Demott, Systematic bug finding and fault localization enhanced with input data tracking, Computers & Security, vol.32, 2012.
DOI : 10.1016/j.cose.2012.09.015

Anthony Dessiatnikoff, Rim Akrout, Eric Alata, Mohamed Kaaniche and Vincent Nicomette. A clustering approach for web vulnerabilities detection, 17th PRDC, pp.194-203, 2011.

Doupé, Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner, 2012.

Doupé, deDacota, Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, CCS '13, pp.1205-1216, 2013.
DOI : 10.1145/2508859.2516708

Duchène, XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing, 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation, pp.815-817, 2012.
DOI : 10.1109/ICST.2012.181

Duchène, Taint Assisted DOM-XSS Fuzzing with Dominator Pro, 2013.

Duchène, Fuzzing Intelligent de XSS Type-2 Filtrés selon Darwin: KameleonFuzz, 11th SSTIC, pp.289-311, 2013.

Duchène, A Hesitation Step into the Black-box: Heuristic based Web Application Reverse Engineering, 2013.

Duchène, LigRE: Reverse-engineering of control and data flow models for black-box XSS detection, 2013 20th Working Conference on Reverse Engineering (WCRE), pp.252-261, 2013.
DOI : 10.1109/WCRE.2013.6671300

Duchène, CVE-2013-7297 - Type-2 XSS in Elgg 1.8.13, 2013.

Duchène, CVE-2014-1599 - 39 Type-1 XSS in SFR BOX NB6-MAIN-R3.3, 1930.

Fabien Duchène, Harder, Better, Faster Fuzzer: Advances in Black-Box Evolutionary Fuzzing, Hack In The Box (HITB), 2014.

Mohammad Reza Faghani and Hossein Saidi. Malware propagation in online social networks, 4th MALWARE, pp.8-14, 2009.

Josselin Feist, Laurent Mounier and Marie-Laure Potet. Statically Detecting Use After Free on Binary Code, 2013.

Forrester and B. Miller, An empirical study of the robustness of Windows NT applications using random testing, 4th USENIX Windows System Symposium, pp.59-68, 2000.

Friedman, Projected state machine coverage for software testing, ACM SIGSOFT Software Engineering Notes, vol.27, issue.4, pp.134-143, 2002.
DOI : 10.1145/566171.566192

Godefroid, Automated Whitebox Fuzz Testing, NDSS, pp.151-166, 2008.

Kyle I. Murray, FlashDOM: interacting with flash content from the document object model, Proceedings of the 12th international ACM SIGACCESS conference on Computers and accessibility, pp.311-312, 2010.

Jeff Offutt and Aynur Abdurazik. Generating tests from UML specifications, 1999.
DOI : 10.1007/3-540-46852-8_30

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.137.2771

OWASP, WebGoat - the vulnerable web application. https://www.owasp.org/index

Di Paola, DOM XSS Identification and Exploitation, 2011. http://media.hacking-lab.com/scs3

Petrenko, Alexandre Petrenko Keqin Inferring Approximated Models for Systems Engineering, 15th IEEE International Symposium on High Assurance Systems Engineering, pp.249-253, 2014.

G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson, Busting frame busting: a study of clickjacking vulnerabilities at popular sites, IEEE Oakland Web, vol.2, 2010.

Sriram Sankaranarayanan, Aleksandar Chakarov and Sumit Gulwani. Static analysis for probabilistic programs: inferring whole program properties from finitely many paths, Proceedings of the 34th ACM SIGPLAN conference on Programming language design and implementation, pp.447-458, 2013.

Saxena, A Symbolic Execution Framework for JavaScript, 2010 IEEE Symposium on Security and Privacy, pp.513-528, 2010.
DOI : 10.1109/SP.2010.38

Tonella, Finding the Optimal Balance between Over and Under Approximation of Models Inferred from Execution Logs, 2012 IEEE Fifth International Conference on Software Testing, Verification and Validation, 2012.
DOI : 10.1109/ICST.2012.82

Omer Tripp, Omri Weisman and Lotem Guy. Finding your way in the testing jungle: a learning approach to web security testing, ISSTA, pp.347-357, 2013.

