[go: up one dir, main page]

WO2013091709A1 - Procédé et appareil permettant la transformation dynamique en temps réel du code d'un document web - Google Patents

Procédé et appareil permettant la transformation dynamique en temps réel du code d'un document web Download PDF

Info

Publication number
WO2013091709A1
WO2013091709A1 PCT/EP2011/073824 EP2011073824W WO2013091709A1 WO 2013091709 A1 WO2013091709 A1 WO 2013091709A1 EP 2011073824 W EP2011073824 W EP 2011073824W WO 2013091709 A1 WO2013091709 A1 WO 2013091709A1
Authority
WO
WIPO (PCT)
Prior art keywords
obfuscation
document
web
code
obfuscated
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/EP2011/073824
Other languages
English (en)
Inventor
Antonio Felguera Segador
David HERNANDO DAVALILLO
Marta PALANQUES VILALLONGA
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fundacio Barcelona Digital Centre Tecnologic
Original Assignee
Fundacio Barcelona Digital Centre Tecnologic
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fundacio Barcelona Digital Centre Tecnologic filed Critical Fundacio Barcelona Digital Centre Tecnologic
Priority to PCT/EP2011/073824 priority Critical patent/WO2013091709A1/fr
Publication of WO2013091709A1 publication Critical patent/WO2013091709A1/fr
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/14Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation

