WO2011018316A1 - Web browser security - Google Patents

Web browser security

Info

Publication number
WO2011018316A1
Authority
WO
WIPO (PCT)
Prior art keywords
url
rating
client terminal
web browser
sending
Prior art date
Application number
PCT/EP2010/060619
Other languages
English (en)
Inventor
Masood Syed Ghouse
Original Assignee
F-Secure Corporation
Priority date
2009-08-12
Filing date
2010-07-22
Publication date
2011-02-17
Application filed by F-Secure Corporation
Publication of WO2011018316A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/953 Querying, e.g. by the use of web search engines
    • G06F16/9535 Search customisation based on user profiles and personalisation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/168 Implementing security features at a particular protocol layer above the transport layer
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2119 Authenticating web pages, e.g. with suspicious links

Definitions

  • The present invention relates to web browser security, and in particular to a mechanism for preventing sensitive information being sent from a web browser to a malicious website.
  • FIG. 1 shows an example piece of html code that creates, within a displayed webpage, a form with two input fields, "firstname" and "lastname", and one submit button.
  • Figure 2 shows how a malicious script may modify the destination URL ("www.example.com/getform.asp") associated with the action to match a malicious site, in this case "www.stealyourdata.com/getform.asp".
  • A Cross Site Scripting (XSS) attack may be used to bring about such a modification.
  • A so-called "reflective" XSS attack can be carried out by enticing the user to click on a link that contains as its root a trusted website address and, in addition, a malicious script, e.g. "www.mybank.com/maliciousscript.js".
  • The browser sends a GET request to this URL, and the request is indeed received by a server of mybank.
  • The server expects to receive, appended to the URL, the user's username and password, and reflects these back in the returned webpage, e.g. the page contains the message "hello maliciousscript.js".
  • The browser receives the webpage data, recognises the script, and executes it.
  • Execution of the script results in the display of an otherwise valid webpage, but with the destination URL of one or more forms changed to a malicious URL.
  • This URL is not displayed to the user and, importantly, the address line of the browser window shows only a legitimate URL, e.g. "www.mybank.com/login".
  • A related, but potentially more dangerous, XSS attack is that known as a "type 2" or persistent XSS attack.
  • A type 2 XSS attack takes advantage of the fact that users may post html formatted data to a web application of a web server in a persistent manner. This might be the case, for example, with a web chat application.
  • When a client reads the web page, e.g. a chat board, a malicious script may be downloaded and executed by the client's web browser in order to modify the destination URL of a web page form.
  • A number of products designed to reduce the problems discussed above are available.
  • One approach employed is to detect when a user enters potentially sensitive information into a form field. For example, the insertion of an "@" character may be detected as indicative of entry of a user's email address, or an algorithm such as the Luhn algorithm used to detect the entry of a credit card number.
  • In that case a warning is displayed to the user, and the user must click the warning away in order to proceed.
  • Since the majority of form data submitted by a user is likely to be legitimate, such an approach may prove an annoying inconvenience.
  • Summary: A "brute force" defence against phishing and pharming attacks of the type described above is to screen destination URLs for all outgoing traffic from the web browser.
  • An improved, or at least supplementary, approach presented here is to detect either the presence of a form in a webpage or an attempt by a user to submit a form, and to check the associated URL against a database of rated URLs. Depending upon the result of the check, the URL submission can be blocked and/or a warning presented to the user.
  • According to a first aspect, there is provided a method of controlling the sending of sensitive electronic data from a client terminal to a peer over the Internet, the client terminal implementing a web browser for displaying and interacting with webpages.
  • The method comprises, at the client terminal, identifying a URL associated with an html form tag of a webpage, and querying a reputation database in order to obtain a rating for the URL.
  • Depending upon the rating, the sending of data entered into the field(s) of the form over the Internet is blocked, and/or a warning is displayed to the user.
  • The step of identifying a URL may comprise parsing html code of said webpage to identify a form tag and an associated URL. Alternatively, this step may comprise intercepting and parsing outgoing http data to identify the URL.
  • Said steps of identifying, querying, blocking, and displaying may be carried out by a web browser plugin.
  • The step of querying a reputation database in order to obtain a rating for the URL may comprise formulating a query at the client terminal containing said URL and sending that query, across the Internet, to a reputation server, and, upon receipt of the query at the rating server, determining a rating for the URL and sending a response containing the rating to the client terminal.
  • Alternatively, the step of querying a reputation database in order to obtain a rating for the URL may comprise querying a rating database maintained at the client terminal.
  • According to a second aspect, there is provided a computer program for use with a computer provided with a web browser for displaying and interacting with webpages.
  • The computer program causes the computer to identify a URL associated with an html form tag of a webpage, and to query a reputation database in order to obtain a rating for the URL.
  • Depending upon the rating, the program blocks the sending of data entered into the field(s) of the form over the Internet and/or displays a warning to the user.
  • The computer program may be implemented as a web browser plugin.
  • According to a third aspect, there is provided a computer storage medium having stored thereon a computer program according to the above second aspect of the invention.
  • A further aspect provides a client terminal comprising a computer storage medium according to the above third aspect of the invention.
  • Figure 1 shows an example html code segment that creates a form within a displayed webpage;
