Endpoint segregation to prevent scripting attacks

US 10,044,728 B1
Filed: 07/06/2015
Issued: 08/07/2018
Est. Priority Date: 07/06/2015
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a static content endpoint server implemented by one or more hardware computing devices, wherein the static content endpoint server is configured to;

receive a content page request from a client application;

generate a content page response to the content page request, wherein the content page response comprises a page including static content for the requested content page, an active content source reference that instructs the client application to download an active content loader from an active content endpoint, and a first policy setting that instructs the client application to not execute any active content for the content page unless a source of active content is the active content endpoint; and

provide the content page response to the client application from a static content endpoint that is distinct from the active content endpoint;

an active content endpoint server implemented by one or more hardware computing devices, wherein the active content endpoint server is configured to;

receive a loader request from the client application for the active content loader, wherein the active content loader is configured to execute at the client application to download, from the active content endpoint, one or more active content files for active content specified for the content page and a filtering pipe for the active content specified for the content page, wherein the filtering pipe is configured to execute at the client application to filter parameters for methods of the active content files prior to the methods executing at the client application;

generate a loader response to the loader request, wherein the loader response comprises the active content loader and a second policy setting that instructs the client application to not execute any active content for the content page unless a source of active content is the active content endpoint;

provide the loader response to the client application from the active content endpoint;

receive, from the active content loader at the client application, an active content request for the one or more active content files for active content specified for the content page;

generate an active content response to the active content request, wherein the active content response comprises the one or more active content files and the second policy setting that instructs the client application to not execute any active content for the content page unless the source of the active content is the active content endpoint; and

provide the active content response to the client application from the active content endpoint.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure and efficient technique to prevent cross-site scripting attacks based on segregating the content within a given content page among independent endpoints, or servers, where static content is provided from one endpoint and active content is provided from another endpoint. Together, the different endpoints make up an endpoint segregation system. Further, security features of HTTP/HTML are used to restrict sources from which active content may be executed according to the division of static and active content among the endpoints of the endpoint segregation system.

Citations

20 Claims

1. A system, comprising:
- a static content endpoint server implemented by one or more hardware computing devices, wherein the static content endpoint server is configured to;
  
  receive a content page request from a client application;
  
  generate a content page response to the content page request, wherein the content page response comprises a page including static content for the requested content page, an active content source reference that instructs the client application to download an active content loader from an active content endpoint, and a first policy setting that instructs the client application to not execute any active content for the content page unless a source of active content is the active content endpoint; and
  
  provide the content page response to the client application from a static content endpoint that is distinct from the active content endpoint;
  
  an active content endpoint server implemented by one or more hardware computing devices, wherein the active content endpoint server is configured to;
  
  receive a loader request from the client application for the active content loader, wherein the active content loader is configured to execute at the client application to download, from the active content endpoint, one or more active content files for active content specified for the content page and a filtering pipe for the active content specified for the content page, wherein the filtering pipe is configured to execute at the client application to filter parameters for methods of the active content files prior to the methods executing at the client application;
  
  generate a loader response to the loader request, wherein the loader response comprises the active content loader and a second policy setting that instructs the client application to not execute any active content for the content page unless a source of active content is the active content endpoint;
  
  provide the loader response to the client application from the active content endpoint;
  
  receive, from the active content loader at the client application, an active content request for the one or more active content files for active content specified for the content page;
  
  generate an active content response to the active content request, wherein the active content response comprises the one or more active content files and the second policy setting that instructs the client application to not execute any active content for the content page unless the source of the active content is the active content endpoint; and
  
  provide the active content response to the client application from the active content endpoint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the page is among a plurality of pages accessible from the static content endpoint server, wherein to generate the content page response to the content page request, the static content endpoint server is further configured to:
    - filter the page to remove active content source reference instructions except for the active content source reference that instructs the client application to download the active content loader from the active content endpoint;
      
      include the page in the content page response without filtering the page to remove active content; and
      
      set the first policy setting within the content page response.
  - 3. The system of claim 1, wherein the active content endpoint server is further configured to:
    - receive a request from the client application for a template for the content page, wherein the template specifies the active content files for the content page; and
      