Definitions

  • the present invention relates generally to secure internet browsing, and in particular, to enhancing browsing security by transforming the morphology of a web application code.
  • FIG. 1 depicts a standard architecture 100 for accessing a web application which may be used, for example, for navigating the Internet.
  • a piece of software called a browser 111
  • a user's computing device 110 such as personal computer PC
  • the browser 111 establishes a communication link 140 from the user's device 110 to a web server 120 hosted by any web application provider.
  • the link 140 is established over a network 130, which is typically the Internet, but which can also refer to any sort of public or private network.
  • the most common browsers used are Internet Explorer from Microsoft, Firefox from Mozilla, Chrome from Google, or Safari from Apple.
  • Interaction between the browser 111 and the server 120 typically follows a series of steps that starts when the browser requests some contents, i.e. a specific web page.
  • the server then generates and/or retrieves the requested contents, depending on whether those are dynamic or static, and sends them as a response to the browser.
  • To retrieve a web page, which is composed by a set of web documents the user introduces an address, or Universal Resource Locator URL, into the browser triggering a request to be sent from the PC's browser to the web server via the Hypertext Transfer Protocol HTTP.
  • the web server 120 receives and processes the request and either recovers the document from a local storage or generates it dynamically.
  • the web server 120 transmits the document to the user's PC 110 via link 140.
  • the browser on the PC receives the document, it processes its contents to end up rendering it in the user device's 110 display.
  • One protection typically applied to the channel established between the browser and the web application server is the use of ciphering protocols, so that information cannot be sniffed or modified throughout the channel.
  • the contents need to be deciphered for processing by the browser.
  • cryptographic tools may enable confidentiality and verification of integrity
  • a security gap exists between the endpoints of the actual channel (the user and the server) and the actual endpoints of the secure channel offered by these technologies (the browser and the server). This means that ciphering protocols cannot protect data once it reaches the browser and is deciphered. Therefore, a need exists to provide further security after deciphering occurs and before and while the user interacts with the application.
  • malware is illegitimately installed on the user device and manipulates the browser, which in turn enables it to log contents, or modify contents, be it either contents to be transmitted or received content.
  • a typical attack could be an attacker targeting a financial application in order to deviate legitimate money transfer operations to a different account.
  • the attacker first automatically changes the account number in a form.
  • Crafting such an attack requires analysis of the source code of the web page showing the form, in order to identify the variable to be changed, and of the corresponding confirmation screen, where the opposite substitution has to be made to prevent the user from noticing the attack. This task is usually facilitated due to human factors related to code development habits.
  • the invention provides methods and devices that implement various aspects, embodiments, and features of the invention, and are implemented by various means. For example, these techniques may be implemented in hardware, software, firmware, or a combination thereof.
  • the processing units may be implemented within one or more application specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field programmable gate arrays (FPGAs), processors, controllers, microcontrollers, microprocessors, other electronic units designed to perform the functions described herein, or a combination thereof.
  • ASICs application specific integrated circuits
  • DSPs digital signal processors
  • DSPDs digital signal processing devices
  • PLDs programmable logic devices
  • FPGAs field programmable gate arrays
  • processors controllers, microcontrollers, microprocessors, other electronic units designed to perform the functions described herein, or a combination thereof.
  • the various means may comprise modules (e.g. procedures, functions, and so on) that perform the functions described herein.
  • the software codes may be stored in a memory unit and executed by a processor.
  • the memory unit may be implemented within the processor or external to the processor.
  • FIG. 1 is a general overview of an Internet navigation system of the prior art.
  • FIG. 2 depicts the Obfuscation Server and web application server interaction according to the main embodiment of the invention.
  • FIG. 3 depicts a detailed view of the Obfuscation Server.
  • FIG. 4 depicts a process for code transformation determination.
  • FIG. 5 depicts a process implemented by the Parameter Translation Modules according to one aspect of the invention.
  • FIG. 6 depicts the information flow and exchange according to the main embodiment of the invention.
  • FIG. 7 depicts the steps performed by the Session Object upon receiving a web page request.
  • FIG. 8 depicts a method of delivering an obfuscated document.
  • FIG. 9 depicts a complementary method of delivering an obfuscated document applied to user requests.
  • FIG. 10 depicts the steps performed during document caching according to a first aspect of the invention.
  • FIG. 11 the steps performed during document caching according to a second aspect of the invention.
  • FIG. 12 depicts the caching process when a document with static contents is requested for the first time.
  • FIG. 13 depicts the caching process when a document with static contents is requested again.
  • web document refers to the data files hosted on diverse computing devices on the Internet and which are served to end users by transmission to their computing devices so that they can be displayed for viewing on the user device's display.
  • web page refers to a set of web documents which, when processed together, result in one screen display. These documents may follow different formatting; moreover, they can use different coding languages.
  • web application will be used to refer to a set of related web pages that offer in conjunction a certain functionality to the user.
  • the term "browser” refers to the software, computer program, or application, which permits the content files received to be displayed on the user device's display.
  • the browser typically performs a number of data processing actions for converting the received data file to a format ready for display.
  • the browser responds to user interaction with the web page executing scripts or requesting a new web page.
  • malware will be used to refer to any code, such as software code or computer program, which is hosted by a legitimate user and which executes actions in detriment of the host, thereby exhibiting malicious behaviour. From the following description, it will be understood by the person skilled in the art that although any one preferred aspect of the invention already provides solutions to at least some of the problems of the devices and methods of the prior art, the combination of multiple aspects herein disclosed results in additional synergistic advantageous effects over the prior art, as will be described in the following.
  • Obfuscation techniques consist in applying a series of transformations to source code such that it becomes unintelligible and hence harder to reverse engineer while visual appearance and functionality of the code are maintained. These latter characteristics are necessary to make this solution transparent to the user. Moreover, one distinguishing feature of obfuscation, when compared to encryption, is the fact that contents do not need to be de-obfuscated for execution, interpretation and/or use. On the contrary, the transformations applied are such that obfuscated code can be executed and works properly without need to transform it back to the original code. These characteristics have been identified and exploited in the present invention.
  • the present invention provides an Obfuscation Server 220 and a corresponding method for real-time transforming the code generated by a web server before it is delivered to the user device, the code being used to provide a web page, or web application, to at least one user of a computing device. Since the invention is configured to act as an intermediate layer between the client device and the web server, similar to a proxy, it advantageously provides transparency to both of them.
  • the Obfuscation Server may be integrated within web application servers which receive web page requests, generate content therefrom, and provide the contents in return to the client devices.
  • the Obfuscation Server may be implemented external to web application servers, interacting with them as necessary to provide the advantageous functionalities of the invention.
  • some functionalities of the Obfuscation Server may be partially integrated within web application servers, and the remaining functionalities may be implemented external to these web application servers.
  • FIG. 2 depicts the main components of a web server 120 necessary to manage the data flow from a document's request to its delivery.
  • a request for a web application is normally transmitted by a computing device as an HTTP request comprising a universal resource locator, URL.
  • this request is received by the web server 120, it is pre-treated by an input processor 211.
  • the content generator 212 creates the web page document to be sent to the user device 1 10 in response, as a function of the requested URL and the parameters comprised within.
  • This document is then processed by the output processor 213, where it is again treated before it is sent to the user.
  • the input and output processor perform a set of operations intended to ease operation of the content generator, for instance, packet header manipulation. Moreover, these processors can be modified to add new and customized operations, also called filters.
  • FIG. 2 depicts also the integration of the Obfuscation Server 220 with the web server 120 according to an embodiment of the invention.
  • the Obfuscation Server 220 is placed in parallel to the web server, as it interacts both at the input as well as the output end of the server 120.
  • the Obfuscation Server 220 performs transformations by means of a Translation Module 222 and an Obfuscation Module 223.
  • the Obfuscation Module interacts with the web server's output processor in order to transform contents before being output by the web server.
  • the Translation Module intervenes during the input processor to process the received requests in order to reverse transform obfuscated code or requests.
  • new filters are added to both processors, implementing interception of requests and responses. These filters might communicate with the Obfuscation Server in the same machine or remotely, with an independent server hosting the Obfuscation Server.
  • Obfuscation Core 221 is provided to coordinate the Translation and Obfuscation Modules, as will be explained in more detail in the following.
  • the Obfuscation Module 223 receives the contents generated by the web server, obfuscates them and sends the result back to the output processor 213 for it to be further treated and finally delivered to the user device. Since transformations and their application partially depend on the type of code that is being analyzed, a specific Obfuscation Module is required for each of these types of codes.
  • the Obfuscation Server 220 therefore will have at least one Obfuscation Module 223, but is preferred to implement many such Modules to enable universal transformation when combining many code types. Different code types are for example Hyper Text Markup Language, HTML, JavaScript and Cascading Style Sheets, CSS, code.
  • the Obfuscation Core 221 is in charge of maintaining coherence across changes to every kind of code although they are obfuscated by different modules.
