Polluting results of vulnerability scans

US 9,485,270 B2
Filed: 09/30/2013
Issued: 11/01/2016
Est. Priority Date: 09/30/2013
Status: Active Grant

First Claim

Patent Images

1. A security device, comprising:

a memory; and

one or more processors, operatively connected to the memory, to;

receive, from a server device, a response to a request,the request being provided by an attacker device and including a plurality of input values input via at least one input field of a website associated with the server device,the response including a reflected input value, of the plurality of input values, that is included in the request and reflected by the response;

determine the plurality of input values included in the request based on information received from the server device,modify the response to form a modified response,the response being modified by adding information associated with a non-reflected input value, of the plurality of input values, that is included in the request but not reflected by the response,the response being modified in an attempt to prevent the attacker device from identifying a vulnerability, associated with the server device, based on the reflected input value being reflected in the response; and

provide the modified response to the attacker device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security device may receive, from a server device, a response to a request. The request may be provided by an attacker device and may include a plurality of input values. The security device may determine the plurality of input values, included in the request, based on receiving the response. The security device may modify the response to form a modified response. The response may be modified to include information associated with the plurality of input values. The response may be modified in an attempt to prevent the attacker device from identifying a vulnerability, associated with the server device, based on the plurality of input values being included in the response. The security device may provide the modified response to the attacker device.

Citations

20 Claims

1. A security device, comprising:
- a memory; and
  
  one or more processors, operatively connected to the memory, to;
  
  receive, from a server device, a response to a request,the request being provided by an attacker device and including a plurality of input values input via at least one input field of a website associated with the server device,the response including a reflected input value, of the plurality of input values, that is included in the request and reflected by the response;
  
  determine the plurality of input values included in the request based on information received from the server device,modify the response to form a modified response,the response being modified by adding information associated with a non-reflected input value, of the plurality of input values, that is included in the request but not reflected by the response,the response being modified in an attempt to prevent the attacker device from identifying a vulnerability, associated with the server device, based on the reflected input value being reflected in the response; and
  
  provide the modified response to the attacker device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The security device of claim 1, where the one or more processors, when modifying the response, are to:
    - modify a first portion of the response by adding information that identifies a first non-reflected input value of the plurality of input values; and
      
      modify a second portion of the response by adding information that identifies a second non-reflected input value of the plurality of input values.
  - 3. The security device of claim 1, where the information, associated with the non-reflected input value, indicates false positives associated with the plurality of input values.
  - 4. The security device of claim 1, where the one or more processors, when modifying the response, are to:
    - randomly select a location within the response; and
      
      insert the information, associated with the non-reflected input value at the location within the response.
  - 5. The security device of claim 1, where the one or more processors, when modifying the response, are to:
    - select a location, within the response, based on information associated with the input value; and
      
      insert the information associated with the non-reflected input value at the location within the response.
  - 6. The security device of claim 1, where the one or more processors are further to:
    - determine information that matches an input value of the plurality of input values provided by the attacker device; and
      
      where the one or more processors, when modifying the response, are to;
      
      modify the response by adding the information that matches the input value.
  - 7. The security device of claim 1,where the one or more processors are further to:
    - determine that a first portion of information associated with the plurality of input values is not to be included in the response;
      
      determine that a second portion of information associated with the plurality of input values is to be included in the response; and
      
      add the second portion of information to the response,the first portion of information not being included in the response.
  - 8. The security device of claim 1, where the plurality of input values include code associated with embedding a script in a document,the code being input by a user of the attacker device into the at least one input field of the web site.
  - 9. The security device of claim 8, where the one or more processors, when modifying the response to form the modified response, are to:
    - modify the code, input into the at least one input field of the website, to prevent the script from being embedded in the document.

