Title: Systems and methods for client-side vulnerability scanning and detection
Abstract: Various embodiments presented herein relate to scanning for and detecting web page vulnerabilities, including cross-site scripting (XSS). Some embodiments are configured to scan for and detect vulnerabilities of a target web page using a client-based approach, which may employ a remotely-controlled web browser application capable of generating a document object model (DOM) for the target web page as it is accessed. Some embodiments may scan for and detect web page vulnerabilities by monitoring the DOM associated with a target web page as one or more attack vectors are applied to the target web page. Certain embodiments are capable of detecting web page vulnerabilities independently of the complexity or presence of an event model, or of obfuscation of the malicious code (e.g., XSS code). Target web pages that are scanned may include those associated with an application coded in a web browser-supported language, such as a Rich Internet Application (RIA).
Publication number: US8752183 (B1)    Publication date: 2014.06.10
Application number: US201213545890    Application date: 2012.07.10
Applicant: Hoyt Technologies, Inc.    Inventors: Heiderich Mario; Heyes Gareth; Aranguren-Aznarez Abraham
Classification: H04L29/14    Main classification: H04L29/14
Agency / Agent: not listed
Independent claim 1. A method for testing a vulnerability of a web site, comprising:
  receiving a first set of addresses;
  identifying a second set of addresses by analyzing a first set of web pages located at the first set of addresses;
  identifying a third set of addresses by analyzing a first set of document object models (DOMs) associated with the first set of web pages and associated with a second set of web pages located at the second set of addresses;
  probing a third set of web pages for presence of a set of vulnerabilities using a document object model (DOM) analysis script to analyze a second set of document object models (DOMs) associated with the third set of web pages as a set of attack vectors is applied to the third set of web pages, wherein the third set of web pages is located at the first, second, and third sets of addresses, and the DOM analysis script is inserted into the third set of web pages; and
  determining presence of the set of vulnerabilities for the third set of web pages based on a set of results from the probing, wherein the attack vectors are designed to exploit a vulnerability of a web page.
Address: Stowe, VT, US
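The abstract and claim 1 describe two client-side steps: a DOM analysis script inserted into the target page that inspects the DOM the browser actually built after each attack vector is applied (so a hit is found whether or not an event handler ever fires), and a crawl step that harvests further addresses from the DOM rather than only from page source. The following JavaScript is an added example of both steps and is not code from the patent or from Hoyt Technologies. The canary marker, the attack vectors, the sink classification and the sample DOM are all assumptions made for the example; the sample DOM is a constructed tree of plain objects shaped like browser nodes (nodeType, tagName, attributes, childNodes), which lets the same functions run offline in Node and, unchanged, against a real `document` in a remotely-controlled browser.

```javascript
'use strict';

// Canary token carried by every attack vector. The DOM script searches for
// where the browser put it instead of waiting for the payload to execute.
const MARKER = 'xssprobe7f3a';

// Assumed attack vectors for the example, each carrying the marker.
const VECTORS = [
  `<img src=x onerror=${MARKER}()>`, // new element with an event-handler attribute
  `"><svg onload=${MARKER}()>`,      // attribute break-out into a new element
  `javascript:${MARKER}()`,          // URL-valued attribute sink
  `<script>${MARKER}()</script>`,    // script element
];

// Flatten a DOM subtree into plain records. Works on a browser Node and on the
// constructed objects below, which expose the same four properties.
function flattenDom(node, out = []) {
  if (node.nodeType === 1) { // ELEMENT_NODE
    const attrs = {};
    for (const a of Array.from(node.attributes || [])) attrs[a.name.toLowerCase()] = a.value;
    const text = Array.from(node.childNodes || [])
      .filter((c) => c.nodeType === 3).map((c) => c.nodeValue).join('');
    out.push({ kind: 'element', tag: node.tagName.toLowerCase(), attrs, text });
  } else if (node.nodeType === 3) { // TEXT_NODE
    out.push({ kind: 'text', value: node.nodeValue });
  }
  for (const c of Array.from(node.childNodes || [])) flattenDom(c, out);
  return out;
}

const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href', 'data']);

// Classify every place the marker landed. A text-node hit means the vector was
// escaped (reflected but inert); script elements, on* handlers and javascript:
// URLs mean the browser parsed the vector as markup or code.
function analyzeDom(records, marker = MARKER) {
  const findings = [];
  for (const r of records) {
    if (r.kind === 'text') {
      if (r.value.includes(marker)) findings.push({ sink: 'text' });
      continue;
    }
    if (r.tag === 'script' && r.text.includes(marker)) {
      findings.push({ sink: 'script-element', tag: r.tag });
    }
    for (const [name, value] of Object.entries(r.attrs)) {
      if (!value.includes(marker)) continue;
      if (name.startsWith('on')) {
        findings.push({ sink: 'event-handler', tag: r.tag, attr: name });
      } else if (URL_ATTRS.has(name) && /^\s*javascript:/i.test(value)) {
        findings.push({ sink: 'javascript-url', tag: r.tag, attr: name });
      } else {
        findings.push({ sink: 'attribute-value', tag: r.tag, attr: name }); // escaped into an attribute
      }
    }
  }
  return findings;
}

// The page is reported vulnerable only if the marker reached an executable sink.
function isVulnerable(findings) {
  return findings.some((f) => f.sink !== 'text' && f.sink !== 'attribute-value');
}

// Crawl step from claim 1: collect addresses from the DOM itself (links, frames,
// forms), so pages reachable only through script-built markup are probed too.
function extractAddresses(records, baseUrl) {
  const found = new Set();
  for (const r of records) {
    if (r.kind !== 'element') continue;
    for (const name of ['href', 'src', 'action']) {
      const v = r.attrs[name];
      if (!v || /^\s*(javascript|data|mailto):/i.test(v)) continue;
      try { found.add(new URL(v, baseUrl).href); } catch (_) { /* not a URL */ }
    }
  }
  return [...found].sort();
}

// Constructed sample DOM (not from the patent): what a browser builds when the
// vector `"><svg onload=MARKER()>` is reflected unescaped into <input value="...">,
// next to a paragraph where the same reflection was HTML-escaped.
const el = (tagName, attrs, childNodes = []) => ({
  nodeType: 1, tagName, childNodes,
  attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
});
const txt = (nodeValue) => ({ nodeType: 3, nodeValue });

const SAMPLE_DOM = el('HTML', {}, [el('BODY', {}, [
  el('INPUT', { value: '' }),
  el('svg', { onload: `${MARKER}()` }),
  txt('">'),
  el('P', {}, [txt(`You searched for "><svg onload=${MARKER}()>`)]),
  el('A', { href: '/next?page=2' }),
  el('FORM', { action: '/search' }),
  el('A', { href: `javascript:${MARKER}()` }),
])]);

function runExample() {
  const records = flattenDom(SAMPLE_DOM);
  const findings = analyzeDom(records);
  return { findings, vulnerable: isVulnerable(findings),
           addresses: extractAddresses(records, 'https://target.example/search?q=x') };
}
```

In a scanner built along these lines, `flattenDom(document)` and `analyzeDom` would run inside the controlled browser after each vector from `VECTORS` is applied, and `extractAddresses` would feed the next crawl round. The marker search works on the parsed DOM, not the HTML source, so a handler that never fires (no event model) still counts; the `javascript:` test is deliberately simple and does not cover whitespace or entity-encoded scheme names that browsers also accept.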