  • Figure 2 shows an example html code segment with a modified destination URL;
  • Figure 3 is a flow diagram illustrating a process for handling webpage form submissions to detect suspicious activities;
  • Figure 4 illustrates schematically a client terminal configured to implement the process of Figure 3.
  • Detecting malware and other security threats in a client terminal environment can, if not properly optimised, consume large amounts of computer resources, to the point where the performance of the terminal is severely impacted.
  • The brute force monitoring of all outgoing Internet traffic is particularly undesirable given that users have become used to extremely fast broadband browsing experiences.
  • A more efficient approach presented here involves detecting either the presence of form fields in a webpage, or that a web browser is attempting to submit form data across the Internet, and using this as a trigger to "scan" the URL submit destination.
  • Appropriate functionality can be introduced into a client terminal by way of a browser plugin, i.e. a program that makes use of standard interfaces of the browser to enhance the browser's operation. Browser plugin technology is well known to those of skill in the art.
  • Figure 3 presents a flow diagram illustrating an approach that monitors submitted forms.
  • The process begins when the user has clicked on a submit "button" in order to submit the content of a form to a destination URL.
  • The submission is intercepted at step S2.
  • At step S3, the destination URL for the submission is identified.
  • Browsers provide several methods that can be used to implement steps S2 and S3.
  • One approach employs JavaScript generated 'event notifications'. For example, the onclick() event is triggered whenever a certain element is "clicked". These events can be detected by script code segments in the webpage or by a browser plugin. Whenever a form submission occurs, at least the onsubmit() event is triggered by the browser. This event can be used by a script code segment or JavaScript to intercept the submission as required.
  • A query containing this URL is then formulated and sent to a URL associated with a trusted server operated by an anti-virus application provider.
  • The query may be digitally signed (and possibly encrypted) to authenticate the sender to the server.
  • The server receives the query and extracts the destination URL.
  • The server looks up this URL in a website reputation database.
  • The database will have been constructed by the provider from an analysis of publicly available websites, e.g. using a "spider" to collect webpages and some automated malware detection process for analysing collected webpages. Data may also be entered manually into the database, e.g. based upon user reports of good and bad websites.
  • The result of the query is returned to the querying client terminal, again with the message signed (and possibly encrypted) to authenticate the server as the origin.
  • The client terminal must, of course, verify the signature to authenticate the response.
  • Depending upon the returned rating, the web browser plugin either allows the submission to proceed, i.e. forwards the submission to the destination URL,
  • or blocks the submission and displays an alert to the user at step S8.
  • The alert may be displayed in a separate pop-up window, or in a dedicated area of the browser frame, e.g. as a "traffic light" indicator.
  • The user may be able to force a submission, at least for unknown URLs.
  • FIG. 4 illustrates schematically a client terminal in the form of a PC 1 (the terminal may of course be any other computer device with Internet connectivity, e.g. a mobile phone).
  • The PC comprises a display 2 on which might be displayed the graphical user interface (GUI) of a web browser 3, e.g. Internet Explorer™.
  • A memory component 4 stores computer software 5 which, when executed, provides a browser plugin for the web browser. As well as implementing the background URI scanning described above, the plugin also modifies the displayed GUI, for example to display an indication that a form submission has been allowed or blocked.
  • The PC further comprises a network interface 6 for coupling the PC to the Internet.
  • An alternative approach to defending against attacks of the type described above involves scanning webpages downloaded into a browser to detect html forms (e.g. using an appropriate browser plugin). This might involve, for example, parsing the Document Object Model (DOM) of a webpage, looking for occurrences of 'form' objects and extracting the 'action' attribute from those objects. This attribute contains the submission URL. If detected, the URL associated with the "action" attribute is extracted, and a query sent to the anti-virus provider server. Separate queries can be sent for each submit URL, or multiple URLs can be rolled into a single query. Similarly, one or more responses can be returned by the server.
  • In this way a user can be warned of a potential threat at an early stage, potentially before the webpage is rendered and displayed in the browser window.
  • The embodiments of the invention described above are able to detect threats when entering and submitting data into any webpage containing a form. They are particularly effective in combating XSS attacks, during which a legitimate URL is likely to appear in the web browser's address line. It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiments without departing from the scope of the present invention.
  • As an alternative to querying a remote server, the web browser plugin may submit the identified URL to a locally held database and associated query engine. This database may receive regular updates from a service provider, e.g. pushed to it over the Internet.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Medical Informatics (AREA)
  • Data Mining & Analysis (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention concerns a method for controlling the sending of sensitive electronic data from a client terminal to a peer over the Internet, the client terminal using a web browser to display and interact with web pages. The method consists, at the client terminal, of identifying a URL associated with an HTML form tag of a web page and querying a reputation database in order to obtain a rating for the URL. Depending upon the rating, the sending of the data entered into the field(s) of the form over the Internet is blocked, and/or a warning is displayed to the user.
PCT/EP2010/060619 2009-08-12 2010-07-22 Web browser security WO2011018316A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI20093350 2009-08-12

