Cross-site script detection and prevention
    Invention patent (granted)
    Status: in force

    Publication (announcement) number: US08578482B1

    Publication (announcement) date: 2013-11-05

    Application number: US11972823

    Application date: 2008-01-11

    CPC classification number: G06F21/577 G06F21/51 H04L63/1441

    Abstract: A Web site uses a behavior monitor that operates as a gatekeeper for a browser. The attack injects Web content with malicious executable code that executes on an end user device when the code executes in a browser on the device. A message is received at the monitor from a browser for retrieving Web content; the browser executes on a computing device having sensitive information. The Web content is retrieved from a target Web server and analyzed for XSS. If found, the destination to which some or all of the sensitive information will be sent if the XSS executes is determined. A message is displayed in the browser regarding whether the Web content that was requested should be viewed in the browser. In this manner, execution of the XSS in the browser is prevented. The analyzing and determining steps are performed before the Web content is received by the browser.

