DE602008000026D1 - Verbesserte Cross-site-Angriffsvorbeugung - Google Patents

Verbesserte Cross-site-Angriffsvorbeugung

Info

Publication number
DE602008000026D1
DE602008000026D1 DE602008000026T DE602008000026T DE602008000026D1 DE 602008000026 D1 DE602008000026 D1 DE 602008000026D1 DE 602008000026 T DE602008000026 T DE 602008000026T DE 602008000026 T DE602008000026 T DE 602008000026T DE 602008000026 D1 DE602008000026 D1 DE 602008000026D1
Authority
DE
Germany
Prior art keywords
web page
determined
page
site
user application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
DE602008000026T
Other languages
English (en)
Inventor
Florian Kerschbaum
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SAP SE
Original Assignee
SAP SE
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SAP SE filed Critical SAP SE
Publication of DE602008000026D1 publication Critical patent/DE602008000026D1/de
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119Authenticating web pages, e.g. with suspicious links

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)
  • Fats And Perfumes (AREA)
  • Transition And Organic Metals Composition Catalysts For Addition Polymerization (AREA)
  • Pharmaceuticals Containing Other Organic And Inorganic Compounds (AREA)
DE602008000026T 2007-04-23 2008-04-21 Verbesserte Cross-site-Angriffsvorbeugung Active DE602008000026D1 (de)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/738,912 US8584232B2 (en) 2007-04-23 2007-04-23 Enhanced cross-site attack prevention

Publications (1)

Publication Number Publication Date
DE602008000026D1 true DE602008000026D1 (de) 2009-07-30

Family

ID=39673148

Family Applications (1)

Application Number Title Priority Date Filing Date
DE602008000026T Active DE602008000026D1 (de) 2007-04-23 2008-04-21 Verbesserte Cross-site-Angriffsvorbeugung

Country Status (5)

Country Link
US (1) US8584232B2 (de)
EP (1) EP1986395B1 (de)
CN (1) CN101296087B (de)
AT (1) ATE434332T1 (de)
DE (1) DE602008000026D1 (de)

