B., Hussain, M., Khan, S., Khan, M. K., & Choo, K.-K. R. (2016). On cloud security attacks: A taxonomy and intrusion detection and prevention as a service. Journal of Network and Computer Applications, 74, 98–120. https://doi.org/10.1016/j.jnca.2016.08.016
- Jazi, H. H., Gonzalez, H., Stakhanova, N., & Ghorbani, A. A. (2017). Detecting HTTP-based application layer DoS attacks on web servers in the presence of sampling. Computer Networks, 121, 25–36. https://doi.org/10.1016/j.comnet.2017.03.018
- Jia, Y., Chen, Y., Dong, X., Saxena, P., Mao, J., & Liang, Z. (2015). Man-in-the-browser-cache: Persisting HTTPS attacks via browser cache poisoning. Computers & Security, 55, 62–80. https://doi.org/10.1016/j.cose.2015.07.004
- Kiciman, E., & Livshits, B. (2007). AjaxScope: A platform for remotely monitoring the client-side behavior of web 2.0 applications. ACM SIGOPS Operating Systems Review, 41(6), 17–30. https://doi.org/10.1145/1323293.1294264
- Kitchenham, B., & Charters, S. (2007). Guidelines for performing systematic literature reviews in software engineering (EBSE Technical Report). EBSE.
- Kitchenham, B., Pretorius, R., Budgen, D., Pearl Brereton, O., Turner, M., Niazi, M., & Linkman, S. (2010). Systematic literature reviews in software engineering – A tertiary study. Information and Software Technology, 52(8), 792–805. https://doi.org/10.1016/j.infsof.2010.03.006
- Kottler, S. (2018). February 28th DDoS Incident Report. The GitHub Blog. GitHub. https://github.blog/2018-03-01-ddos-incident-report/
- Krasimirov, A., & Tsolova, T. (2019). In systemic breach, hackers steal millions of Bulgarians’ financial data. Reuters. https://www.reuters.com/article/us-bulgaria-cybersecurity-idUSKCN1UB0MA
- Landwehr, C. E., Bull, A. R., McDermott, J. P., & Choi, W. S. (1994). A taxonomy of computer program security flaws. ACM Computing Surveys (CSUR), 26(3), 211–254. https://doi.org/10.1145/185403.185412
- Li, X., & Xue, Y. (2014). A survey on server-side approaches to securing web applications. ACM Computing Surveys (CSUR), 46(4), 54:1–54:29. https://doi.org/10.1145/2541315
- Lindqvist, U., & Jonsson, E. (1997). How to systematically classify computer security intrusions. Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097), 154–163. Oakland, CA. https://doi.org/10.1109/SECPRI.1997.601330
- Liu, X., Liu, J., Wang, W., & Zhu, S. (2018). Android single sign-on security: Issues, taxonomy and directions. Future Generation Computer Systems, 89, 402–420. https://doi.org/10.1016/j.future.2018.06.049
- Lough, D. L. (2001). A taxonomy of computer attacks with applications to wireless networks [PhD thesis]. Virginia Tech. https://vtechworks.lib.vt.edu/handle/10919/27242
- Martin, B., Brown, M., Paller, A., & Christey, S. (2009). 2009 CWE/SANS Top 25 most dangerous programming errors.
- Martin, B., Brown, M., Paller, A., Kirby, D., & Christey, S. (2011). 2011 CWE/SANS top 25 most dangerous software errors. Common Weakness Enumeration, 7515.
