89 results about "Cross-site scripting" patented technology

An automated method and system for testing a web site for vulnerability to a cross site scripting (XSS) attack are disclosed. The automated tool injects a tracer value into both GET and POST form data, and monitors the resultant HTML to determine whether the tracer value is returned to the local machine by the server to which it was sent. If the tracer value is returned, the automated tool attempts to exploit the web site by injecting a non-malicious script as part of an input value for some form data, based on the location in the returned HTML in which the returned tracer value was found. If the exploit is successful, as indicated by the non-malicious script, the automated tool logs the exploit to a log file that a user can review at a later time, e.g., to assist in debugging the web site.

Various embodiments presented herein relate to scanning for and detecting web page vulnerabilities, including cross-site scripting (XSS). Some embodiments are configured to scan for and detect vulnerabilities of a target web page using a client-based approach, which may employ a remotely-controlled web browser application capable of generating a document object model (DOM) for the target web page as it is accessed. Some embodiments may scan for and detect web page vulnerabilities by monitoring the DOM associated with a targeted web page as one or more attack vectors are applied to the target web page. Certain embodiments are capable of detecting web page vulnerabilities independent of the complexity or presence of an event model, or obfuscation of the malicious code (e.g., XSS code). Target web pages that are scanned may include those associated with an application coded in a web browser-supported language, such a Rich Internet Application (RIA).

Method to prevent the effect of web application injection attacks, such as SQL injection and cross-site scripting (XSS), which are major threats to the security of the Internet. Method using complementary character coding, a new approach to character level dynamic tainting, which allows efficient and precise taint propagation across the boundaries of server components, and also between servers and clients over HTTP. In this approach, each character has two encodings, which can be used to distinguish trusted and untrusted data. Small modifications to the lexical analyzers in components such as the application code interpreter, the database management system, and (optionally) the web browser allow them to become complement aware components, capable of using this alternative character coding scheme to enforce security policies aimed at preventing injection attacks, while continuing to function normally in other respects. This approach overcomes some weaknesses of previous dynamic tainting approaches by offering a precise protection against persistent cross-site scripting attacks, as taint information is maintained when data is passed to a database and later retrieved by the application program. The technique is effective on a group of vulnerable benchmarks and has low overhead.

A web application decomposed into one or more domain sandboxes ensures that the contents of each sandbox are protected from attacks on the web application outside that sandbox. Sandboxing is achieved on a per-element basis by identifying content that should be put under protection, generating a secure domain name for the identified content, and replacing the identified content with a unique reference (e.g., an iframe) to the generated secure domain. The identified content is then served only from the generated secure domain using a content handler.

A method for decomposing a web application into one or more domain sandboxes ensures that the contents of each sandbox are protected from attacks on the web application outside that sandbox. Sandboxing is achieved on a per-element basis by identifying content that should be put under protection, generating a secure domain name for the identified content, and replacing the identified content with a unique reference (e.g., an iframe) to the generated secure domain. The identified content is then served only from the generated secure domain.

A system and method that prevents certain cookies, as specified by an Internet server, from being accessed through client-side script, thereby mitigating the amount of damage that cross-site scripting attacks can accomplish. The server marks selected cookies with an attribute that flags such cookies as being protected, and a security mechanism in the client prevents protected cookies from being accessed via script. A protected (flagged) cookie can still be accessed by the server, (e.g., via HTTP), while non-flagged cookies can be accessed by the server or script. An API or similar layer implements the security mechanism that checks for the attribute, and fails requests for any cookies having that attribute set. The present invention can also be adapted to prevent a malicious script from overwriting existing HTTP-only cookies on a client machine.

A system and method for protecting a user against a cross-site scripting attack or other network attack that relies on scripting code embedded within a uniform resource locator (URL) are described. Validation software executing on a client computer system may intercept a URL in response to a user providing the URL to a web browser or other client application. The validation software may analyze the URL to determine whether the URL includes scripting code. If the URL includes scripting code then the validation software may block the client application from accessing the URL or may otherwise inhibit access to the URL.