Families Citing this family (81)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8112799B1 (en) * 2005-08-24 2012-02-07 Symantec Corporation Method, system, and computer program product for avoiding cross-site scripting attacks
US7673135B2 (en) 2005-12-08 2010-03-02 Microsoft Corporation Request authentication token
US20080234998A1 (en) * 2007-03-22 2008-09-25 Searete Llc, A Limited Liability Corporation Of The State Of Delaware Coordinating instances of a thread or other service in emulation
US20080235000A1 (en) * 2007-03-22 2008-09-25 Searete Llc, A Limited Liability Corporation Of The State Of Delaware Implementing security control practice omission decisions from service emulation indications
US8495708B2 (en) * 2007-03-22 2013-07-23 The Invention Science Fund I, Llc Resource authorizations dependent on emulation environment isolation policies
US20080235001A1 (en) * 2007-03-22 2008-09-25 Searete Llc, A Limited Liability Corporation Of The State Of Delaware Implementing emulation decisions in response to software evaluations or the like
US8874425B2 (en) * 2007-03-22 2014-10-28 The Invention Science Fund I, Llc Implementing performance-dependent transfer or execution decisions from service emulation indications
US9558019B2 (en) * 2007-03-22 2017-01-31 Invention Science Fund I, Llc Coordinating instances of a thread or other service in emulation
US9378108B2 (en) * 2007-03-22 2016-06-28 Invention Science Fund I, Llc Implementing performance-dependent transfer or execution decisions from service emulation indications
US8438609B2 (en) * 2007-03-22 2013-05-07 The Invention Science Fund I, Llc Resource authorizations dependent on emulation environment isolation policies
US8181246B2 (en) * 2007-06-20 2012-05-15 Imperva, Inc. System and method for preventing web frauds committed using client-scripting attacks
US20090292983A1 (en) * 2007-11-30 2009-11-26 Kunal Anand Html filter for prevention of cross site scripting attacks
US8949990B1 (en) 2007-12-21 2015-02-03 Trend Micro Inc. Script-based XSS vulnerability detection
US8578482B1 (en) 2008-01-11 2013-11-05 Trend Micro Inc. Cross-site script detection and prevention
US8850567B1 (en) * 2008-02-04 2014-09-30 Trend Micro, Inc. Unauthorized URL requests detection
US8078693B2 (en) * 2008-04-14 2011-12-13 Microsoft Corporation Inserting a multimedia file through a web-based desktop productivity application
CN101594343B (zh) * 2008-05-29 2013-01-23 国际商业机器公司 安全提交请求的装置和方法、安全处理请求的装置和方法
US8341200B2 (en) * 2008-06-12 2012-12-25 Pomian & Corella, Llc Protecting a web application against attacks through shared files
US8640244B2 (en) * 2008-06-27 2014-01-28 Microsoft Corporation Declared origin policy
US8763120B1 (en) * 2008-07-15 2014-06-24 Zscaler, Inc. Exploitation detection
US8782797B2 (en) * 2008-07-17 2014-07-15 Microsoft Corporation Lockbox for mitigating same origin policy failures
US8020193B2 (en) * 2008-10-20 2011-09-13 International Business Machines Corporation Systems and methods for protecting web based applications from cross site request forgery attacks
US8180891B1 (en) * 2008-11-26 2012-05-15 Free Stream Media Corp. Discovery, access control, and communication with networked services from within a security sandbox
US20100192224A1 (en) * 2009-01-26 2010-07-29 International Business Machines Corporation Sandbox web navigation
EP2214373A1 (de) * 2009-01-30 2010-08-04 BRITISH TELECOMMUNICATIONS public limited company Sichere web-basierte Dienstbereitstellung
WO2010086625A1 (en) * 2009-01-30 2010-08-05 British Telecommunications Public Limited Company Secure web-based service provision
CN101877696B (zh) * 2009-04-30 2014-01-08 国际商业机器公司 在网络应用环境下重构错误响应信息的设备和方法
CN101895516B (zh) * 2009-05-19 2014-08-06 北京启明星辰信息技术股份有限公司 一种跨站脚本攻击源的定位方法及装置
US8332952B2 (en) * 2009-05-22 2012-12-11 Microsoft Corporation Time window based canary solutions for browser security
US8924553B2 (en) * 2009-08-31 2014-12-30 Red Hat, Inc. Multifactor validation of requests to thwart cross-site attacks
US8904521B2 (en) * 2009-11-30 2014-12-02 Red Hat, Inc. Client-side prevention of cross-site request forgeries
US8775818B2 (en) * 2009-11-30 2014-07-08 Red Hat, Inc. Multifactor validation of requests to thwart dynamic cross-site attacks
US8875285B2 (en) * 2010-03-24 2014-10-28 Microsoft Corporation Executable code validation in a web browser
US8856874B2 (en) 2010-05-19 2014-10-07 International Business Machines Corporation Method and apparatus for serving content elements of a markup language document protected against cross-site scripting attack
US9160756B2 (en) * 2010-05-19 2015-10-13 International Business Machines Corporation Method and apparatus for protecting markup language document against cross-site scripting attack
