Automated detection of cross site scripting vulnerabilities

US 7,343,626 B1
Filed: 11/12/2002
Issued: 03/11/2008
Est. Priority Date: 11/12/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-performed method for automated detection of a cross site scripting vulnerability of a web site, comprising:

determining key-value pairs corresponding to the web site;

for each determined key-value pair, at least until a first vulnerability is detected, performing a sub-method comprising;

submitting the key-value pair to the web site, wherein the value of the key-value pair comprises a tracer value;

receiving a web page responsive to the submitted key-value pair;

determining a location of the tracer value, when present, in the received web page; and

when the tracer value is present in the received web page, submitting a second key-value pair to the web site, wherein the value of the second key-value pair comprises a script.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An automated method and system for testing a web site for vulnerability to a cross site scripting (XSS) attack are disclosed. The automated tool injects a tracer value into both GET and POST form data, and monitors the resultant HTML to determine whether the tracer value is returned to the local machine by the server to which it was sent. If the tracer value is returned, the automated tool attempts to exploit the web site by injecting a non-malicious script as part of an input value for some form data, based on the location in the returned HTML in which the returned tracer value was found. If the exploit is successful, as indicated by the non-malicious script, the automated tool logs the exploit to a log file that a user can review at a later time, e.g., to assist in debugging the web site.

147 Citations

54 Claims

1. A computer-performed method for automated detection of a cross site scripting vulnerability of a web site, comprising:
- determining key-value pairs corresponding to the web site;
  
  for each determined key-value pair, at least until a first vulnerability is detected, performing a sub-method comprising;
  
  submitting the key-value pair to the web site, wherein the value of the key-value pair comprises a tracer value;
  
  receiving a web page responsive to the submitted key-value pair;
  
  determining a location of the tracer value, when present, in the received web page; and
  
  when the tracer value is present in the received web page, submitting a second key-value pair to the web site, wherein the value of the second key-value pair comprises a script.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The computer-performed method of claim 1, wherein the script, if executed, signifies that the web site is vulnerable to a cross site scripting attack, and wherein a format of the script-comprised value of the second key-value pair is based on the determined location of the tracer value.
  - 3. The computer-performed method of claim 1, further comprising writing vulnerability data corresponding to the web page to a log file, based on whether the script is executed.
  - 4. The computer-performed method of claim 2, wherein the location of the tracer value is determined based on a document object model of the web page.
  - 5. The computer-performed method of claim 4, wherein when the location of the tracer value is within displayed text of a body of the web page, the format of the script-comprised value begins with a script tag.
  - 6. The computer-performed method of claim 4, wherein when the location of the tracer value is within an HTML tag, the format of the script-comprised value begins with indicia that closes the HTML tag.
  - 7. The computer-performed method of claim 6, wherein when the location of the tracer value is within an IMG tag, the format of the script-comprised value begins with a graphical file extension.
  - 8. The computer-performed method of claim 4, wherein when the location of the tracer value is within a script block, the format of the script-comprised value does not begin with a <
    - SCRIPT>
      
      tag.
  - 9. The computer-performed method of claim 6, wherein when the location of the tracer value is within a comment field, the format of the script-comprised value begins with “
    - -->
      
      ”
      
      .
  - 10. The computer-performed method of claim 1, further comprising:
    - prior to performing the sub-method, determining whether the web site falls within a range of allowed web sites; and
      
      if the web site does not fall within the range of allowed web sites, halting execution of the computer-performed method.
  - 11. The computer-performed method of claim 1, further comprising:
    - prior to performing the sub-method, determining whether the computer performing the method is located on a home network; and
      