  • FIG. 3 depicts an embodiment of the Obfuscation Modules 223 of FIG. 2 according to one embodiment of the invention.
  • each Obfuscation Module is divided into three main components, namely a Code Parser, a Transformer and a Serializer.
  • the first Code Parser analyzes its content and transforms it into an Abstract Syntax Tree, AST, object, which contains all the web document information within the code itself. This allows easy navigation, extraction and manipulation of the elements of the code.
  • This object is input to the Transformer 312, which comprises the obfuscation algorithms and iteratively applies transformations to the object.
  • the obfuscation process is advantageously applied by the transformers in many steps, each of them sequentially and independently applying one specific transformation.
  • This stepped transformation simplifies the obfuscation process and thus enhances performance. It alsoprovides additional randomness, as explained later.
  • the output of the Transformer 312 is a modified AST object that needs to be converted back to the source code in the original web document language. This task is implemented by the Serializer, which generates plain text source code to be sent back to the output processor 213 for delivery to the user.
  • the main Obfuscation Module 310 has a different function from the rest, as it acts as a code distributor, channelling different codes to the remaining Obfuscation Modules 320.
  • the main Obfuscation Module 310 is determined depending on the document type under analysis. In the figure, for instance, an HTML document is received and hence the main Obfuscation Module chosen is an HTML Obfuscation Module. At this point the main Obfuscation Module 310 receives a document and starts parsing it.
  • FIG. 3 depicts two other obfuscators, one for JavaScript code obfuscation and the other for CSS code obfuscation. Each obfuscator builds an independent AST, which is then separately transformed, and serialized. Finally, the outcome of the JavaScript and CSS Serializers 322 is collected by the main Obfuscation Module 310 which integrates these in the main obfuscated document.
  • the person skilled in the art will understand that any number of Obfuscation Modules, as well as Code Parsers, Transformers, and Serializers may be implemented, dependent on the number of different code types.
  • each Obfuscation Module has at its disposal a set of transformation types and for every type a set of transformation algorithms may be applied.
  • FIG. 4 depicts a process 400 implemented by the Session Object according to one embodiment of the invention for determining which transformations to apply to a particular element of the AST.
  • a transformation type is selected and, according to this selected type, a determination 420 is made as to which algorithm to choose from among the available transformation algorithms.
  • the selected transformation is then applied 430 by the respective Transformer to the code.
  • a determination 440 is made as to whether the obfuscation process has been completed.
  • process returns to step 410 where a new transformation type and algorithm are selected again and applied.
  • determination step 440 the complete obfuscated code is output.
  • the transformation determination process 400 can be configured to select types and algorithms randomly.
  • the Session Object can be configured to go through the list of types in a specific order, and apply one algorithm for each one sequentially.
  • a specific set of types and algorithms are randomly selected.
  • the web page provider's security and performance requirements can be taken into account. Since code complexity is increased in each iteration of the transformation determination process 400, the application of previous transformations complicate the task of the Obfuscation Module 223 to perform future iterations. Hence executing the transformations following a specific pattern sensibly lightens the task of obfuscation. Therefore, in order to optimise the use of resources, a deterministic application of transformations is possible so as to reduce the time needed to obfuscate a page. This results eventually in an overall reduction of the Obfuscation Server's load and resource consumption.
  • the Session Object can determine whether performance is more relevant or security, and thereby select the applicable level or randomness accordingly.
  • the Session Object can be configured to apply transformations until a certain number of iterations have been completed. This implementation has the advantage of providing a constant loading for the Obfuscation Server.
  • the Session Object can be configured to apply transformations until a certain complexity overhead is reached as determined by a pre-evaluated threshold.
  • the Obfuscation Server's loading can be dynamically set depending on other criteria, for example, a desired complexity level.
  • the Session Object may determine a desired balance between the loading produced by transformation processing, on one hand, and the loading produced due to the number of simultaneously operating Obfuscation Modules, on the other, thereby levying performance and security.
  • the number of types of transformation algorithms is limited to five, and all transformations are grouped in one of these five types.
  • a first type is the Variable Name Transformation, wherein variable identifiers are replaced with random names so that they, and specially their purpose, are difficult to deduce.
  • an attacker could identify the above mentioned variable through other characteristics, besides of its name. For instance, constant values can be indicators of a variable's purpose. Therefore a second type of transformation is proposed consisting in Constant Values Modification.
  • a constant value 23 can also be coded as a formula (10+5+11-3) or as hexadecimal (0x17), among others. This results in the value being less recognizable.
  • Constant strings for example, a URL, may also similarly be transformed.
  • Form Structure Modification is proposed which enables alteration of a form's structure, such that the layout will vary in every resulting piece of code.
  • These changes comprise disordering of fields, addition of dummy fields and division of the form in many pieces.
  • the fifth type of transformation type proposed is Change of Function Prototypes, which also allows hiding of variables through hiding the use of these in function calls and alteration of code's layout. In this case, the number and order of the parameters used in function calls can be changed, making analysis more difficult.
  • transformation types have the overall effect of confusing one specific type of information or complicating one concrete step in the reverse engineering process.
  • Grouping of algorithms in transformation types allows configuration of rules that may, for instance, assure that at least one algorithm is applied under every type, such that every kind of information is eventually obfuscated.
  • An additional advantage of this grouping is that it makes the transformation determination process more efficient as setting a specific order to the obfuscation process is simplified.
  • malware attacks attempt to modify web page requests systematically.
  • a typical scenario for attacks are e-banking applications wherein a user requests a bank transfer. The user would fill in a form with the details of the operation, such as the amount of money to transfer and the source and destination account numbers.
  • An attacker could systematically search for a variable representing the 'destination account number', and replace it with another account number of his choice thereby re-routing the money transfer to himself.
  • This fraudulent operation would need to be complemented with changes to the verification web page, and hence the attacker would need to modify the incoming response to the mentioned form.
  • the obfuscation techniques described above difficult the task of hiding the attack, however they cannot completely stop the execution of it.
  • user requests are obfuscated as a result of the obfuscation of web pages. For instance, when transforming the name of a variable in the original web page code, requests generated in response use the already obfuscated variable name instead of the original one. In fact, the browser does not even know the original variable name since it is never transmitted to it. As a consequence, obfuscation of the web page enables also to obtain obfuscated requests from the user in return.
  • these obfuscated requests are de-obfuscated by the Obfuscation Server before they enter the content generation phase. This ensures transparency with the web application server, which does not need to deal with details of code reverse transformation processing.
  • the de-obfuscation is performed by the Translation Module 222 when it is requested by the input processor 211, so that requests are reverse transformed before they reach the content generator 212.
  • Translation Modules are divided based on the tasks they perform.
  • a user request comprises, in general terms, two types of obfuscated information: the requested URL and a series of filled in fields, this is, a set of parameters with values that have been assigned based on user's input to the form.
  • the requested URL comprises, in general terms, two types of obfuscated information: the requested URL and a series of filled in fields, this is, a set of parameters with values that have been assigned based on user's input to the form.
  • the obfuscation transformations are present in the returned request.
  • changes to be undone by the Translation Modules include modification of URLs, changes to both variable names and their content formatting, substitution of constant strings and changes to form's structures, such as insertion of dummy fields or splitting into many forms.
  • the Obfuscation Core 221 provides the Translation Modules the necessary data for reverse transformation processing, such as the correspondence between original names, and the transformed replacements.
  • translation of URLs variable names and constant values are translated through substitution of the obfuscated values by the original names as dictated by the Obfuscation Core.
  • translations of variable formatting require transforming the received values into the expected format before replacing the value by its original. Translation of dummy fields is straightforward as it comprises a dummy field deletion operation.
  • the obfuscated requests resulting from a split form are classified into two types comprising a single primary request and one or many secondary requests.
  • the classification is performed by the Obfuscation Core 221 in correspondence with the Obfuscation Module 223, that is, when the splitting is actually defined and implemented.
  • the result of the classification is stored together with obfuscation information for later use in a memory in the Session Object.
  • the reverse transformation process upon translation, the primary request is converted into an original petition by gathering the parameters in all split requests and assigning them to the intended URL.
  • the role of the URL Translation Modules is to replace the obfuscated address by the corresponding original as recorded upon obfuscation.
  • the primary request is assigned the intended URL, while the secondary requests return a URL containing a blank document.
  • the content generator 212 delivers this blank document, hence causing the original request to receive an empty confirmation which causes no changes on the browser display.
  • the primary request triggers delivering of the document the user requested.
  • the Parameter Translation Modules are configured to translate parameters into their original names, values and formats, as well as collecting them, in case the request has been split, in order to obtain a single table. FIG.
  • step 510 the Parameter Translation Module is configured to verify whether the request is secondary and, in such case, extracts and stores its parameters and returns an empty confirmation to the input processor, as in steps 520 and 530.
  • step 540 a determination is made whether all contents are available for reverse transformation processing. These parameters are made available by other Translation Modules.
