Detection of DOM-based cross-site scripting vulnerabilities
First Claim
1. A system comprising:
a computer-readable memory having computer-readable program code embodied therewith;
a processor coupled to the computer-readable memory, wherein responsive to executing the computer-readable program code, the processor is configured to perform executable operations comprising:
communicating at least one client request comprising a payload having a unique identifier to a Web-based application;
receiving from the Web-based application response HTML and an associated Document Object Model (DOM) object;
identifying in the received DOM object the unique identifier communicated to the Web-based application in the payload; and
responsive to identifying in the received DOM object the unique identifier communicated to the Web-based application in the payload, identifying as un-trusted a section of the received DOM object comprising content corresponding to the payload, which is identified in the received DOM object via the unique identifier.
Abstract
Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.
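The marker-tracing step the abstract describes, as an added example that is not code from the patent or its assignee: a probe request carries a unique identifier, the response HTML is walked as a DOM, and every section that reflects the identifier is flagged as un-trusted, together with the context it landed in (text, URL attribute, event-handler attribute, script body), since that context decides how the reflected content will be interpreted. The `MarkerLocator` class, the `dxprobe` marker prefix and the sample response are constructed for this example.

```python
import secrets
from html.parser import HTMLParser
URL_ATTRS = {"href", "src", "action", "formaction"}   # attributes interpreted as URLs
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}  # elements that never close

def new_marker(prefix: str = "dxprobe") -> str:
    return prefix + secrets.token_hex(8)   # unique id the scanner later looks for in the DOM

class MarkerLocator(HTMLParser):
    def __init__(self, marker: str):
        super().__init__(convert_charrefs=True)
        self.marker = marker
        self.path = []       # stack of open elements, e.g. ['html', 'body', 'div']
        self.findings = []   # one dict per un-trusted section

    def _record(self, context: str, snippet: str) -> None:
        self.findings.append({"path": "/".join(self.path) or "(root)",
                              "context": context, "snippet": snippet.strip()[:80]})

    def handle_starttag(self, tag, attrs):
        self.path.append(tag)
        for name, value in attrs:
            if value and self.marker in value:
                name = name.lower()
                ctx = ("attribute:event-handler" if name.startswith("on")
                       else "attribute:url" if name in URL_ATTRS else "attribute")
                self._record(ctx, f'{name}="{value}"')
        if tag in VOID_TAGS:
            self.path.pop()

    def handle_endtag(self, tag):
        if tag in self.path:               # tolerate unbalanced markup
            while self.path.pop() != tag:
                pass

    def handle_data(self, data):
        if self.marker in data:            # script bodies arrive here as raw data
            in_script = bool(self.path) and self.path[-1] == "script"
            self._record("script-body" if in_script else "text", data)

def untrusted_sections(response_html: str, marker: str) -> list:
    locator = MarkerLocator(marker)
    locator.feed(response_html)
    locator.close()
    return locator.findings

SAMPLE_MARKER = "dxprobe0123abcd"   # constructed fixed marker for the demo
# Constructed response that reflects the marker in three different DOM contexts.
SAMPLE_HTML = f"""<html><body><div id="greeting">Hello {SAMPLE_MARKER}</div>
<a href="/go?next={SAMPLE_MARKER}">next</a>
<script>var q = "{SAMPLE_MARKER}";</script></body></html>"""
```

`untrusted_sections(SAMPLE_HTML, SAMPLE_MARKER)` yields three findings: a text node under `html/body/div`, a URL attribute under `html/body/a`, and a script body under `html/body/script`.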
17 Claims
1. A system comprising: (independent claim; full text given above under First Claim)
Dependent claims: 2, 3, 4, 5, 6, 7, 15
8. A computer program product for testing a Web-based application for security vulnerabilities, the computer program product comprising:
a computer-readable memory having computer-readable program code embodied therewith, the computer-readable program code comprising:
computer-readable program code configured to communicate at least one client request comprising a payload having a unique identifier to the Web-based application;
computer-readable program code configured to receive from the Web-based application response HTML and an associated Document Object Model (DOM) object;
computer-readable program code configured to identify in the received DOM object the unique identifier communicated to the Web-based application in the payload; and
computer-readable program code configured to, responsive to identifying in the received DOM object the unique identifier communicated to the Web-based application in the payload, identify as un-trusted a section of the received DOM object comprising content corresponding to the payload, which is identified in the received DOM object via the unique identifier.
Dependent claims: 9, 10, 11, 12, 13, 14, 16
17. A system comprising:
a computer-readable memory having computer-readable program code embodied therewith;
a processor coupled to the computer-readable memory, wherein responsive to executing the computer-readable program code, the processor is configured to perform executable operations comprising:
communicating at least one client request comprising a script code having a unique identifier to a Web-based application;
receiving from the Web-based application response HTML and an associated Document Object Model (DOM) object, the received DOM object including the unique identifier communicated to the Web-based application in the script code;
identifying in the received DOM object the unique identifier communicated to the Web-based application in the script code; and
responsive to identifying in the received DOM object the unique identifier communicated to the Web-based application in the script code, identifying as un-trusted a section of the received DOM object comprising content corresponding to the script code, which is identified in the received DOM object via the unique identifier.