Detection of DOM-based cross-site scripting vulnerabilities

US 8,683,596 B2
Filed: 10/28/2011
Issued: 03/25/2014
Est. Priority Date: 10/28/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a computer-readable memory having computer-readable program code embodied therewith;

a processor coupled to the computer-readable memory, wherein responsive to executing the computer-readable program code, the processor is configured to perform executable operations comprising;

communicating at least one client request comprising a payload having a unique identifier to a Web-based application;

receiving from the Web-based application response HTML and an associated Document Object Model (DOM) object;

identifying in the received DOM object the unique identifier communicated to the web-based application in the payload; and

responsive to identifying in the received DOM object the unique identifier communicated to the web-based application in the payload, identifying as un-trusted a section of the received DOM object comprising content corresponding to the payload, which is identified in the received DOM object via the unique identifier.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.

Citations

17 Claims

1. A system comprising:
- a computer-readable memory having computer-readable program code embodied therewith;
  
  a processor coupled to the computer-readable memory, wherein responsive to executing the computer-readable program code, the processor is configured to perform executable operations comprising;
  
  communicating at least one client request comprising a payload having a unique identifier to a Web-based application;
  
  receiving from the Web-based application response HTML and an associated Document Object Model (DOM) object;
  
  identifying in the received DOM object the unique identifier communicated to the web-based application in the payload; and
  
  responsive to identifying in the received DOM object the unique identifier communicated to the web-based application in the payload, identifying as un-trusted a section of the received DOM object comprising content corresponding to the payload, which is identified in the received DOM object via the unique identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 15)
- - 2. The system of claim 1, the executable operations further comprising:
    - generating a DOM abstraction from the DOM object, the DOM abstraction comprising a section of the DOM object containing the content corresponding to the payload;
      
      rendering a response HTML using the DOM abstraction in lieu of the DOM object.
  - 3. The system of claim 2, wherein generating the DOM abstraction from the DOM object comprises:
    - excluding from the DOM abstraction sections of the DOM object not comprising the content corresponding to the payload.
  - 4. The system of claim 2, said executable steps further comprising:
    - when rendering the response HTML, performing a static security analysis on the response HTML to monitor script code associated with the HTML that is executed in order to identify whether at least one access to the DOM abstraction retrieves the content corresponding to the payload; and
      
      when the access to the DOM abstraction retrieves the content corresponding to the payload, generating a flag indicating that a vulnerability exists within the Web-based application.
  - 5. The system of claim 4, wherein performing the static security analysis on the response HTML to monitor script code associated with the HTML that is executed in order to identify whether at least one access to the DOM abstraction retrieves the content corresponding to the payload comprises:
    - identifying a pop-up dialog containing the content corresponding to the payload.
  - 6. The system of claim 1, said executable steps further comprising:
    - receiving a list of a plurality of payloads;
      
      wherein communicating at least one client request comprising the payload having the unique identifier to the Web-based application comprises;
      
      automatically communicating a plurality of client requests to the Web-based application, where each of the client requests comprises a respective payload selected from the list of the plurality of payloads.
  - 7. The system of claim 1, wherein the payload having the unique identifier comprises content echoed by the Web-based application to a DOM of a web page.
  - 15. The system of claim 1, wherein the payload is script code provided to the Web-based application in the client request.

8. A computer program product for testing a Web-based application for security vulnerabilities, the computer program product comprising:
- a computer-readable memory having computer-readable program code embodied therewith, the computer-readable program code comprising;
  
  computer-readable program code configured to communicate at least one client request comprising a payload having a unique identifier to the Web-based application;
  
  computer-readable program code configured to receive from the Web-based application response HTML and an associated Document Object Model (DOM) object;
  
  computer-readable program code configured to identify in the received DOM object the unique identifier communicated to the web-based application in the payload; and
  
  computer-readable program code configured to, responsive to identifying in the received DOM object the unique identifier communicated to the web-based application in the payload, identify as un-trusted a section of the received DOM object comprising content corresponding to the payload, which is identified in the received DOM object via the unique identifier.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 16)
- - 9. The computer program product of claim 8, wherein the computer-readable program code further comprises:
    - computer-readable program code configured to generate a DOM abstraction from the DOM object, the DOM abstraction comprising a section of the DOM object containing the content corresponding to the payload;
      
      computer-readable program code configured to render a response HTML using the DOM abstraction in lieu of the DOM object.
  - 10. The computer program product of claim 9, wherein generating the DOM abstraction from the DOM object comprises:
    - excluding from the DOM abstraction sections of the DOM object not comprising the content corresponding to the payload.
  - 11. The computer program product of claim 9, wherein the computer-readable program code further comprises:
    - computer-readable program code configured to, when rendering the response HTML, to perform a static security analysis on the response HTML to monitor script code associated with the HTML that is executed in order to identify whether at least one access to the DOM abstraction retrieves the content corresponding to the payload; and
      
      computer-readable program code configured to, when the access to the DOM abstraction retrieves the content corresponding to the payload, generate a flag indicating that a vulnerability exists within the Web-based application.
  - 12. The computer program product of claim 11, wherein performing the static security analysis on the response HTML to monitor script code associated with the HTML that is executed in order to identify whether at least one access to the DOM abstraction retrieves the content corresponding to the payload comprises:
    - identifying a pop-up dialog containing the content corresponding to the payload.
  - 13. The computer program product of claim 8, wherein the computer-readable program code further comprises:
    - computer-readable program code configured to receive a list of a plurality of payloads;
      
      wherein communicating at least one client request comprising the payload having the unique identifier to the Web-based application comprises;
      
      automatically communicating a plurality of client requests to the Web-based application, where each of the client requests comprises a respective payload selected from the list of the plurality of payloads.
  - 14. The computer program product of claim 8, wherein the payload having the unique identifier comprises content echoed by the Web-based application to a DOM of a web page.
  - 16. The computer program product of claim 8, wherein the payload is script code provided to the Web-based application in the client request.

17. A system comprising:
- a computer-readable memory having computer-readable program code embodied therewith;
  
  a processor coupled to the computer-readable memory, wherein responsive to executing the computer-readable program code, the processor is configured to perform executable operations comprising;
  
  communicating at least one client request comprising a script code having a unique identifier to a Web-based application;
  
  receiving from the Web-based application response HTML and an associated Document Object Model (DOM) object, the received DOM object including the unique identifier communicated to the Web-based application in the script code;
  
  identifying in the received DOM object the unique identifier communicated to the Web-based application in the script code; and
  
  responsive to identifying in the received DOM object the unique identifier communicated to the web-based application in the script code, identifying as un-trusted a section of the received DOM object comprising content corresponding to the script code, which is identified in the received DOM object via the unique identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Amit, Yair, Haviv, Yinnon A., Tripp, Omer, Weisman, Omri, Kalman, Daniel
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
Jeudy, Josnel

Application Number

US13/283,989
Publication Number

US 20130111594A1
Time in Patent Office

879 Days
Field of Search

726 22- 33, 713/150, 713187-188, 709/203, 709217-219
US Class Current

726/25
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

Detection of DOM-based cross-site scripting vulnerabilities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of DOM-based cross-site scripting vulnerabilities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links