  • step 550 the Translation Module waits for the parameters of the corresponding secondary requests to be available. Once all secondary requests have been translated, this is, once parameters contained in all secondary requests have been stored, in step 560 the Parameter Translation Module retrieves them all and in step 570 undoes transformations to these parameters.
  • step 580 the translated parameters are provided to the input processor, where, together with the translated URL as provided by the URL Translation Module, the complete request is formed and forwarded to the content generator 212.
  • steps 540 and 550 once a Parameter Translation Module has received a primary request for processing it waits for the remaining parameters to arrive. Hence, if any secondary request reaches the server after the primary request, the Parameter Translation Module is not available for processing as it is in a blocked state waiting for its contents to be extracted. Hence, in another aspect of the invention at least two instances of the Parameter Translation Module are provided, so that secondary requests can be processed by the remaining at least one Parameter Translation Modules while the first one is blocked processing the primary request.
  • FIG. 6 depicts a method 600 according to one aspect of the invention showing the information flow and exchange throughout the previous aspects and embodiments.
  • a form is split into three requests.
  • the process starts when a first Request 1 is received 650 and the input processor extracts 651 the URL and parameters and delivers (652; 653) them to the URL Translation Module 610 and to any of the available Parameter Translation Modules, in this case the first one 620.
  • Those modules verify obfuscation information to find out that Request 1 is secondary, and hence the URL Translation Module 610 returns 654 a URL to a blank document, while the first Parameter Translation Modules 620 extracts parameters and returns 655 a blank table as confirmation.
  • the input processor receives both responses, it generates and provides 656 the translated Request 1 to the content generator 212.
  • Request 2 is received 660, its parameters and URL are extracted again and delivered (662; 663) to the URL Translation Module 610 and to the second Parameter Translation Module 630. Since Request 2 represents a primary request, the URL Translation Module 620 returns 664 the original intended destination of the petition. The second Parameter Translation Module 630, however, discovers that parameters are still left to complete the request, and therefore waits.
  • Request 3 is received 670 and the obfuscated information is extracted 671, the input processor is forced to deliver this request for parameter translation to the first Parameter Translation Module 620, since the second Parameter Translation Module 630 is busy processing the second Request 2.
  • Request 3 is processed (steps 672 to 676) similar to Request 1.
  • the second Parameter Translation Module 620 is able to collect all parameters of the split request and build a translated parameter table containing them. Upon receiving 665 of this table, the input processor re-assembles it together with the URL received 664 from the URL Translation Module 610 and provides 666 the translated primary request to the content generator 212.
  • the present invention proposes to apply the transformation operations dynamically to the code.
  • the effect of this is that the result of the obfuscation becomes time variant, therefore introducing further uncertainty in the code breaking process.
  • the code is generated on demand, as dictated by the user's browsing habits, these transformations are also applied in real time. This has the effect of reducing to a minimum the exposure window which can be used by a malicious user to break the obfuscated code. Therefore, in another aspect of the invention code is obfuscated in real-time and on demand, so that transformations are not only applied, but also chosen in real time.
  • the system can deliver a different result (obfuscated code) to different requests for the same document.
  • the combined effect is that of providing a dynamic and real-time obfuscation mechanism which maximises security while browsing the internet.
  • web pages are usually formed by a combination of several documents and languages, which usually include HTML, JavaScript and CSS.
  • these are separately transformed by different Obfuscation Modules, although some changes need to be applied coherently inside and between every piece of code. For instance, if the definition of a function (its name and the parameters accepted) is changed, all calls to this function should be changed in accordance; and these calls may appear in many documents forming the web page, independent from the language in use. The same applies to variables, which are defined once but can be used by many documents.
  • changes like Variable Name Transformation, Constant Value Modification and Form Structure Modification can also have effects on incoming requests from the user. Hence, it has been realised that it is not possible to apply different and independent sets of transformations to each document.
  • an Obfuscation Server which is configured to apply transformations to a set of documents, which belong to an obfuscation session, and to keep track of the changes made.
  • a Session Object is created for every obfuscation session in place.
  • An obfuscation session refers to a collection of transformations that are applied consistently to a set of contents generated by the web application server. These contents can be grouped under many criteria, such as, in the most fine-grained configuration, every obfuscation session can match up with a user session in the web application.
  • the session object thus stores all transformations relating a specific obfuscation session, so that they can be retrieved during both the obfuscation and the translation process and be applied to contents belonging to the same obfuscation session.
  • the Session Object is in charge of selecting the transformations to be applied during the session, as previously described by FIG. 4.
  • the Obfuscation Modules iteratively query the Session Object to obtain the specific transformation to apply in every step of the obfuscation process.
  • simultaneous accesses to the object could cause inconsistencies in the information stored by the Session Object and, as a consequence, in transformations performed by the different Obfuscation Modules.
  • the Session Object there is a need for the Session Object to be blocked to incoming requests when it is determining a new transformation.
  • FIG. 7 depicts a method 700 according to one aspect of the invention performed by the Session Object upon receiving a web page request.
  • the Session Object first tries to retrieve the transformation from storage. If the transformation has already been selected at any prior moment during the session, it is forwarded to the Obfuscation Module. Otherwise, the transformation needs to be selected and hence the Session Object is locked 720, so that any incoming requests have to wait and the flow in FIG. 4 is executed. Once this process is finished the result is stored 740, the object is unlocked 750 and the generated transformation is sent 760 to the requesting Obfuscation Module.
  • the Session Manager inside the core, is configured for managing and maintaining obfuscation sessions.
  • the number of sessions to be simultaneously handled can be large, which would pose a challenge to scalability.
  • session handling could provoke bottlenecks in the Obfuscation Server, which should keep track of every session's status in order to be able to identify the session to which requests and contents belong, both when obfuscating and when translating.
  • the Session Manager instead of storing stateful information about every session, contents (both requests and responses) are tagged with a cookie, which is associated to one corresponding obfuscation session.
  • the Session Manager stores both a reference to the Session Object and a relation of cookies and Session Identifiers.
  • FIG. 8 depicts a method 800 of delivering an obfuscated document according to this aspect of the invention.
  • the output processor 213 Upon receiving 810 a response to a web page request from the content generator 212, the output processor 213 extracts 820 the cookie and queries 830 the Session Manager hosted in the Obfuscation Core 221 to retrieve the corresponding Session Identifier, which is then provided 840 to the output processor.
  • the Obfuscation Modules are then queried (850, 860) with the content and the Session Identifier, which enables them to retrieve 870 the Session Object from the Session Manager.
  • the output processor obtains 880 in return an obfuscated version of the content, and forwards 890 it to the User Browser 111 through the output processor.
  • FIG. 9 depicts the complementary method 900 of delivering a translated user request to the content generator according to this aspect of the invention.
  • the input processor receives 910 a web page request and extracts 920 the cookie and obtains (930, 940) the Session Identifier from the Obfuscation Core.
  • the Translation Modules are queried 950 to de-obfuscate given the contents (URL and parameters, in this case) and the Session Identifier.
  • the Translation Modules then request 960 the Obfuscation Core and receive the Session Object in return 970, which contains the information necessary to undo the previously made transformations.
  • the input processor 211 receives 980 the translated URL and parameters, it creates a complete de-obfuscated request that is then forwarded 990 to the content generator 212.
  • the Session Manager is in charge for coordinating usage of the different instances. More concretely, once the Session Manager is queried with a cookie, it returns both the Session Identifier and a reference to the Translator/Obfuscator instance to be used. The input/output processor then issues a request for translation/obfuscation to the instance it has been assigned.
  • a group of user sessions is defined and a set of transformations is applied to each group. This is in contraposition to generating one unique set of transformations for every user session.
  • one obfuscation session composed by a Session Identifier and a Session Object, is assigned to a group of cookies, so that a one-to-many relationship is established by the Session Manager.
  • the system accepts establishment of this relationship following different rules.
  • a definite number of users N is assigned to each transformation.
  • the set of transformations is created. Progressively, as the user session progresses this Session Object is filled in with the transformations applied. Future user sessions are also assigned the same obfuscation session and they retrieve the previous generated obfuscation transformations.
  • the Obfuscation Modules generate the corresponding transformations and store them in the object. Once the limit has been reached, that is, once the object has been assigned to N user sessions, a new object is created for the next N user sessions.
  • This scheme sensibly decreases the processing time and resources needed, since fewer transformations need to be generated, especially if N is large enough.
  • one set of transformations can be used for a long time. If the exposure time of one specific set of transformations is long enough, an attacker can be able to analyze the code and create a piece of malware for that period that is able to modify user's actions.
  • a fixed validity time for every obfuscation session T is determined and all contents delivered and requests received during the period T are obfuscated using the same set of transformations. After period T is finished, a new set is created and all user sessions taking place are assigned the new obfuscation session, so that one can explicitly control the exposure time of every obfuscation session. Note how, following this scheme, one user session might be applied many obfuscation sessions during its life. This change is non-trivial since, as it has already been pointed out, some elements can be used during the whole browsing session.
