WO2011018316A1 - Web browser security - Google Patents
Web browser security
- Publication number: WO2011018316A1 (PCT application PCT/EP2010/060619)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- url
- rating
- client terminal
- web browser
- sending
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/953—Querying, e.g. by the use of web search engines
- G06F16/9535—Search customisation based on user profiles and personalisation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06F21/6263—Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/168—Implementing security features at a particular protocol layer above the transport layer
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2119—Authenticating web pages, e.g. with suspicious links
Definitions
- the present invention relates to web browser security and in particular to a mechanism for preventing sensitive information being sent from a web browser to a malicious website.
- FIG. 1 shows an example piece of html code that creates within a displayed webpage a form with two input fields, "firstname” and "lastname", and one submit button.
- Figure 2 shows how a malicious script may modify the destination URL ("www.example.com/getform.asp") associated with the action, to match a malicious site, in this case "www.stealyourdata.com/getform.asp”.
- To bring about such a modification, a Cross Site Scripting (XSS) attack may be used.
- A so-called "reflected" (type 1) XSS attack can be carried out by enticing the user to click on a link whose root is a trusted website address but which additionally carries a malicious script, e.g. "www.mybank.com/maliciousscript.js".
- The browser sends a GET request to this URL, and the request is indeed received by a server of mybank.com.
- The server expects to receive, appended to the URL, the user's username and password, and reflects these back into the returned webpage without sanitising them, e.g. the page contains the message "hello maliciousscript.js".
- The browser receives the webpage data, recognises the script, and executes it.
- Execution of the script results in the display of an otherwise valid webpage, but with the destination URL of one or more forms changed to a malicious URL.
- This URL is not displayed to the user and, importantly, the address line of the browser window shows only a legitimate URL, e.g. "www.mybank.com/login".
- A related, but potentially more dangerous, XSS attack is that known as a "type 2" or persistent (stored) XSS attack.
- A type 2 XSS attack takes advantage of the fact that users may post html formatted data to a web application in a persistent manner, so that it is stored by the web server and served to every subsequent visitor. This might be the case, for example, with a web chat application.
- When a client reads such a web page, e.g. a chat board, the malicious script is downloaded and executed by the client's web browser, again modifying the destination URL of a web page form.
- A number of products designed to reduce the problems discussed above are available.
- One approach employed is to detect when a user enters potentially sensitive information into a form field. For example, the insertion of an "@" character may be taken as indicative of entry of the user's email address, or the Luhn checksum may be used to detect the entry of a credit card number.
- When such an entry is detected, a warning is displayed to the user, and the user must click the warning away in order to proceed.
- Since the majority of form data submitted by a user is likely to be legitimate, such an approach may prove an annoying inconvenience.
- Summary: a "brute force" defence against phishing and pharming attacks of the type described above is to screen the destination URLs of all outgoing traffic from the web browser.
- An improved, or at least supplementary, approach presented here is to detect either the presence of a form in a webpage or an attempt by a user to submit a form, and to check the URL associated with that form against a database of rated URLs. Depending upon the result of the check, the submission can be blocked and/or a warning presented to the user.
- According to a first aspect of the invention there is provided a method of controlling the sending of sensitive electronic data from a client terminal to a peer over the Internet, the client terminal implementing a web browser for displaying and interacting with webpages.
- The method comprises, at the client terminal, identifying a URL associated with an html form tag of a webpage, and querying a reputation database in order to obtain a rating for the URL.
- Depending upon the rating, the sending of data entered into the field(s) of the form over the Internet is blocked, and/or a warning is displayed to the user.
- The step of identifying a URL may comprise parsing the html code of said webpage to identify a form tag and an associated URL. Alternatively, this step may comprise intercepting and parsing outgoing http data to identify the URL.
- Said steps of identifying, querying, blocking, and displaying may be carried out by a web browser plugin.
- The step of querying a reputation database may comprise formulating a query at the client terminal containing said URL and sending that query, across the Internet, to a reputation server, and, upon receipt of the query at the reputation server, determining a rating for the URL and sending a response containing the rating to the client terminal.
- Alternatively, the step of querying a reputation database may comprise querying a rating database maintained at the client terminal.
- According to a second aspect of the invention there is provided a computer program for use with a computer provided with a web browser for displaying and interacting with webpages.
- The computer program causes the computer to identify a URL associated with an html form tag of a webpage, and to query a reputation database in order to obtain a rating for the URL.
- Depending upon the rating, the program blocks the sending of data entered into the field(s) of the form over the Internet and/or displays a warning to the user.
- The computer program may be implemented as a web browser plugin.
- According to a third aspect of the invention there is provided a computer storage medium having stored thereon a computer program according to the above second aspect of the invention.
- According to a fourth aspect of the invention there is provided a client terminal comprising a computer storage medium according to the above third aspect of the invention.
- Figure 1 shows an example html code segment that creates within a displayed webpage a form
- Figure 2 shows an example html code segment with a modified destination URL
- Figure 3 is a flow diagram illustrating a process for handling webpage form submissions to detect suspicious activities
- Figure 4 illustrates schematically a client terminal configured to implement the process of Figure 3.
- Detecting malware and other security threats in a client terminal environment can, if not properly optimised, consume large amounts of computer resources, to the point where the performance of the terminal is severely impacted.
- Brute force monitoring of all outgoing Internet traffic is particularly undesirable given that users have become used to extremely fast broadband browsing experiences.
- A more efficient approach presented here involves detecting either the presence of form fields in a webpage, or that the web browser is attempting to submit form data across the Internet, and using this as the trigger to "scan" the submit destination URL.
- Appropriate functionality can be introduced into a client terminal by way of a browser plugin, i.e. a program that makes use of standard interfaces of the browser to enhance the browser's operation. Browser plugin technology is well known to those of skill in the art.
- Figure 3 presents a flow diagram illustrating an approach based on monitoring submitted forms.
- The process starts when the user clicks on a submit "button" in order to submit the content of a form to a destination URL.
- The submission is intercepted at step S2.
- At step S3 the destination URL for the submission is identified.
- Browsers provide several methods that can be used to implement steps S2 and S3.
- One approach employs JavaScript 'event notifications'. For example, the onclick() event is triggered whenever a certain element is "clicked". These events can be detected by script code segments in the webpage or by a browser plugin. Whenever a form submission occurs, at least the onsubmit() event is triggered by the browser, and a handler for this event, whether a script segment in the page or the plugin itself, can intercept the submission (for instance by cancelling the event's default action) as required.
- a query containing this URL is formulated and sent to a URL associated with a trusted server operated by an anti-virus application provider.
- the query may be digitally signed (and possibly encrypted) to authenticate the sender to the server.
- the server receives the query and extracts the destination URL.
- the server looks up this URL in a website reputation database.
- the database will have been constructed by the provider from an analysis of publicly available websites, e.g. using a "spider" to collect webpages and some automated malware detection process for analysing collected webpages. Data may also be entered manually into the database, e.g. based upon user reports of good and bad websites.
- the result of the query is returned to the querying client terminal, again with the message signed (and possibly encrypted) to authenticate the server as the origin.
- the client terminal must of course verify the signature to authenticate the response.
- If the returned rating indicates that the destination is trusted, the web browser plugin allows the submission to proceed, i.e. it forwards the submission to the destination URL.
- If the rating indicates that the destination is malicious (or, depending on policy, unknown), the plugin blocks the submission and displays an alert to the user at step S8.
- The alert may be displayed in a separate pop-up window, or in a dedicated area of the browser frame, e.g. as a "traffic light" indicator.
- The user may be able to force a submission, at least for unknown URLs.
- FIG. 4 illustrates schematically a client terminal in the form of a PC 1 (the terminal may of course be any other computer device with Internet connectivity, e.g. a mobile phone).
- The PC comprises a display 2 on which might be displayed the graphical user interface (GUI) of a web browser 3, e.g. Internet Explorer™.
- A memory component 4 stores computer software 5 which, when executed, provides a browser plugin for the web browser. As well as implementing the background URL scanning described above, the plugin also modifies the displayed GUI, for example to display an indication that a form submission has been allowed or blocked.
- the PC further comprises a network interface 6 for coupling the PC to the Internet.
- An alternative approach to defending against attacks of the type described above involves scanning webpages as they are downloaded into the browser to detect html forms (e.g. using an appropriate browser plugin). This might involve, for example, parsing the Document Object Model (DOM) of the webpage, looking for occurrences of 'form' objects and extracting the 'action' attribute from each, since this attribute holds the submission URL. Each URL so extracted is sent in a query to the anti-virus provider server. Separate queries can be sent for each submit URL, or multiple URLs can be rolled into a single query, and likewise one or more responses can be returned by the server.
- In this way a user can be warned of a potential threat at an early stage, potentially before the webpage is rendered and displayed in the browser window.
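An added example, not code from the patent, of the two client-side pieces described on this page: pulling the submission URL out of each form (the DOM walk of the alternative approach, stood in for here by a scan over the page source so that it runs under Node.js) and intercepting the submit event so that the submission can be cancelled. The reputation table, host names and sample pages are constructed; the rule applied to unknown hosts is a design choice of this example rather than something the patent specifies.

```javascript
// Added example, not code from the patent: a browser-side guard that finds
// the submission URL of each form, rates its host against a constructed
// reputation table and decides whether the submit may proceed. In a real
// plugin the regex scan would be a walk over document.forms and the guard
// would be attached with addEventListener('submit', ...). All host names
// and pages below are made up for illustration.

// Constructed local reputation table. Hosts not listed are "unknown".
const REPUTATION = {
  'www.mybank.com': 'good',
  'www.example.com': 'good',
  'www.stealyourdata.com': 'bad',
};

function rateHost(host) {
  return REPUTATION[host] || 'unknown';
}

// Resolve the action the way the browser will: relative to the page URL,
// with an empty or missing action meaning "post back to the current page".
// An action written without a scheme ("www.other.com/x") is a relative
// path on the page's own origin, not a cross-site destination.
function resolveAction(action, pageUrl) {
  const raw = (action || '').trim();
  return new URL(raw === '' ? pageUrl : raw, pageUrl);
}

// Verdict for one submission: 'allow', 'warn' or 'block'.
// Design choice for this example: an unknown host only draws a warning when
// the form posts back to the page's own origin; an unknown host on another
// origin is blocked, because an action rewritten to point off-site is the
// XSS pattern described on this page.
function decide(action, pageUrl) {
  const dest = resolveAction(action, pageUrl);
  if (dest.protocol !== 'http:' && dest.protocol !== 'https:') {
    return 'block'; // javascript:, data: etc. have no peer host to rate
  }
  const rating = rateHost(dest.hostname);
  if (rating === 'bad') return 'block';
  if (rating === 'good') return 'allow';
  return dest.origin === new URL(pageUrl).origin ? 'warn' : 'block';
}

// Stand-in for the DOM walk: the raw action attribute of every <form> tag
// in the page source (a form without an action yields '').
function extractFormActions(html) {
  const actions = [];
  const formTag = /<form\b([^>]*)>/gi;
  let m;
  while ((m = formTag.exec(html)) !== null) {
    const a = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    actions.push(a ? (a[1] || a[2] || a[3] || '') : '');
  }
  return actions;
}

// Scan a whole page before it is rendered: one verdict per form.
function scanPage(html, pageUrl) {
  return extractFormActions(html).map(action => ({
    action,
    destination: resolveAction(action, pageUrl).href,
    verdict: decide(action, pageUrl),
  }));
}

// Submit-time interception. Returns a handler for the form's 'submit' event
// that cancels the submission unless the verdict is 'allow' and reports the
// outcome through notify(verdict, destinationUrl). The event is assumed to
// offer target.getAttribute('action') and preventDefault(), as a DOM
// SubmitEvent does.
function makeSubmitGuard(pageUrl, notify) {
  return function onSubmit(event) {
    const action = event.target.getAttribute('action');
    const verdict = decide(action, pageUrl);
    if (verdict !== 'allow') {
      event.preventDefault();
      notify(verdict, resolveAction(action, pageUrl).href);
    }
    return verdict;
  };
}

// Constructed pages after Figures 1 and 2 of the patent: the same form, once
// with its original action and once after a script has rewritten it.
const CLEAN_PAGE = `<html><body>
<form action="http://www.example.com/getform.asp" method="post">
  <input name="firstname"><input name="lastname"><input type="submit">
</form></body></html>`;
const HIJACKED_PAGE = CLEAN_PAGE.replace(
  'http://www.example.com/getform.asp', 'http://www.stealyourdata.com/getform.asp');
```

Reading the raw attribute rather than the `form.action` property matters in a real plugin: the property is what the browser will actually post to, so it should be resolved exactly as `resolveAction` does here, and a page script that replaced the attribute after load is caught at submit time even if the pre-render scan saw a clean page.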
- The embodiments described above are able to detect threats when a user enters and submits data into any webpage containing a form. They are particularly effective in combating XSS attacks, during which a legitimate URL is likely to appear in the web browser's address line. It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the present invention.
- For example, rather than querying a remote reputation server, the web browser plugin may submit the URL to a locally held database and associated query engine. This database may receive regular updates from a service provider, e.g. pushed to it over the Internet.
Abstract
The invention relates to a method for controlling the sending of sensitive electronic data from a client terminal to a peer over the Internet, the client terminal using a web browser to display and interact with web pages. The method comprises, at the client terminal, identifying a URL associated with an HTML form tag of a web page, and querying a reputation database in order to obtain a rating for the URL. Depending on the rating, the sending over the Internet of the data entered into the field(s) of the form is blocked, and/or a warning is displayed to the user.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
MYPI20093350 | 2009-08-12 | ||
MYPI20093350 | 2009-08-12 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011018316A1 true WO2011018316A1 (fr) | 2011-02-17 |
Family
ID=43858387
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2010/060619 WO2011018316A1 (fr) | 2009-08-12 | 2010-07-22 | Web browser security |
Country Status (1)
Country | Link |
---|---|
WO (1) | WO2011018316A1 (fr) |
- 2010-07-22: application PCT/EP2010/060619 filed with WO (published as WO2011018316A1), status active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060253446A1 (en) * | 2005-05-03 | 2006-11-09 | E-Lock Corporation Sdn. Bhd.. | Internet security |
US20060253578A1 (en) * | 2005-05-03 | 2006-11-09 | Dixon Christopher J | Indicating website reputations during user interactions |
US20090055928A1 (en) * | 2007-08-21 | 2009-02-26 | Kang Jung Min | Method and apparatus for providing phishing and pharming alerts |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013053278A1 (fr) * | 2011-10-14 | 2013-04-18 | 腾讯科技(深圳)有限公司 | Network security identification method, security detection server, client and system |
US9154522B2 (en) | 2011-10-14 | 2015-10-06 | Tencent Technology (Shenzhen) Company Limited | Network security identification method, security detection server, and client and system therefor |
EP2648128A1 (fr) * | 2012-04-02 | 2013-10-09 | Trusteer Ltd. | Detection of phishing attempts |
US9111090B2 (en) | 2012-04-02 | 2015-08-18 | Trusteer, Ltd. | Detection of phishing attempts |
WO2015000428A1 (fr) * | 2013-07-05 | 2015-01-08 | 腾讯科技(深圳)有限公司 | Data processing method, server and system |
CN110348239A (zh) * | 2019-06-13 | 2019-10-18 | 平安普惠企业管理有限公司 | Desensitization rule configuration method, data desensitization method, system and computer device |
CN110348239B (zh) * | 2019-06-13 | 2023-10-27 | 张建军 | Desensitization rule configuration method, data desensitization method, system and computer device |
US20220232038A1 (en) * | 2021-01-21 | 2022-07-21 | Mcafee, Llc | Web Conference Security |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 10737546; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 10737546; Country of ref document: EP; Kind code of ref document: A1 |