Injection attack mitigation using context sensitive encoding of injected input

US 9,009,821 B2
Filed: 06/08/2011
Issued: 04/14/2015
Est. Priority Date: 06/10/2010
Status: Active Grant

First Claim

Patent Images

1. A method for preventing malicious code being embedded within a scripting language of a web application accessed by a web browser, the method comprising:

monitoring all incoming traffic, generated by the web browser, and outgoing traffic generated by a server;

identifying a page of the web application and inputs associated with the page to form a set of identified inputs associated with the page;

transforming each identified input associated with the page to have a unique element representative of an input value of that identified input associated with the page;

sending the monitored incoming traffic including each transformed input having a unique element representative of an input value of that transformed identified input to the server;

determining whether a given unique element, defined in a configuration file, is matched with an input value of the monitored incoming traffic to form a matched input value;

responsive to a determination that the given unique element is matched with an input value of the monitored incoming traffic, saving the matched input value;

determining whether an output from the server contains the matched input value in an expected location in the output from the server;

responsive to a determination that the output from the server contains the matched input value in an expected location in the output from the server, encoding the matched input value using a definition from the configuration file; and

returning the output from the server to a requester.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for preventing malicious code being embedded within a scripting language of a web application accessed by a web browser (308), the method comprising: monitoring all incoming traffic (310), generated by the web browser, and outgoing traffic (326) generated by a server (318) to form monitored traffic; determining whether a unique element, defined in a configuration file, is matched with an input value of the monitored traffic to form a matched input value; responsive to a determination that the unique element is matched with an input value of the monitored traffic, saving the matched input value, determining whether an output contains the matched input value in an expected location; responsive to a determination that the output contains the matched input value in an expected location, encoding the matched input value using a respective definition from the configuration file; and returning the output (330) to the requester.

Citations

12 Claims

1. A method for preventing malicious code being embedded within a scripting language of a web application accessed by a web browser, the method comprising:
- monitoring all incoming traffic, generated by the web browser, and outgoing traffic generated by a server;
  
  identifying a page of the web application and inputs associated with the page to form a set of identified inputs associated with the page;
  
  transforming each identified input associated with the page to have a unique element representative of an input value of that identified input associated with the page;
  
  sending the monitored incoming traffic including each transformed input having a unique element representative of an input value of that transformed identified input to the server;
  
  determining whether a given unique element, defined in a configuration file, is matched with an input value of the monitored incoming traffic to form a matched input value;
  
  responsive to a determination that the given unique element is matched with an input value of the monitored incoming traffic, saving the matched input value;
  
  determining whether an output from the server contains the matched input value in an expected location in the output from the server;
  
  responsive to a determination that the output from the server contains the matched input value in an expected location in the output from the server, encoding the matched input value using a definition from the configuration file; and
  
  returning the output from the server to a requester.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method as claimed in claim 1 wherein determining whether an output from the server contains the matched input value in an expected location in the output from the server further comprises:
    - determining whether the given unique element is identified in the output from the server; and
      
      identifying a location and context associated with the given unique element identified in the output from the server, wherein determining and identifying further comprises embedding of unique test values in the monitored incoming traffic sent fo the server.
  - 3. A method as claimed in claim 2, wherein identifying a location and context associated with the given unique element identified in the output from the server further comprises:
    - exporting a scan result containing a list of identified locations in the configuration file.
  - 4. A method as claimed in claim 1, wherein the configuration file contains a list of each input of the set of identified inputs and expected output locations and context of each input of the set of identified inputs.
  - 5. A method as claimed in claim 1, wherein responsive to a determination that the given unique element is not matched with the input value of the monitored incoming traffic returning to monitoring all incoming and outgoing traffic.
  - 6. A method as claimed in claim 1 wherein responsive to a determination that the output from the server does not contain the matched input value in an expected location in the output from the server, encoding the matched input value using a default definition.

7. A computer program product for preventing malicious code being embedded within a scripting language of a web application accessed by a web browser, the computer program product comprising:
- a computer-readable storage medium having computer-readable program code embodied therein, the computer-readable program code comprising;
  
  computer-readable program code configured to monitor all incoming traffic, generated by the web browser, and outgoing traffic generated by a server;
  
  computer-readable program code configured to identify a page of the web application and inputs associated with the page to form a set of identified inputs associated with the page;
  
  computer-readable program code configured to transform each identified input associated with the page to have a unique element representative of an input value of that identified input associated with the page; and
  
  computer-readable program code configured to send the monitored incoming traffic including each transformed input having a unique element representative of an input value of that transformed identified input to the server;
  
  computer-readable program code configured to determine whether a given unique element, defined in a configuration file, is matched with an input value of the monitored incoming traffic to form a matched input value;
  
  computer-readable program code, responsive to a determination that the given unique element is matched with an input value of the monitored incoming traffic, configured to save the matched input value;
  
  computer-readable program code configured to determine whether an output from the server contains the matched input value in an expected location in the output from the server;
  
  computer-readable program code, responsive to a determination that the output from the server contains the matched input value in an expected location in the output from the server, configured to encode the matched input value using a definition from the configuration file; and
  
  computer-readable program code configured to return the output from the server to a requester.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product claim 7, wherein the computer-readable program code configured to determine whether an output from the server contains the matched input value in an expected location in the output from the server further comprises:
    - computer-readable program code configured to determine whether the given unique element is identified in the output from the server;
      
      computer-readable program code configured to identify a location and context associated with the given unique element identified in the output from the server; and
      
      computer-readable program code configured to embed unique test values in the monitored incoming traffic sent to the server.
  - 9. The computer program product claim 8, wherein the computer-readable program code configured to identify a location and context associated with the given unique element identified in the output from the server further comprises:
    - computer-readable program code configured to export a scan result containing a list of identified locations in the configuration file.
  - 10. The computer program product claim 7, wherein the configuration file contains a list of each input of the set of identified inputs and expected output locations and context of each input of the set of identified inputs.
  - 11. The computer program product claim 7, further comprising computer-readable program code configured to return to monitoring all incoming and outgoing traffic in response to a determination that the given unique element is not matched with the input value of the monitored incoming traffic.
  - 12. The computer program product claim 7, further comprising computer-readable program code configured to encode the matched input value using a default definition in response to a determination that the output from the server does not contain the matched input value in an expected location in the output.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Podjarny, Guy, Sharabani, Adi
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
Nobahar, Abdulhakim

Application Number

US13/574,011
Publication Number

US 20130081135A1
Time in Patent Office

1,406 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

G06F 21/563   by source code analysis

H04L 63/1441   Countermeasures against mal...

H04L 67/02   based on web technology, e....

Injection attack mitigation using context sensitive encoding of injected input

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Injection attack mitigation using context sensitive encoding of injected input

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links