  • a third option according to this aspect is provided which combines the first and second options, in other words two limits on the number of users N and sessions validity time T are established. Whenever one of these limits is reached, the session object is renewed, enabling control of both the exposure time and the number of users assigned.
  • Web pages also usually comprise static contents, which, furthermore, are usually repeatedly used throughout every session. This is the case, for instance, of headers or menus that are permanently displayed in the web pages.
  • the Obfuscation Core 221 comprises a Cache Manager 1111 which is responsible for caching obfuscated static documents.
  • the method 1000 as depicted by FIG. 10 is followed during the session whenever a request is received.
  • all static documents are obfuscated at the beginning of the obfuscation session.
  • the Session Manager Upon initialization of a session, the Session Manager notifies the Cache Manager 1111. The latter retrieves all static documents from the web server and requests the Obfuscation Modules to transform them. The resulting documents are then temporarily stored by the Cache Manager.
  • the input processor requests 1010 the URL Translation Module 610 to de-obfuscate the URL, the translator checks 1020 if the requested URL corresponds to a static document by asking the Cache Manager. If so, it returns 1030 a URL pointing to the temporary storage.
  • the content generator 212 when the content generator 212 processes the request, it retrieves 1050 the obfuscated document from the temporary storage location, instead of the original one. Finally, during output processing, the document is not sent to the Obfuscation Modules but it skips (1070, 1080) the obfuscation phase and is directly forwarded to the next step in the output processor.
  • the URL Translation Module replaces the URL by its original de- obfuscated version and the input processor 211 queries the Cache Manager thereafter to obtain a reference to the cached document. The method above presented requires for the Cache Manager to know in advance which documents are static.
  • the method 1100 as depicted by FIG. 11 is followed during the session whenever a first request is received for a static document.
  • a second mechanism is proposed which obfuscates static documents on demand, that is, whenever they are first requested by the user. This prevents the Obfuscation Modules from pointlessly obfuscating static documents that are never requested, and also reduces the workload peak upon session creation.
  • the Cache Manager verifies whether it has already been obfuscated and, in case it has, it delivers the cached content. Otherwise, it requests the Obfuscation Modules to obfuscate it and stores the result for future requests.
  • the URL Translation Module When the URL Translation Module receives 1010 a URL from the input processor 211, it queries 1020 the Cache Manager 1111 to determine whether it is a static document. However, following the on-demand caching method, if the document is static, the Cache Manager verifies 1110 whether it has already been cached. Since the document was still never requested during this session, it is not obfuscated and hence the manager requests 1120 an Obfuscation Module to perform 1130 the corresponding transformation. Note how, in the first aspect of FIG. 10, all documents were obfuscated in advance. Again, another option is for the input processor, instead of the URL Translation Module, to perform the query and obtain a reference to the cached document, which would accelerate the flow.
  • the Cache Manager determines a temporary storage location and provides 1030 the URL Translation Module a URL pointing to it. This URL is forwarded 1040 to the input processor and composes, together with a parameter table, the translated request.
  • the content generator 212 receives 1050 the translated request, it directly retrieves 1060 the obfuscated content from the location where the Cache Manager stored it and provides it (1070, 1080) via the output processor 213 to the user browser 111 without the need to be processed by any additional Obfuscation Modules.
  • the steps in FIG. 11 are only executed the first time a static document is requested inside one specific obfuscation session.
  • the caching and retrieval mechanisms presented require configuration of a list of static documents in order for the Obfuscation Server to identify the static documents. Configuration of the mentioned list can be burdensome for the administrator and, in large applications, it can tend to contain errors. Moreover, this mechanism only allows caching of fully static documents, while some dynamically generated documents in a web site might contain also static parts.
  • the Obfuscation Server accepts tagged code to identify static contents and documents, instead of configuration of a list of static documents. In this case, tags are identified by the Obfuscation Modules when they parse the document to build the Abstract Syntax Tree, as a result of which this option only works for on-demand caching, but not to cache contents at session start.
  • FIG. 12 illustrates the caching process 1200 followed when a document with static contents is requested for the first time.
  • the input processor 211 obtains a translated request and forwards 1210 it to the content generator 212, where a non- obfuscated document is generated for delivery 1215.
  • This document is sent to the output processor 213, which requests 1220 a corresponding Obfuscation Module to transform it.
  • the Obfuscation Module starts parsing 1225 the document, it detects static contents, which can be the whole document or part of it. In order to illustrate the complexity of the process, let us consider that only a fraction of the document is static.
  • the Obfuscation Module extracts the identifier attached to the tagged contents and forwards 1230 it to the Cache Manager.
  • the latter determines 1235 that the content has not been cached, it notifies 1240 the Obfuscation Module again who, in turn, obfuscates 1245 both the static and dynamic contents.
  • the obfuscated version of the static elements is finally provided 1250 to the Cache Manager for storage and at the same time integrated 1255 with the obfuscated dynamic content.
  • the integrated obfuscated contents are finally forwarded 1260 to the output processor 213 for delivery 1270 to the browser 111.
  • FIG. 13 illustrates the caching process 1300 followed when a document with static contents is requested again.
  • the process is similar to the one described for FIG. 12, with the difference that the Cache Manager retrieves the cached static obfuscated code version and delivers 1310 it to the Obfuscation Module, which only obfuscates the dynamic contents and then integrates the cached static code.
  • This system enables caching of static contents inside dynamic documents, which improves overall performance of the Obfuscation Server.
  • this problem can be solved by combining aspects of FIGs. 11 to 13, that is, using a configured list to identify fully static documents and tags to identify static parts in dynamic documents. This avoids the aforementioned limitations of the Obfuscation Module when retrieving static portions of dynamic documents.
  • one of the advantageous features of the present invention is that it automatically obfuscates the contents transmitted and de-obfuscates the contents received by any web application server.
  • the JavaScript eval function evaluates a string as if it was an expression and is an example of such a limitation.
  • Eval can be used, among others, to dynamically compose variable names using expressions. For instance, consider the existence of three variables VI, V2 and V3 and another one, an option O, which can be assigned a value of 1, 2 or 3.
  • a tagging mechanism is proposed that can be used to explicitly indicate whether an expression can be obfuscated or not.
  • the administrator can place tags to point out that variable names VI, V2 and V3 must not be obfuscated. This enables treatment of exceptions while not needing setting of too wide exceptions to the obfuscation algorithm.
  • tags can also be used to specify a certain complexity level, either higher or lower. For instance, the login web page, which is especially sensitive, can be tagged to force a high complexity level upon obfuscation.
  • tags can be used to mark relationships between code fractions that can be difficult to detect by an Obfuscation Module, in order to both increase sturdiness of the result and improve performance of the Obfuscation Server.
  • the embodiments described herein may be implemented by hardware, software, firmware, middleware, microcode, or any combination thereof.
  • systems and/or methods are implemented in software, firmware, middleware or microcode, program code or code segments, a computer program, they may be stored in a machine-readable medium, such as a storage component.
  • a computer program or a code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements.
  • a code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data,and the like, may be passed, forwarded, or transmitted using any suitable means including memory sharing, message passing, token passing, network transmission, or others.
  • the techniques described herein may be implemented with modules (for example, procedures, functions, and so on) that perform the functions described herein.
  • the software codes may be stored in memory units and executed by processors.
  • the memory unit may be implemented within the processor or external to the processor, in which case it can be communicatively coupled to the processor through various means as is known in the art.
  • at least one processor may include one or more modules operable to perform the functions described herein.
  • various aspects or features described herein may be implemented, on one hand, as a method or process or function, and on the other as an apparatus, a device, a system, or an article of manufacture using standard programming and/or engineering techniques.
  • article of manufacture as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media.
  • computer-readable media can include but are not limited to magnetic storage devices (for example, hard disk, floppy disk, magnetic strips,and similar), optical disks (for example, compact disk (CD), digital versatile disk (DVD), and similar), smart cards, and flash memory devices (for example, EPROM, card, stick, key drive, and similar).
  • various storage media described herein can represent one or more devices and/or other machine-readable media for storing information.
  • the term "machine-readable medium" can include, without being limited to, various media capable of storing, containing, and/or carrying instruction(s) and/or data.
  • a computer program product may include a computer readable medium having one or more instructions or codes operable to cause a computer to perform the functions described herein.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • a general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Bioethics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)
  • Medical Informatics (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Databases & Information Systems (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Serveur de brouillage, procédé correspondant et support exploitable par ordinateur permettant la transformation dynamique en temps réel du code généré par un serveur Web avant sa remise au dispositif d'utilisateur, le code étant utilisé pour fournir une page Web ou une application Web à au moins un utilisateur d'un dispositif informatique, ce qui permet d'améliorer la sécurité des données de l'application Web transmises à un utilisateur d'au moins un dispositif client et reçues de celui-ci.
PCT/EP2011/073824 2011-12-22 2011-12-22 Procédé et appareil permettant la transformation dynamique en temps réel du code d'un document web Ceased WO2013091709A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2011/073824 WO2013091709A1 (fr) 2011-12-22 2011-12-22 Procédé et appareil permettant la transformation dynamique en temps réel du code d'un document web

