Systems and methods for intelligent phishing threat detection and phishing threat remediation in a cyber security threat detection and mitigation platform
US-2024414198-A1 · Dec 12, 2024 · US
US2021097174A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2021097174-A1 |
| Application number | US-201916587806-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 30, 2019 |
| Priority date | Sep 30, 2019 |
| Publication date | Apr 1, 2021 |
| Grant date | — |
Official abstract text for this publication.
A computing apparatus, including: a processor and a memory; a web browser; and a web exploit mitigation engine, including instructions within the memory to instruct the processor to: insert a script into an incoming webpage, the script including instructions to hook application programming interface (API) function calls of a scripting language, the API function calls for a plurality of functions commonly used by browser exploits; observe information passed by a running script to the plurality of API functions; correlate the called API functions to a malware model; detect a web page making the API function calls as containing a browser exploit according to the correlating; and act on the detecting.
Opening claim text (preview).
What is claimed is:

1. A computing apparatus, comprising: a processor and a memory; a web browser; and a web exploit mitigation engine, comprising instructions within the memory to instruct the processor to: insert a script into an incoming webpage, the script including instructions to hook application programming interface (API) function calls of a scripting language, the API function calls for a plurality of functions commonly used by browser exploits; observe information passed by a running script to the plurality of API functions; correlate the called API functions to a malware model; detect a web page making the API function calls as containing a browser exploit according to the correlating; and act on the detecting.

2. The computing apparatus of claim 1, wherein the inserted script is written in the scripting language.

3. The computing apparatus of claim 1, wherein the web exploit mitigation engine comprises a browser plugin to insert the script.

4. The computing apparatus of claim 1, wherein the web exploit mitigation engine further comprises a whitelist, and wherein the instructions are further to not insert the script into pages received from websites listed on the whitelist.

5. The computing apparatus of claim 1, further comprising a security agent resident on the computing apparatus and external to the web exploit mitigation engine, wherein the security agent includes instructions to provide support services to the web exploit mitigation engine.

6. The computing apparatus of claim 1, wherein the web exploit detection engine is to assign individual scores to discrete behaviors.

7. The computing apparatus of claim 6, wherein the web exploit detection engine is to compute a sum of individual scores, and to compare the sum to a threshold.

8. The computing apparatus of claim 6, wherein the web exploit detection engine is to log the individual scores.

9. The computing apparatus of claim 6, wherein the web exploit detection engine is further to compute a running sum of individual scores, and to detect the webpage when the running sum exceeds a threshold.

10. The computing apparatus of claim 1, wherein the web exploit detection engine is further to correlate the called API functions to the malware during a memory layout preparation phase.

11. The computing apparatus of claim 1, wherein the web exploit detection engine is further to block the running script after detecting the running script.

12. The computing apparatus of claim 1, wherein the scripting language is JavaScript.

13. One or more tangible, non-transitory computer-readable media having stored thereon executable instructions to: receive an incoming webpage from a remote server; select the incoming webpage for verification; inject a monitoring script, written in a scripting language, at or near the top of the incoming webpage, the monitoring script comprising hooks into application programming interfaces (APIs) of the scripting language; observe individual calls to the hooked APIs by a script under analysis; assign to the individual calls individual scores, the individual scores representing a weighted probability that the individual calls are malicious activity; compute a sum of individual scores; and if the sum of individual scores exceeds a threshold, detect the script under analysis as malicious.

14. The one or more tangible, non-transitory computer-readable media of claim 13, wherein injecting the monitoring script is performed via a browser extension.

15. The one or more tangible, non-transitory computer-readable media of claim 13, wherein the instructions are further to provision a whitelist, to not select the incoming webpage for monitoring if it appears on the whitelist.

16. The one or more tangible, non-transitory computer-readable media of claim 13, wherein the instructions are to assign the individual scores during a memory layout preparation phase.

17. The one or more tangible, non-transitory computer-readable media of claim 13, wherein the scripting language is JavaScript.

18. A computer-implemented method of remediating browser exploits via a browser extension, comprising: receiving an incoming webpage; selecting the incoming webpage for injection; injecting, via the browser extension, a monitoring script written in a scripting language, the monitoring script comprising hooks into application programming interfaces (API) calls of the scripting language, and injected so as to be executed before other scripts; monitoring access of the API calls by a script of the incoming webpage, including monitoring parameter data passed to the API calls; correlating the API calls to malware behavior; detecting the script of the incoming webpage as malicious or suspicious; and acting on the detecting.

19. The method of claim 18, further comprising performing the correlating during a memory layout phase of the script of the incoming webpage.

20. The method of claim 18, wherein the scripting language is JavaScript.
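The hook, score, running-sum and block sequence recited in claims 6 to 11 and 13 can be sketched as follows. This is an added example, not code from the patent or its applicant; the hooked names (`unescape`, `allocate`), the weights, the threshold and the stand-in `page` object are all constructed assumptions.

```javascript
// Added example: per-call scoring with a running-sum threshold.
// RULES maps a hooked API name to a scoring function over its arguments.
// Names and weights are constructed for illustration only.
const RULES = {
  unescape: ([s]) => (String(s).length > 1024 ? 3 : 0), // long encoded input
  allocate: ([bytes]) => (bytes >= 1 << 20 ? 2 : 0),    // large allocation
};

function createMonitor({ threshold, rules }) {
  const log = [];       // individual scores are logged
  let sum = 0;          // running sum of individual scores
  let detected = false;

  function hook(owner, name) {
    const original = owner[name];
    const rule = rules[name];
    owner[name] = function (...args) {
      if (detected) throw new Error(`blocked: ${name}`); // act on the detecting
      const score = rule(args); // observe the data passed to the API
      if (score > 0) {
        sum += score;
        log.push({ api: name, score, sum });
        if (sum > threshold) {
          detected = true;
          throw new Error(`blocked: ${name}`);
        }
      }
      return Reflect.apply(original, this, args); // benign calls pass through
    };
  }
  return { hook, log, total: () => sum, isDetected: () => detected };
}

function demo() {
  // Constructed stand-in for the page's global object.
  const page = {
    unescape: (s) => decodeURIComponent(s),
    allocate: (n) => new ArrayBuffer(n),
  };
  const monitor = createMonitor({ threshold: 5, rules: RULES });
  Object.keys(RULES).forEach((name) => monitor.hook(page, name));

  let lastCompleted = null;
  try {
    page.unescape('%41');            // short input scores 0
    for (let i = 0; i < 10; i++) {   // constructed "script under analysis"
      page.allocate(1 << 20);
      lastCompleted = i;
    }
  } catch (e) { /* the monitor stopped the script */ }
  return { monitor, lastCompleted, page };
}
```

In a real deployment the hooks must be installed before any page script runs, which is why the claims place the monitoring script at or near the top of the page.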
Authenticating web pages, e.g. with suspicious links · CPC title
involving event detection and direct action · CPC title
by adding security routines or objects to programs · CPC title
Test or assess software · CPC title