With the development of numerous Internet-based service and content providers, users can readily request information and applications from their fixed or mobile computing devices virtually whenever and wherever they choose. Most service and content providers are available 24 hours a day, and the geographic location of providers is limited only by the availability of suitable network connections. Users have come to take for granted the constant availability of content and services, often at minimal cost.
Such Internet-based provisioning presents security issues. When content is received, users typically are unable to determine whether the received content is the valid content that they requested, or whether a hacker or other third party has injected unwanted content such as malicious code that can present a security risk at the server side, the client side, or both. Thus, routine interaction with a content provider can present substantial security risks. Some technologies that address the potential problems of injected content are based on secure coding techniques that can reduce the likelihood of such code injection, or on application firewalls that are configured to block the entry of malicious code at a content provider or a content requestor.
Disclosed herein are methods and apparatus that permit the detection of potentially malicious injected code or other injected code. In typical examples, cryptographic or similar techniques are used to provide secure, verifiable indications of possible code injections. Such techniques can be based on mathematical identifications of executable portions of code at the time of code creation or deployment, with such identifications provided to both client and server for subsequent code verification. Any code injection in intermediate processes or in transit between client and server is detectable at the client, as execution of a code verification process will fail to produce the anticipated identifier. In addition, the identifier can be digitally signed or authenticated so that any modification of the identifier by an intrusion process is detectable. Upon verification failure, the client can return an alarm to the server, and client-side processing is halted until verification is successful. With such processing, known or unknown injected malicious code (or other injected code) can be detected. Using authenticated or digitally signed identifiers, code injection from so-called man-in-the-middle (MITM) attacks can be detected.
Typical web application components are independent, and code must be verified at one or more layers. In a so-called cross-site scripting (XSS) attack, malicious code is injected at the client side, a request is transmitted to a web server, and the malicious code (or a by-product thereof) is stored in a database. Subsequent client/server interaction varies from the expected behavior when the malicious code is rendered to clients. By providing an identifier to a client-side application (for example, a web browser), the presence of injected code can be detected.
Methods for detecting injections comprise receiving a content digest associated with content received from a content server and determining if the received content corresponds to the content digest. The received content is processed based on the determination. In some examples, the content received from the content server includes at least one web page, and determining if the received content corresponds to the content digest is based on applying a hash function to the received content. In further examples, the determining is based on a comparison of the received content digest with a local digest obtained by applying the hash function to the received content. In some examples, the received content digest is associated with static content portions; the received content is parsed to identify static content portions, and a static content digest associated with the identified static content portions is obtained. The received content is determined to correspond to the received content digest based on a comparison of the static content digest and the received content digest. In alternative embodiments, the static content digest is obtained by applying a hash function to the identified static content portions, and in some examples the hash function is the Secure Hash Algorithm (SHA). In other embodiments, the content digest can be determined to be associated with the content provider based on a digital signature. In some particular examples, the digital signature is extracted from the content digest.
Methods of providing content on a network comprise receiving content for communication to one or more network clients from a content provider. A web page is prepared for communication to a selected client in response to a client request, and a web page identifier associated with the prepared web page is obtained. The web page and the web page identifier are forwarded to the selected client. In some examples, a plurality of web page identifiers associated with respective web pages is stored, and the web page identifier is obtained from among the stored web page identifiers. In some embodiments, the web page identifier is a hash corresponding to at least a portion of the prepared web page, such as a static portion of the prepared web page. In some representative examples, the web page identifier is a hash corresponding to one or more client-side scripts contained in the prepared web page. In still further examples, the web page identifier is associated with client-side scripts and client input fields contained in the prepared web page. In additional examples, the web page identifier is a hash of the portions of the prepared web page corresponding to the client-side scripts and the client input fields.
Computer-readable storage media are provided that contain computer-executable instructions for a method that comprises transmitting a content request to a content provider via a wide area network. Content and a content identifier are received in response to the request. A local content identifier is obtained from the content as received from the content provider. The local content identifier and the received content identifier are compared, and the received content is processed based on the comparison. In some alternatives, a notification is communicated to the content provider if the received content identifier and the local content identifier indicate an injection in the received content. In other examples, a warning is displayed if the received content identifier and the local content identifier indicate an injection in the received content. In typical examples, the received content identifier includes a hash of at least a portion of the web page content to be provided and a digital signature associated with the content provider, so as to determine if the digital signature corresponds to the content provider. In other alternatives, the received content identifier is a digitally signed hash of at least a portion of a web page to be provided.
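The following is an added example, not part of the disclosure, illustrating both sides of the scheme described above: the provider hashes the static portions of a prepared page (client-side scripts and input fields) and authenticates the hash, and the client parses the page as received, recomputes the digest, and halts on a mismatch. It assumes Python's standard library only; the provider key, the page and the injected script are constructed, and HMAC-SHA256 stands in for the digital signature the text describes.

```python
import hashlib
import hmac
from html.parser import HTMLParser

# Constructed stand-in for the provider's signing key: HMAC-SHA256 replaces the
# digital signature the text describes so the example stays self-contained.
PROVIDER_KEY = b"example-provider-signing-key"

class StaticParts(HTMLParser):
    """Collect scripts and input fields, the static portions the digest covers."""
    def __init__(self):
        super().__init__()
        self.parts, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "input"):
            self.parts.append(tag + str(sorted(attrs)))  # canonical attribute order
            self.in_script = tag == "script"

    def handle_data(self, data):
        if self.in_script:
            self.parts.append(data)  # inline script bodies are static too

    def handle_endtag(self, tag):
        self.in_script = False

def static_digest(html):
    """SHA-256 over the static portions; server and client run the same code."""
    p = StaticParts()
    p.feed(html)
    p.close()
    return hashlib.sha256("\n".join(p.parts).encode()).hexdigest()

def issue_identifier(html):
    """Provider side: digest plus tag, so a MITM cannot swap the identifier too."""
    digest = static_digest(html)
    return digest, hmac.new(PROVIDER_KEY, digest.encode(), "sha256").hexdigest()

def verify_content(received_html, digest, sig):
    """Client side: authenticate the identifier, then recompute and compare."""
    expected = hmac.new(PROVIDER_KEY, digest.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        return "identifier tampered"  # alarm: identifier not from the provider
    if not hmac.compare_digest(static_digest(received_html), digest):
        return "injection detected"  # alarm the provider, halt client processing
    return "ok"  # content matches, safe to render

# Constructed sample page; "alice" is dynamic and deliberately not covered.
PAGE = "<p>Hello, alice</p><script src='app.js'></script><input name='q' type='text'>"
DIGEST, SIG = issue_identifier(PAGE)
```

Changing the greeting leaves the verdict at "ok", while appending a script, altering an input field, or substituting a digest whose tag does not verify each produces an alarm.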
Systems comprise a network interface configured to transmit a request for content over a wide-area network. A processor is configured to receive content in response to the request and a hash of at least a portion of the received content, compute a local hash based on a corresponding portion of the received content, and compare the local hash and the received hash. In some examples, the processor is configured to communicate an indication of the comparison to the content provider. In other examples, systems comprise a display device, and the processor is configured to produce a display at the display device based on the comparison.
These and other features of the disclosed technology are described below with reference to the accompanying drawings.