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2011/073824 WO2013091709A1 (fr) 2011-12-22 2011-12-22 Procédé et appareil permettant la transformation dynamique en temps réel du code d'un document web

Publications (1)

Publication Number Publication Date
WO2013091709A1 true WO2013091709A1 (fr) 2013-06-27

Family

ID=45464543

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2011/073824 Ceased WO2013091709A1 (fr) 2011-12-22 2011-12-22 Procédé et appareil permettant la transformation dynamique en temps réel du code d'un document web

Country Status (1)

Country Link
WO (1) WO2013091709A1 (fr)

Cited By (56)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8869281B2 (en) 2013-03-15 2014-10-21 Shape Security, Inc. Protecting against the introduction of alien content
US8892687B1 (en) 2013-12-06 2014-11-18 Shape Security, Inc. Client/server security by an intermediary rendering modified in-memory objects
US8893294B1 (en) 2014-01-21 2014-11-18 Shape Security, Inc. Flexible caching
US8954583B1 (en) 2014-01-20 2015-02-10 Shape Security, Inc. Intercepting and supervising calls to transformed operations and objects
US8997226B1 (en) 2014-04-17 2015-03-31 Shape Security, Inc. Detection of client-side malware activity
US9003511B1 (en) 2014-07-22 2015-04-07 Shape Security, Inc. Polymorphic security policy action
US9027142B1 (en) 2014-01-21 2015-05-05 Shape Security, Inc. Dynamic field re-rendering
US9075990B1 (en) 2014-07-01 2015-07-07 Shape Security, Inc. Reliable selection of security countermeasures
US9083739B1 (en) 2014-05-29 2015-07-14 Shape Security, Inc. Client/server authentication using dynamic credentials
US9112900B1 (en) 2014-09-30 2015-08-18 Shape Security, Inc. Distributed polymorphic transformation of served content
WO2015179286A1 (fr) * 2014-05-23 2015-11-26 Shape Security, Inc. Traitement polymorphe de données entrées chez des clients
US9210171B1 (en) 2014-05-29 2015-12-08 Shape Security, Inc. Selectively protecting valid links to pages of a web site
US9225729B1 (en) 2014-01-21 2015-12-29 Shape Security, Inc. Blind hash compression
US9225737B2 (en) 2013-03-15 2015-12-29 Shape Security, Inc. Detecting the introduction of alien content
US9258274B2 (en) 2014-07-09 2016-02-09 Shape Security, Inc. Using individualized APIs to block automated attacks on native apps and/or purposely exposed APIs
WO2016040753A1 (fr) * 2014-09-12 2016-03-17 Adallom Technologies Inc. Mandataire de suffixe en nuage et procédés associés
US9325734B1 (en) 2014-09-30 2016-04-26 Shape Security, Inc. Distributed polymorphic transformation of served content
US9338143B2 (en) 2013-03-15 2016-05-10 Shape Security, Inc. Stateless web content anti-automation
JP2016521875A (ja) * 2013-05-20 2016-07-25 アリババ・グループ・ホールディング・リミテッドAlibaba Group Holding Limited データの保護
US9405910B2 (en) 2014-06-02 2016-08-02 Shape Security, Inc. Automatic library detection
US9413776B2 (en) 2012-02-17 2016-08-09 Shape Security, Inc. System for finding code in a data flow
US9438625B1 (en) 2014-09-09 2016-09-06 Shape Security, Inc. Mitigating scripted attacks using dynamic polymorphism
US9438565B2 (en) 2013-11-11 2016-09-06 Adallom Technologies, Ltd. Cloud service security broker and proxy
US9477836B1 (en) 2014-04-23 2016-10-25 Shape Security, Inc. Content modification in served code
US9489526B1 (en) 2014-01-21 2016-11-08 Shape Security, Inc. Pre-analyzing served content
US9529994B2 (en) 2014-11-24 2016-12-27 Shape Security, Inc. Call stack integrity check on client/server systems
US9544329B2 (en) 2014-03-18 2017-01-10 Shape Security, Inc. Client/server security by an intermediary executing instructions received from a server and rendering client application instructions
US9582666B1 (en) 2015-05-07 2017-02-28 Shape Security, Inc. Computer system for improved security of server computers interacting with client computers
US9602543B2 (en) 2014-09-09 2017-03-21 Shape Security, Inc. Client/server polymorphism using polymorphic hooks
US9608975B2 (en) 2015-03-30 2017-03-28 Shape Security, Inc. Challenge-dynamic credential pairs for client/server request validation
US9729506B2 (en) 2014-08-22 2017-08-08 Shape Security, Inc. Application programming interface wall
US9807113B2 (en) 2015-08-31 2017-10-31 Shape Security, Inc. Polymorphic obfuscation of executable code
US9813440B1 (en) 2015-05-15 2017-11-07 Shape Security, Inc. Polymorphic treatment of annotated content
US9825995B1 (en) 2015-01-14 2017-11-21 Shape Security, Inc. Coordinated application of security policies
US9825984B1 (en) 2014-08-27 2017-11-21 Shape Security, Inc. Background analysis of web content
US9858440B1 (en) 2014-05-23 2018-01-02 Shape Security, Inc. Encoding of sensitive data
US9917850B2 (en) 2016-03-03 2018-03-13 Shape Security, Inc. Deterministic reproduction of client/server computer state or output sent to one or more client computers
US9923919B2 (en) 2013-03-15 2018-03-20 Shape Security, Inc. Safe intelligent content modification
US9986058B2 (en) 2015-05-21 2018-05-29 Shape Security, Inc. Security systems for mitigating attacks from a headless browser executing on a client computer
US10050935B2 (en) 2014-07-09 2018-08-14 Shape Security, Inc. Using individualized APIs to block automated attacks on native apps and/or purposely exposed APIs with forced user interaction
US10089216B2 (en) 2014-06-30 2018-10-02 Shape Security, Inc. Automatically determining whether a page of a web site is broken despite elements on the page that may change
US10129289B1 (en) 2016-03-11 2018-11-13 Shape Security, Inc. Mitigating attacks on server computers by enforcing platform policies on client computers
US10216488B1 (en) 2016-03-14 2019-02-26 Shape Security, Inc. Intercepting and injecting calls into operations and objects
US10230718B2 (en) 2015-07-07 2019-03-12 Shape Security, Inc. Split serving of computer code
US10298599B1 (en) 2014-09-19 2019-05-21 Shape Security, Inc. Systems for detecting a headless browser executing on a client computer
US10324702B2 (en) 2014-09-12 2019-06-18 Microsoft Israel Research And Development (2002) Ltd. Cloud suffix proxy and a method thereof
US10375026B2 (en) 2015-10-28 2019-08-06 Shape Security, Inc. Web transaction status tracking
US10567419B2 (en) 2015-07-06 2020-02-18 Shape Security, Inc. Asymmetrical challenges for web security
US10567363B1 (en) 2016-03-03 2020-02-18 Shape Security, Inc. Deterministic reproduction of system state using seeded pseudo-random number generators
JP2020030850A (ja) * 2019-11-01 2020-02-27 株式会社三菱Ufj銀行 情報処理装置
US10834101B2 (en) 2016-03-09 2020-11-10 Shape Security, Inc. Applying bytecode obfuscation techniques to programs written in an interpreted language
CN113971284A (zh) * 2020-07-24 2022-01-25 中国电信股份有限公司 基于JavaScript的恶意网页检测方法、设备及计算机可读存储介质
US11263179B2 (en) 2018-06-15 2022-03-01 Microsoft Technology Licensing, Llc System for collaborative editing based on document evaluation
US11349816B2 (en) 2016-12-02 2022-05-31 F5, Inc. Obfuscating source code sent, from a server computer, to a browser on a client computer
US11741197B1 (en) 2019-10-15 2023-08-29 Shape Security, Inc. Obfuscating programs using different instruction set architectures
US20230273990A1 (en) * 2013-03-15 2023-08-31 Shape Security, Inc. Code modification for detecting abnormal activity

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999001815A1 (fr) * 1997-06-09 1999-01-14 Intertrust, Incorporated Techniques d'obscurcissement pour augmenter la securite de logiciels
US20080222736A1 (en) * 2007-03-07 2008-09-11 Trusteer Ltd. Scrambling HTML to prevent CSRF attacks and transactional crimeware attacks
WO2009033137A1 (fr) * 2007-09-07 2009-03-12 Dis-Ent, Llc Obscurcissement de données polymorphique multicanal par logiciel
US20090144829A1 (en) * 2007-11-30 2009-06-04 Grigsby Travis M Method and apparatus to protect sensitive content for human-only consumption

