Cross-site scripting prevention in dynamic content

US 8,910,247 B2
Filed: 10/06/2010
Issued: 12/09/2014
Est. Priority Date: 10/06/2010
Status: Active Grant

First Claim

Patent Images

1. A method in a computing environment utilizing a processor and memory for suppressing cross-site scripting in a content delivery system, the method comprising:

identifying, at a server, a scripted item within content requested by a user, at a user computing device;

determining, at the server, the scripted item includes an identifier, wherein the identifier is able to be used to identify authorized scripting elements within the content;

determining, at the server, the identifier is not an appropriate identifier; and

in response to determining that the identifier is not an appropriate identifier, preventing communication of the scripted item to the user, wherein preventing communication of the scripted item to the user comprises at least one of;

(1) altering the scripted item to prevent execution of the scripted item by a computing device associated with the user, or(2) removing the scripted item from the content.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiment relate to systems, methods, and computer storage media for suppressing cross-site scripting in a content delivery system. A request is received for content that includes a scripted item or scripted items. The scripted item is identified within the content. An identifier is associated with the scripted element when the scripted element is an intended scripted element to be associated with the content. The identifier may be a hash value based from a hash function and the scripted item. Prior to communicating the content to a user, the scripted item is identified again to determine if an identifier is associated with the scripted item. If an identifier is associated with the scripted item, the identifier is evaluated to determine if the identifier is appropriate. When the identifier is determined to not be appropriate, the scripted item is prevented from being communicated to a user.

Citations

18 Claims

1. A method in a computing environment utilizing a processor and memory for suppressing cross-site scripting in a content delivery system, the method comprising:
- identifying, at a server, a scripted item within content requested by a user, at a user computing device;
  
  determining, at the server, the scripted item includes an identifier, wherein the identifier is able to be used to identify authorized scripting elements within the content;
  
  determining, at the server, the identifier is not an appropriate identifier; and
  
  in response to determining that the identifier is not an appropriate identifier, preventing communication of the scripted item to the user, wherein preventing communication of the scripted item to the user comprises at least one of;
  
  (1) altering the scripted item to prevent execution of the scripted item by a computing device associated with the user, or(2) removing the scripted item from the content.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the scripted item is one from the following:
    - an executable script,an event handler,an object tag, orHTML code.
  - 3. The method of claim 1, wherein the identifier is associated with a request from the user for the content.
  - 4. The method of claim 1, wherein the identifier is a randomly-generated identifier.
  - 5. The method of claim 1, wherein the identifier is a hash value determined based, at least in part, on the scripted item.
  - 6. The method of claim 1, wherein the authorized scripting elements are scripting elements intended by an author of the content to be included with the content.
  - 7. The method of claim 1, wherein an appropriate identifier is an identifier previously associated with the request.
  - 8. The method of claim 1 further comprising communicating a notification of an inappropriate scripted item when the identifier is determined to be not appropriate.

9. One or more computer-readable media devices having computer-executable instructions embodied thereon, that when executed by a computing system having a processor and memory, cause the computing system to perform a method for identifying a scripted item within content requested by a user, the method comprising:
- receiving, at a server, a request for content from a user, at a user computing device;
  
  determining, at the server, a first hash value for a scripted item of the content, wherein the first hash value is based on a hash function and the scripted item;
  
  applying, at the server, the first hash value to the scripted item;
  
  determining, at the server, a second hash value for the scripted item, wherein the second hash value is based on the hash function and the scripted item;
  
  determining, at the server, the scripted item is not proper based on the first hash value and the second hash value; and
  
  in response to determining that the scripted item is not proper, preventing communication of the scripted item to the user, wherein preventing communication of the scripted item to the user comprises at least one of;
  
  (1) altering the scripted item to prevent execution of the scripted item by a computing device associated with the user, or(2) removing the scripted item from the content.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The media of claim 9, wherein the request is for a response in the form of a markup language.
  - 11. The media of claim 9, wherein the first hash value is a value unique to the scripted item.
  - 12. The media of claim 9, wherein elements of the hash function are unknown to the user.
  - 13. The media of claim 9, wherein applying the first hash value to the scripted item includes applying the first hash value in-line with the scripted item or applying an HTML tag to the scripted item.
  - 14. The media of claim 9, wherein applying the first hash value includes applying the first hash value to the scripted item as a variable.
  - 15. The media of claim 9, wherein applying the first hash value includes updating a look-up table with the first hash value in association with the scripted item.
  - 16. The media of claim 9, wherein the scripted item is not proper when the first hash value and the second hash value are not equivalents.
  - 17. The media of claim 9, wherein preventing communication of the scripted item to the user comprises removing the scripted item from the content prior to communicating the content to the user.

18. One or more computer-readable media devices having computer-executable instructions embodied thereon, that when executed by a computing system having a processor and memory, cause the computing system to perform a method for identifying a scripted item within content requested by a user, the method comprising:
- receiving, at a server, a request for markup language content from a user, at a user computing device, wherein the markup language content is provided by the server associated with the computing system;
  
  in response to receiving the markup language content request at the server, generating a unique identifier;
  
  identifying, at the server, within the markup language content, a first scripted item;
  
  associating, at the server, the unique identifier to the first scripted item;
  
  prior to communicating the markup language content to the user, identifying at the server, one or more scripted items to be communicated to the user, wherein the one or more scripted items includes the first scripted item;
  
  determining, at the server, a second scripted item of the one or more scripted items is not associated with the unique identifier;
  
  preventing, at the server, communication of the second scripted item to the user, wherein preventing communication of the second scripted item to the user comprises at least one of;
  
  (1) altering the second scripted item to prevent execution of the second scripted item by the user computing device, or(2) removing the second scripted item from the markup language content;
  
  removing, at the server, the association between the first scripted item and the unique identifier prior to communicating the first identifier to the user; and
  
  communicating the first scripted item to the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Andrews, Michael, Shroff, Sharat, Gursky, Dennis, Benua, Melissa Lauren
Primary Examiner(s)
Truong, Thanhnga B
Assistant Examiner(s)
VICTORIA, NARCISO F

Application Number

US12/899,255
Publication Number

US 20120090026A1
Time in Patent Office

1,525 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

G06F 16/958   Organisation or management ...

G06F 21/52   during program execution, e...

G06F 21/6218   to a system of files or obj...

G06F 21/6263   during internet communicati...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

Cross-site scripting prevention in dynamic content

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Cross-site scripting prevention in dynamic content

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links