CROSS-SITE SCRIPTING FILTER

US 20090119769A1
Filed: 11/05/2007
Published: 05/07/2009
Est. Priority Date: 11/05/2007
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented system for processing a cross-site scripting (XSS) attack, comprising:

a communications component for processing traffic between a client and a server; and

a filter component for filtering a reflected XSS attack from the traffic.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A reflected cross-site scripting (XSS) mitigation technique that can be implemented wholly on the client by installing a client-side filter that prevents reflected XSS vulnerabilities. XSS filtering performed entirely on the client-side enables web browsers to defend against XSS involving servers which may not have sufficient XSS mitigations in place. The technique accurately identifies XSS attacks using carefully selected heuristics and matching suspect portions of URLs and POST data with reflected page content. The technique used by the filter quickly identifies and passes through traffic which is deemed safe, keeping performance impact from the filter to a minimum. Non-HTML MIME types can be passed through quickly as well as requests which are same-site. For the remaining requests, regular expressions are not run across the full HTTP response unless XSS heuristics are matched in the HTTP request URL or POST data.

Citations

20 Claims

1. A computer-implemented system for processing a cross-site scripting (XSS) attack, comprising:
- a communications component for processing traffic between a client and a server; and
  
  a filter component for filtering a reflected XSS attack from the traffic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the communications component is a browser of the client that sends an HTTP request to the server and the filter component operates on the client to filter the XSS attack.
  - 3. The system of claim 1, wherein the traffic is HTTP request/response traffic and the filter component analyzes the request traffic to confirm the XSS attack in the response traffic.
  - 4. The system of claim 3, wherein the communications component is a firewall application at the server that processes the HTTP request/response traffic, and the filter component operates as part of the firewall application to filter the XSS attack.
  - 5. The system of claim 3, wherein the communications component is a proxy firewall application at the server, which is a proxy server or a reverse proxy server that processes the HTTP request/response traffic, and the filter component operates as part of the proxy firewall application to filter the XSS attack.
  - 6. The system of claim 1, wherein the server disables the filter component for a particular response based on a specific HTTP response header.
  - 7. The system of claim 1, wherein the filter component processes heuristics against outgoing traffic of the client to the server to generate signatures, and processes the signatures against incoming traffic from the server to filter the XSS attack.
  - 8. The system of claim 1, wherein the filter component chooses one or more neuter characters for replacement in a response from the server to the client for determining occurrence of the XSS attack.
  - 9. The system of claim 1, wherein the filter component processes one or more signatures against incoming traffic from the server to determine occurrence of the XSS attack, the attack based on content of the incoming traffic having a MIME type.
  - 10. The system of claim 1, wherein the filter component processes all input to a script engine and when a script block is identified, the filter component scans original outgoing traffic for a request to find a script that is about to be executed and filters the script block based on a match of the script with the script block.

11. A computer-implemented system for processing an XSS attack, comprising:
- a client browser for processing a request and a response between a client and a server; and
  
  a filter component as part of the client browser for analyzing the request using heuristics and the response using signatures generated from the heuristics, and filtering a reflected XSS attack from the response traffic based on the signatures.

12. A computer-implemented method of filtering a reflected XSS attack, comprising:
- sending a request to a server;
  
  processing the request using heuristics to determine if a signature is generated;
  
  receiving a response from the server; and
  
  filtering the response as a reflected XSS attack based on the generation of the signature.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The method of claim 12, further comprising matching suspect portions of the request with reflected webpage content to determine if an XSS attack exists in the response.
  - 14. The method of claim 12, wherein the request includes one or more of a URL or POST data.
  - 15. The method of claim 14, further comprising employing regular expressions to identify specific patterns of characters in the one or more of a URL or POST data of the request.
  - 16. The method of claim 12, further comprising passing through non-HTML MIME types and same-site requests without filter processing and without generating a signature.
  - 17. The method of claim 12, further comprising checking a referer header of the request by comparing a fully qualified domain name of the referer header to a fully qualified domain name of a URL being retrieved, and filtering the request if there is a mismatch or, there is an absent or empty referrer header.
  - 18. The method of claim 12, further comprising selecting and inserting one or more neuter characters into the heuristics to identify suspect characters in the request for modification in processing of the response.
  - 19. The method of claim 12, further comprising generating the signature from a heuristic based on a match of a specific pattern of characters in the request as determined by the heuristic.
  - 20. The method of claim 12, further comprising scanning the response using the signature, neutering the response using a neuter replacement character based on the signature, and returning the response to a client browser.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ross, David A., Lipner, Steven B.

Application Number

US11/935,323
Publication Number

US 20090119769A1
Time in Patent Office

Days
Field of Search
US Class Current

726/13
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/56   Computer malware detection ...

H04L 63/1441   Countermeasures against mal...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

CROSS-SITE SCRIPTING FILTER

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CROSS-SITE SCRIPTING FILTER

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links