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1999001815A1 (fr) * 1997-06-09 1999-01-14 Intertrust, Incorporated Techniques d'obscurcissement pour augmenter la securite de logiciels
US20080222736A1 (en) * 2007-03-07 2008-09-11 Trusteer Ltd. Scrambling HTML to prevent CSRF attacks and transactional crimeware attacks
WO2009033137A1 (fr) * 2007-09-07 2009-03-12 Dis-Ent, Llc Obscurcissement de données polymorphique multicanal par logiciel
US20090144829A1 (en) * 2007-11-30 2009-06-04 Grigsby Travis M Method and apparatus to protect sensitive content for human-only consumption

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Just in time compression and obfuscation of HTML and script languages", IP.COM JOURNAL, IP.COM INC., WEST HENRIETTA, NY, US, 17 December 2006 (2006-12-17), XP013117244, ISSN: 1533-0001 *
COLLBERG C ET AL: "A Taxonomy of Obfuscating Transformations", TECHNICAL REPORT DEPARTMENT OF COMPUTER SCIENCE UNIVERSITY OFAUCKLAND, XX, XX, no. 148, 1 July 1997 (1997-07-01), pages 1 - 36, XP002140038 *

Cited By (90)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9413776B2 (en) 2012-02-17 2016-08-09 Shape Security, Inc. System for finding code in a data flow
US9338143B2 (en) 2013-03-15 2016-05-10 Shape Security, Inc. Stateless web content anti-automation
US11297097B2 (en) * 2013-03-15 2022-04-05 Shape Security, Inc. Code modification for detecting abnormal activity
US9609006B2 (en) 2013-03-15 2017-03-28 Shape Security, Inc. Detecting the introduction of alien content
US8869281B2 (en) 2013-03-15 2014-10-21 Shape Security, Inc. Protecting against the introduction of alien content
US12058170B2 (en) * 2013-03-15 2024-08-06 Shape Security, Inc. Code modification for detecting abnormal activity
US9794276B2 (en) 2013-03-15 2017-10-17 Shape Security, Inc. Protecting against the introduction of alien content
US20230273990A1 (en) * 2013-03-15 2023-08-31 Shape Security, Inc. Code modification for detecting abnormal activity
US10536479B2 (en) 2013-03-15 2020-01-14 Shape Security, Inc. Code modification for automation detection
US9225737B2 (en) 2013-03-15 2015-12-29 Shape Security, Inc. Detecting the introduction of alien content
US9178908B2 (en) 2013-03-15 2015-11-03 Shape Security, Inc. Protecting against the introduction of alien content
US9923919B2 (en) 2013-03-15 2018-03-20 Shape Security, Inc. Safe intelligent content modification
US9973519B2 (en) 2013-03-15 2018-05-15 Shape Security, Inc. Protecting a server computer by detecting the identity of a browser on a client computer
JP2016521875A (ja) * 2013-05-20 2016-07-25 アリババ・グループ・ホールディング・リミテッドAlibaba Group Holding Limited データの保護
US9836612B2 (en) 2013-05-20 2017-12-05 Alibaba Group Holding Limited Protecting data
US9438565B2 (en) 2013-11-11 2016-09-06 Adallom Technologies, Ltd. Cloud service security broker and proxy
US10091169B2 (en) 2013-11-11 2018-10-02 Microsoft Israel Research And Development (2002) Ltd. Method and system for protecting cloud-based applications executed in a cloud computing platform
US8892687B1 (en) 2013-12-06 2014-11-18 Shape Security, Inc. Client/server security by an intermediary rendering modified in-memory objects
US9270647B2 (en) 2013-12-06 2016-02-23 Shape Security, Inc. Client/server security by an intermediary rendering modified in-memory objects
US11088995B2 (en) 2013-12-06 2021-08-10 Shape Security, Inc. Client/server security by an intermediary rendering modified in-memory objects
EP3078178A1 (fr) * 2013-12-06 2016-10-12 Shape Security Inc. Sécurité client/serveur par rendu intermédiaire d'objets en mémoire modifiés
US10027628B2 (en) 2013-12-06 2018-07-17 Shape Security, Inc. Client/server security by an intermediary rendering modified in-memory objects
US9356954B2 (en) 2014-01-20 2016-05-31 Shape Security, Inc. Intercepting and supervising calls to transformed operations and objects
US8954583B1 (en) 2014-01-20 2015-02-10 Shape Security, Inc. Intercepting and supervising calls to transformed operations and objects
US9712561B2 (en) 2014-01-20 2017-07-18 Shape Security, Inc. Intercepting and supervising, in a runtime environment, calls to one or more objects in a web page
EP3097509A4 (fr) * 2014-01-20 2017-09-20 Shape Security Inc. Interception et supervision d'appels pour des opérations et des objets transformés
US9027142B1 (en) 2014-01-21 2015-05-05 Shape Security, Inc. Dynamic field re-rendering
US10212137B1 (en) 2014-01-21 2019-02-19 Shape Security, Inc. Blind hash compression
US9405851B1 (en) 2014-01-21 2016-08-02 Shape Security, Inc. Flexible caching
US8893294B1 (en) 2014-01-21 2014-11-18 Shape Security, Inc. Flexible caching
US9584534B1 (en) 2014-01-21 2017-02-28 Shape Security, Inc. Dynamic field re-rendering
US10554777B1 (en) 2014-01-21 2020-02-04 Shape Security, Inc. Caching for re-coding techniques
US9489526B1 (en) 2014-01-21 2016-11-08 Shape Security, Inc. Pre-analyzing served content
US9225729B1 (en) 2014-01-21 2015-12-29 Shape Security, Inc. Blind hash compression
US9544329B2 (en) 2014-03-18 2017-01-10 Shape Security, Inc. Client/server security by an intermediary executing instructions received from a server and rendering client application instructions
US9705902B1 (en) 2014-04-17 2017-07-11 Shape Security, Inc. Detection of client-side malware activity
US8997226B1 (en) 2014-04-17 2015-03-31 Shape Security, Inc. Detection of client-side malware activity
US9477836B1 (en) 2014-04-23 2016-10-25 Shape Security, Inc. Content modification in served code
US9411958B2 (en) 2014-05-23 2016-08-09 Shape Security, Inc. Polymorphic treatment of data entered at clients
WO2015179286A1 (fr) * 2014-05-23 2015-11-26 Shape Security, Inc. Traitement polymorphe de données entrées chez des clients
US9858440B1 (en) 2014-05-23 2018-01-02 Shape Security, Inc. Encoding of sensitive data
US9716702B2 (en) 2014-05-29 2017-07-25 Shape Security, Inc. Management of dynamic credentials
US9210171B1 (en) 2014-05-29 2015-12-08 Shape Security, Inc. Selectively protecting valid links to pages of a web site
US9083739B1 (en) 2014-05-29 2015-07-14 Shape Security, Inc. Client/server authentication using dynamic credentials
US9621583B2 (en) 2014-05-29 2017-04-11 Shape Security, Inc. Selectively protecting valid links to pages of a web site
US11552936B2 (en) 2014-05-29 2023-01-10 Shape Security, Inc. Management of dynamic credentials
US9405910B2 (en) 2014-06-02 2016-08-02 Shape Security, Inc. Automatic library detection
US10089216B2 (en) 2014-06-30 2018-10-02 Shape Security, Inc. Automatically determining whether a page of a web site is broken despite elements on the page that may change
US9075990B1 (en) 2014-07-01 2015-07-07 Shape Security, Inc. Reliable selection of security countermeasures
US10333924B2 (en) 2014-07-01 2019-06-25 Shape Security, Inc. Reliable selection of security countermeasures
US9813444B2 (en) 2014-07-01 2017-11-07 Shape Security, Inc. Reliable selection of security countermeasures
US9275222B2 (en) 2014-07-01 2016-03-01 Shape Security, Inc. Reliable selection of security countermeasures
US9258274B2 (en) 2014-07-09 2016-02-09 Shape Security, Inc. Using individualized APIs to block automated attacks on native apps and/or purposely exposed APIs
US10050935B2 (en) 2014-07-09 2018-08-14 Shape Security, Inc. Using individualized APIs to block automated attacks on native apps and/or purposely exposed APIs with forced user interaction
US9003511B1 (en) 2014-07-22 2015-04-07 Shape Security, Inc. Polymorphic security policy action
US9479529B2 (en) 2014-07-22 2016-10-25 Shape Security, Inc. Polymorphic security policy action
US9729506B2 (en) 2014-08-22 2017-08-08 Shape Security, Inc. Application programming interface wall
US9825984B1 (en) 2014-08-27 2017-11-21 Shape Security, Inc. Background analysis of web content
US9438625B1 (en) 2014-09-09 2016-09-06 Shape Security, Inc. Mitigating scripted attacks using dynamic polymorphism
US9602543B2 (en) 2014-09-09 2017-03-21 Shape Security, Inc. Client/server polymorphism using polymorphic hooks
US10642600B2 (en) 2014-09-12 2020-05-05 Microsoft Technology Licensing, Llc. Cloud suffix proxy and a method thereof
WO2016040753A1 (fr) * 2014-09-12 2016-03-17 Adallom Technologies Inc. Mandataire de suffixe en nuage et procédés associés
CN105793826A (zh) * 2014-09-12 2016-07-20 阿道罗姆技术股份有限公司 云后缀代理及其方法
US10324702B2 (en) 2014-09-12 2019-06-18 Microsoft Israel Research And Development (2002) Ltd. Cloud suffix proxy and a method thereof
US10298599B1 (en) 2014-09-19 2019-05-21 Shape Security, Inc. Systems for detecting a headless browser executing on a client computer
US9325734B1 (en) 2014-09-30 2016-04-26 Shape Security, Inc. Distributed polymorphic transformation of served content
US9112900B1 (en) 2014-09-30 2015-08-18 Shape Security, Inc. Distributed polymorphic transformation of served content
USRE50024E1 (en) 2014-11-24 2024-06-25 Shape Security, Inc. Call stack integrity check on client/server systems
US9529994B2 (en) 2014-11-24 2016-12-27 Shape Security, Inc. Call stack integrity check on client/server systems
US9825995B1 (en) 2015-01-14 2017-11-21 Shape Security, Inc. Coordinated application of security policies
US9608975B2 (en) 2015-03-30 2017-03-28 Shape Security, Inc. Challenge-dynamic credential pairs for client/server request validation
US9582666B1 (en) 2015-05-07 2017-02-28 Shape Security, Inc. Computer system for improved security of server computers interacting with client computers
US9813440B1 (en) 2015-05-15 2017-11-07 Shape Security, Inc. Polymorphic treatment of annotated content
US9986058B2 (en) 2015-05-21 2018-05-29 Shape Security, Inc. Security systems for mitigating attacks from a headless browser executing on a client computer
US10567419B2 (en) 2015-07-06 2020-02-18 Shape Security, Inc. Asymmetrical challenges for web security
US10230718B2 (en) 2015-07-07 2019-03-12 Shape Security, Inc. Split serving of computer code
US10382482B2 (en) 2015-08-31 2019-08-13 Shape Security, Inc. Polymorphic obfuscation of executable code
US9807113B2 (en) 2015-08-31 2017-10-31 Shape Security, Inc. Polymorphic obfuscation of executable code
US10375026B2 (en) 2015-10-28 2019-08-06 Shape Security, Inc. Web transaction status tracking
US9917850B2 (en) 2016-03-03 2018-03-13 Shape Security, Inc. Deterministic reproduction of client/server computer state or output sent to one or more client computers
US10567363B1 (en) 2016-03-03 2020-02-18 Shape Security, Inc. Deterministic reproduction of system state using seeded pseudo-random number generators
US10834101B2 (en) 2016-03-09 2020-11-10 Shape Security, Inc. Applying bytecode obfuscation techniques to programs written in an interpreted language
US10129289B1 (en) 2016-03-11 2018-11-13 Shape Security, Inc. Mitigating attacks on server computers by enforcing platform policies on client computers
US10216488B1 (en) 2016-03-14 2019-02-26 Shape Security, Inc. Intercepting and injecting calls into operations and objects
US11349816B2 (en) 2016-12-02 2022-05-31 F5, Inc. Obfuscating source code sent, from a server computer, to a browser on a client computer
US11263179B2 (en) 2018-06-15 2022-03-01 Microsoft Technology Licensing, Llc System for collaborative editing based on document evaluation
US11741197B1 (en) 2019-10-15 2023-08-29 Shape Security, Inc. Obfuscating programs using different instruction set architectures
JP2020030850A (ja) * 2019-11-01 2020-02-27 株式会社三菱Ufj銀行 情報処理装置
CN113971284A (zh) * 2020-07-24 2022-01-25 中国电信股份有限公司 基于JavaScript的恶意网页检测方法、设备及计算机可读存储介质
CN113971284B (zh) * 2020-07-24 2024-03-05 中国电信股份有限公司 基于JavaScript的恶意网页检测方法、设备及计算机可读存储介质