10. A non-transitory computer-readable medium storing instructions, the instructions comprising:
- one or more instructions that, when executed by one or more processors, cause the one or more processors to;
  
  receive, from a server device, a response associated with a request provided by an attacker device,the request including a set of inputs input by a user of the attacker device via at least one field of a website associated with the server device,the response including a reflected input, of the set of inputs, that is included in the request and reflected by the response;
  
  obtain information that identifies the set of inputs included in the request based on information received from the server device,modify the response to form a modified response,the response being modified by adding information associated with a non-reflected input, of the set of inputs, that is included in the request but not reflected by the response,the response being modified in an attempt to prevent the attacker device from receiving information that identifies a vulnerability, associated with the server device, based on the reflected input being reflected in the modified response; and
  
  provide the modified response to the attacker device.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The non-transitory computer-readable medium of claim 10, where the one or more instructions, that cause the one or more processors to modify the response, cause the one or more processors to:
    - modify a first portion of the response by adding information that identifies a first non-reflected input included in the set of inputs; and
      
      modify a second portion of the response by adding information that identifies a second non-reflected input included in the set of inputs.
  - 12. The non-transitory computer-readable medium of claim 10, where the information associated with the non-reflected input indicates false positives associated with the set of inputs.
  - 13. The non-transitory computer-readable medium of claim 10, where the one or more instructions, that cause the one or more processors to modify the response, cause the one or more processors to:
    - select a location, within the response, based on the information associated with the non-reflective input; and
      
      insert the information that identifies the non-reflective input at the location within the response.
  - 14. The non-transitory computer-readable medium of claim 10, where the one or more instructions, when executed by the one or more processors, cause the one or more processors to:
    - determine information that matches a particular input included in the set of inputs provided by the attacker device; and
      
      where the one or more instructions, that cause the one or more processors to modify the response, cause the one or more processors to;
      
      modify the response by adding the information that matches the particular input.
  - 15. The non-transitory computer-readable medium of claim 10,where the one or more instructions, when executed by the one or more processors, further cause the one or more processors to:
    - determine that a first portion of information associated with the set of inputs is not to be included in the response;
      
      determine that a second portion of information associated with the set of inputs is to be included in the response; and
      
      add the second portion of information to the response,the first portion of information not being included in the response.

16. A method, comprising:
- receiving, by a security device, a response to a request,the request being provided to a server device by an attacker device and including input values,the input values being input via at least one input field of a website associated with the server device,the response being provided by the server device, andthe response including a reflected input value, of the input values, that is included in the request and reflected by the response;
  
  determining, by the security device, the input values included in the request based on information received from the server device,modifying, by the security device, the response to generate a modified response,the response being modified by adding information associated with a non-reflective input value, of the input values, that is included in the request but not reflected by the response; and
  
  providing, by the security device, the modified response to attempt to cause the attacker device to be unable to identify a vulnerability, associated with the server device, based on the reflected input value being reflected in the response.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16, where modifying the response comprises:
    - modifying a first portion of the response by adding information that identifies a first non-reflective input value of the input values; and
      
      modifying a second portion of the response by adding information that identifies a second non-reflective input value of the input values.
  - 18. The method of claim 16, where modifying the response comprises:
    - selecting a location, within the response, based on information associated with the non-reflective input value; and
      
      inserting information that identifies the non-reflective input value at the location within the response.
  - 19. The method of claim 16, further comprising:
    - determining information that matches an input value of the input values provided by the attacker device; and
      
      where modifying the response comprises;
      
      modifying the response by adding the information that matches the input value.
  - 20. The method of claim 16, where the input values comprise:
    - a first portion of information and a second portion of information; and
      
      where the method further comprises;
      
      determining that the first portion of information is not to be included in the response;
      
      determining that the second portion of information is to be included in the response; and
      
      adding the second portion of information to the response,the first portion of information not being included in the response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Adams, Kyle
Primary Examiner(s)
Patel, Nirav B

Application Number

US14/042,380
Publication Number

US 20150096035A1
Time in Patent Office

1,128 Days
Field of Search

726 22- 25
US Class Current

1/1
CPC Class Codes

G06F 21/554   involving event detection a...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

H04L 63/1491   using deception as counterm...

Polluting results of vulnerability scans

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Polluting results of vulnerability scans

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links