[go: up one dir, main page]

WO2011018316A1 - Web browser security - Google Patents

Web browser security Download PDF

Info

Publication number
WO2011018316A1
WO2011018316A1 PCT/EP2010/060619 EP2010060619W WO2011018316A1 WO 2011018316 A1 WO2011018316 A1 WO 2011018316A1 EP 2010060619 W EP2010060619 W EP 2010060619W WO 2011018316 A1 WO2011018316 A1 WO 2011018316A1
Authority
WO
WIPO (PCT)
Prior art keywords
url
rating
client terminal
web browser
sending
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP2010/060619
Other languages
French (fr)
Inventor
Masood Syed Ghouse
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
WithSecure Oyj
Original Assignee
F Secure Oyj
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by F Secure Oyj filed Critical F Secure Oyj
Publication of WO2011018316A1 publication Critical patent/WO2011018316A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/953Querying, e.g. by the use of web search engines
    • G06F16/9535Search customisation based on user profiles and personalisation
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119Authenticating web pages, e.g. with suspicious links

Definitions

  • the present invention relates to web browser security and in particular to a mechanism for preventing sensitive information being sent from a web browser to a malicious website.
  • FIG. 1 shows an example piece of html code that creates within a displayed webpage a form with two input fields, "firstname” and "lastname", and one submit button.
  • Figure 2 shows how a malicious script may modify the destination URL ("www.example.com/getform.asp") associated with the action, to match a malicious site, in this case "www.stealyourdata.com/getform.asp”.
  • a Cross Site Scripting (XSS) attack may be used.
  • a so-called “reflective" XSS attack can be carried out by enticing the user to click on a link that contains as its root a trusted website address, and in addition a malicious script, e.g. "www.mybank.com/maliciousscript.js.
  • the browser sends a GET request to this URL, and the request is indeed received by a server of mybank.
  • the server expects to receive, appended to the URL, the user's username and password, and reflects these back in the returned webpage, e.g. the page contains the message "hello maliciousscript.js".
  • the browser receives the webpage data, recognises the script, and executes it.
  • Execution of the script results in the display of an otherwise valid webpage, but with the destination URL of one or more forms changed to a malicious URL.
  • this URL is not displayed to the user and, importantly, the address line of the browser window shows only a legitimate URL, e.g. "www.mybank.com/login”.
  • a related, but potentially more dangerous XSS attack is that known as a "type 2" or persistent XSS attack.
  • a type 2 XSS attack takes advantage of the fact that users may post html formatted data at a web application of a web server in a persistent manner. This might be the case for example with a web chat application.
  • a client reads the web page, e.g. chat board, a malicious script may be downloaded and executed by the client's web browser in order to modify the destination URL of a web page form.
  • a number of products designed to reduce the problems discussed above are available.
  • One approach employed is to detect when a user enters potentially sensitive information into a form field. For example the insertion of an "@" character may be detected as indicative of entry of a user's email address, or an algorithm such as an Luhn algorithm used to detect the entry of a credit card number.
  • a warning is displayed to the user, and the user must click the warning away in order to proceed.
  • the majority of form data submitted by a user is likely to be legitimate, such an approach may prove an annoying inconvenience.
  • Summary A "brute force" defence against phishing and pharming attacks of the type described above is to screen destination URLs for all outgoing traffic from the web browser.
  • An improved, or at least supplementary approach that is presented here is to detect either the presence of a form in a webpage or an attempt by a user to submit a form, and to check the associated URL against a database of rated URLs. Depending upon the result of the check, the URL submission can be blocked and/or a warning presented to the user.
  • a method of controlling the sending of sensitive electronic data from a client terminal to a peer over the Internet the client terminal implementing a web browser for displaying and interacting with webpages.
  • the method comprises, at the client terminal, identifying a URL associated with an html form tag of a webpage, and querying a reputation database in order to obtain a rating for the URL.
  • the sending of data entered into the field(s) of the form over the Internet is blocked, and/or a warning displayed to the user.
  • the step of identifying a URL may comprise parsing html code of said webpage to identify a form tag and an associated URL. Alternatively, this step may comprise intercepting and parsing outgoing http data to identify the URL.
  • Said steps of identifying, querying, blocking, and displaying may be carried out by a web browser plugin.
  • the step of querying a reputation database in order to obtain a rating for the URL may comprise formulating a query at the client terminal containing said URL and sending that query, across the Internet, to a reputation server, and, upon receipt of the query at the rating server determining a rating for the URL and sending a response containing the rating to the client terminal.
  • the step of querying a reputation database in order to obtain a rating for the URL may comprise querying a rating database maintained at the client terminal.
  • a computer program for use with a computer provided with a web browser for displaying and interacting with webpages.
  • the computer program causes the computer to identify a URL associated with an html form tag of a webpage, and query a reputation database in order to obtain a rating for the URL.
  • the program blocks the sending of data entered into the field(s) of the form over the Internet and/or displays a warning to the user.