- Matsakis, L., & Lapowsky, I. (2018). Everything we know about Facebook’s massive security breach. Wired. https://www.wired.com/story/facebook-security-breach-50-million-accounts/
- Mirkovic, J., & Reiher, P. (2004). A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Computer Communication Review, 34(2), 39–53. https://doi.org/10.1145/997150.997156
- MITRE. (2007). CWE - Vulnerability Type Distributions in CVE. The MITRE Corporation. https://cwe.mitre.org/documents/vuln-trends/index.html
- MITRE. (n.d.). MITRE ATT&CK™. The MITRE Corporation. Retrieved February 6, 2020, from https://attack.mitre.org/
- Ng, A., & Musil, S. (2017). Equifax data leak may affect nearly half the US population. CNET. https://www.cnet.com/news/equifax-data-leak-hits-nearly-half-of-the-us-population/
- OWASP. (2004). OWASP Top 10 2004. OWASP Foundation. https://github.com/owasp-top/owasp-top-2004
- OWASP. (2007). OWASP TOP 10 2007. OWASP Foundation. https://github.com/owasp-top/owasp-top-2007
- OWASP. (2017a). 2017 Top 10 | OWASP. OWASP Foundation. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_Top_10.html
- OWASP. (2017b). A3-Sensitive Data Exposure | OWASP. OWASP Foundation. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A3-Sensitive_Data_Exposure.html
- OWASP. (2017c). A6-Security Misconfiguration | OWASP. OWASP Foundation. https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A6-Security_Misconfiguration.html
- OWASP. (2017d). OWASP Top Ten. OWASP Foundation. https://owasp.org/www-project-top-ten/
- OWASP. (2019). HTML5 Security Cheat Sheet | OWASP. OWASP Foundation. https://owasp.org/www-project-cheat-sheets/cheatsheets/HTML5_Security_Cheat_Sheet.html
- Pellegrino, G., & Balzarotti, D. (2014). Toward black-box detection of logic flaws in web applications. NDSS.
- Prokhorenko, V., Choo, K.-K. R., & Ashman, H. (2016). Web application protection techniques: A taxonomy. Journal of Network and Computer Applications, 60, 95–112. https://doi.org/10.1016/j.jnca.2015.11.017
- Rodríguez, G. E., Torres, J. G., Flores, P., & Benavides, D. E. (2020). Cross-site scripting (XSS) attacks and mitigation: A survey. Computer Networks, 166, 106960. https://doi.org/10.1016/j.comnet.2019.106960
- Ryck, P. D., Desmet, L., Piessens, F., & Johns, M. (2014). Primer on client-side web security. Springer International Publishing. https://doi.org/10.1007/978-3-319-12226-7
- Sadqi, Y., Asimi, A., & Asimi, Y. (2014). Short: A lightweight and secure session management protocol. International Conference on Networked Systems, 319–323. Marrakech, Morocco.
- Sadqi, Y., Asimi, A., & Asimi, Y. (2015). A secure and efficient user authentication scheme for the web. International Journal of Internet Technology and Secured Transactions, 6(1), 43–63. https://doi.org/10.1504/IJITST.2015.073936
- Sahingoz, O. K., Buber, E., Demir, O., & Diri, B. (2019). Machine learning based phishing detection from URLs. Expert Systems with Applications, 117, 345–357. https://doi.org/10.1016/j.eswa.2018.09.029
- SANS. (2018). CEO fraud/BEC. SANS Security Awareness, SANS Institute. https://www.sans.org//security-awareness-training/resources/ceo-fraudbec
- Sarmah, U., Bhattacharyya, D. K., & Kalita, J. K. (2018). A survey of detection methods for XSS attacks. Journal of Network and Computer Applications, 118, 113–143. https://doi.org/10.1016/j.jnca.2018.06.004
- Saxena, P., Hanna, S., Poosankam, P., & Song, D. (2010). FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications. 17th Annual Network and Distributed System Security Symposium (NDSS 2010). San Diego, CA, USA. https://www.ndss-symposium.org/wp-content/uploads/2017/09/saxe.pdf
- Scholte, T., Balzarotti, D., & Kirda, E. (2012). Have things changed now? An empirical study on input validation vulnerabilities in web applications. Computers & Security, 31(3), 344–356. https://doi.org/10.1016/j.cose.2011.12.013
- Shahriar, H., Weldemariam, K., Zulkernine, M., & Lutellier, T. (2014). Effective detection of vulnerable and malicious browser extensions. Computers & Security, 47, 66–84. https://doi.org/10.1016/j.cose.2014.06.005
- Silva, C., Batista, R., Queiroz, R., Garcia, V., Silva, J., Gatti, D., Assad, R., Nascimento, L., Brito, K., & Miranda, P. (2016). Towards a taxonomy for security threats on the web ecosystem. NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium, 584–590. Istanbul, Turkey. https://doi.org/10.1109/NOMS.2016.7502862