CA2704863A1 (en) * 2010-06-10 2010-08-16 Ibm Canada Limited - Ibm Canada Limitee Injection attack mitigation using context sensitive encoding of injected input
US9021586B2 (en) * 2010-07-20 2015-04-28 At&T Intellectual Property I, L.P. Apparatus and methods for preventing cross-site request forgery
US8068011B1 (en) 2010-08-27 2011-11-29 Q Street, LLC System and method for interactive user-directed interfacing between handheld devices and RFID media
US8578461B2 (en) 2010-09-27 2013-11-05 Blackberry Limited Authenticating an auxiliary device from a portable electronic device
US8910247B2 (en) 2010-10-06 2014-12-09 Microsoft Corporation Cross-site scripting prevention in dynamic content
CN102571846B (zh) * 2010-12-23 2014-11-19 北京启明星辰信息技术股份有限公司 一种转发http请求的方法及装置
CN102073559A (zh) * 2011-01-12 2011-05-25 北京搜狗科技发展有限公司 一种网页输入数据保护方法及系统
US8949992B2 (en) 2011-05-31 2015-02-03 International Business Machines Corporation Detecting persistent vulnerabilities in web applications
US10445528B2 (en) * 2011-09-07 2019-10-15 Microsoft Technology Licensing, Llc Content handling for applications
CN102984117B (zh) * 2011-09-07 2016-06-22 中国移动通信集团公司 一种网页组件的鉴权方法、鉴权服务器及鉴权系统
US9223976B2 (en) 2011-09-08 2015-12-29 Microsoft Technology Licensing, Llc Content inspection
CN103001817B (zh) * 2011-09-16 2016-08-10 厦门市美亚柏科信息股份有限公司 一种实时检测网页跨域请求的方法和装置
GB2496107C (en) * 2011-10-26 2022-07-27 Cliquecloud Ltd A method and apparatus for preventing unwanted code execution
US9813429B2 (en) * 2012-01-03 2017-11-07 International Business Machines Corporation Method for secure web browsing
US9191405B2 (en) * 2012-01-30 2015-11-17 Microsoft Technology Licensing, Llc Dynamic cross-site request forgery protection in a web-based client application
CN103312666B (zh) * 2012-03-09 2016-03-16 腾讯科技(深圳)有限公司 一种防御跨站请求伪造csrf攻击的方法、系统和装置
CN102664913B (zh) * 2012-03-21 2015-04-15 北京奇虎科技有限公司 网页访问控制方法和装置
US8898766B2 (en) * 2012-04-10 2014-11-25 Spotify Ab Systems and methods for controlling a local application through a web page
US10171483B1 (en) 2013-08-23 2019-01-01 Symantec Corporation Utilizing endpoint asset awareness for network intrusion detection
WO2015147779A1 (en) * 2014-03-24 2015-10-01 Hewlett-Packard Development Company, L.P. Monitoring for authentication information
CN104036193B (zh) * 2014-05-16 2017-02-01 北京金山安全软件有限公司 一种应用程序的本地跨域漏洞检测方法及装置
US10057217B2 (en) 2014-07-15 2018-08-21 Sap Se System and method to secure sensitive content in a URI
CN105512559B (zh) * 2014-10-17 2019-09-17 阿里巴巴集团控股有限公司 一种用于提供访问页面的方法与设备
US9740879B2 (en) 2014-10-29 2017-08-22 Sap Se Searchable encryption with secure and efficient updates
US9342707B1 (en) 2014-11-06 2016-05-17 Sap Se Searchable encryption for infrequent queries in adjustable encrypted databases
US9608809B1 (en) 2015-02-05 2017-03-28 Ionic Security Inc. Systems and methods for encryption and provision of information security using platform services
CN105991615B (zh) * 2015-03-04 2019-06-07 杭州迪普科技股份有限公司 基于csrf攻击的防护方法及装置
CN106339309B (zh) * 2015-07-14 2020-01-31 腾讯科技(深圳)有限公司 应用程序的测试方法、客户端及系统
CN106549925A (zh) * 2015-09-23 2017-03-29 阿里巴巴集团控股有限公司 防止跨站点请求伪造的方法、装置及系统
US9830470B2 (en) 2015-10-09 2017-11-28 Sap Se Encrypting data for analytical web applications
US10740474B1 (en) 2015-12-28 2020-08-11 Ionic Security Inc. Systems and methods for generation of secure indexes for cryptographically-secure queries
US10503730B1 (en) 2015-12-28 2019-12-10 Ionic Security Inc. Systems and methods for cryptographically-secure queries using filters generated by multiple parties
CN107436873B (zh) * 2016-05-25 2021-05-07 北京奇虎科技有限公司 一种网址跳转方法、装置及中转装置
CN106603572B (zh) * 2017-01-16 2020-07-14 深圳市九州安域科技有限公司 一种基于探针的漏洞检测方法及其装置
US11108762B2 (en) * 2018-06-05 2021-08-31 The Toronto-Dominion Bank Methods and systems for controlling access to a protected resource
US10992759B2 (en) 2018-06-07 2021-04-27 Sap Se Web application session security with protected session identifiers
US10972481B2 (en) * 2018-06-07 2021-04-06 Sap Se Web application session security
EP3588347B1 (de) * 2018-06-29 2021-01-13 AO Kaspersky Lab Systeme und verfahren zum identifizieren unbekannter attribute von webdatenfragmenten beim starten einer webseite in einem browser
CN109040073B (zh) * 2018-08-07 2021-04-16 北京神州绿盟信息安全科技股份有限公司 一种万维网异常行为访问的检测方法、装置、介质和设备
CN109948025B (zh) * 2019-03-20 2023-10-20 上海古鳌电子科技股份有限公司 一种数据引用记录方法
US10746567B1 (en) 2019-03-22 2020-08-18 Sap Se Privacy preserving smart metering
US11275840B2 (en) 2019-07-29 2022-03-15 Sap Se Management of taint information attached to strings
CN112115400A (zh) * 2020-02-02 2020-12-22 郭春燕 网页数据处理方法、装置及网页云平台
CN113783824B (zh) * 2020-06-10 2022-08-30 中国电信股份有限公司 防止跨站请求伪造的方法、装置、客户端、系统及介质
US11720988B1 (en) * 2020-06-12 2023-08-08 Wells Fargo Bank, N.A. Automated data agent monitoring bot
KR102413355B1 (ko) * 2021-03-25 2022-06-27 주식회사 이알마인드 디바이스로의 보안 서비스 제공 방법 및 이를 수행하는 서버

