Sap Se

Sap Ag

Martin Johns

Sebastian Lekies

Martin Haerterich

Christoph Haefner

Florian Loch

Thomas Barber

David Klein

Benny Rolle

Patrick Spiegel

Stephan Pfistner

Benjamin Raethlein

Marius Musch

Code injection is a type of security vulnerability in which an attacker injects client-side scripts modifying the content being delivered. A sanitizer function may provide defense against such attacks by removing certain characters (e.g., characters causing state transitions in HTML). A string sanitizer may be modeled in order to determine its effectiveness by obtaining data flow information indicating string operations that used an input string or information derived therefrom, including a string sanitizer function. A deterministic finite automata representing string values of the output parameter may be generated based on a graph generated from the data flow information, where the automata accepts possible output string values of the sanitizer. It can be determined whether there is a non-empty intersection between the automata for the sanitizer output and an automata representing a security exploit, which would indicate that the sanitizer function is vulnerable to the exploit.

String sanitizer modeling

Various examples are directed to systems and methods for executing a web application with client-side encryption. A web application may execute in a web browser at a client computing device. The web browser may generate a document comprising a secure display element. The web browser may request to render the document at the client computing device. A cryptographic tool of the web browser may decrypt the first encrypted value to generate a first clear value. The web browser may render the document at an output device of the client computing device using the clear value. The web browser may also be programmed to prevent the web application from accessing the first clear value.

Web application execution with secure elements

Various embodiments of systems and methods to track tainting information via non-intrusive bytecode instrumentation are described herein. The described techniques include, at one aspect, defining a taint-aware class to shadow an original data class. The taint-aware class includes a payload field to store objects of the original data class, a metadata field to store tainting information corresponding to the objects of the original data class, and a method proxying a corresponding method of the original data class. In another aspect, the instances of the original data class are replaced with corresponding instances of the taint-aware class in an application bytecode. Further, in a yet another aspect, when executing the application in a runtime environment, the method propagates the content of the metadata filed and calls the corresponding method of the original data class to manage the content of the payload field.

Taint tracking via non-intrusive bytecode instrumentation

Various examples are directed to systems and methods for executing a web application with client-side encryption. A web browser can receive a document comprising a plurality of data elements including a secure element that comprises an encrypted value. An extension component may generate a secure container element to replace the secure element. The extension component can also insert a subdocument into the secure container element. The web browser may be configured to prevent web applications from accessing the subdocument. The extension component may also decrypt the encrypted value to generate a clear value and write the clear value to the subdocument. The web browser may render the document using the clear value.

Web application execution with secure element extension

Methods, systems, and computer-readable storage media for receiving, by a database connector having a taint extension, a SQL request from an application, sending, by the taint extension, the SQL request to a SQL parser, receiving, by the taint extension, a structural representation of the SQL request from the SQL parser, adding, by the taint extension, taint information corresponding to data within the SQL request to provide an enhanced SQL statement, and transmitting, by the database connector, the enhanced SQL statement to a database for storing the taint information with the data.

Robust and transparent persistence of taint information to enable detection and mitigation of injection attacks

Methods, systems, and computer-readable storage media for receiving, by a web browser executing on a client-side device, a response from a server, the response provided in a taint-enhanced data format, processing, by a Javascript framework executed by the web browser, the response to parse data within the response and, for any data values marked as tainted, providing respective taint string Javascript objects as sanitized data, and providing the sanitized data to a document object model (DOM).

Client-side taint-protection using taint-aware javascript

Various examples are directed to systems and methods for secure communication sessions between a web application and a server. A session vault routine executing at a computing device may receive a first request message directed to a server computing device. The first request message may comprise a client session identifier at a session identifier field of the first request message. The session vault routine may access supplemental session identifier data from a session vault persistence at the data storage. The session vault routine may write the supplemental session identifier data to a second field of the first request message, and initiate sending the first request message to the server computing device.