  • the computer program may be implemented as a web browser plugin.
  • a computer storage medium having stored thereon a computer program according to the above second aspect of the invention.
  • a client terminal comprising a computer storage medium according to the above third aspect of the invention.
  • Figure 1 shows an example html code segment that creates within a displayed webpage a form
  • Figure 2 shows an example html code segment with a modified destination URL
  • Figure 3 is a flow diagram illustrating a process for handling webpage form submissions to detect suspicious activities
  • Figure 4 illustrates schematically a client terminal configured to implement the process of Figure 3.
  • Detecting malware and other security threats in a client terminal environment can, if not properly optimised, consume large amounts of computer resources to the point where the performance of the terminal is severely impacted.
  • the brute force monitoring of all outgoing Internet traffic is particularly undesirable given that users have become used to extremely fast broadband browsing experiences.
  • a more efficient approach presented here involves detecting either the presence of form fields in a webpage, or when a web browser is attempting to submit form data across the Internet, and using this as a trigger to "scan" the URL submit destination.
  • Appropriate functionality can be introduced into a client terminal by way of a browser plugin, i.e. a program that makes use of standard interfaces of the browser to enhance the browser's operation. Browser plugin technology is well know to those of skill in the art.
  • Figure 3 presents a flow diagram illustrating an approach employing monitoring submitted forms.
  • the user has clicked on a submit "button" in order to submit the content of a form to a destination URL.
  • the submission is intercepted at step S2.
  • the destination URL for the submission is identified.
  • Browsers provide several methods that can be used to implement steps S2 and S3.
  • One approach employs JavaScript generated 'event notifications'. For example, the onclickO event is triggered whenever a certain element is "clicked". These events can be detected by script code segments in the webpage or by a browser plugin. Whenever a form submission occurs, at least the onsubmit() event is triggered by the browser. This event can be used by a script code segment or JavaScript to intercept the submission as required.
  • a query containing this URL is formulated and sent to a URL associated with a trusted server operated by an anti-virus application provider.
  • the query may be digitally signed (and possibly encrypted) to authenticate the sender to the server.
  • the server receives the query and extracts the destination URL.
  • the server looks up this URL in a website reputation database.
  • the database will have been constructed by the provider from an analysis of publicly available websites, e.g. using a "spider" to collect webpages and some automated malware detection process for analysing collected webpages. Data may also be entered manually into the database, e.g. based upon user reports of good and bad websites.
  • the result of the query is returned to the querying client terminal, again with the message signed (and possibly encrypted) to authenticate the server as the origin.
  • the client terminal must of course verify the signature to authenticate the response.
  • the web browser plugin allows the submission to proceed, i.e. forwarding the submission to the destination URL.
  • the plugin blocks the submission and displays an alert to the user at step S8.
  • the alert may be displayed in separate, pop-up window, or in a dedicated area of the browser frame, e.g. as a "traffic light" indicator.
  • the user may be able to force a submission, at least for unknown URLs.
  • FIG. 4 illustrates schematically a client terminal in the form of a PC 1 (the terminal may of course be any other computer device with Internet connectivity, e.g. a mobile phone).
  • the PC comprises a display 2 on which might be displayed the graphical user interface (GUI) of a web browser 3, e.g. Internet ExplorerTM.
  • GUI graphical user interface
  • a memory component 4 stores a computer software 5 which, when executed, provides a browser plugin for the web browser. As well as implementing the background URI scanning described above, the plugin also modifies the displayed GUI, for example to display an indication that a form submission has been allowed or blocked.
  • the PC further comprises a network interface 6 for coupling the PC to the Internet.
  • An alternative approach to defending against attacks of the type described above involves scanning webpages downloaded into a browser to detect html forms (e.g. using an appropriate browser plugin). This might involve, for example, parsing the Document Object Model (DOM) of a webpage, looking for occurrences of 'form' objects and extracting the 'action' attribute from those objects. This attribute contains the submission URL. If detected, the URL associated with the "action" parameter is extracted, and a query sent to the anti-virus provider server. Separate queries can be sent for each submit URL, or multiple URLs can be rolled into a single query. Similarly, one or more responses can be returned by the server.
  • DOM Document Object Model
  • a user can be warned of a potential threat at an early stage, potentially before the webpage is rendered and displayed in the browser window.
  • the embodiments of the invention described above are able to detect threats when entering and submitting data into any webpage containing a form. They are particularly effective in combating XSS attacks during which a legitimate URL is likely to appear in the web browser's address line. It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the present invention.
  • the web browser plugin may submit this to a local held database and associated query engine. This database may receive regular updates from a service provider, e.g. pushed to it over the Internet.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Medical Informatics (AREA)
  • Data Mining & Analysis (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