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6357010B1 (en) 1998-02-17 2002-03-12 Secure Computing Corporation System and method for controlling access to documents stored on an internal network
US6658400B2 (en) * 1999-12-04 2003-12-02 William S. Perell Data certification and verification system having a multiple-user-controlled data interface
US7424445B1 (en) * 2000-04-06 2008-09-09 Apple Inc. Virtual bundles
US7370011B2 (en) * 2000-06-28 2008-05-06 Yahoo! Inc. Financial information portal
US7100049B2 (en) 2002-05-10 2006-08-29 Rsa Security Inc. Method and apparatus for authentication of users and web sites
US8272032B2 (en) * 2004-11-10 2012-09-18 Mlb Advanced Media, L.P. Multiple user login detection and response system
US20070136809A1 (en) * 2005-12-08 2007-06-14 Kim Hwan K Apparatus and method for blocking attack against Web application
CN1870493A (zh) * 2006-06-15 2006-11-29 北京华景中天信息技术有限公司 网站安全漏洞扫描方法
US8079076B2 (en) * 2006-11-02 2011-12-13 Cisco Technology, Inc. Detecting stolen authentication cookie attacks

Also Published As

Publication number Publication date
ATE434332T1 (de) 2009-07-15
CN101296087B (zh) 2011-09-21
US8584232B2 (en) 2013-11-12
CN101296087A (zh) 2008-10-29
US20080263650A1 (en) 2008-10-23
EP1986395A1 (de) 2008-10-29
EP1986395B1 (de) 2009-06-17

Similar Documents

Publication Publication Date Title
ATE434332T1 (de) Verbesserte cross-site-angriffsvorbeugung
WO2007120625A3 (en) Secure and granular index for information retrieval
FR2914378B1 (fr) Dispositif et clavette de verrouillage.
BRPI0819426A2 (pt) "método de identificação de documento, dispositivo para autenticação de documentos de segurança e meio legível por computador"
EP1806674A3 (de) Verfahren und Vorrichtung für schutzbereichbasierte Sicherheit
BRPI0812547A2 (pt) Método e dispositivo de segurança de documentos
ATE513406T1 (de) Transparente bewusste datenumwandlung auf dateisystemebene
BRPI0819421A2 (pt) "método para verificação de um documento desconhecido, dispositivo para autenticação de documentos de segurança, meio legível por computador e método para a identificação ou validação de um documento desconhecido"
BRPI0810234A2 (pt) Dispositivo eletrônico, e, método para proteger dados de restrição de uso
WO2005025291A3 (en) Identifying and/or blocking ads such as document-specific competitive ads
DE602004012996D1 (de) Verfahren und vorrichtung zum authentifizieren von benutzern und websites
BRPI0907386A2 (pt) Transmissão de arquivo de segurança e pesquisa de reputação.
SG157328A1 (en) System and method for detecting false code
BRPI0916697A2 (pt) recomendações de conteúdo baseado em informações de navegação
WO2008002456A3 (en) Program instrumentation method and apparatus for constraining the behavior of embedded script in documents
DE602005022194D1 (de) Verfahren gegen unbefugten Zugang zu Entschlüsselungsschlüsseln mit Hilfe einer verschlüsselten digitalen Unterschrift
WO2005101185A3 (en) Authenticating a web site with user-provided indicators
BR112012003212A8 (pt) dispositivo periférico inteligente e um sistema para autenticação e verificação de pessoas físicas e/ou documentos através de um serviço seguro de autenticação multifuncional com capacidade de armazenamento de dados.
BRPI0919240A2 (pt) características de segurança à prova de falsificação em documentos de segurança ou documentos de valor
FR2926134B1 (fr) Dispositif de securite et d'armement micro-usine ou micro-grave
BRPI1013381A2 (pt) método de gerenciamento de informação de chave, método de transmissão de conteúdo, aparelho de gerenciamento de informação de chave, aparelho de gerenciamento de licença, sistema de transmissão de conteúdo, e aparelho de terminal
WO2010033633A3 (en) Method and system for enabling access to a web service provider through login based badges embedded in a third party site
FR2911743B1 (fr) Dispositif portable d'authentification.
FR2904130B1 (fr) Procedes et dispositifs de securisation et d'authentification de documents
FR2890099B1 (fr) Dispositif de securite pour un puits de petrole et installation de securite associee.

Legal Events

Date Code Title Description
8364 No opposition during term of opposition