Trivedi, Dependability and security models, 2009 7th International Workshop on Design of Reliable Communication Networks, pp.11-20, 2009.
DOI : 10.1109/DRCN.2009.5340029

Matthew Van Gundy and Hao Chen, Fuzzing with DOM Level 2 and 3 Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks, DeepSec NDSS, 2009.

Vogt, Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis, NDSS, 2007.

Y. Wang, C. Mao, and H. Lee, Structural Learning of Attack Vectors for Generating Mutated XSS Attacks, Electronic Proceedings in Theoretical Computer Science, vol.35, 2010.
DOI : 10.4204/EPTCS.35.2

Wassermann, Dynamic test input generation for web applications, Proceedings of the 2008 international symposium on Software testing and analysis, ISSTA '08, pp.249-260, 2008.
DOI : 10.1145/1390630.1390661

C. Evernote, 2014-1404 on Windows: a warning is displayed though

Siemens, Type-2 Reflection in a JS context - source

Siemens, Type-2 Reflection in a JS context - code

Siemens, Type-2 Reflection in a JS context - execution

Attack input grammar (AIG) (excerpt)

Configuration file (extract):

FLOOR of this value * population_size will be chosen: how many % of the BEST individuals do we consider for crossover -->
<param name="Elitism" value="2" />
<param name="crossoverNodeSelectionAndNumberOfPointsStrategy" value="samePrefix_and_1NodeRandom" />
<!--strategies: samePrefix_and_1NodeRandom, samePrefix_and_1NodeFirstFromRoot -->
<param name="mutationRate" value="0.5" />
<param name="mutationStrategy" value="random" />
<!--other values of mutationStrategy include # most frequent value first ... within nodes "close" from leafs -->
<param name="firstGenerationInputParamSelectOneInXPercents" value="0.8" />
<param name="modelMaxDepthForPrefixingInputSequences" value="7" />
</EvolutionaryAlgorithmConfig>

<Fitness> <!--the higher the more important the weight will be -->
<param name="number_of_classes_injected_vs_sent" value="2" />
<param name="string_distance" value="2" />
<param name="number_of_tainted_nodes" value="3" />
<param name="number_of_nodes_between_fuzzed_input_sending_and_reflection" value="2" />

<param name="number_of_unique_states_from_start_node" value="0.5" />
<param name="how_well_formed_wrt_HTML_is_the_output" value="0.5" />

<param name="new_output_symbol_discovered" value="5" />
<param name="percentage_of_expected_output_symbols" value="3" />
<param name="number_of_different_macro_states_between_fuzzed_value_submission_and_reflection" value="1" />
<param name="singularity_on_fuzzed_input_param_value" value="4" />
<param name="singularity_on_input_sequence" value="3" />
</Fitness>

<InternalTests>
[...]

<ModelAnnotation>
<param name="ignoreOutputSymbols" value="True" />
<param name="modelExplorationMethod" value="breath_first_prefix_1by1_bounded" />
<!--values include:
 -breath_first_prefix_1by1_bounded
 -random_bounded:
 NOTE: for both, the length of input sequences is bounded by modelMaxInputSequencesLength -->
<param name="random_bounded.max_attempts_to_generate_input_sequences" value=
[...]
<param name="method" value=
[...]
<EvolutionaryAlgorithmConfig>
<param name=
[...]
<param name="efficient_substring.min_string_length" value="6" />
<!--only input parameters with value of at least xx characters will be considered for approximate taint computation

<param name="DOMTaintIfNodeWithBrother" value="0.40" />
<param name="DOMTaintMaxNodeDistance" value="2" />
<param name="TaintPropagationOnDOM" value=