A method of controlling the sending of sensitive electronic data from a client terminal to a peer over the Internet, the client terminal implementing a web browser for displaying and interacting with webpages. The method comprises, at the client terminal, identifying a URL associated with an html form tag of a webpage, and querying a reputation database in order to obtain a rating for the URL. In dependence upon the rating, the sending of data entered into the field(s) of the form over the Internet is blocked, and/or a warning displayed to the user.

Description

WEB BROWSER SECURITY Technical Field The present invention relates to web browser security and in particular to a mechanism for preventing sensitive information being sent from a web browser to a malicious website.
Background
Most users of the Internet are by now familiar with so-called "phishing" attacks, where an attacker seeks to gain access to a user's sensitive information, e.g. bank account details, passwords, etc, by sending to the user an unsolicited email containing an innocent looking link. If the user clicks on the link, he or she is directed to a URL that loads a webpage into the user's web browser and which is a copy of a seemingly legitimate webpage. The displayed page may contain fields into which the user is requested to enter sensitive data. The html construct for displaying such fields is the form construct. If the user chooses to submit the form, the sensitive data is sent to a URL associated with the form in the html data. Even if a user clicks on the malicious link in the first instance, he or she may well spot the attack by observing that the address line appearing in the web browser window is not a trusted address. For example, where the trusted address of a user's bank is "www.mybank.com", that appearing in the browser's address line may be "www.mybank1 .com". Moreover, certain security or "anti-virus" applications may be able to detect phishing attacks by both scanning emails and monitoring outgoing browser traffic to detect suspicious URLs, albeit without achieving 100% security.
Attackers are constantly changing and improving their strategies to counteract new security measures. Due to the reduced effectiveness of phishing attacks, many are now resorting to more ingenious forms of attacks. One such attack involves tricking a user into running a piece of code or "script" in his or her web browser which modifies only a part of an otherwise valid webpage. Typically, the part which is modified is the destination URL to which form data is submitted. Figure 1 shows an example piece of html code that creates within a displayed webpage a form with two input fields, "firstname" and "lastname", and one submit button. Figure 2 shows how a malicious script may modify the destination URL ("www.example.com/getform.asp") associated with the action, to match a malicious site, in this case "www.stealyourdata.com/getform.asp".
In order to modify a downloaded website, a Cross Site Scripting (XSS) attack may be used. A so-called "reflective" XSS attack can be carried out by enticing the user to click on a link that contains as its root a trusted website address, and in addition a malicious script, e.g. "www.mybank.com/maliciousscript.js. The browser sends a GET request to this URL, and the request is indeed received by a server of mybank. The server expects to receive, appended to the URL, the user's username and password, and reflects these back in the returned webpage, e.g. the page contains the message "hello maliciousscript.js". The browser receives the webpage data, recognises the script, and executes it. Execution of the script results in the display of an otherwise valid webpage, but with the destination URL of one or more forms changed to a malicious URL. Of course, this URL is not displayed to the user and, importantly, the address line of the browser window shows only a legitimate URL, e.g. "www.mybank.com/login".
A related, but potentially more dangerous XSS attack is that known as a "type 2" or persistent XSS attack. A type 2 XSS attack takes advantage of the fact that users may post html formatted data at a web application of a web server in a persistent manner. This might be the case for example with a web chat application. When a client reads the web page, e.g. chat board, a malicious script may be downloaded and executed by the client's web browser in order to modify the destination URL of a web page form.
A number of products designed to reduce the problems discussed above are available. One approach employed is to detect when a user enters potentially sensitive information into a form field. For example the insertion of an "@" character may be detected as indicative of entry of a user's email address, or an algorithm such as an Luhn algorithm used to detect the entry of a credit card number. A warning is displayed to the user, and the user must click the warning away in order to proceed. Of course, as the majority of form data submitted by a user is likely to be legitimate, such an approach may prove an annoying inconvenience. Summary A "brute force" defence against phishing and pharming attacks of the type described above is to screen destination URLs for all outgoing traffic from the web browser. However, this is slow and inefficient, and may result in a delayed response for all browser requests. An improved, or at least supplementary approach that is presented here is to detect either the presence of a form in a webpage or an attempt by a user to submit a form, and to check the associated URL against a database of rated URLs. Depending upon the result of the check, the URL submission can be blocked and/or a warning presented to the user.
According to a first aspect of the present invention there is provided a method of controlling the sending of sensitive electronic data from a client terminal to a peer over the Internet, the client terminal implementing a web browser for displaying and interacting with webpages. The method comprises, at the client terminal, identifying a URL associated with an html form tag of a webpage, and querying a reputation database in order to obtain a rating for the URL. In dependence upon the rating, the sending of data entered into the field(s) of the form over the Internet is blocked, and/or a warning displayed to the user. The step of identifying a URL may comprise parsing html code of said webpage to identify a form tag and an associated URL. Alternatively, this step may comprise intercepting and parsing outgoing http data to identify the URL.
Said steps of identifying, querying, blocking, and displaying may be carried out by a web browser plugin.
The step of querying a reputation database in order to obtain a rating for the URL may comprise formulating a query at the client terminal containing said URL and sending that query, across the Internet, to a reputation server, and, upon receipt of the query at the rating server determining a rating for the URL and sending a response containing the rating to the client terminal.