The invention provides a device for detecting cross site scripting. The device comprises an index calculating unit, an extracting unit, a code restoring unit, a semantics restoring unit, a matching degree calculating unit and a judging unit which cooperate with each other; and malicious cross site scripts entrained in a Web page are identified and extracted by a comprehensive HTML label analysis methods (comprising four methods, namely EJSRF analysis, JavaScript code deformation analysis, JavaScript semantics denaturation analysis and XSS attack characteristic mode matching). The cross site script identification and extraction technology taking HTML label analysis as a core can efficiently and accurately distinguish a normal JavaScript from the malicious cross site scripts in the Web page to make network security detection equipment and a network terminal accurately identify and filter the Web page which contains the malicious cross site scripts, and simultaneously guarantee legal Web page (without entrained malicious cross site scripts) normally pass.

A method, in a server, implementing a moving target defense against cross-site scripting includes receiving a request for a web page, wherein the server has N versions of the web page each with a mutated version of JavaScript; selecting a web page of the N versions; and sending an indication of the mutated version of JavaScript associated with the web page in response to the request. Another method, in a client device, using a moving target defense against cross-site scripting includes requesting a web page; receiving an indication of a mutated version of JavaScript for the web page; and adjusting a JavaScript interpreter based on the mutated version of JavaScript for the web page.

A method, in a server, implementing a moving target defense against cross-site scripting includes receiving a request for a web page, wherein the server has N versions of the web page each with a mutated version of JavaScript; selecting a web page of the N versions; and sending an indication of the mutated version of JavaScript associated with the web page in response to the request. Another method, in a client device, using a moving target defense against cross-site scripting includes requesting a web page; receiving an indication of a mutated version of JavaScript for the web page; and adjusting a JavaScript interpreter based on the mutated version of JavaScript for the web page.

Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.

The invention provides an XSS (Cross Site Scripting) testing method based on a DOM (Document Object Model). The XSS testing method comprises the following steps of obtaining source codes of a destination page, and extracting script codes in the source codes; traversing all the script codes, and obtaining all dirty data inlets and variables passed by the dirty data inlets from the script codes by utilizing a predefined dirty data inlet; traversing all the script codes again, obtaining output functions in the script codes, extracting parameters of the output functions for being matched with the dirty data inlets and the variables passed by the dirty data inlets, and determining that bugs exist if the parameters of the output functions can be matched with the dirty data inlets and the variables passed by the dirty data inlets; and recording information of the bugs. The invention also provides an XSS testing device based on the DOM for realizing the XSS testing method. According to the XSS testing method based on the DOM and the XSS testing device based on the DOM, which are provided by the invention, the problem that XSS based on the DOM cannot be accurately tested can be solved.

The invention provides computer-implemented methods and computer systems for testing applications such as web-based (HTTP) applications for cross-site scripting (XSS) and related security vulnerabilities and permits the discovery of previously unknown XSS and related vulnerabilities in applications without relying on known or previously generated static XSS signatures. The invention may be applied to any type of XSS or related vulnerability for any variation of application code.

Method to prevent the effect of web application injection attacks, such as SQL injection and cross-site scripting (XSS), which are major threats to the security of the Internet. Method using complementary character coding, a new approach to character level dynamic tainting, which allows efficient and precise taint propagation across the boundaries of server components, and also between servers and clients over HTTP. In this approach, each character has two encodings, which can be used to distinguish trusted and untrusted data. Small modifications to the lexical analyzers in components such as the application code interpreter, the database management system, and (optionally) the web browser allow them to become complement aware components, capable of using this alternative character coding scheme to enforce security policies aimed at preventing injection attacks, while continuing to function normally in other respects. This approach overcomes some weaknesses of previous dynamic tainting approaches by offering a precise protection against persistent cross-site scripting attacks, as taint information is maintained when data is passed to a database and later retrieved by the application program. The technique is effective on a group of vulnerable benchmarks and has low overhead.

