Cross-site script detection and prevention

US 8,578,482 B1
Filed: 01/11/2008
Issued: 11/05/2013
Est. Priority Date: 01/11/2008
Status: Active Grant

First Claim

Patent Images

1. A method of detecting a cross-site script in Web content, the method comprising:

receiving, in a monitor of a client computer, a message from a browser for retrieving the Web content, the browser executing on said client computer having sensitive information, wherein the monitor is a separate component from the browser and is not a plug-in to the browser;

retrieving the Web content from a target Web server;

storing said Web content by said monitor in said client computer;

analyzing the Web content for a cross-site script by said monitor;

if a cross-site script is present in said Web content, determining a destination to which some or all of the sensitive information will be sent if the cross-site script executes, said determining performed by said monitor; and

displaying a message in the browser relating to display of the Web content, thereby preventing execution of the cross-site script in the browser, and wherein the storing step, analyzing step and the determining step are performed at the monitor and not at the browser, before the Web content is received by the browser.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A Web site uses a behavior monitor that operates as a gatekeeper for a browser. The attack injects Web content with malicious executable code that executes on an end user device when the code executes in a browser on the device. A message is received at the monitor from a browser for retrieving Web content; the browser executes on a computing device having sensitive information. The Web content is retrieved from a target Web server and analyzed for XSS. If found, the destination to which some or all of the sensitive information will be sent if the XSS executes is determined. A message is displayed in the browser regarding whether the Web content that was requested should be viewed in the browser. In this manner, execution of the XSS in the browser is prevented. The analyzing and determining steps are performed before the Web content is received by the browser.

78 Citations

View as Search Results

24 Claims

1. A method of detecting a cross-site script in Web content, the method comprising:
- receiving, in a monitor of a client computer, a message from a browser for retrieving the Web content, the browser executing on said client computer having sensitive information, wherein the monitor is a separate component from the browser and is not a plug-in to the browser;
  
  retrieving the Web content from a target Web server;
  
  storing said Web content by said monitor in said client computer;
  
  analyzing the Web content for a cross-site script by said monitor;
  
  if a cross-site script is present in said Web content, determining a destination to which some or all of the sensitive information will be sent if the cross-site script executes, said determining performed by said monitor; and
  
  displaying a message in the browser relating to display of the Web content, thereby preventing execution of the cross-site script in the browser, and wherein the storing step, analyzing step and the determining step are performed at the monitor and not at the browser, before the Web content is received by the browser.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as recited in claim 1 further comprising:
    - transmitting the message to the target Web site.
  - 3. A method as recited in claim 1 wherein the Web content is retrieved using an HTTP response message.
  - 4. A method as recited in claim 1 wherein analyzing the Web content further comprises:
    - determining whether the destination is valid.
  - 5. A method as recited in claim 1 wherein determining a destination further comprises:
    - examining the cross-site script for an “
      
      IMG Src”
      
      statement in which a document cookie variable is equated with the destination.
  - 6. A method as recited in claim 1 wherein the sensitive information is a cookie in the browser.
  - 7. A method as recited in claim 1 further comprising:
    - determining whether the cross-site script is a JavaScript or a Visual Basic (VB) Script and if either one, checking for an application programming interface (API).
  - 8. A method as recited in claim 1 further comprising:
    - intercepting the message from another component within the browser.
  - 9. A method as recited in claim 1 further comprising:
    - inserting the cross-site script into the Web content by posting the cross-site script in a public content posting area.
  - 10. A method as recited in claim 4 wherein determining whether the destination is valid further comprises:
    - looking at URLs in said browser to which said client computer has sent cookie information in the past.
  - 11. A method as recited in claim 4 wherein determining whether the destination is valid further comprises:
    - checking a domain property in a cookie in the browser of the client computer, wherein the domain property lists acceptable destinations to which the sensitive information may be sent.

12. A client device comprising:
- a processor;
  
  a network interface; and
  
  a memory for storinga cross-site script detection monitor havinga browser interface coupled to an independent browser;
  
  a Web interface; and
  
  a Web content analysis module including a URL determination component and a URL validation component;
  
  wherein the cross-cite script detection monitor is separate from the browser and is not a plug-in to the browser; and
  
  a Web content storage area for storing Web content from a Web site, wherein the cross-site detection monitor detects a malicious cross-site script in said Web content that enables transmission of sensitive data relating to the client device to an unauthorized Web site.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. A client device as recited in claim 12 wherein the monitor performs as a broker for a browser such that the monitor receives requests for content from the browser and transmits the requests to a destination and receives the content to perform an analysis.
  - 14. A client device as recited in claim 12 wherein the browser interface receives messages from a browser.
  - 15. A client device as recited in claim 12 wherein the Web interface of the cross-site script detection monitor receives said Web content from said Web site.
  - 16. A client device as recited in claim 12 wherein the URL validation component contains a URL allowed pattern list.
  - 17. A client device as recited in claim 12 wherein the URL determination component searches for an “
    - IMG Src”
      
      statement in which a cookie variable is equated with a URL.
  - 18. A client device as recited in claim 12 wherein said detection monitor is further arranged to check a domain property in a cookie in said browser of said client device, wherein the domain property lists acceptable destinations to which the sensitive information may be sent.
  - 19. A client device as recited in claim 12 wherein said detection monitor is further arranged to look at URLs in said browser to which said client device has sent cookie information in the past.

20. A tangible and non-transitory computer-readable medium comprising computer code for detecting a cross-site script, said computer code of said computer-readable medium effecting the following:
- receiving, in a monitor of a client computer, a message from a browser for retrieving the Web content, the browser executing on said client computer having sensitive information wherein the monitor is a separate component from the browser and is not a plug-in to the browser;
  
  retrieving the Web content from a target Web server;
  
  storing said Web content by said monitor in said client computer;
  
  analyzing the Web content for a cross-site script by said monitor;
  
  if cross-site script is present in said Web content, determining a destination to which some or all of the sensitive information will be sent if the cross-site script executes, said determining performed by said monitor; and
  
  displaying a message in the browser relating to display of the Web content, thereby preventing execution of the cross-site script in the browser if desired by a user, and wherein the storing step, analyzing step and the determining step are performed at the monitor and not at the browser, before the Web content is received by the browser.
- View Dependent Claims (21, 22, 23, 24)
- - 21. A computer-readable medium as recited in claim 20 wherein analyzing the Web content further comprises determining whether the destination is valid.
  - 22. A computer-readable medium as recited in claim 20 wherein determining whether the destination is valid further comprises checking a domain property in a cookie in the browser of the client computer, wherein the domain property lists acceptable destinations to which the sensitive information may be sent.
  - 23. A computer-readable medium as recited in claim 20 wherein determining a destination further comprises examining the cross-site script for an “
    - IMG Src”
      
      statement in which a document cookie variable is equated with the destination.
  - 24. A tangible and non-transitory computer-readable medium as recited in claim 20 wherein determining whether the destination is valid further comprises looking at URLs in said browser to which said client computer has sent cookie information in the past.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Yang, Shun-Fa, Kuo, Hsin-hsin
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Salehi, Helai

Application Number

US11/972,823
Time in Patent Office

2,125 Days
Field of Search

726/22, 726/13, 707/6
US Class Current

726/22
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1441   Countermeasures against mal...

Cross-site script detection and prevention

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

78 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-site script detection and prevention

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links