REDUCING CROSS-SITE SCRIPTING ATTACKS BY SEGREGATING HTTP RESOURCES BY SUBDOMAIN

US 20090165124A1
Filed: 12/19/2007
Published: 06/25/2009
Est. Priority Date: 12/19/2007
Status: Active Grant

First Claim

Patent Images

1. A method of storing network-accessible resources, the method comprising the steps of:

assigning first and second subdomains to first and second network-accessible resources, respectively, the first and second subdomains being associated with first and second groups of users, respectively, and members of each group having a common set of access privileges to their respective network-accessible resources; and

storing the first and second resources at network locations having addresses within the first and second subdomains, respectively.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An arrangement for reducing the occurrence of harmful cross-site scripting is provided by segregating on-line content or other resources so that they are accessible at different domains or subdomains, each of which corresponds to a set of users, called a “sharing set,” where each user in the set has identical access privileges to certain resources. The sharing set is provided with an identifier (which may or may not be unique), so that the identifier may be used as the name of the domain or subdomain for which any member of the sharing set is authorized to access the resources located there. In this way, script that is embedded with the content can only be executed among members of the sharing set. Users who are not members of the sharing set are unable to invoke cross site-scripting attacks that would allow them to gain access to data from sharing set members.

91 Citations

View as Search Results

20 Claims

1. A method of storing network-accessible resources, the method comprising the steps of:
- assigning first and second subdomains to first and second network-accessible resources, respectively, the first and second subdomains being associated with first and second groups of users, respectively, and members of each group having a common set of access privileges to their respective network-accessible resources; and
  
  storing the first and second resources at network locations having addresses within the first and second subdomains, respectively.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 including a further step of storing metadata that associates the first and second resources with the first and second groups of users, respectively.
  - 3. The method of claim 1 including a further step of including in the first and second subdomains an ACL identifier of the first and second groups of users, respectively.
  - 4. The method of claim 1 including a further step of including in the first and second subdomains a hash of an ACL identifier of the first and second groups of users, respectively.
  - 5. The method of claim 1 including a further step of including in the addresses an encrypted version of a hash of an ACL identifier.
  - 6. The method of claim 1 in which the addresses of the network locations are URLs.
  - 7. The method of claim 1 including a further step of receiving the first network-accessible resource over a network from a first member of the first group of users and receiving the second network-accessible resource from a first member of the second group of users.
  - 8. The method of claim 7 including a further step of returning the addresses for the first and second network-accessible resources over the network to the first member of the first group and the first member of the second group, respectively.
  - 9. At least one computer-readable medium encoded with instructions which, when executed by a processor, performs the method of claim 1.

10. A method of accessing a network-accessible resource, the method comprising the steps of:
- receiving over a network an address of a resource to be accessed by a user, the address including a subdomain corresponding to a group of users who have a common set of access privileges with respect to the resource;
  
  retrieving the resource and metadata associated therewith using the address that is received; and
  
  comparing information derived from the metadata with the subdomain included with the address and, if a match is obtained, forwarding the resource over the network to the user.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The method of claim 10 comprising a further step of including in the subdomain an ACL identifier of the group of users.
  - 12. The method of claim 11 comprising a further step of including in the subdomain a hash of an ACL identifier of the group of users.
  - 13. The method of claim 10 including further steps of receiving, over the network, information from which an unprotected address associated with a trusted domain can be determined, and sending the user a second address corresponding to the address of the resource that is accessed by the user.
  - 14. The method of claim 10 including a further step of including within the address an encrypted version of a hash of an ACL identifier.

15. A method of securing network-accessible content from access by unauthorized users, the method comprising the steps of:
- establishing a sharing set, the sharing set including users having identical access privileges to selected network-accessible content;
  
  segregating the selected network-accessible content by storing it at a network location having a network address within a subdomain accessible only to the sharing set;
  
  storing an ACL associated with the selected network-accessible content, the ACL specifying the users in the sharing set;
  
  receiving a request from a user to access a content item from among the selected network-accessible content;
  
  determining if the user is a member of the sharing set; and
  
  forwarding the content item to the user only if the user is a member of the sharing set.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15 including further steps of forwarding the network address to the user if the user is specified in the ACL, and receiving a second request from the user to receive content located at the network address.
  - 17. The method of claim 16 in which the subdomain includes a representation of the ACL.
  - 18. The method of claim 17 including a further step of generating a hash of the ACL to serve as the representation of the ACL.
  - 19. The method of claim 17 including further steps of forwarding information associated with a trusted domain to the user if the user is specified in the ACL, receiving a second request from the user to receive content located at an unprotected network address determined from the information and, in response to the second request, forwarding the network address to the user.
  - 20. The method of claim 19 including a further step of encrypting the ACL to serve as the representation of the ACL.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Spektor, Daron

Granted Patent

US 9,172,707 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/21
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/104 Grouping of entities

REDUCING CROSS-SITE SCRIPTING ATTACKS BY SEGREGATING HTTP RESOURCES BY SUBDOMAIN

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

91 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

REDUCING CROSS-SITE SCRIPTING ATTACKS BY SEGREGATING HTTP RESOURCES BY SUBDOMAIN

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links