XSS detection method and device

US 9,021,593 B2
Filed: 07/23/2010
Issued: 04/28/2015
Est. Priority Date: 07/23/2009
Status: Active Grant

First Claim

Patent Images

1. A cross-site scripting (XSS) detection method for detecting XSS vulnerabilities in a web page, comprising steps of:

determining a set of parameter-value pairs that can be accepted by the web page;

and for each parameter-value pair in the set;

constructing a parameter-value pair in which a dedicated script is inserted;

assembling a URL corresponding to the web page based on the parameter-value pair in which the dedicated script has been inserted, wherein the URL is assembled by modifying a sequence of the parameter-value pair in which the dedicated script has been inserted by adding the dedicated script at an end of the URL and by adding a closing tag of a hypertext markup language element or a specific character before the dedicated script;

wherein in assembling the URL corresponding to the web page, a plurality of URLs are assembled by changing the sequence of the parameter-value pairs and by inserting other special codes in the URL;

acquiring dynamic web page content corresponding to the assembled URL;

simulating the execution of the dynamic web page content, wherein the steps of acquiring the dynamic web page content and simulating the execution of the dynamic web page content are performed respectively for each one of the plurality of URLs, anddetermining when the dedicated script is executed, that the processing of the parameter-value pair in the web page contains XSS vulnerabilities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses a XSS detection method for detecting the XSS vulnerabilities in a web page, comprising for each parameter-value pair in a set of parameter-value pairs that can be accepted by the web page: constructing a parameter-value pair in which a dedicated script is inserted; assembling a URL corresponding to the web page based on the parameter-value pair in which a dedicated script is inserted; acquiring the dynamic web page content corresponding to the assembled URL; and simulating the execution of the acquired dynamic web page content, if the dedicated script is executed, it is determined that the processing of the parameter in the web page contains XSS vulnerabilities. The present invention further discloses a corresponding XSS detection device and a web site security scanning system and a web scanning system using such a device.

30 Citations

View as Search Results

9 Claims

1. A cross-site scripting (XSS) detection method for detecting XSS vulnerabilities in a web page, comprising steps of:
- determining a set of parameter-value pairs that can be accepted by the web page;
  
  and for each parameter-value pair in the set;
  
  constructing a parameter-value pair in which a dedicated script is inserted;
  
  assembling a URL corresponding to the web page based on the parameter-value pair in which the dedicated script has been inserted, wherein the URL is assembled by modifying a sequence of the parameter-value pair in which the dedicated script has been inserted by adding the dedicated script at an end of the URL and by adding a closing tag of a hypertext markup language element or a specific character before the dedicated script;
  
  wherein in assembling the URL corresponding to the web page, a plurality of URLs are assembled by changing the sequence of the parameter-value pairs and by inserting other special codes in the URL;
  
  acquiring dynamic web page content corresponding to the assembled URL;
  
  simulating the execution of the dynamic web page content, wherein the steps of acquiring the dynamic web page content and simulating the execution of the dynamic web page content are performed respectively for each one of the plurality of URLs, anddetermining when the dedicated script is executed, that the processing of the parameter-value pair in the web page contains XSS vulnerabilities.
- View Dependent Claims (2, 3, 4)
- - 2. The XSS detection method according to claim 1, wherein in simulating the execution of the dynamic web page content, a script parsing engine is used to execute scripts in the web page content and the script parsing engine is constructed to determine whether XSS vulnerabilities exist depending on whether the dedicated script is triggered.
  - 3. The XSS detection method according to claim 1, wherein the dedicated script is an alert function.
  - 4. The XSS detection method according to claim 1, further comprising:
    - recording whether a parameter in the set of parameter-value pairs contains XSS vulnerabilities.

5. A cross-site scripting (XSS) detection device for detecting XSS vulnerabilities in a web page, comprising hardware and:
- a web page parameter-value pair set determining unit configured to determine a set of parameter-value pairs that can be accepted by the web page;
  
  a testing URL assembler configured to assemble a testing URL for each parameter-value pair in the set of parameter-value pairs, wherein a dedicated script is inserted in the value of the parameter-value pair during the assembly of the testing URL and, wherein the testing URL is assembled by modifying a sequence of the parameter-value pair in which the dedicated script has been inserted by adding the dedicated script at an end of the testing URL and by adding a closing tag of a hypertext markup language element or a specific character before the dedicated script;
  
  wherein the testing URL assembler is configured to assemble a plurality of testing URLs by changing the sequence of the parameter-value pair and by inserting other special codes in the URL when assembling the testing URL;
  
  a communicator configured to send each testing URL to a web server and receive dynamic web page content returned from the web server in order to detect XSS vulnerabilities for each testing URL; and
  
  a simulator configured to simulate the execution of the dynamic web page content and determine the existence of XSS vulnerabilities in the parameter-value pair when the dedicated script has been executed.
- View Dependent Claims (6, 7, 8)
- - 6. The XSS detection device according to claim 5, further comprising:
    - a script parsing engine, with which the simulator executes the script when simulating the execution of the web page content, wherein the script parsing engine determines whether XSS vulnerabilities exist in the parameter-value pair depending on whether the dedicated script has been triggered.
  - 7. The XSS detection device according to claim 5, wherein the dedicated script is an alert function.
  - 8. The XSS detection device according to claim 5, further comprising a recorder configured to record whether a parameter in the set of parameter-value pairs contains XSS vulnerabilities.

9. A non-volatile computer readable medium including instructions that, when executed by a microprocessor, cause the following steps to be performed:
- determining a set of parameter-value pairs that can be accepted by a web page; and
  
  for each parameter-value pair in the set;
  
  constructing a parameter-value pair in which a dedicated script is inserted;
  
  assembling a URL corresponding to the web page based on the parameter-value pair in which the dedicated script has been inserted, wherein the URL is assembled by modifying a sequence of the parameter-value pair in which the dedicated script has been inserted by adding the dedicated script at an end of the URL and by adding a closing tag of a hypertext markup language element or a specific character before the dedicated script;
  
  wherein in assembling the URL corresponding to the web page, a plurality of URLs are assembled by changing the sequence of the parameter-value pairs and by inserting other special codes in the URL;
  
  acquiring dynamic web page content corresponding to the assembled URL;
  
  simulating the execution of the acquired dynamic web page content, wherein the steps of acquiring the dynamic web page content and simulating the execution of the dynamic web page content are performed respectively for each one of the plurality of URLs, andwhen the dedicated script is executed, it is determined that the processing of the parameter-value pair in the web page contains cross-site scripting (XSS) vulnerabilities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NSFocus Information Technology Co., Ltd.
Original Assignee
NSFocus Information Technology Co., Ltd.
Inventors
Liu, Guangxu, Wen, Yujie, Zhou, Da, Wang, Xiaoming, Liu, Xiaoxia
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LYNCH, SHARON S

Application Number

US13/386,206
Publication Number

US 20120198558A1
Time in Patent Office

1,740 Days
Field of Search

726/4, 726/12, 726/22, 726/25, 726/26, 713/164
US Class Current

726/25
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1475   Passive attacks, e.g. eaves...

H04L 63/1483   service impersonation, e.g....

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99939   Privileged access

XSS detection method and device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

9 Claims

Specification

Use Cases

Quick Links

Others

XSS detection method and device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others