Reducing cross-site scripting attacks by segregating HTTP resources by subdomain

US 9,172,707 B2
Filed: 12/19/2007
Issued: 10/27/2015
Est. Priority Date: 12/19/2007
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more processors that when executing instructions are configured to;

receive a request for a resource from a caller;

based at least in part on determining that the request is directed to a first uniform resource locator (URL) comprising a non-segregated sub-domain, redirect the request to a second URL comprising a segregated sub-domain and a path part, the path part comprising an encryption based at least in part on an identifier that corresponds to a sharing set of callers authorized to access the resource;

decrypt the path part to determine the identifier; and

based at least in part on determining that the identifier matches the segregated sub-domain, provide the resource to the caller.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An arrangement for reducing the occurrence of harmful cross-site scripting is provided by segregating on-line content or other resources so that they are accessible at different domains or subdomains, each of which corresponds to a set of users, called a “sharing set,” where each user in the set has identical access privileges to certain resources. The sharing set is provided with an identifier (which may or may not be unique), so that the identifier may be used as the name of the domain or subdomain for which any member of the sharing set is authorized to access the resources located there. In this way, script that is embedded with the content can only be executed among members of the sharing set. Users who are not members of the sharing set are unable to invoke cross site-scripting attacks that would allow them to gain access to data from sharing set members.

67 Citations

View as Search Results

20 Claims

1. A system comprising:
- one or more processors that when executing instructions are configured to;
  
  receive a request for a resource from a caller;
  
  based at least in part on determining that the request is directed to a first uniform resource locator (URL) comprising a non-segregated sub-domain, redirect the request to a second URL comprising a segregated sub-domain and a path part, the path part comprising an encryption based at least in part on an identifier that corresponds to a sharing set of callers authorized to access the resource;
  
  decrypt the path part to determine the identifier; and
  
  based at least in part on determining that the identifier matches the segregated sub-domain, provide the resource to the caller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, the segregated sub-domain different than the path part.
  - 3. The system of claim 1, the identifier comprising at least one of a hash or token.
  - 4. The system of claim 1, the encryption based at least in part on a name of the resource.
  - 5. The system of claim 1, the one or more processors configured to provide one or more users of the sharing set with identical access privileges to the resource.
  - 6. The system of claim 1, the sharing set associated with an access control list (ACL).
  - 7. The system of claim 6, the ACL inherited from a parent container.
  - 8. The system of claim 1, the first URL different than the second URL.
  - 9. The system of claim 1, the request comprising a HyperText Transport Protocol request.
  - 10. The system of claim 1, the sharing set comprising a set of users.

11. A method, comprising:
- receiving a request for a resource from a caller, the request directed to a second uniform resource locator (URL) comprising a segregated sub-domain and a path part;
  
  decrypting the path part to determine an identifier that corresponds to a sharing set of callers authorized to access the resource; and
  
  based at least in part on determining that the identifier matches the segregated sub-domain, providing the resource to the caller, at least some of the method implemented at least in part via a processor.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The method of claim 11, the identifier comprising at least one of a hash or token.
  - 13. The method of claim 11, the sharing set associated with an access control list (ACL).
  - 14. The method of claim 11, the request comprising a HyperText Transport Protocol request.
  - 15. The method of claim 11, the sharing set comprising a set of users.
  - 16. The method of claim 13, the ACL inherited from a parent container.

17. A computer-readable storage unit comprising computer-executable code, which when executed via a processor on a computer perform acts, comprising:
- receiving a request to upload a resource from a caller;
  
  based at least in part on receiving the request, encrypting an identifier that corresponds to a sharing set of callers authorized to access the resource to generate an encryption; and
  
  providing a second uniform resource locator (URL) for accessing the resource once uploaded, the second URL comprising a segregated sub-domain and a path part, the path part comprising the encryption.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable storage unit of claim 17, the encrypting comprising encrypting the identifier and a name of the resource to generate the encryption.
  - 19. The computer-readable storage unit of claim 17, the request comprising an indication of the sharing set.
  - 20. The computer-readable storage unit of claim 17, the identifier matching the segregated sub-domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Spektor, Daron
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Korsak, Oleg

Application Number

US11/959,479
Publication Number

US 20090165124A1
Time in Patent Office

2,869 Days
Field of Search

726/21
US Class Current

1/1
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

H04L 63/104 Grouping of entities

Reducing cross-site scripting attacks by segregating HTTP resources by subdomain

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Reducing cross-site scripting attacks by segregating HTTP resources by subdomain

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links