Systems and methods for mitigating cross-site scripting

US 20040260754A1
Filed: 06/20/2003
Published: 12/23/2004
Est. Priority Date: 06/20/2003
Status: Abandoned Application

First Claim

Patent Images

1. In a system that includes a user computer that communicates with a server computer over a network, a method for mitigating a cross-site scripting attack, the method comprising:

receiving a request from a user computer, wherein the request includes data derived from an outside source;

determining if the request from the user computer includes a marker of active content; and

refraining from executing the request if the request includes the marker of active content.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for mitigating cross-site scripting attacks. When an HTTP request is received from a user computer, the HTTP request is evaluated to determine if it includes a script construct. Particularly, data derived from an outside source that is included in the HTTP request is examined for the presence of script constructs. The presence of a script construct indicates that a cross-site scripting attack is being executed and the server computer is able to prevent the attack from being carried out.

Citations

25 Claims

1. In a system that includes a user computer that communicates with a server computer over a network, a method for mitigating a cross-site scripting attack, the method comprising:
- receiving a request from a user computer, wherein the request includes data derived from an outside source;
  
  determining if the request from the user computer includes a marker of active content; and
  
  refraining from executing the request if the request includes the marker of active content.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A method as defined in claim 1, wherein receiving a request from a user computer further comprises receiving an HTTP request from the user computer.
  - 3. A method as defined in claim 1, wherein receiving a request from a user computer further comprises at least one of:
    - receiving a cookie from the user computer;
      
      receiving a query string from the user computer;
      
      receiving an HTTP form from the user computer; and
      
      receiving one or more HTTP headers from the user computer.
  - 4. A method as defined in claim 3, wherein determining if the request from the user computer includes a marker of active content further comprises evaluating only a portion of the request that includes the data derived from an outside source.
  - 5. A method as defined in claim 1, wherein determining if the request from the user computer includes a marker of active content further comprises at least one of:
    - searching the request for one or more character combinations that correspond to a script construct;
      
      searching the request for an event that includes a script construct; and
      
      searching the request for an expression that includes a script construct.
  - 6. A method as defined in claim 1, wherein determining if the request from the user computer includes a marker of active content further comprises searching the request for a pattern that indicates an unauthorized script.
  - 7. A method as defined in claim 1, wherein refraining from executing the request if the request includes the marker of active content further comprises at least one of:
    - generating an event that is logged at the server;
      
      encoding a response that is delivered to the user computer; and
      
      requiring the user computer to re-submit the request.

8. In a system that includes a user computer that communicates with a server computer over a network, wherein the server computer generates dynamic content based on input from the user computer, a method for mitigating a cross-site scripting attack such that data submitted to the server computer is not sent back to the user computer as script, the method comprising:
- receiving an HTTP request at a server computer, wherein the HTTP request includes input data that was not generated by the server computer;
  
  evaluating the HTTP request to determine if the input data includes a script construct, wherein the script construct indicates that HTTP request is part of a cross-site scripting attack; and
  
  preventing the cross-site scripting attack if the input data includes a script construct.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. A method as defined in claim 8, wherein receiving an HTTP request at a server computer further comprises at least one of:
    - receiving a query string that includes at least one query string variable;
      
      receiving a cookie;
      
      receiving one or more headers in the HTTP request; and
      
      receiving one or more form fields.
  - 10. A method as defined in claim 8, wherein evaluating the HTTP request to determine if the input data includes a script construct further comprises at least one of:
    - searching the HTTP request for one or more character combinations that correspond to a script construct;
      
      searching the HTTP request for an event that includes a script construct;
      
      searching server variables that derive input data from another source; and
      
      searching the HTTP request for an expression that includes a script construct.
  - 11. A method as defined in claim 8, wherein evaluating the HTTP request to determine if the input data includes a script construct further comprises searching the input data for a script construct.
  - 12. A method as defined in claim 11, wherein searching the input data for a script construct further comprises searching for patterns associated with scripts.
  - 13. A method as defined in claim 8, wherein preventing the cross-site scripting attack if the input data includes a script construct further comprises refraining from executing the HTTP request.
  - 14. A method as defined in claim 8, wherein preventing the cross-site scripting attack if the input data includes a script construct further comprises logging an event at the server computer.
  - 15. A method as defined in claim 8, wherein preventing the cross-site scripting attack if the input data includes a script construct further comprises encoding the user input including the script construct to render the script inert.
  - 16. A method as defined in claim 8, wherein evaluating the HTTP request to determine if the input data includes a script construct further comprises evaluating the HTTP request to determine in the input data includes a marker of active content.
  - 17. A method as defined in claim 16, wherein evaluating the HTTP request to determine in the input data includes a marker of active content further comprises determining if the marker of active content is within a particular element, wherein the marker of active content is harmful only when rendered within the particular element.

18. In a system that includes a user computer that communicates with a server computer over a network, wherein the server computer generates dynamic content based on input from the user computer, a computer program product for implementing a method for mitigating a cross-site scripting attack such that input data submitted to the server computer is not sent back to the user computer as script, the computer program product comprising:
- a computer-readable medium having computer executable instructions for performing the method, the method comprising;
  
  receiving an HTTP request at a server computer, wherein the HTTP request includes input data that was not generated by the server computer;
  
  evaluating the HTTP request to determine if the input data includes a script construct that indicates a cross-site scripting attack; and
  
  preventing the cross-site scripting attack if the input data includes a script construct.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. A computer program product as defined in claim 18, wherein receiving an HTTP request at a server computer further comprises at least one of:
    - receiving a query string that includes query string variables;
      
      receiving a cookie;
      
      receiving one or more headers in the HTTP request; and
      
      receiving one or more form fields.
  - 20. A computer program product as defined in claim 18, wherein evaluating the HTTP request to determine if the input data includes a script construct further comprises at least one of:
    - searching the HTTP request for one or more character combinations that correspond to a script construct;
      
      searching the HTTP request for an event that includes a script construct;
      
      searching server variables that derive input data from another source; and
      
      searching the HTTP request for an expression that includes a script construct.
  - 21. A computer program product as defined in claim 18, wherein evaluating the HTTP request to determine if the input data includes a script construct further comprises searching the input data for a script construct.
  - 22. A computer program product as defined in claim 21, wherein searching the input data for a script construct further comprises searching for patterns associated with scripts.
  - 23. A computer program product as defined in claim 18, wherein preventing the cross-site scripting attack if the input data includes a script construct further comprises refraining from executing the HTTP request.
  - 24. A computer program product as defined in claim 18, wherein preventing the cross-site scripting attack if the input data includes a script construct further comprises logging an event at the server computer.
  - 25. A computer program product as defined in claim 18, wherein preventing the cross-site scripting attack if the input data includes a script construct further comprises encoding the user input including the script construct to render the script inert.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Han, Peixin, Olson, Erik, Kothari, Nikhil, Robsman, Dmitry, Ebbo, David S., Guthrie, Scott, Warren, Susan

Application Number

US10/600,683
Publication Number

US 20040260754A1
Time in Patent Office

Days
Field of Search
US Class Current

709/200
CPC Class Codes

H04L 63/1466   Active attacks involving in...

H04L 63/162   at the data link layer

H04L 67/02   based on web technology, e....

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Systems and methods for mitigating cross-site scripting

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for mitigating cross-site scripting

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links