Static detection of context-sensitive cross-site scripting vulnerabilities
US-2018025161-A1 · Jan 25, 2018 · US
String sanitizer modeling
US12182273B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12182273-B2 |
| Application number | US-202217665319-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 4, 2022 |
| Priority date | Feb 4, 2022 |
| Publication date | Dec 31, 2024 |
| Grant date | Dec 31, 2024 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Code injection is a type of security vulnerability in which an attacker injects client-side scripts modifying the content being delivered. A sanitizer function may provide defense against such attacks by removing certain characters (e.g., characters causing state transitions in HTML). A string sanitizer may be modeled in order to determine its effectiveness by obtaining data flow information indicating string operations that used an input string or information derived therefrom, including a string sanitizer function. A deterministic finite automata representing string values of the output parameter may be generated based on a graph generated from the data flow information, where the automata accepts possible output string values of the sanitizer. It can be determined whether there is a non-empty intersection between the automata for the sanitizer output and an automata representing a security exploit, which would indicate that the sanitizer function is vulnerable to the exploit.
First claim
Opening claim text (preview).
What is claimed is: 1. A computer system, comprising: one or more processors; one or more machine-readable medium coupled to the one or more processors and storing computer program code comprising sets instructions executable by the one or more processors to: obtain data flow information indicating one or more string operations in source code that used an input string or information derived from the input string as a parameter when executing the source code, the one or more string operations including a string sanitizer function, the string sanitizer function including an input parameter and an output parameter; generate a graph representing the input parameter and the output parameter of the string sanitizer function; generate, based on the graph, a deterministic finite automata representing string values of the output parameter, the deterministic finite automata accepting possible output string values of the string sanitizer function; determine that there is a non-empty intersection between the deterministic finite automata and an exploit automata for a security exploit, the non-empty intersection indicating that the string sanitizer function is vulnerable to a code injection exploit, wherein the string sanitizer function includes at least one of: a replace-once string operation, the replace-once string operation replacing a first instance of matching string matching a target string but not later instances of the matching string, a first substring string operation that returns a first portion of the input string, a slice string operation that returns a second portion of the input string from a start index to a stop index, or a second substring string operation that returns a third portion of the input string from a first index to a second index. 2. The computer storage system of claim 1 , wherein the deterministic finite automata sets an accept status or a reject status such that it marks the first occurrence of matching strings in the input string. 3. The computer storage system of claim 1 , wherein the computer program code further comprises sets instructions executable by the one or more processors to: execute the source code using a taint tracking mechanism to obtain the obtain data flow information. 4. The computer storage system of claim 3 , wherein the source code is executed using a web browser. 5. The computer storage system of claim 1 , wherein the source code is in JavaScript format. 6. One or more non-transitory computer-readable medium storing computer program code comprising sets of instructions to: obtain data flow information indicating one or more string operations in source code that used an input string or information derived from the input string as a parameter when executing the source code, the one or more string operations including a string sanitizer function, the string sanitizer function including an input parameter and an output parameter; generate a graph representing the input parameter and the output parameter of the string sanitizer function; generate, based on the graph, a deterministic finite automata representing string values of the output parameter, the deterministic finite automata accepting possible output string values of the string sanitizer function; determine that there is a non-empty intersection between the deterministic finite automata and an exploit automata for a security exploit, the non-empty intersection indicating that the string sanitizer function is vulnerable to a code injection exploit, wherein the string sanitizer function includes at least one of: a replace-once string operation, the replace-once string operation replacing a first instance of matching string matching a target string but not later instances of the matching string, a first substring string operation that returns a first portion of the input string, a slice string operation that returns a second portion of the input string from a start index to a stop index, or a second substring string operation that returns a third portion of the input string from a first index to a second index. 7. The non-transitory computer-readable medium of claim 6 , wherein the deterministic finite automata sets an accept status or a reject status such that it marks the first occurrence of matching strings in the input string. 8. The non-transitory computer-readable medium of claim 6 , wherein the computer program code further comprises sets instructions to: execute the source code using a taint tracking mechanism to obtain the obtain data flow information. 9. The non-transitory computer-readable medium of claim 8 , wherein the source code is executed using a web browser. 10. The non-transitory computer-readable medium of claim 6 , wherein the source code is in JavaScript format. 11. A computer-implemented method, comprising: obtaining data flow information indicating one or more string operations in source code that used an input string or information derived from the input string as a parameter when executing the source code, the one or more string operations including a string sanitizer function, the string sanitizer function including an input parameter and an output parameter; generating a graph representing the input parameter and the output parameter of the string sanitizer function; generating a deterministic finite automata for the string sanitizer function based on the graph, the deterministic finite automata accepting possible output string values of the string sanitizer function; determining that there is a non-empty intersection between the deterministic finite automata and an exploit automata for a security exploit, the non-empty intersection indicating that the string sanitizer function is vulnerable to a code injection exploit, wherein the deterministic finite automata sets an accept status or a reject status such that it marks the first occurrence of matching strings in the input string. 12. The computer-implemented method of claim 11 , wherein the string sanitizer function includes a replace-once string operation, the replace-once string operation replacing a first instance of matching string matching a target string but not later instances of the matching string. 13. The computer-implemented method of claim 11 , further comprising: executing the source code using a taint tracking mechanism to obtain the obtain data flow information. 14. The computer-implemented method of claim 11 , wherein the source code is in JavaScript format.
Assignees
Inventors
Classifications
Test or assess a computer or a system · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title
by source code analysis · CPC title
- G06F21/577Primary
Assessing vulnerabilities and evaluating computer system security · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US12182273B2 cover?
- Code injection is a type of security vulnerability in which an attacker injects client-side scripts modifying the content being delivered. A sanitizer function may provide defense against such attacks by removing certain characters (e.g., characters causing state transitions in HTML). A string sanitizer may be modeled in order to determine its effectiveness by obtaining data flow information in…
- Who is the assignee on this patent?
- Sap Se
- What technology area does this patent fall under?
- Primary CPC classification G06F21/577. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Dec 31 2024 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).