Systems and methods for automated detection of login sequence for web form-based authentication

US 9,807,085 B2
Filed: 03/14/2014
Issued: 10/31/2017
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method for determining a login sequence, the method comprising:

(a) receiving in memory coupled to a processor of a client device, a model of a web artifact, the model comprising at least one of;

(i) a structure of the web artifact, and (ii) one or more events associated with an element of the structure, the processor of the client device being different from another processor transmitting the web artifact;

(b) identifying by the processor of the client device, a password field in the model, and a form associated with the password field, the form comprising a set of distinct input fields, each distinct input field having a respective type selected from a group consisting of;

(i) an unspecified type, (ii) a text type, and (iii) an email type, one field in the set being the identified password field;

(c) determining by the processor of the client device a total number of distinct input fields in the form, the determined total number identifying a count of the distinct input fields in the form;

(d) ascertaining by the processor of the client device that the determined total number equals a specified total number of distinct input fields provided in user credentials stored in the memory;

(e) identifying by the processor of the client device a submit element in the form;

(f) attempting login at a website corresponding to the web artifact by supplying by the processor of the client device the user credentials stored in the memory to the web artifact.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system for automating login can determine if a web artifact, such as a web page, includes a login form, by identifying a password field, a user ID field, and a submit button or another element providing the functionality to submit credentials for authorization. Submission of user credentials may be emulated, and access to password protected areas can be ascertained, e.g., by identifying any element that permits signing out from the password protected area.

Citations

20 Claims

1. A method for determining a login sequence, the method comprising:
- (a) receiving in memory coupled to a processor of a client device, a model of a web artifact, the model comprising at least one of;
  
  (i) a structure of the web artifact, and (ii) one or more events associated with an element of the structure, the processor of the client device being different from another processor transmitting the web artifact;
  
  (b) identifying by the processor of the client device, a password field in the model, and a form associated with the password field, the form comprising a set of distinct input fields, each distinct input field having a respective type selected from a group consisting of;
  
  (i) an unspecified type, (ii) a text type, and (iii) an email type, one field in the set being the identified password field;
  
  (c) determining by the processor of the client device a total number of distinct input fields in the form, the determined total number identifying a count of the distinct input fields in the form;
  
  (d) ascertaining by the processor of the client device that the determined total number equals a specified total number of distinct input fields provided in user credentials stored in the memory;
  
  (e) identifying by the processor of the client device a submit element in the form;
  
  (f) attempting login at a website corresponding to the web artifact by supplying by the processor of the client device the user credentials stored in the memory to the web artifact.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the web artifact comprises at least one of a web page and a web application.
  - 3. The method of claim 1, wherein the structure comprises a document object model (DOM) of the web artifact.
  - 4. The method of claim 1, wherein an event from the one or more events comprises a JavaScript event.
  - 5. The method of claim 1, wherein identifying one or more input fields comprises identifying an input field of at least one of:
    - (i) an unspecified type, (ii) a text type, and (iii) an email type.
  - 6. The method of claim 1, wherein identifying the submit element comprises identifying at least one of an input field, an element of type button, an element associated with an onClickevent, and a link.
  - 7. The method of claim 1, wherein:
    - the web artifact comprises a webpage;
      
      the model comprises a plurality of iframes associated with the webpage; and
      
      identifying a password field in the model in step (b) comprises identifying a password field in at least one iframe.
  - 8. The method of claim 1, further comprising executing by the processor of the client device at least one click on a non-login artifact to retrieve the web artifact.
  - 9. The method of claim 1, further comprising generating a login script by outputting by the processor of the client device:
    - one or more first commands, each first command corresponding to a different one of the identified input fields;
      
      a second command corresponding to the password field; and
      
      a third command corresponding to the submit element.
  - 10. The method of claim 9, wherein each one of the first commands and the second command comprises at least a portion of user credentials stored in the memory.
  - 11. The method of claim 10, wherein the user credentials comprise a user name and a corresponding password.
  - 12. The method of claim 1, further comprising:
    - verifying the attempted login at the web artifact using a first non-login artifact received in response to the supplied user credentials.
  - 13. The method of claim 12, wherein verifying the attempted login comprises:
    - storing in the memory an access handle to the first non-login artifact; and
      
      testing if the first non-login artifact comprises a sign-out element.
  - 14. The method of claim 13, wherein the access handle comprises a uniform resource locator (URL).
  - 15. The method of claim 13, wherein the sign-out element comprises at least one of a field, a button, and a link, and the sign-out element is associated with a string selected from the group consisting of:
    - “
      
      signout,”
      
      “
      
      sign out,”
      
      “
      
      logout,”
      
      “
      
      log out,”
      
      “
      
      my profile,”
      
      “
      
      your profile,”
      
      “
      
      edit profile,”
      
      “
      
      my account,”
      
      “
      
      your account,”
      
      “
      
      edit account,”
      
      “
      
      my settings,”
      
      “
      
      your settings,”
      
      “
      
      edit settings,” and
      
      “
      
      account settings”
      
      .
  - 16. The method of claim 13, further comprising:
    - seeking by the processor of the client device access to the stored access handle and, in response, receiving a second non-login artifact; and
      
      testing by the processor of the client device that the second non-login artifact lacks any sign out elements.
  - 17. The method of claim 16, further comprising generating a verification script by outputting by the processor of the client device:
    - a command to seek the stored access handle; and
      
      at least one command testing a lack of a particular sign-out element.

18. A system for determining a login sequence, comprising:
- a memory comprising a model of a web artifact transmitted by a server at a website associated with the web artifact, the model comprising at least one of;
  
  (i) a structure of the web artifact, and (ii) one or more events associated with an element of the structure; and
  
  a processor different from the server coupled to the memory and configured to;
  
  identify a password field in the model, and a form associated with the password field, the form comprising a set of distinct input fields, each distinct input field having a respective type selected from a group consisting of;
  
  (i) an unspecified type, (ii) a text type, and (iii) an email type, one field in the set being the identified password field;
  
  determine a total number of distinct input fields in the form;
  
  the determined total number identifying a count of the distinct input fields in the form;
  
  ascertain that the determined total number equals a specified total number of distinct input fields provided in user credentials stored in the memory;
  
  identify a submit element in the form; and
  
  attempt login at the website corresponding to the web artifact by supplying user credentials stored in the memory to the web artifact.
- View Dependent Claims (19, 20)
- - 19. The system of claim 18, wherein the processor is further configured to:
    - generate one or more first commands, each first command corresponding to a different one of the identified input fields;
      
      generate a second command corresponding to the password field;
      
      generate a third command corresponding to the submit element; and
      
      output a login script comprising the one or more first commands, the second command, and the third command.
  - 20. The system of claim 18, wherein the processor is further configured to:
    - verify the web artifact using a first non-login artifact received in response to the supplied user credentials; and
      
      output a verification script if the verification is successful.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veracode Incorporated (Broadcom, Inc.)
Original Assignee
Veracode Incorporated (Broadcom, Inc.)
Inventors
Linszner, Daniel
Primary Examiner(s)
Rahman, Mahfuzur
Assistant Examiner(s)
Victoria, Narciso

Application Number

US14/213,388
Publication Number

US 20140282975A1
Time in Patent Office

1,327 Days
Field of Search

726 7
US Class Current
CPC Class Codes

H04L 63/083 using passwords cryptograph...

H04L 67/02 based on web technology, e....

Systems and methods for automated detection of login sequence for web form-based authentication

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for automated detection of login sequence for web form-based authentication

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links