TITLE: Automated detection of cross site scripting vulnerabilities
PATENT NUMBER: 7343626
DOCUMENT TYPE: Reexamination Certificate
FILED: 2002-11-12
ISSUED: 2008-03-11
EXAMINER: Vu, Kim (Department: 2135)
CLASSIFICATION: Information security – Monitoring or scanning of software or data including attack... – Vulnerability assessment
CLASSIFICATION CODES: C726S022000, C726S023000, C726S024000, C726S026000, C713S151000, C713S165000, C713S167000, C713S188000, C709S225000, C707S793000
STATUS: active
ABSTRACT:
An automated method and system for testing a web site for vulnerability to a cross site scripting (XSS) attack are disclosed. The automated tool injects a tracer value into both GET and POST form data, and monitors the resultant HTML to determine whether the tracer value is returned to the local machine by the server to which it was sent. If the tracer value is returned, the automated tool attempts to exploit the web site by injecting a non-malicious script as part of an input value for some form data, based on the location in the returned HTML in which the returned tracer value was found. If the exploit is successful, as indicated by the non-malicious script, the automated tool logs the exploit to a log file that a user can review at a later time, e.g., to assist in debugging the web site.
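The two-phase procedure the abstract describes (inject a tracer to find where input is echoed, then inject a benign probe shaped for that echo context and confirm it executes), as an added Python example. This is not code from the patent or from any Microsoft tool. It assumes an in-process stand-in for the site under test (`mock_app`, constructed here), the form fields `q`, `name` and `comment`, and the probe function name `xss_probe`, all of which are hypothetical; and because it cannot load the response in a rendering engine the way the patented tool does, it treats the probe as executed when the canary call ends up inside a parsed `<script>` element rather than as escaped text.

```python
import html
import secrets
from html.parser import HTMLParser


def mock_app(method, params):
    """Constructed stand-in for the site under test (hypothetical). A real scanner would send an
    HTTP GET/POST and read the body; this returns what a sloppy application would emit."""
    q = params.get("q", "")              # reflected raw: once in an attribute, once in text
    name = params.get("name", "")        # HTML-escaped: reflected but not exploitable
    comment = params.get("comment", "")  # reflected raw inside a JavaScript string literal
    return (
        "<html><body>"
        f'<form method="GET"><input name="q" value="{q}"></form>'
        f"<p>Results for {q}</p>"
        f'<form method="POST"><input name="name" value="{html.escape(name)}">'
        f'<script>var draft = "{comment}";</script></form>'
        "</body></html>"
    )


TARGETS = [("GET", ["q"]), ("POST", ["name", "comment"])]  # (method, form fields) to probe


class TracerLocator(HTMLParser):
    """Records where the tracer lands (attribute value plus its quote character, element text,
    or <script> body) and collects every <script> body for the exploit check."""

    def __init__(self, tracer):
        super().__init__()
        self.tracer = tracer
        self.contexts = []       # (context, quote_char) pairs
        self.scripts = []        # raw body of each <script> element
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        raw = self.get_starttag_text() or ""
        for attr, value in attrs:
            if value and self.tracer in value:
                # The quote style decides which character the breakout payload must use.
                quote = '"' if f'{attr}="' in raw else "'" if f"{attr}='" in raw else ""
                self.contexts.append(("attr", quote))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)
            if self.tracer in data:
                self.contexts.append(("script", None))
        elif self.tracer in data:
            self.contexts.append(("text", None))


def payloads_for(context, quote, canary):
    """Benign payloads shaped for one reflection context, most likely first."""
    probe = f"<script>{canary}</script>"
    if context == "text":
        return [probe]
    if context == "attr":    # close the attribute and its tag, then inject
        return [f"{q}>{probe}" for q in ([quote] if quote else ['"', "'"])]
    if context == "script":  # end the string literal, call the probe, comment out the rest
        return [f'";{canary};//', f"';{canary};//"]
    return []


def scan(app, targets, tracer=None):
    """Phase 1: inject a tracer per field and record where it is echoed. Phase 2: for each echo
    context inject a benign probe and confirm it became executable script. Returns findings."""
    tracer = tracer or "xsstr" + secrets.token_hex(4)   # unlikely to occur in a page by chance
    canary = f"xss_probe('{tracer}')"                    # hypothetical probe function name
    findings = []
    for method, fields in targets:
        for field in fields:
            baseline = {f: "" for f in fields}
            locator = TracerLocator(tracer)
            locator.feed(app(method, {**baseline, field: tracer}))
            if not locator.contexts:
                continue                                 # not reflected: nothing to exploit
            for context, quote in locator.contexts:
                for payload in payloads_for(context, quote, canary):
                    check = TracerLocator(tracer)
                    check.feed(app(method, {**baseline, field: payload}))
                    # Stand-in for the rendering-engine check: the canary must sit inside a
                    # real <script> element, not merely be echoed as escaped text.
                    if any(canary in body for body in check.scripts):
                        findings.append({"method": method, "param": field,
                                         "context": context, "payload": payload})
                        break
    return findings


def format_log(findings):
    """One line per confirmed exploit, in the form a developer would review later."""
    return [f"XSS {f['method']} param={f['param']} context={f['context']} payload={f['payload']!r}"
            for f in findings]


if __name__ == "__main__":
    for line in format_log(scan(mock_app, TARGETS)):
        print(line)
```

Run as written, the scan reports `q` twice (attribute and text context) and `comment` once (JavaScript string context), and stays silent on `name`: the tracer is echoed there too, but the breakout payload comes back as `&quot;&gt;&lt;script&gt;...`, so no script element is created. That distinction between "reflected" and "exploitable" is the reason for the second phase. To point it at a live site, replace `mock_app` with a function that sends the parameters using `requests.get(url, params=params)` or `requests.post(url, data=params)` and returns `response.text`; the scan logic is unchanged.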
REFERENCES:
patent: 6058482 (2000-05-01), Liu
patent: 6311278 (2001-10-01), Raanan et al.
patent: 6996845 (2006-02-01), Hurst et al.
patent: 2002/0004908 (2002-01-01), Galea
patent: 2002/0010855 (2002-01-01), Reshef et al.
patent: 2003/0037236 (2003-02-01), Simon et al.
patent: 2003/0120947 (2003-06-01), Moore et al.
patent: 2003/0159063 (2003-08-01), Apfelbaum et al.
Amit Klein, Cross Site Scripting Explained, Jun. 2002, Sanctum Inc.
Paul Lee, Cross-site scripting, Sep. 1, 2002, IBM Global Services.
CERT Coordination Center, How to remove meta-characters from user-supplied data in scripts, Feb. 13, 1998.
European Search Report (03023125.2), dated Apr. 24, 2006.
The Cross Site Scripting FAQ, CGISecurity, May 2002, 5 pages.
CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests, Feb. 2, 2002, pp. 1-8.
HTML Rendering Engine, printed from http://msdn.microsoft.com/library/en-us/westudio/htm/—HTML—Controls—Trident—.asp on Nov. 12, 2002, 1 page.
T. Dyck, “First Crack in OpenHack”, News Analysis, Eweek, p. 9, Oct. 28, 2002.
Cross-Site Scripting Security Exposure Executive Summary, printed from http://www.microsoft.com/technet/security/topics/exsumcs.asp?frame=true on Nov. 9, 2002, 3 pages.
Sanctum Inc.—Save Your Site, printed from http://www.sanctuminc.com/solutions/appscan/index.html on Nov. 9, 2002, 2 pages.
Sanctum, Web Application Security Testing, © 2002, 2 pages.
WhiteHat Community printed from http://community.whitehatsec.com/wharsenal/02/03/06/1856227.shtml on Nov. 9, 2002, 4 pages.
A. Klein, “Cross Site Scripting Explained”, Sanctum, Jun. 2002, 10 pages.
Perl.com: Preventing Cross-site Scripting Attacks [Feb. 20, 2002], printed from http://www.perl.com/pub/a/2002/02/20/css.html on Nov. 9, 2002, 6 pages.
D. Scott, et al., "Abstracting Application-Level Web Security", WWW 2002, May 7-11, 2002, pp. 396-407.
EXAMINERS: Beemnet W. Dada; Kim Vu
LandOfFree profile: LFUS-PAI-O-3979050 (no ratings, reviews or comments yet for "Automated detection of cross site scripting vulnerabilities").