Method and system for improved internet security via HTTP-only cookies

US 7,359,976 B2
Filed: 11/23/2002
Issued: 04/15/2008
Est. Priority Date: 11/23/2002
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method comprising:

receiving data from a web site at a transport component, the data including unsafe content;

parsing and interpreting the unsafe content received via the transport component, including invoking an engine to execute code present in the unsafe content, the code requesting access to a cookie; and

determining at a security mechanism operably connected to the browser component whether the cookie is accessible to the unsafe content based on information associated with the cookie, wherein the security mechanism is configured to deny access to the cookie when the information indicates that the cookie is not accessible to the unsafe content,wherein the unsafe content requests return of a cookie via a function called by the engine, and wherein the function obtains the information associated with the cookie from the transport component for evaluation by the security mechanism.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that prevents certain cookies, as specified by an Internet server, from being accessed through client-side script, thereby mitigating the amount of damage that cross-site scripting attacks can accomplish. The server marks selected cookies with an attribute that flags such cookies as being protected, and a security mechanism in the client prevents protected cookies from being accessed via script. A protected (flagged) cookie can still be accessed by the server, (e.g., via HTTP), while non-flagged cookies can be accessed by the server or script. An API or similar layer implements the security mechanism that checks for the attribute, and fails requests for any cookies having that attribute set. The present invention can also be adapted to prevent a malicious script from overwriting existing HTTP-only cookies on a client machine.

Citations

19 Claims

1. In a computing environment, a method comprising:
- receiving data from a web site at a transport component, the data including unsafe content;
  
  parsing and interpreting the unsafe content received via the transport component, including invoking an engine to execute code present in the unsafe content, the code requesting access to a cookie; and
  
  determining at a security mechanism operably connected to the browser component whether the cookie is accessible to the unsafe content based on information associated with the cookie, wherein the security mechanism is configured to deny access to the cookie when the information indicates that the cookie is not accessible to the unsafe content,wherein the unsafe content requests return of a cookie via a function called by the engine, and wherein the function obtains the information associated with the cookie from the transport component for evaluation by the security mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the unsafe content corresponds to script, and wherein receiving the request comprises receiving a function call initiated by the script.
  - 3. The method of claim 1 wherein determining whether the cookie is protected comprises looking for the presence of a particular attribute in data of the cookie.
  - 4. The method of claim 1 wherein the request to access the cookie corresponds to a get cookie request, wherein the information does not indicate that the cookie is protected, and further comprising, returning the cookie.
  - 5. The method of claim 1 wherein the request to access the cookie corresponds to a get cookie request, wherein the information indicates that the cookie is protected, and wherein denying the request comprises returning an error in response to the request.
  - 6. The method of claim 1 further comprising, receiving the script in a response generated at a remote web site.
  - 7. The method of claim 6 further comprising, passing the script to the remote web site in a request for content.
  - 8. The method of claim 1 wherein the request to access the cookie corresponds to a set cookie request, wherein the information indicates that the cookie is protected, and wherein denying the request comprises returning an error in response to the request.
  - 9. The method of claim 1 further comprising, at a content server, providing the information associated with the cookie that indicates that the cookie is protected.
  - 10. The method of claim 9 wherein providing the information associated with the cookie comprises adding an attribute to data of the cookie.
  - 11. A computer-readable storage medium having stored computer-executable instructions for performing the method of claim 1.

12. In a computing environment, a system comprising:
- a transport component that receives a response from a web site, the response including unsafe content;
  
  a browser component that parses and interprets the unsafe content received via the transport component, including invoking an engine to execute code present in the unsafe content, the code requesting access to a cookie; and
  
  a security mechanism operably connected to the browser component, the security mechanism configured to determine whether the cookie is accessible to the unsafe content based on information associated with the cookie, the security mechanism further configured to deny access to the cookie when the information indicates that the cookie is not accessible to the unsafe content, wherein the unsafe content requests return of a cookie via a function called by the engine, and wherein the function obtains the information associated with the cookie from the transport component for evaluation by the security mechanism.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12 wherein the code comprises script and wherein the engine comprises a script engine that runs the script.
  - 14. The system of claim 12 wherein the security mechanism is incorporated into a function called by the engine that runs the code present in the unsafe content.
  - 15. The system of claim 12 wherein the unsafe content requests return of a cookie via a function called by the engine, wherein the information associated with the cookie indicates that the cookie is inaccessible to the unsafe content, and wherein the security mechanism denies the requested return of the cookie.
  - 16. The system of claim 12 wherein the information associated with the cookie comprises an attribute.
  - 17. The system of claim 16 the attribute comprises a text string which when present indicates that the cookie is inaccessible to the unsafe content.

18. A computer-readable storage medium having stored computer-executable instructions for performing a method, comprising:
- receiving a response from a web site;
  
  interpreting content in the response, including invoking a script engine to run script present in the content;
  
  receiving a request originating in the script to return a cookie, and in response, calling a function to return the cookie in response; and
  
  determining whether the cookie is protected from script access by evaluating information associated with the cookie, wherein determining whether the cookie is protected from script access comprises, receiving the cookie by communicating from the function to a transport component to retrieve the cookie, and thereafter evaluating attributes associated with the cookie to determine if at least one attribute indicates the cookie is protected, anda) if the information indicates the cookie is not protected, returning the cookie in response to the request; and
  
  b) if the information indicates the cookie is protected, denying the request.
- View Dependent Claims (19)
- - 19. The computer-readable medium having computer-executable instructions of claim 18 wherein the presence of a defined attribute associated with the cookie indicates the cookie is protected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Paya, Cem, Goldfeder, Aaron, Ross, David A.
Primary Examiner(s)
NGUYEN, PHUOC H

Application Number

US10/303,113
Publication Number

US 20040103200A1
Time in Patent Office

1,970 Days
Field of Search

709/203, 709/225, 709/229
US Class Current

709/229
CPC Class Codes

G06F 21/6263   during internet communicati...

H04L 63/1441   Countermeasures against mal...

H04L 67/02   based on web technology, e....

H04L 69/329   in the application layer [O...

Method and system for improved internet security via HTTP-only cookies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for improved internet security via HTTP-only cookies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links