The step of querying a reputation database in order to obtain a rating for the URL may comprise querying a rating database maintained at the client terminal. According to a second aspect of the present invention there is provided a computer program for use with a computer provided with a web browser for displaying and interacting with webpages. The computer program causes the computer to identify a URL associated with an html form tag of a webpage, and query a reputation database in order to obtain a rating for the URL. In dependence upon the rating, the program blocks the sending of data entered into the field(s) of the form over the Internet and/or displays a warning to the user.
The computer program may be implemented as a web browser plugin.
According to a third aspect of the present invention there is provided a computer storage medium having stored thereon a computer program according to the above second aspect of the invention. According to a fourth aspect of the present invention there is provided a client terminal comprising a computer storage medium according to the above third aspect of the invention.
Brief Description of the Drawings
Figure 1 shows an example html code segment that creates within a displayed webpage a form;
Figure 2 shows an example html code segment with a modified destination URL;
Figure 3 is a flow diagram illustrating a process for handling webpage form submissions to detect suspicious activities;
Figure 4 illustrates schematically a client terminal configured to implement the process of Figure 3.
Detailed Description
Detecting malware and other security threats in a client terminal environment can, if not properly optimised, consume large amounts of computer resources to the point where the performance of the terminal is severely impacted. As has been discussed above, the brute force monitoring of all outgoing Internet traffic is particularly undesirable given that users have become used to extremely fast broadband browsing experiences. A more efficient approach presented here involves detecting either the presence of form fields in a webpage, or when a web browser is attempting to submit form data across the Internet, and using this as a trigger to "scan" the URL submit destination. Appropriate functionality can be introduced into a client terminal by way of a browser plugin, i.e. a program that makes use of standard interfaces of the browser to enhance the browser's operation. Browser plugin technology is well know to those of skill in the art.
Figure 3 presents a flow diagram illustrating an approach employing monitoring submitted forms. At step S1 , the user has clicked on a submit "button" in order to submit the content of a form to a destination URL. The submission is intercepted at step S2. At step S3, the destination URL for the submission is identified. Browsers provide several methods that can be used to implement steps S2 and S3. One approach employs JavaScript generated 'event notifications'. For example, the onclickO event is triggered whenever a certain element is "clicked". These events can be detected by script code segments in the webpage or by a browser plugin. Whenever a form submission occurs, at least the onsubmit() event is triggered by the browser. This event can be used by a script code segment or JavaScript to intercept the submission as required.
At step S4 a query containing this URL is formulated and sent to a URL associated with a trusted server operated by an anti-virus application provider. The query may be digitally signed (and possibly encrypted) to authenticate the sender to the server. At step S5, the server receives the query and extracts the destination URL. The server looks up this URL in a website reputation database. The database will have been constructed by the provider from an analysis of publicly available websites, e.g. using a "spider" to collect webpages and some automated malware detection process for analysing collected webpages. Data may also be entered manually into the database, e.g. based upon user reports of good and bad websites.
The result of the query is returned to the querying client terminal, again with the message signed (and possibly encrypted) to authenticate the server as the origin. The client terminal must of course verify the signature to authenticate the response. At step S6, if the response indicates that the URL is trusted, the web browser plugin allows the submission to proceed, i.e. forwarding the submission to the destination URL. If on the other hand the response indicates that the destination URL is malicious, suspicious, or unknown, the plugin blocks the submission and displays an alert to the user at step S8. The alert may be displayed in separate, pop-up window, or in a dedicated area of the browser frame, e.g. as a "traffic light" indicator. In response to the alert, the user may be able to force a submission, at least for unknown URLs.
Figure 4 illustrates schematically a client terminal in the form of a PC 1 (the terminal may of course be any other computer device with Internet connectivity, e.g. a mobile phone). The PC comprises a display 2 on which might be displayed the graphical user interface (GUI) of a web browser 3, e.g. Internet Explorer™. A memory component 4 stores a computer software 5 which, when executed, provides a browser plugin for the web browser. As well as implementing the background URI scanning described above, the plugin also modifies the displayed GUI, for example to display an indication that a form submission has been allowed or blocked. The PC further comprises a network interface 6 for coupling the PC to the Internet.
An alternative approach to defending against attacks of the type described above involves scanning webpages downloaded into a browser to detect html forms (e.g. using an appropriate browser plugin). This might involve, for example, parsing the Document Object Model (DOM) of a webpage, looking for occurrences of 'form' objects and extracting the 'action' attribute from those objects. This attribute contains the submission URL. If detected, the URL associated with the "action" parameter is extracted, and a query sent to the anti-virus provider server. Separate queries can be sent for each submit URL, or multiple URLs can be rolled into a single query. Similarly, one or more responses can be returned by the server. According to this approach, a user can be warned of a potential threat at an early stage, potentially before the webpage is rendered and displayed in the browser window. The embodiments of the invention described above are able to detect threats when entering and submitting data into any webpage containing a form. They are particularly effective in combating XSS attacks during which a legitimate URL is likely to appear in the web browser's address line. It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the present invention. For example, rather than sending the query containing the destination URL to a remote server, the web browser plugin may submit this to a local held database and associated query engine. This database may receive regular updates from a service provider, e.g. pushed to it over the Internet.