      provide the template to the client application.
  - 4. The system of claim 3, wherein the template further specifies method names of the methods of the active content files to be called and parameters to the methods, wherein the filtering pipe obtains the method names and parameters specified in the template in order to filter the parameters prior to the methods executing at the client application.
  - 5. The system of claim 3, wherein the active content loader provided from the active content server examines the template to determine the active content files to request from the active content endpoint.
  - 6. The system of claim 1, wherein the active content endpoint server is further configured to:
    - receive a request from the client application for a filtering pipe configuration file corresponding to the content page, wherein the filtering pipe configuration file includes mapping information between the methods of the active content files and filtering methods; and
      
      provide the filtering pipe configuration file to the client application;
      
      wherein to filter parameters for the methods of the active content files prior to the methods executing at the client application, the filtering pipe is configured to, for each given method of the methods of the active content files;
      
      examine the filtering pipe configuration file to determine a filtering method to apply for the given method to be invoked;
      
      call the determined filtering method to filter parameters for the given method to generate a filtered set of parameters; and
      
      invoke the given method with the filtered set of parameters.
  - 7. The system of claim 6, wherein to determine the filtering method to apply for the given method of the methods of the active content files, the filtering pipe is further configured to:
    - determine, based on an examination of the filtering pipe configuration file, that no filtering method is mapped to the given method of the methods of the active content files; and
      
      determine the filtering method to apply to be a default filtering method.
  - 8. The system of claim 6, wherein the active content endpoint server is further configured to:
    - receive a request from the client application for the filtering methods; and
      
      provide the filtering methods to the client application;
      
      wherein a given filtering method of the filtering methods is configured to, in response to being invoked with a method identifier and a suspect set of parameters;
      
      apply a whitelist filter to the suspect set of parameters, wherein the whitelist filter is defined based at least on a type of parameters expected for a method corresponding to the method identifier, oridentify one or more portions of the suspect set of parameters interpretable by the client application as active content and encode the identified one or more portions to not be interpretable by the client application as active content.
  - 9. The system of claim 1, wherein to generate the content page response to the content page request, the static content endpoint server is further configured to:
    - generate a Hypertext Transfer Protocol (HTTP) message, wherein the HTTP message includes;
      
      a message header specifying the first policy setting as an HTTP content security policy; and
      
      a Hypertext Markup Language (HTML) message body including the page.
  - 10. The system of claim 1, wherein to generate the content page response to the content page request, the static content endpoint server is further configured to:
    - insert a Hypertext Markup Language tag within the page specifying the first policy setting as a Hypertext Transfer Protocol content security policy.

11. A method, comprising:
- performing by one or more servers of a static content endpoint, in response to receiving a content page request from a client application;
  
  generating a content page response to the content page request, wherein the content page response comprises a page including static content for the requested content page, an active content source reference that instructs the client application to download an active content loader from an active content endpoint, and a first policy setting that instructs the client application to not execute any active content for the content page unless sourced from the active content endpoint;
  
  providing the content page response to the client application from a static content endpoint that is distinct from the active content endpoint; and
  
  performing by one or more servers of the active content endpoint;
  
  in response to receiving a loader request from the client application for the active content loader;
  
  generating a loader response to the loader request, wherein the active content loader is configured to execute at the client application to download, from the active content endpoint, one or more active content files for active content specified for the content page and a filtering pipe for the active content specified for the content page, and wherein the loader response comprises the active content loader and a second policy setting that instructs the client application to not execute any active content for the content page unless sourced from the active content endpoint; and
  
  providing the loader response to the client application from the active content endpoint; and
  
  in response to receiving an active content request from the active content loader at the client application;
  
  generating an active content response to the active content request, wherein the active content request specifies one or more active content files for active content specified for the content page, and wherein the active content response comprises the one or more active content files and the second policy setting; and
  
  providing the active content response to the client application from the active content endpoint.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, wherein the page is among a plurality of pages, and wherein said generating the content page response to the content page request further comprises:
    - filtering the page to remove active content source reference instructions except for the active content source reference that instructs the client application to download the active content loader from the active content endpoint;
      
      including the page in the content page response without filtering the page to remove active content; and
      
      setting the first policy setting within the content page response.
  - 13. The method of claim 11, further comprising:
    - in response to receiving a template request from the client application for a template for the content page;
      
      generating a template response to the request for the template, wherein the template response comprises the template and a third policy setting, and wherein the template specifies the active content files for the content page; and
      
      providing the template response to the client application.
  - 14. The method of claim 13, wherein the template further specifies method names of the methods of the active content files to be called and parameters to the methods, wherein the filtering pipe obtains the method names and parameters specified in the template in order to filter the parameters prior to the methods executing at the client application.
  - 15. The method of claim 11, further comprising:
    - in response to receiving a filtering pipe configuration file request from the client application for the filtering pipe configuration file for the content page;
      
