
US-12627709-B2 - Detecting compromised web pages in a runtime environment


Abstract

Techniques are provided for detecting compromised web pages in a runtime environment. A first version of a web page is retrieved and loaded in a browser comprising a browser extension configured to detect event listeners added when web pages are loaded by the browser. First data is generated describing a first set of event listeners detected by the browser extension when the first version of the web page is loaded. At a second time a second version of the web page is retrieved and loaded in the browser. Second data is generated describing a second set of event listeners detected by the browser extension when the second version of the web page is loaded. It is determined that the web page is compromised based on comparing the first data and the second data. In response to determining that the web page is compromised, a threat response action is performed.

Inventors

  • Wesley Hales
  • Jarrod Overson

Assignees

  • SHAPE SECURITY, INC.

Dates

Publication Date
2026-05-12
Application Date
2024-06-17

Claims (20)

  1. A non-transitory computer readable medium having stored thereon instructions for managing servers comprising executable code which when executed by processors, causes the processors to: at a first time, retrieve and load baseline data comprising a first version of a web page hosted on a web server system in a browser in a clean environment, wherein the browser comprises a browser extension without additional browser extensions and browser modifications; receive a notification from the web server system when a new version of the web page is published; in response to receiving the notification, at a second time after the first time, generate subsequent data describing a set of event listeners detected by the browser extension when a second version of the web page is retrieved and loaded in the browser; determine whether the web page is compromised by comparing the baseline data and the subsequent data to identify a change in the set of event listeners; and in response to determining that the web page is compromised, perform a threat response action.
  2. The medium of claim 1, wherein the executable code which when executed by the processors, further causes the processors to: periodically retrieve and load subsequent versions of the web page in the browser and retrieve subsequent data describing event listeners detected by the browser extension when the subsequent versions of the web page are loaded; and compare the subsequent data with the baseline data to determine whether the web page is compromised.
  3. The medium of claim 1, wherein the threat response action comprises notifying the web server system that the web page is compromised.
  4. The medium of claim 1, wherein the threat response action comprises preventing a client computing device that requests the web page from receiving the web page from the web server system.
  5. The medium of claim 1, wherein the executable code which when executed by the processors, further causes the processors to: retrieve and load an updated version of the web page in the browser; generate updated data describing an updated set of event listeners detected by the browser extension when the updated version of the web page is loaded; and update the baseline data with the updated data.
  6. A method implemented by one or more computer systems, server devices, or client devices, the method comprising: at a first time, retrieving and loading baseline data comprising a first version of a web page hosted on a web server system in a browser in a clean environment, wherein the browser comprises a browser extension without additional browser extensions and browser modifications; receiving a notification from the web server system when a new version of the web page is published; in response to receiving the notification, at a second time after the first time, generating subsequent data describing a set of event listeners detected by the browser extension when a second version of the web page is retrieved and loaded in the browser; determining whether the web page is compromised by comparing the baseline data and the subsequent data to identify a change in the set of event listeners; and in response to determining that the web page is compromised, performing a threat response action.
  7. The method of claim 6, further comprising: periodically retrieving and loading subsequent versions of the web page in the browser and retrieving subsequent data describing event listeners detected by the browser extension when the subsequent versions of the web page are loaded; and comparing the subsequent data with the baseline data to determine whether the web page is compromised.
  8. The method of claim 6, wherein the threat response action comprises notifying the web server system that the web page is compromised.
  9. The method of claim 6, wherein the threat response action comprises preventing a client computing device that requests the web page from receiving the web page from the web server system.
  10. The method of claim 6, further comprising: retrieving and loading an updated version of the web page in the browser; generating updated data describing an updated set of event listeners detected by the browser extension when the updated version of the web page is loaded; and updating the baseline data with the updated data.
  11. An apparatus, comprising memory comprising programmed instructions stored in the memory and processors configured to be capable of executing the programmed instructions stored in the memory to: at a first time, retrieve and load baseline data comprising a first version of a web page hosted on a web server system in a browser in a clean environment, wherein the browser comprises a browser extension without additional browser extensions and browser modifications; receive a notification from the web server system when a new version of the web page is published; in response to receiving the notification, at a second time after the first time, generate subsequent data describing a set of event listeners detected by the browser extension when a second version of the web page is retrieved and loaded in the browser; determine whether the web page is compromised by comparing the baseline data and the subsequent data to identify a change in the set of event listeners; and in response to determining that the web page is compromised, perform a threat response action.