Similar Documents

Publication Publication Date Title
WO2013091709A1 (fr) Procédé et appareil permettant la transformation dynamique en temps réel du code d'un document web
US10834101B2 (en) Applying bytecode obfuscation techniques to programs written in an interpreted language
US10798202B2 (en) Security systems for mitigating attacks from a headless browser executing on a client computer
US10430588B2 (en) Method of and system for analysis of interaction patterns of malware with control centers for detection of cyber attack
EP3097509B1 (fr) Interception et supervision d'appels pour des opérations et des objets transformés
Lekies et al. 25 million flows later: large-scale detection of DOM-based XSS
CN105678170B (zh) 一种动态检测xss漏洞的方法
US20160359901A1 (en) Mitigating scripted attacks using dynamic polymorphism
Mitropoulos et al. How to train your browser: Preventing XSS attacks using contextual script fingerprints
Elshazly et al. A survey of SQL injection attack detection and prevention
CN111881337B (zh) 一种基于Scrapy框架的数据采集方法、系统及存储介质
Christodorescu et al. End-to-end software diversification of internet services
CN103929498B (zh) 处理客户端请求的方法和装置
Kerschbaumer et al. Towards precise and efficient information flow control in web browsers
Athanasopoulos et al. Code-injection attacks in browsers supporting policies
Stein et al. Leveraging MDS2 and SBOM data for LLM-assisted vulnerability analysis of medical devices
Lekies Client-side Cross-site Scripting: Exploitation, Detection, Mitigation, and Prevention
EP4575801A1 (fr) Test d'une mise à jour d'une application logicielle sur un site web cible
Neef Uncovering Fingerprinting Networks. An Analysis of In-Browser Tracking using a Behavior-based Approach
Nguyen Building a tourism application with React and Nodes. js
CN113590624A (zh) 一种数据处理方法及电子装置
Jiang et al. Offensive and defensive strategy of web crawler
CN121283687A (zh) 反爬虫方法、装置、设备、计算机介质及产品
Jourdan Software Security Vulnerabilities Seen As Feature Interactions
Akinwale et al. Ontology of input validation attack patterns on web applications

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11805846

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 11805846

Country of ref document: EP

Kind code of ref document: A1