-
Publication No.: GB2510756A
Publication date: 2014-08-13
Application No.: GB201408612
Filing date: 2012-12-03
Applicant: IBM
Inventor: GUY LOTEM , KALMAN DANIEL , SEGAL ORI , WEISMAN OMRI , AMIT YAIR
IPC: G06F21/57
Abstract: Source code of a plurality of web pages including script code is statically analyzed. A page including a potential vulnerability is identified based on the static analysis. A page not including a potential vulnerability is identified based on the static analysis. The web page including the potential vulnerability is dynamically analyzed using a set of test payloads. The page not including the potential vulnerability is dynamically analyzed using a subset of the set of test payloads, the subset including fewer test payloads than the set of test payloads.
-
Publication No.: GB2496730A
Publication date: 2013-05-22
Application No.: GB201218726
Filing date: 2012-10-18
Applicant: IBM
Inventor: TRIPP OMER , AMIT YAIR , KALMAN DANIEL , WEISMAN OMRI , HAVIV YINNON
Abstract: A client 120 request 130 comprising a payload 132 (an injected script, for example) is communicated to a web-based application 112. The payload has a unique identifier. Response HTML 134 with an associated Document Object Model (DOM) object 136 is received from the web-based application, and content corresponding to the payload is identified in the DOM object via its unique identifier. A section of the DOM object comprising the payload is then identified as untrusted. A DOM abstraction 126 may be generated from the DOM object comprising the section of the DOM object containing the content corresponding to the payload while, preferably, excluding sections of the DOM object not comprising said content. The response HTML is then preferably rendered using the DOM abstraction in lieu of the DOM object. A static security analysis of the response HTML may be performed when rendering to identify whether any access to the DOM abstraction retrieves content corresponding to the payload and, if so, a flag is generated to indicate that a vulnerability exists within the web-based application.
-
Publication No.: CA2694326A1
Publication date: 2010-05-18
Application No.: CA2694326
Filing date: 2010-03-10
Applicant: IBM CANADA
Inventor: PODJARNY GUY , AMIT YAIR , SHARABANI ADI
Abstract: A method and system for preventing Cross-Site Request Forgery (CSRF) security attacks on a server in a client-server environment. The method includes embedding a nonce and a script in all responses from the server to the client, wherein the script, when executed, adds the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each said request from the client to the server includes the nonce sent by the server to the client. The script modifies all objects in a server response that may generate future requests to the server, including dynamically generated objects, so that the nonce is added to those requests. The server verifies the nonce value in a request and confirms the request with the client if the value is not the same as the value previously sent by the server. Server-side aspects of the invention might be embodied in the server or in a proxy between the server and the client.
-