      generating a filtering pipe configuration file response comprising the filtering pipe configuration file and a third policy setting, wherein the filtering pipe configuration file includes mapping information between the methods of the active content files and filtering methods, and wherein the mapping information is specified for the filtering pipe to perform, for methods of the active content files prior to the methods executing at the client application, and for a given method of the methods of the active content files;
      
      examining the filtering pipe configuration file to determine a filtering method to apply for the given method to be invoked;
      
      calling the determined filtering method to filter parameters for the given method to generate a filtered set of parameters; and
      
      invoking the given method with the filtered set of parameters; and
      
      providing the filtering pipe configuration file response to the client application.
  - 16. The method of claim 15, further comprising:
    - in response to receiving a filtering method request from the client application for the filtering methods;
      
      generating a filtering methods response comprising the filtering methods and a third policy setting, wherein a given filtering method performs, in response to being invoked with a method identifier and a suspect set of parameters;
      
      applying a whitelist filter to the suspect set of parameters, wherein the whitelist filter is defined based at least on a type of parameters expected for a method corresponding to the method identifier, oridentifying one or more portions of the suspect set of parameters interpretable by the client application as active content and encode the identified one or more portions to not be interpretable by the client application as active content; and
      
      providing the filtering methods response to the client application.

17. A method, comprising:
- performing, by one or more computer devices;
  
  receiving, from one or more servers for a static content endpoint, a page and a first policy setting, wherein the page includes static content for a requested content page and an active content source reference that instructs a client application to download an active content loader from a particular active content endpoint that is distinct from the static content endpoint, and wherein the first policy setting instructs the client application to not execute any active content for the content page unless a source of the active content is the particular active content endpoint;
  
  applying the first policy setting to prevent execution of any active content for the content page unless a source of active content is the particular active content endpoint;
  
  downloading, based at least in part on the active content source reference in the page, the active content loader and a second policy setting from the particular active content endpoint;
  
  applying the second policy setting to prevent execution of any active content for the content page unless a source of active content is the particular active content endpoint; and
  
  executing the active content loader, wherein said executing the active content loader comprises;
  
  downloading, from one or more servers of the particular active content endpoint, a filtering pipe and one or more active content files for active content specified for the content page; and
  
  executing the filtering pipe, wherein said executing the filtering pipe comprises filtering parameters for one or more methods of the one or more active content files prior to executing the one or more methods to generate active content for the content page.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - prior to said downloading the one or more active content files;
      
      downloading, in response to a request for a template to the particular active content endpoint, a template specifying the one or more active content files and specifying method names of the methods of the active content files to be called and parameters to the methods, wherein the filtering pipe obtains the method names and parameters specified in the template in order to filter the parameters prior to the methods executing at the client application.
  - 19. The method of claim 17, further comprising:
    - downloading, in response to a request for filtering methods to the particular active content endpoint, the filtering methods;
      
      downloading, in response to a request for a filtering pipe configuration file to the particular active content endpoint, the filtering pipe configuration file; and
      
      wherein said executing the filtering pipe comprises, for each given method of the methods of the active content files;
      
      examining the filtering pipe configuration file to determine a filtering method to apply for the given method to be invoked;
      
      calling the determined filtering method to filter parameters for the given method to generate a filtered set of parameters; and
      
      invoking the given method with the filtered set of parameters.
  - 20. The method of claim 19, wherein the determined filtering method, in response to being called with a method identifier and a suspect set of parameters, performs:
    - applying a whitelist filter to the suspect set of parameters, wherein the whitelist filter is defined based at least on a type of parameters expected for a method corresponding to the method identifier, oridentifying one or more portions of the suspect set of parameters interpretable by the client application as active content and encode the identified one or more portions to not be interpretable by the client application as active content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Tripathi, Aridaman, Candebat, Thibault
Primary Examiner(s)
Armouche, Hadi S
Assistant Examiner(s)
Lapian, Alexander R

Application Number

US14/792,003
Time in Patent Office

1,128 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/606   by securing the transmissio...

H04L 63/105   Multiple levels of security

H04L 63/1466   Active attacks involving in...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/12   specially adapted for propr...

Endpoint segregation to prevent scripting attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Endpoint segregation to prevent scripting attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links