      if the computer performing the method is not located on the home network, halting execution of the computer-performed method.
  - 12. The computer-performed method of claim 1, wherein web site information from which the key-value pairs are determined is received via a clipboard of the computer'"'"'s operating system.
  - 13. The computer-performed method of claim 1, wherein web site information from which the key-value pairs are determined is received via an input file comprising a listing of multiple web sites to be tested.
  - 14. The computer-performed method of claim 1, further comprising:
    - when the web site has no corresponding key-value pairs, submitting to the web site a third key-value pair, wherein the value of the third key-value pair comprises a script that, if executed, signifies that the web site is vulnerable to a cross site scripting attack.
  - 15. The computer-performed method of claim 1, wherein the key-value pairs are submitted via a form.
  - 16. The computer-performed method of claim 15, wherein the key-value pairs are submitted via a POST command.
  - 17. The computer performed method of claim 1, wherein the key-value pairs are submitted via a URL.
  - 18. The computer-performed method of claim 17, wherein the key-value pairs are submitted via a GET method.

19. A computer-readable storage medium storing computer readable instructions that, when executed, cause a computer to perform a method for automated detection of a cross site scripting vulnerability of a web site, comprising:
- determining key-value pairs corresponding to the web site;
  
  for each determined key-value pair, at least until a first vulnerability is detected, performing a sub-method comprising;
  
  submitting the key-value pair to the web site, wherein the value of the key-value pair comprises a tracer value;
  
  receiving a web page responsive to the submitted key-value pair;
  
  determining a location of the tracer value, when present, in the received web page; and
  
  when the tracer value is present in the received web page, submitting a second key-value pair to the web site, wherein the value of the second key-value pair comprises a script.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The computer-readable storage medium of claim 19, wherein the script, if executed, signifies that the web site is vulnerable to a cross site scripting attack, and wherein a format of the script-comprised value of the second key-value pair is based on the determined location of the tracer value.
  - 21. The computer-readable storage medium of claim 19, wherein the computer readable instructions further comprise writing vulnerability data corresponding to the web page to a log file, based on whether the script is executed.
  - 22. The computer-readable storage medium of claim 20, wherein the location of the tracer value is determined based on a document object model of the web page.
  - 23. The computer-readable storage medium of claim 22, wherein when the location of the tracer value is within displayed text of a body of the web page, the format of the script-comprised value begins with a script tag.
  - 24. The computer-readable storage medium of claim 22, wherein when the location of the tracer value is within an HTML tag, the format of the script-comprised value begins with indicia that closes the HTML tag.
  - 25. The computer-readable storage medium of claim 24, wherein when the location of the tracer value is within an IMG tag, the format of the script-comprised value begins with a graphical file extension.
  - 26. The computer-readable storage medium of claim 22, wherein when the location of the tracer value is within a script block, the format of the script-comprised value does not begin with a <
    - SCRIPT>
      
      tag.
  - 27. The computer-readable storage medium of claim 24, wherein when the location of the tracer value is within a comment field, the format of the script-comprised value begins with “
    - -->
      
      ”
      
      .
  - 28. The computer-readable storage medium of claim 19, wherein the computer readable instructions further comprise:
    - prior to performing the sub-method, determining whether the web site falls within a range of allowed web sites; and
      
      if the web site does not fall within the range of allowed web sites, halting execution of the computer-performed method.
  - 29. The computer-readable storage medium of claim 19, wherein the computer readable instructions further comprise:
    - prior to performing the sub-method, determining whether the computer performing the method is located on a home network; and
      
      if the computer performing the method is not located on the home network, halting execution of the computer-performed method.
  - 30. The computer-readable storage medium of claim 19, wherein web site information from which the key-value pairs are determined is received via a clipboard of the computer'"'"'s operating system.
  - 31. The computer-readable storage medium of claim 19, wherein web site information from which the key-value pairs are determined is received via an input file comprising a listing of multiple web sites to be tested.
  - 32. The computer-readable storage medium of claim 19, further comprising:
    - when the web site has no corresponding key-value pairs, submitting to the web site a third key-value pair, wherein the value of the third key-value pair comprises a script that, if executed, signifies that the web site is vulnerable to a cross site scripting attack.
  - 33. The computer-readable storage medium of claim 19, wherein the key-value pairs are submitted via a form.
  - 34. The computer-readable storage medium of claim 33, wherein the key-value pairs are submitted via a POST command.
  - 35. The computer-readable storage medium of claim 19, wherein the key-value pairs are submitted via a URL.
  - 36. The computer-readable storage medium of claim 35, wherein the key-value pairs are submitted via a GET method.

