-
Publication No.: US10320832B2
Publication date: 2019-06-11
Application No.: US15373883
Filing date: 2016-12-09
Applicant: SAP SE
Inventor: Martin Johns , Christoph Haefner
Abstract: WebRTC is vulnerable to malicious JavaScript, injected by cross-site scripting attacks or compromised or malicious script providers. Through these attacks, attackers can access a WebRTC connection and leak or monitor the audio and video data transmitted. By preventing modification of key WebRTC functions and preventing outgoing streams from being used more than once, these attacks can be thwarted.
-
Publication No.: US20180351986A1
Publication date: 2018-12-06
Application No.: US15615527
Filing date: 2017-06-06
Applicant: SAP SE
Inventor: Martin Johns
IPC: H04L29/06
Abstract: Embodiments detect cross-site request forgery (CSRF) attacks by monitoring, mutation, and analysis of suspect requests that are received by an application server. An engine observes UI interaction, HTTP traffic, and server-side changes in order to create an initial list of CSRF candidates (e.g., HTTP requests that could indicate a CSRF vulnerability). Embodiments may feature a virtualized server-side platform including sensors deployed for application persistence monitoring. Using inter-trace analysis, these CSRF candidates are decomposed into their semantic components (e.g., parameter values and classes). By performing value mutation operations on these components and repeated replay of the resulting HTTP requests, CSRF candidates are tested to see if the underlying HTTP request could be utilized in the context of a CSRF attack. Subsequent validation and exploitability assessment may reduce the initial list of suspect candidate requests to only those exploitable cases for which a proof-of-vulnerability demonstration exploit can be created.
-
Publication No.: US20220197998A1
Publication date: 2022-06-23
Application No.: US17127772
Filing date: 2020-12-18
Applicant: SAP SE
Inventor: Thomas Barber , David Klein , Martin Johns
Abstract: Various embodiments of systems and methods to track tainting information via non-intrusive bytecode instrumentation are described herein. The described techniques include, in one aspect, defining a taint-aware class to shadow an original data class. The taint-aware class includes a payload field to store objects of the original data class, a metadata field to store tainting information corresponding to the objects of the original data class, and a method proxying a corresponding method of the original data class. In another aspect, the instances of the original data class are replaced with corresponding instances of the taint-aware class in an application bytecode. Further, in yet another aspect, when executing the application in a runtime environment, the method propagates the content of the metadata field and calls the corresponding method of the original data class to manage the content of the payload field.
-
Publication No.: US10831892B2
Publication date: 2020-11-10
Application No.: US16002412
Filing date: 2018-06-07
Applicant: SAP SE
Inventor: Martin Johns
Abstract: Various examples are directed to systems and methods for securing a web browser. The web browser may parse web content received from a server and identify a script associated with the web content. The web browser may generate script fingerprint data for the script. The script fingerprint data may comprise script code data describing script code for the script and script syntax data describing the script. The web browser may determine that the script fingerprint data is not described by local known script data and may send an anomalous script report to the server, where the anomalous script report comprises the script fingerprint data. The web browser may also update the local known script data to describe the script fingerprint data.
-
Publication No.: US10824770B2
Publication date: 2020-11-03
Application No.: US16218761
Filing date: 2018-12-13
Applicant: SAP SE
Inventor: Martin Johns
IPC: G06F21/84 , H04L29/06 , G06F21/60 , G06F16/958 , G06F21/83
Abstract: Various examples are directed to systems and methods for executing a web application with client-side encryption. A web application may execute in a web browser at a client computing device. The web browser may generate a document comprising a secure display element. The web browser may request to render the document at the client computing device. A cryptographic tool of the web browser may decrypt the first encrypted value to generate a first clear value. The web browser may render the document at an output device of the client computing device using the clear value. The web browser may also be programmed to prevent the web application from accessing the first clear value.
-
Publication No.: US10789360B2
Publication date: 2020-09-29
Application No.: US15880398
Filing date: 2018-01-25
Applicant: SAP SE
Inventor: Martin Johns
Abstract: Embodiments protect against security vulnerabilities arising from 3rd party JavaScript code. A browser receives, from a server, a document including a first JavaScript. The browser in turn references a list stored in a database to recognize the first JavaScript as originating from other than the server. This recognition process may involve obtaining a stacktrace. The browser then references a second JavaScript in order to instrument a document object model (DOM) feature (e.g., global API, DOM element-attached API, DOM node property) to sanitize the first JavaScript. For instrumenting a global API, this may comprise overwriting a global reference in the first JavaScript with a replacement reference to a sanitization function. For instrumenting the DOM element-attached API or the DOM node property, the instrumenting may comprise altering a prototype of the DOM node element. The browser causes the DOM feature to sanitize the first JavaScript, and passes a sanitized JavaScript for execution.
-
Publication No.: US10609067B2
Publication date: 2020-03-31
Application No.: US16386083
Filing date: 2019-04-16
Applicant: SAP SE
Inventor: Martin Johns , Christoph Haefner
Abstract: WebRTC is vulnerable to malicious JavaScript, injected by cross-site scripting attacks or compromised or malicious script providers. Through these attacks, attackers can access a WebRTC connection and leak or monitor the audio and video data transmitted. By preventing modification of key WebRTC functions and preventing outgoing streams from being used more than once, these attacks can be thwarted.
-
Publication No.: US20190245886A1
Publication date: 2019-08-08
Application No.: US16386083
Filing date: 2019-04-16
Applicant: SAP SE
Inventor: Martin Johns , Christoph Haefner
CPC classification number: H04L63/1441 , H04L63/08 , H04L63/1416 , H04L63/1466 , H04L65/608 , H04N5/225
Abstract: WebRTC is vulnerable to malicious JavaScript, injected by cross-site scripting attacks or compromised or malicious script providers. Through these attacks, attackers can access a WebRTC connection and leak or monitor the audio and video data transmitted. By preventing modification of key WebRTC functions and preventing outgoing streams from being used more than once, these attacks can be thwarted.
-
Publication No.: US10129285B2
Publication date: 2018-11-13
Application No.: US15140154
Filing date: 2016-04-27
Applicant: SAP SE
Inventor: Martin Johns , Stephan Pfistner
Abstract: The embodiments described in this disclosure may be adapted to detect and mitigate tainted content in network communications across client-server boundaries using a pair of complementary taint engines at both ends of the network. Methods, systems and computer-readable storage media are adapted to receive a request from a web application of a client system and generate standard responses. The header of the request can include a request taint value that can be evaluated to determine whether the request is a standard network transfer protocol request (e.g., an HTTP request) or a multipart network transfer protocol request (e.g., a CTTP request). If the request is a multipart network transfer protocol request, a multipart network transfer protocol response can be constructed based on the generated standard network transfer protocol response, and client systems can be configured to detect tainted content based on the multipart network transfer protocol response.
-
Publication No.: US20180196939A1
Publication date: 2018-07-12
Application No.: US15403603
Filing date: 2017-01-11
Applicant: SAP SE
Inventor: Christoph Haefner , Martin Johns , Martin Haerterich
IPC: G06F21/53
CPC classification number: G06F21/53 , G06F2221/033
Abstract: Systems and methods are provided herein for establishing a protection framework for a component. Identified assets of a component requiring protection from a potential attack are received. A list of assets is generated based on the identified assets. A protection framework is configured to include at least one defensive pattern to protect the list of assets against the potential attack. The protection framework is executed to establish a hardened boundary between the component and an attack surface of the component.
-