- Sjösten, A., Van Acker, S., & Picazo-Sanchez, P. (2019). Latex gloves: Protecting browser extensions from probing and revelation attacks. 26th Annual Network and Distributed System Security Symposium (NDSS 2019). San Diego, CA, USA. https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_01B-5_Sjosten_paper.pdf
- Srivatsa, M., Iyengar, A., Yin, J., & Liu, L. (2008). Mitigating application-level denial of service attacks on Web servers: A client-transparent approach. ACM Transactions on the Web (TWEB), 2(3), 15:1–15:49. https://doi.org/10.1145/1377488.1377489
- Statista. (2020). Global digital population 2020. Statista. https://www.statista.com/statistics/617136/digital-population-worldwide/
- Stock, B., Johns, M., Steffens, M., & Backes, M. (2017). How the Web tangled itself: Uncovering the history of client-side Web (in)security. 26th USENIX Security Symposium (USENIX Security 17), 971–987. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/stock
- Stock, B., Lekies, S., Mueller, T., Spiegel, P., & Johns, M. (2014). Precise client-side protection against DOM-based cross-site scripting. 23rd USENIX Security Symposium (USENIX Security 14), 655–670. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/stock
- Stock, B., Pfistner, S., Kaiser, B., Lekies, S., & Johns, M. (2015). From facepalm to brain bender: Exploring client-side cross-site scripting. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 1419–1430. Denver, CO, USA. https://doi.org/10.1145/2810103.2813625
- Symantec. (2019). 2019 internet security threat report (No. 24). Symantec. https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf
- Tsipenyuk, K., Chess, B., & McGraw, G. (2005). Seven pernicious kingdoms: A taxonomy of software security errors. IEEE Security & Privacy, 3(6), 81–84. https://doi.org/10.1109/MSP.2005.159
- VCloudNews. (2015). Every Day Big Data Statistics – 2.5 Quintillion Bytes of Data Created Daily. VCloudNews. http://www.vcloudnews.com/every-day-big-data-statistics-2-5-quintillion-bytes-of-data-created-daily/
- Volkamer, M., Renaud, K., Reinheimer, B., & Kunz, A. (2017). User experiences of TORPEDO: TOoltip-poweRed phishing email detectiOn. Computers & Security, 71, 100–113. https://doi.org/10.1016/j.cose.2017.02.004
- WASC. (2012a). The web application security consortium/threat classification. The Web Application Security Consortium (WASC). http://projects.webappsec.org/w/page/13246978/Threat%20Classification
- WASC. (2012b). The web application security consortium/threat classification development view. The Web Application Security Consortium (WASC). http://projects.webappsec.org/w/page/13246969/Threat%20Classification%20Development%20View
- WASC. (2012c). The web application security consortium/threat classification enumeration view. The Web Application Security Consortium (WASC). http://projects.webappsec.org/w/page/13246970/Threat%20Classification%20Enumeration%20View
- WASC. (2012d). The web application security consortium/threat classification taxonomy cross reference view. The Web Application Security Consortium (WASC). http://projects.webappsec.org/w/page/13246975/Threat%20Classification%20Taxonomy%20Cross%20Reference%20View
- Weber, S., Karger, P. A., & Paradkar, A. (2005). A software flaw taxonomy: Aiming tools at security. ACM SIGSOFT Software Engineering Notes, 30(4), 1–7. https://doi.org/10.1145/1082983.1083209
- Whittaker, Z. (2019). DoorDash confirms data breach affected 4.9 million customers, workers and merchants. TechCrunch. http://social.techcrunch.com/2019/09/26/doordash-data-breach/
- Williams, J. (n.d.). OWASP risk rating methodology. OWASP Foundation. Retrieved April 30, 2020, from https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
- Xie, Y., & Yu, S.-Z. (2009). Monitoring the application-layer DDoS attacks for popular websites. IEEE/ACM Transactions on Networking, 17(1), 15–25. https://doi.org/10.1109/TNET.2008.925628
- Zargar, S. T., Joshi, J., & Tipper, D. (2013). A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Communications Surveys & Tutorials, 15(4), 2046–2069. https://doi.org/10.1109/SURV.2013.031413.00127