Publications (1)

Publication Number Publication Date
WO2011018316A1 (fr) 2011-02-17

Family

ID=43858387

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2010/060619 WO2011018316A1 (fr) 2009-08-12 2010-07-22 Web browser security

Country Status (1)

Country Link
WO (1) WO2011018316A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060253446A1 (en) * 2005-05-03 2006-11-09 E-Lock Corporation Sdn. Bhd.. Internet security
US20060253578A1 (en) * 2005-05-03 2006-11-09 Dixon Christopher J Indicating website reputations during user interactions
US20090055928A1 (en) * 2007-08-21 2009-02-26 Kang Jung Min Method and apparatus for providing phishing and pharming alerts

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013053278A1 (fr) * 2011-10-14 2013-04-18 腾讯科技(深圳)有限公司 Network security identification method, security detection server, client and system
US9154522B2 (en) 2011-10-14 2015-10-06 Tencent Technology (Shenzhen) Company Limited Network security identification method, security detection server, and client and system therefor
EP2648128A1 (fr) * 2012-04-02 2013-10-09 Trusteer Ltd. Detection of phishing attempts
US9111090B2 (en) 2012-04-02 2015-08-18 Trusteer, Ltd. Detection of phishing attempts
WO2015000428A1 (fr) * 2013-07-05 2015-01-08 腾讯科技(深圳)有限公司 Data processing method, server and system
CN110348239A (zh) * 2019-06-13 2019-10-18 平安普惠企业管理有限公司 Desensitization rule configuration method and data desensitization method, system and computer device
CN110348239B (zh) * 2019-06-13 2023-10-27 张建军 Desensitization rule configuration method and data desensitization method, system and computer device
US20220232038A1 (en) * 2021-01-21 2022-07-21 Mcafee, Llc Web Conference Security

Similar Documents

Publication Publication Date Title
US11570211B1 (en) Detection of phishing attacks using similarity analysis
Wu et al. Effective defense schemes for phishing attacks on mobile computing platforms
US10148681B2 (en) Automated identification of phishing, phony and malicious web sites
US20060070126A1 (en) A system and methods for blocking submission of online forms.
US9979726B2 (en) System and method for web application security
Milletary et al. Technical trends in phishing attacks
EP2859494B1 (fr) Dashboards for displaying threat insight information
Wu et al. MobiFish: A lightweight anti-phishing scheme for mobile phones
Bin et al. A DNS based anti-phishing approach
Weider et al. A phishing vulnerability analysis of web based systems
US20120222117A1 (en) Method and system for preventing transmission of malicious contents
US20110239300A1 (en) Web based remote malware detection
US20100235918A1 (en) Method and Apparatus for Phishing and Leeching Vulnerability Detection
EP2203860A2 (fr) System and method for detecting security flaws in applications
US20070245343A1 (en) System and Method of Blocking Keyloggers
GB2461422A (en) Phishing/key logging countermeasure compares keyboard input stream to sensitive data and issues alert before data is completely entered
Soni et al. A phishing analysis of web based systems
Siddiqui et al. Cross site request forgery: A common web application weakness
De Ryck et al. Tabshots: Client-side detection of tabnabbing attacks
WO2011018316A1 (fr) Web browser security
SatheeshKumar et al. A lightweight and proactive rule-based incremental construction approach to detect phishing scam
US10474810B2 (en) Controlling access to web resources
Canfora et al. A set of features to detect web security threats
Montazer et al. Identifying the critical indicators for phishing detection in Iranian e-banking system
Ismaila et al. Vulnerability assessment of some key Nigeria government websites

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10737546; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10737546; Country of ref document: EP; Kind code of ref document: A1)