Claims

Claims
1. A method of controlling the sending of sensitive electronic data from a client terminal to a peer over the Internet, the client terminal implementing a web browser for displaying and interacting with webpages, the method comprising:
at the client terminal, identifying a URL associated with an html form tag of a webpage;
querying a reputation database in order to obtain a rating for the URL; and in dependence upon the rating, blocking the sending of data entered into the field(s) of the form over the Internet and/or displaying a warning to the user.
2. A method according to claim 1 , said step of identifying a URL comprising parsing html code of said webpage to identify a form tag and an associated URL.
3. A method according to claim 1 , said step of identifying a URL comprising intercepting and parsing outgoing http data to identify the URL.
4. A method according to any one of the preceding claims, wherein said steps of identifying, querying, blocking, and displaying are carried out by a web browser plugin.
5. A method according to any one of the preceding claims, said step of querying a reputation database in order to obtain a rating for the URL comprising formulating a query at the client terminal containing said URL and sending that query, across the Internet, to a reputation server, and, upon receipt of the query at the rating server determining a rating for the URL and sending a response containing the rating to the client terminal.
6. A method according to any one of the preceding claims, said step of querying a reputation database in order to obtain a rating for the URL comprising querying a rating database maintained at the client terminal.
7. A computer program for use with a computer provided with a web browser for displaying and interacting with webpages, the computer program causing the computer to:
identify a URL associated with an html form tag of a webpage;
query a reputation database in order to obtain a rating for the URL; and in dependence upon the rating, block the sending of data entered into the field(s) of the form over the Internet and/or display a warning to the user.
8. A computer program according to claim 8, the computer program being implemented as a web browser plugin.
9. A computer storage medium having stored thereon a computer program according to claim 7 or 8.
10. A client terminal comprising a computer storage medium according to claim 9.
PCT/EP2010/060619 2009-08-12 2010-07-22 Web browser security Ceased WO2011018316A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI20093350 2009-08-12
MYPI20093350 2009-08-12

Publications (1)

Publication Number Publication Date
WO2011018316A1 true WO2011018316A1 (en) 2011-02-17

Family

ID=43858387

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2010/060619 Ceased WO2011018316A1 (en) 2009-08-12 2010-07-22 Web browser security

