System and method of monitoring attacks of cross site script

US 9,378,362 B2
Filed: 12/02/2013
Issued: 06/28/2016
Est. Priority Date: 12/06/2012
Status: Active Grant

First Claim

Patent Images

1. A system for monitoring cross site scripting attacks, comprising:

one or more processors; and

memory including instructions executable by the one or more processors, which when executed perform the following steps;

receiving and replying to a service request from a client terminal,redefining a scripting internal function applied by a cross site scripting attack, the redefining of the scripting internal function comprising adding a monitoring code to monitor the calling of the scripting internal function, and the monitoring code being embedded in an application service page of a third party,returning redefined information for the scripting internal function to the client terminal,monitoring calling information of the client terminal in relation to the redefined scripting internal function, andanalyzing security of the calling information of the client terminal.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides techniques for monitoring a cross site scripting attack. These techniques may receive and reply to, by a computing device, a service request from a client terminal. The computing device may then redefine a scripting internal function applied by the cross site scripting attack, and return redefined information for the scripting internal function to the client terminal. The computing device may monitor calling information of the client terminal in relation to the redefined scripting internal function, and analyze the security of the calling information. The computing device may monitor an attacking source, an attacking time period, leakage information in the attack, and/or a vulnerability point in the attack that are associated with the cross site scripting attack.

Citations

20 Claims

1. A system for monitoring cross site scripting attacks, comprising:
- one or more processors; and
  
  memory including instructions executable by the one or more processors, which when executed perform the following steps;
  
  receiving and replying to a service request from a client terminal,redefining a scripting internal function applied by a cross site scripting attack, the redefining of the scripting internal function comprising adding a monitoring code to monitor the calling of the scripting internal function, and the monitoring code being embedded in an application service page of a third party,returning redefined information for the scripting internal function to the client terminal,monitoring calling information of the client terminal in relation to the redefined scripting internal function, andanalyzing security of the calling information of the client terminal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, wherein the redefining of the scripting internal function comprises adding a monitoring code to monitor the calling of the scripting internal function.
  - 3. The system of claim 1, wherein the redefined information in relation to the scripting internal function is formed in a head section of a corresponding webpage associated with a networking server that responds to the service request.
  - 4. The system of claim 1, wherein the redefined scripting internal function comprises at least one of an internal function of a scripting language, a function for creating a page element, a function for executing an external link code, or a function for displaying a page.
  - 5. The system of claim 4, wherein the scripting language is a JavaScript language.
  - 6. The system as claimed in claim 1, wherein the redefined scripting internal function is associated with at least one of a documenting creating function, a document writing function, an object locating function, an alerting message function, a user confirmation function, or a user input function.
  - 7. The system of claim 1, wherein the calling information of the redefined scripting internal function comprises at least one of a context environment of the scripting internal function, a calling time period of the redefined scripting internal function, a number of calling times for the redefined scripting internal function, a behavior of a client that calls the redefined scripting internal function, or one or more accounts and IP addresses associated with the client.
  - 8. The system of claim 1, wherein the analyzing security of the calling information of the client terminal further comprises determining whether the calling of the redefined scripting internal function is a cross site scripting attack according to a behavior characteristic, the behavior characteristic includes at least one of an application that is called by the redefined scripting internal function, a number of times that the scripting internal function is called, a sensitive information in a visit, or a sensitive information in a transmission.
  - 9. The system of claim 1, wherein the steps further comprise-a issuing a security warning in response to a determination that the calling of the redefined scripting internal function is the cross site scripting attack.
  - 10. The system of claim 1, wherein the steps further comprise:
    - intercepting a subsequent execution of the redefined scripting internal function,terminating rendering of a webpage associated with the service request; and
      
      replacing an attacked webpage with a safe page in response to a determination that a calling of the redefined scripting internal function is a cross site scripting attack.

11. A method for monitoring cross site scripting attacks, comprising:
- receiving and replying to a service request from a client terminal;
  
  redefining a scripting internal function applied by a cross site scripting attack, the redefining of the scripting internal function comprising adding a monitoring code to monitor the calling of the scripting internal function, and the monitoring code being embedded in an application service page of a third party;
  
  returning redefined information for the scripting internal function to the client terminal;
  
  monitoring calling information of the client terminal in relation to the redefined scripting internal function; and
  
  analyzing security of the calling information of the client terminal.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein the redefining of the scripting internal function comprises adding a monitoring code to monitor the calling of the scripting internal function.
  - 13. The method of claim 11, wherein the redefined information in relation to the scripting internal function is formed in a head section of a corresponding webpage associated with a networking server that responds to the service request.
  - 14. The method of claim 11, wherein the calling information of the redefined scripting internal function comprises at least one of a context environment of the scripting internal function, a calling time period of the redefined scripting internal function, a number of calling times for the redefined scripting internal function, a behavior of a client that calls the redefined scripting internal function, or one or more accounts and IP addresses associated with the client.
  - 15. The method of claim 11, further comprising determining whether the calling of the redefined scripting internal function is a cross site scripting attack according to a behavior characteristic, the behavior characteristic includes at least one of an application that is called by the redefined scripting internal function, a number of times that the scripting internal function is called, a sensitive information that the redefined scripting internal function visits, or a sensitive information that the redefined scripting internal function transmits.

16. One or more computer-readable media storing computer-executable instructions that, when executed by one or more processors, instruct the one or more processors to perform acts comprising:
- receiving a service request from a client terminal;
  
  redefining a scripting internal function applied by a cross site scripting attack, the redefining of the scripting internal function comprising adding a monitoring code to monitor the calling of the scripting internal function, and the monitoring code being embedded in an application service page of a third party;
  
  returning redefined information for the scripting internal function to the client terminal;
  
  monitoring calling information of the client terminal in relation to the redefined scripting internal function; and
  
  analyzing security of the calling information of the client terminal.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more computer-readable media of claim 16, wherein the acts further comprises issuing a security warning in response to a determination that the calling of the redefined scripting internal function is the cross site scripting attack.
  - 18. The one or more computer-readable media of claim 17, wherein the acts further comprisesintercepting a subsequent execution of the redefined scripting internal function;
    - terminating rendering of a webpage associated with the webpage; and
      
      replacing an attacked webpage with a safe page in response to a determination that a calling of the redefined scripting internal function is a cross site scripting attack.
  - 19. The one or more computer-readable media of claim 16, wherein the redefining the scripting internal function comprises adding a monitoring code to monitor the calling of the scripting internal function.
  - 20. The one or more computer-readable media of claim 16, wherein the redefined information in relation to the scripting internal function is formed in a head section of a corresponding webpage associated with a networking server that responds to the service request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alibaba Group Holding Ltd.
Original Assignee
Alibaba Group Holding Ltd.
Inventors
Zhu, Rong, Li, Xiaoshuan, Yi, Ziyi, Xu, Tianhe
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Anderson, Michael D

Application Number

US14/094,501
Publication Number

US 20140165192A1
Time in Patent Office

939 Days
Field of Search

726/22
US Class Current

1/1
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/55   Detecting local intrusion o...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

System and method of monitoring attacks of cross site script

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of monitoring attacks of cross site script

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links