Determining whether a web page displayed on an endpoint client includes malicious content may be accomplished by scanning elements of the web page, for example, document object model (DOM) elements of an HTML page or JavaScript file attached to the web page. For example, some malicious web pages employ phishing techniques to illicitly obtain sensitive information such as, usernames, passwords, and credit card details, from users.
Since the web page elements change dynamically over the lifecycle of the web page, such scanning techniques are typically employed via web browser add-ons, previously installed on the endpoint client. However, such add-ons are web browser and operating system specific, and require installation and periodic software upgrades. Alternatively, a gateway coupling the endpoint client to a web server may inject JavaScript code into the web page received from the web server. However, the programming features of JavaScript allow hackers and originators of malicious content on web pages to override or disable such injected JavaScript code.