Country Status (1)

Country Link
WO (1) WO2011018316A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013053278A1 (en) * 2011-10-14 2013-04-18 腾讯科技(深圳)有限公司 Network security identification method, security detection server, client and system
EP2648128A1 (en) * 2012-04-02 2013-10-09 Trusteer Ltd. Detection of phishing attempts
WO2015000428A1 (en) * 2013-07-05 2015-01-08 腾讯科技(深圳)有限公司 Data processing method, server and system
CN110348239A (en) * 2019-06-13 2019-10-18 平安普惠企业管理有限公司 Desensitize regular configuration method and data desensitization method, system, computer equipment
US20220232038A1 (en) * 2021-01-21 2022-07-21 Mcafee, Llc Web Conference Security

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060253446A1 (en) * 2005-05-03 2006-11-09 E-Lock Corporation Sdn. Bhd.. Internet security
US20060253578A1 (en) * 2005-05-03 2006-11-09 Dixon Christopher J Indicating website reputations during user interactions
US20090055928A1 (en) * 2007-08-21 2009-02-26 Kang Jung Min Method and apparatus for providing phishing and pharming alerts

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060253446A1 (en) * 2005-05-03 2006-11-09 E-Lock Corporation Sdn. Bhd.. Internet security
US20060253578A1 (en) * 2005-05-03 2006-11-09 Dixon Christopher J Indicating website reputations during user interactions
US20090055928A1 (en) * 2007-08-21 2009-02-26 Kang Jung Min Method and apparatus for providing phishing and pharming alerts

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013053278A1 (en) * 2011-10-14 2013-04-18 腾讯科技(深圳)有限公司 Network security identification method, security detection server, client and system
US9154522B2 (en) 2011-10-14 2015-10-06 Tencent Technology (Shenzhen) Company Limited Network security identification method, security detection server, and client and system therefor
EP2648128A1 (en) * 2012-04-02 2013-10-09 Trusteer Ltd. Detection of phishing attempts
US9111090B2 (en) 2012-04-02 2015-08-18 Trusteer, Ltd. Detection of phishing attempts
WO2015000428A1 (en) * 2013-07-05 2015-01-08 腾讯科技(深圳)有限公司 Data processing method, server and system
CN110348239A (en) * 2019-06-13 2019-10-18 平安普惠企业管理有限公司 Desensitize regular configuration method and data desensitization method, system, computer equipment
CN110348239B (en) * 2019-06-13 2023-10-27 张建军 Desensitization rule configuration method, data desensitization method, system and computer equipment
US20220232038A1 (en) * 2021-01-21 2022-07-21 Mcafee, Llc Web Conference Security

Similar Documents

Publication Publication Date Title
US12348561B1 (en) Detection of phishing attacks using similarity analysis
US20060070126A1 (en) A system and methods for blocking submission of online forms.
Milletary et al. Technical trends in phishing attacks
US8448245B2 (en) Automated identification of phishing, phony and malicious web sites
US9270691B2 (en) Web based remote malware detection
Wu et al. Effective defense schemes for phishing attacks on mobile computing platforms
EP2859494B1 (en) Dashboards for displaying threat insight information
Weider et al. A phishing vulnerability analysis of web based systems
US20160119344A1 (en) System and method for web application security
US20120222117A1 (en) Method and system for preventing transmission of malicious contents
US20100235918A1 (en) Method and Apparatus for Phishing and Leeching Vulnerability Detection
WO2009039434A2 (en) System and method for detecting security defects in applications
GB2461422A (en) Phishing/key logging countermeasure compares keyboard input stream to sensitive data and issues alert before data is completely entered
De Ryck et al. Tabshots: Client-side detection of tabnabbing attacks
SatheeshKumar et al. A lightweight and proactive rule-based incremental construction approach to detect phishing scam
WO2011018316A1 (en) Web browser security
Soni et al. A phishing analysis of web based systems
Siddiqui et al. Cross site request forgery: A common web application weakness
US20070245343A1 (en) System and Method of Blocking Keyloggers
Canfora et al. A set of features to detect web security threats
US10474810B2 (en) Controlling access to web resources
Montazer et al. Identifying the critical indicators for phishing detection in Iranian e-banking system
Ismaila et al. Vulnerability assessment of some key nigeria government websites
Abufardeh et al. The State of Phishing Attacks and Countermeasures
Singh et al. A literature survey on anti-phishing browser extensions

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10737546

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10737546

Country of ref document: EP

Kind code of ref document: A1