Web application session security with protected session identifiers

Various examples are directed to systems and methods for secure communication sessions between a web application and a server. A session identifier routine executing at a computing device may receive a first request message comprising a session identifier field, the session identifier field comprising a client session identifier describing a communication session between the web application executing at the computing device and the server computing device. The session identifier routine may transform the client session identifier to a server session identifier using session identifier transformation data accessed from session vault persistence at the computing device. The session identifier routine may write the server session identifier to the session identifier field of the first request message and initiate sending the request message including the server session identifier to the server computing device.

Web application session security

A client comprising a web browser is provided. The client is configured to: run an application in the web browser, the application comprising a sensor including sensor JavaScript code, wherein running the application comprises executing the sensor JavaScript code as the first JavaScript code in the web browser to activate the sensor; and wherein the sensor is configured to: gather data with respect to the application at runtime; and check predetermined application-specific rules against the gathered data for detecting client-side attacks at runtime.

Client-side attack detection in web applications

Various examples are directed to systems and methods for securing a web browser. The web browser may parse web content received from a server and identify a script associated with the web content. The web browser may generate script fingerprint data for the script. The script fingerprint data may comprise script code data describing script code for the script and script syntax data describing the script. The web browser may determine that the script fingerprint data is not described by local known script data and may send an anomalous script report to the server, where the anomalous script report comprising the script fingerprint data. The web browser may also update the local known script data to describe the script fingerprint data.

Web browser script monitoring

Embodiments protect against security vulnerabilities arising from 3party JavaScript code. A browser receives from a server, a document including a first JavaScript. The browser in turn references a list stored in a database to recognize the first JavaScript as originating from other than the server. This recognition process may involve obtaining a stacktrace. The browser then references a second JavaScript in order to instrument a document object model (DOM) feature (e.g., global API, DOM element-attached API, DOM node property) to sanitize the first JavaScript. For instrumenting a global API, this may comprise overwriting a global reference in the first JavaScript with a replacement reference to a sanitization function. For instrumenting the DOM element-attached API or the DOM node property, the instrumenting may comprise altering a prototype of the DOM node element. The browser causes the DOM feature to sanitize the first JavaScript, and passes a sanitized JavaScript for execution.

Protection against third party JavaScript vulnerabilities

Systems and methods are provided herein for dynamic, non-invasive taint tracking using auto-generated datatypes. A proxy entry point component of a taint-aware environment continuously monitors for a request to initiate an application. The application has an associated runtime environment and profile parameters specific to the application. Upon identifying the request, a core component of the taint-aware environment generates a set of augmented classes based on the profile parameters. The set of augmented classes contains taint-tracking functionality. The proxy entry point component modifies an initiation pathway of the application to force the runtime environment to retrieve the set of augmented classes prior to execution of the application. The runtime environment continuously monitors for tainted data or tainted code passed through or contained within the application based on the taint-tracking functionality of the set of augmented classes.

Dynamic, non-invasive taint tracking using auto-generated datatypes

For mitigation of injection security attacks against non-relational databases, a database driver layer is integrated with a security layer. A trigger associated with the security layer is set to implement a learning phase of the security layer. In response to enabling the trigger, queries and query parameters associated with the respective queries are received. For the queries, a previously-stored security pattern is identified based on the query and the associated query parameters. The trigger associated with the security layer is reset to implement an execution of the security patterns. In response to resetting the trigger, an additional query and additional query parameters associated with the additional query is received. A particular security pattern is identified that is associated with the additional query and the additional query parameters. At least one of the additional query parameters is determined to not match a corresponding query parameter of the particular security pattern.

Mitigation of injection security attacks against non-relational databases

WebRTC is vulnerable to malicious JavaScript, injected by cross-site scripting attacks or compromised or malicious script providers. Through these attacks, attackers can access a WebRTC connection and leak or monitor the audio and video data transmitted. By preventing modification of key WebRTC functions and preventing outgoing streams from being used more than once, these attacks can be thwarted.

Growing community of inventors

Karlsruhe, Germany

Martin Johns