The invention discloses an XSS vulnerability detection method and device. The method comprises that a URL of a webpage to be detected and an executable script code of a Web server of the webpage to be detected are obtained; the script code is updated in the URL of the webpage to be detected; the updated URL is used to access the webpage to be detected; whether the Web server executes the script code is detected; and if the Web server executes the script code, it is determined that XSS vulnerability exists in the webpage to be detected. The method and device of the invention can be used to solve the technical problem that a detection result obtained via an XSS vulnerability detection scheme based on matching and analysis of webpage files is lower in accuracy.

A system for detecting security vulnerabilities in web applications, the system including, a black-box tester configured to provide a payload to a web application during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, and an execution engine configured to detect the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and determine, responsive to detecting the identifier within the payload, whether the payload instruction underwent a security check prior to execution of the payload instruction.

A method for detecting security vulnerabilities in web applications can include providing a payload to a web application during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, detecting the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and determining, responsive to detecting the identifier within the payload, whether the payload instruction underwent a security check prior to execution of the payload instruction.

The invention relates to a cross-site scripting attack monitoring system. The cross-site scripting attack monitoring system comprises an application serving module, a monitoring module and an analyzing module. The application serving module comprises a service module and a redefining module. The service module receives and responds to a service request of a user side, and the redefining module redefines a script built-in function adopted in a cross-site scripting attack and returns redefining information of the script built-in function to the user side; the monitoring module monitors calling information of the user side to the redefined script built-in function; the analyzing module analyzes the safety of the calling information. The cross-site scripting attack monitoring system can realize accurate locating of the source of the cross-site scripting attack, the attacking time, leaked data, attacked vulnerability and the like. In addition, the invention further provides a cross-site scripting attack monitoring method.

The invention proposes a web server and a method for preventing cross-site scripting attack, wherein the method includes: after the Web server receives an HTTP request from a browser, intercepting the HTTP request, and determining, according to a filter mapping table, whether a filtering operation with respect to the HTTP request is to be executed; if it is determined that the filtering operation with respect to the HTTP request is needed to be executed, executing, by the Web server, the filtering operation with respect to the intercepted HTTP request according to a predetermined cross-site scripting attack judging rule and a cross-site scripting attack processing rule. The Web server and the method for preventing cross-site scripting attack disclosed in the invention can prevent effectively the cross-site scripting attack with respect to the browser and / or Web server.

The invention discloses a defending device for a cross-site scripting attack. The defending device comprises an intercepting module, a judging module and a submitting module, wherein the intercepting module is used for intercepting a request transmitted to an application in an application server through a cross-site scripting attack filter; the judging module is used for analyzing and processing the intercepted request, and judging whether the request includes malicious codes applied to the cross-site scripting attack; and the submitting module is used for submitting the request to an open-source project for escaping if the request includes the malicious codes applied to the cross-site scripting attack in order to submit the escaped request to the application in the application server. The invention also discloses a defending method for the cross-site scripting attack. Through adoption of the defending device and method, hard coding of Web pages can be avoided; the workload is lowered; and the efficiency in defending of the cross-site scripting attack is increased.

Various embodiments utilize nested Iframes within a web page to allow cross domain communication. That is, various embodiments can create an embedded Iframe that shares the domain of an Iframe or web page with which communication is desired. Because the embedded Iframe shares the domain of the Iframe or web page with which communication is desired, restrictions on cross-site scripting do not inhibit communication or scripting between the domain-matched Iframe(s) and / or web page. This embedded Iframe can then provide a mechanism by which web pages or Iframes from other domains can communicate with the Iframe or web page with which the embedded Iframe shares a domain.

The invention provides a cross-site scripting attack defense method and device and an application server. The method comprises the following steps: receiving an access request sent by a terminal through the application server; resolving the access request to obtain a request header; matching keywords in a feature library with target information in the request header by using a regular expression; and if keywords matched with the target information in the request header exist in the feature library, determining that a malicious code exists in the target information in the request header through the application server, and denying the access request through the application server in order to defense cross-site scripting attacks. Through uniform detection of the access requests sent by the terminal on the application server, hard coding of each Web page is avoided; the workload is lowered; and the cross-site scripting attack defense efficiency is increased.

Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.

The invention provides a method and device for defending a document object model based cross site scripting (DOM-Based-XSS) vulnerability and a client. The method comprises the steps of: parsing a tree structure of a current page DOM; before a data hypertext markup language (HTML) text is loaded, checking a request field related to the DOM tree in a hypertext transfer protocol; and if the requestfield comprises a first category of character strings, carrying out filtering or escaping on the first category of character strings. According to the invention, at a moment before the data HTML textis loaded, the request field in the hypertext transfer protocol is verified, so that verification on a uniform resource locator (URL) can be comprehensively and efficiently implemented; the DOM-Based-XSS vulnerability is repaired; and the method and the device have a full-site defense effect and are helpful for controlling the online service increment DOM-Based-XSS vulnerability and preventing newDOM-Based-XSS vulnerability.

Methods and systems for protecting websites from cross-site scripting are disclosed. A request for a web page comprising a web page element is received from a client. It is determined if the web page comprises a data integrity token for the web page element. It is also determined if a value of the data integrity token matches an expected value. If the web page comprises the data integrity token and if the value matches the expected value, the web page comprising the web page element is sent to the client. If the web page does not comprise the data integrity token or if the value does not match the expected value, a protective operation is performed.

A method for generating a cross-site scripting attack is provided. An attack string sample is analyzed for obtaining a token sequence. A string word corresponding to each token is used to replace the token for generating a cross-site scripting attack string. Accordingly, a large number of cross-site scripting attacks are generated automatically, so as to execute a penetration test for a website.

A web application decomposed into one or more domain sandboxes ensures that the contents of each sandbox are protected from attacks on the web application outside that sandbox. Sandboxing is achieved on a per-element basis by identifying content that should be put under protection, generating a secure domain name for the identified content, and replacing the identified content with a unique reference (e.g., an iframe) to the generated secure domain. The identified content is then served only from the generated secure domain using a content handler.

Methods and systems for cross-site scripting (XSS) defense are described herein. An embodiment includes, embedding one or more tags in content at a server to identify executable and non-executable regions in the content and transmitting the content with the tags to a client based on a request from the client. Another embodiment includes receiving content embedded with one or more permission tags from a server, processing the content and the permission tags, and granting permission to a browser to execute executable content in the content based on the permission tags. A method embodiment also includes receiving content embedded with one or more verify tags from a server, performing an integrity check using the verify tags and granting permission to a browser to execute executable content in the content based on the integrity check.

The invention discloses a method and a system for detecting cross-site scripting attack injection. The method comprises the following steps: recording request logs of user access by a reverse proxy module; grouping and classifying the request logs, and generate and saving a URL parameter; detecting a parameter name and a parameter value in the URL parameter, respectively; replacing the parameter value with corresponding content in a scripting injection attack dictionary list and generating a second request; sending a second request to a target server and receiving a response return request; judging whether the response return request contains attack content, and if so, adding the URL parameter to an injection risk list. In the way, the method for detecting the cross-site scripting attack injection is capable of detecting XSS bugs in a website more comprehensively, reducing the risk of attacks to users and improving the security of the website; besides, the URL detected by use of the method is more complete than the URL detected in a crawler way.

Disclosed are a method, apparatus, and terminal for detecting a document object model-based cross-site scripting attack vulnerability. The method comprises: obtaining a set of parameter value pairs in the original URL of a webpage, the set of parameter value pairs including at least one parameter value pair; replacing parameter values of the parameter pairs with a feature script to form a test URL of the webpage, the feature script being malicious codes that contain malicious characters and can be uniquely identified in a document object model tree of the webpage; obtaining the page content corresponding to the test URL; converting the page content into the document object model tree; and detecting whether the cross-site scripting attack vulnerabilities are in the parameter value pairs according to the document object model tree and the feature script. By using the above solution, DOM XSS vulnerabilities can be effectively found only through searching the inserted feature script in the converted DOM tree and without triggering the execution of the feature script, thus greatly improving the ability of vulnerability discovery and the detection efficiency.