□ «Writing Secure Code, Second Edition» by Michael Howard and David C. LeBlanc (Microsoft Press, 2002), Chapter 13 «Web–specific Input Issues»

□ Mitigating Cross–site Scripting With HTTP–only Cookies: http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/httponly_cookies.asp

□ Request Validation – Preventing Script Attacks: www.asp.net/faq/requestvalidation.aspx

□ mod_perl Apache::TaintRequest: www.modperlcookbook.org/code.html

□ «UrlScan Security Tool»: www.microsoft.com/technet/security/tools/urlscan.mspx

□ «Divide and Conquer – HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics»: www.securityfocus.com/archive/1/356293

□ «Prevent a cross–site scripting attack» by Anand K. Sharma: www-106.ibm.com/developerworks/library/wa-secxss/?ca=dgr-lnxw93PreventXSS

□ «Prevent Cross–site Scripting Attacks» by Paul Lindner: www.perl.com/pub/a/2002/02/20/css.html

□ «CERT Advisory CA–2000–02 Malicious HTML Tags Embedded in Client Web Requests»: www.cert.org/advisories/CA-2000-02.html

□ The Open Web Application Security Project (OWASP): www.owasp.org

□ «HTML Code Injection and Cross–site Scripting» by Gunter Ollmann: www.technicalinfo.net/papers/CSS.html

□ Building Secure ASP.NET Pages and Controls: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh10.asp

□ Understanding Malicious Content Mitigation for Web Developers: www.cert.org/tech_tips/malicious_code_mitigation.html

□ How to Prevent Cross–Site Scripting Security Issues in CGI or ISAPI: support.microsoft.com/default.aspx?scid=kb%3BEN-US%3BQ253165

□ Hacme Bank: www.foundstone.com/resources/proddesc/hacmebank.htm

□ WebGoat: www.owasp.org/software/webgoat.html