PERSISTENT CROSS-SITE SCRIPTING VULNERABILITY DETECTION

US 20160149947A1
Filed: 06/04/2015
Published: 05/26/2016
Est. Priority Date: 11/25/2014
Status: Active Grant

First Claim

Patent Images

1. A method for detecting a persistent cross-site scripting vulnerability comprising:

detecting, via a processor, a read operation executed on a resource using an instrumentation mechanism;

returning, via the processor, a malicious script in response to the read operation; and

detecting, via the processor, a script operation that indicates the execution of the malicious script that results in resource data being sent to an external computing device from a client device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various techniques for detecting a persistent cross-site scripting vulnerability are described herein. In one example, a method includes detecting, via the processor, a read operation executed on a resource using an instrumentation mechanism and returning, via the processor, a malicious script in response to the read operation. The method also includes detecting, via the processor, a write operation executed on the resource using the instrumentation mechanism and detecting, via the processor, a script operation executed by the malicious script that results in resource data being sent to an external computing device from a client device. Furthermore, the method includes receiving, via the processor, metadata indicating the execution of the read operation, the write operation, and the script operation.

23 Citations

View as Search Results

8 Claims

1. A method for detecting a persistent cross-site scripting vulnerability comprising:
- detecting, via a processor, a read operation executed on a resource using an instrumentation mechanism;
  
  returning, via the processor, a malicious script in response to the read operation; and
  
  detecting, via the processor, a script operation that indicates the execution of the malicious script that results in resource data being sent to an external computing device from a client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - detecting, via the processor, a write operation executed on the resource using the instrumentation mechanism; and
      
      receiving, via the processor, metadata indicating one or more of;
      
      the execution of the read operation, execution of the write operation, and the execution of the script operation.
  - 3. The method of claim 1, further comprising detecting the resource data from the external computing device in response to the execution of the malicious script on the client device.
  - 4. The method of claim 1, wherein the read operation executed on the resource is detected in response to input provided by a scanner.
  - 5. The method of claim 4, wherein the scanner generates the input, the input simulating user interaction with the application and requesting the execution of the read operation or the write operation.
  - 6. The method of claim 2, wherein the metadata comprises call stack data.
  - 7. The method of claim 1, further comprising detecting that an application fails to sanitize the malicious script returned by the instrumentation mechanism in response to the read operation.
  - 8. The method of claim 2, further comprising detecting that an application fails to sanitize a client-side script written to a resource through the write operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HCL Technologies Limited
Original Assignee
International Business Machines Corporation
Inventors
Bronshtein, Emanuel, Kedmi, Sagi, Hay, Roee

Granted Patent

US 9,948,665 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/1433 Vulnerability analysis

H04L 63/1466 Active attacks involving in...

PERSISTENT CROSS-SITE SCRIPTING VULNERABILITY DETECTION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

23 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

PERSISTENT CROSS-SITE SCRIPTING VULNERABILITY DETECTION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links