37. A computer system comprising:
- a processor; and
  
  memory storing computer readable instructions that, when executed by the processor, cause the computer system to perform a method for automated detection of a cross site scripting vulnerability of a web site, comprising;
  
  determining key-value pairs corresponding to the web site;
  
  for each determined key-value pair, at least until a first vulnerability is detected, performing a sub-method comprising;
  
  submitting the key-value pair to the web site, wherein the value of the key-value pair comprises a tracer value;
  
  receiving a web page responsive to the submitted key-value pair;
  
  determining a location of the tracer value, when present, in the received web page; and
  
  when the tracer value is present in the received web page, submitting a second key-value pair to the web site, wherein the value of the second key-value pair comprises a script.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 38. The computer system of claim 37, wherein the script, if executed, signifies that the web site is vulnerable to a cross site scripting attack, and wherein a format of the script-comprised value of the second key-value pair is based on the determined location of the tracer value.
  - 39. The computer system of claim 37, wherein the computer readable instructions further comprise writing vulnerability data corresponding to the web page to a log file, based on whether the script is executed.
  - 40. The computer system of claim 38, wherein the location of the tracer value is determined based on a document object model of the web page.
  - 41. The computer system of claim 40, wherein when the location of the tracer value is within displayed text of a body of the web page, the format of the script-comprised value begins with a script tag.
  - 42. The computer system of claim 40, wherein when the location of the tracer value is within an HTML tag, the format of the script-comprised value begins with indicia that closes the HTML tag.
  - 43. The computer system of claim 42, wherein when the location of the tracer value is within an IMG tag, the format of the script-comprised value begins with a graphical file extension.
  - 44. The computer system of claim 40, wherein when the location of the tracer value is within a script block, the format of the script-comprised value does not begin with a <
    - SCRIPT>
      
      tag.
  - 45. The computer system of claim 42, wherein when the location of the tracer value is within a comment field, the format of the script-comprised value begins with “
    - -->
      
      ”
      
      .
  - 46. The computer system of claim 37, wherein the computer readable instructions further comprise:
    - prior to performing the sub-method, determining whether the web site falls within a range of allowed web sites; and
      
      if the web site does not fall within the range of allowed web sites, halting execution of the computer-performed method.
  - 47. The computer system of claim 37, wherein the computer readable instructions further comprise:
    - prior to performing the sub-method, determining whether the computer performing the method is located on a home network; and
      
      if the computer performing the method is not located on the home network, halting execution of the computer-performed method.
  - 48. The computer system of claim 37, wherein web site information from which the key-value pairs are determined is received via a clipboard of the computer'"'"'s operating system.
  - 49. The computer system of claim 37, wherein web site information from which the key-value pairs are determined is received via an input file comprising a listing of multiple web sites to be tested.
  - 50. The computer system of claim 37, further comprising:
    - when the web site has no corresponding key-value pairs, submitting to the web site a third key-value pair, wherein the value of the third key-value pair comprises a script that, if executed, signifies that the web site is vulnerable to a cross site scripting attack.
  - 51. The computer system of claim 37, wherein the key-value pairs are submitted via a form.
  - 52. The computer system of claim 51, wherein the key-value pairs are submitted via a POST command.
  - 53. The computer system of claim 37, wherein the key-value pairs are submitted via a URL.
  - 54. The computer system of claim 53, wherein the key-value pairs are submitted via a GET method.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Gallagher, Thomas P.
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
Dada; Beemnet W

Application Number

US10/291,369
Time in Patent Office

1,946 Days
Field of Search

726 22- 26, 713165-167, 713/188, 713/151, 707/3, 707/9, 709/225
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

H04L 69/22   Parsing or analysis of headers

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99939   Privileged access

Automated detection of cross site scripting vulnerabilities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

147 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Automated detection of cross site scripting vulnerabilities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links