  12. The device as set forth in claim 11, wherein the processors are further configured to be capable of executing the programmed instructions stored in the memory to: periodically retrieve and load subsequent versions of the web page in the browser and retrieve subsequent data describing event listeners detected by the browser extension when the subsequent versions of the web page are loaded; and compare the subsequent data with the baseline data to determine whether the web page is compromised.
  13. The device as set forth in claim 11, wherein the threat response action comprises notifying the web server system that the web page is compromised.
  14. The device as set forth in claim 11, wherein the threat response action comprises preventing a client computing device that requests the web page from receiving the web page from the web server system.
  15. The device as set forth in claim 11, wherein the processors are further configured to be capable of executing the programmed instructions stored in the memory to: retrieve and load an updated version of the web page in the browser; generate updated data describing an updated set of event listeners detected by the browser extension when the updated version of the web page is loaded; and update the baseline data with the updated data.
  16. A system, comprising traffic management apparatuses, client devices, or server devices, the system comprising memory comprising programmed instructions stored thereon and processors configured to be capable of executing the stored programmed instructions to: at a first time, retrieve and load baseline data comprising a first version of a web page hosted on a web server system in a browser in a clean environment, wherein the browser comprises a browser extension without additional browser extensions and browser modifications; receive a notification from the web server system when a new version of the web page is published; in response to receiving the notification, at a second time after the first time, generate subsequent data describing a set of event listeners detected by the browser extension when a second version of the web page is retrieved and loaded in the browser; determine whether the web page is compromised by comparing the baseline data and the subsequent data to identify a change in the set of event listeners; and in response to determining that the web page is compromised, perform a threat response action.
  17. The system as set forth in claim 16, wherein the processors are further configured to be capable of executing the programmed instructions stored in the memory to: periodically retrieve and load subsequent versions of the web page in the browser and retrieve subsequent data describing event listeners detected by the browser extension when the subsequent versions of the web page are loaded; and compare the subsequent data with the baseline data to determine whether the web page is compromised.
  18. The system as set forth in claim 16, wherein the threat response action comprises notifying the web server system that the web page is compromised.
  19. The system as set forth in claim 16, wherein the threat response action comprises preventing a client computing device that requests the web page from receiving the web page from the web server system.
  20. The system as set forth in claim 16, wherein the processors are further configured to be capable of executing the programmed instructions stored in the memory to: retrieve and load an updated version of the web page in the browser; generate updated data describing an updated set of event listeners detected by the browser extension when the updated version of the web page is loaded; and update the baseline data with the updated data.

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 16/709,198, filed Dec. 10, 2019, which is referenced herein in its entirety.

FIELD OF THE DISCLOSURE

The present disclosure generally relates to security techniques applicable to web server systems, and relates more specifically to detecting compromised web pages in a runtime environment.

BACKGROUND

The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.

Web servers can host web pages and serve the web pages to users in response to requests. Often, web servers provide web pages with web code that executes at client computing devices. Attackers may gain access to sensitive information by causing malicious code to execute at the client computing devices. For example, an attacker can insert malicious code into a hosted web page at a web server, causing the web server to serve compromised web pages. The malicious web code may be provided to users along with legitimate content corresponding to the web page, including legitimate web code. A user may visit a trusted web site and download the malicious web code if a web page at the trusted web site is compromised. Such malicious code may gather data in one or more objects defined in the web page, load and run additional malicious web code, and/or transmit data gathered at the user's computing device. For example, when the user enters authentication information and/or credit card information to submit to a trusted web site, the malicious web code may gather and forward the information to a server under control of the attacker, enabling the attacker to use the information for illicit gain.
Such activity may occur without being detectable by a typical user. In some instances, the activity is triggered by actions detected by the malicious web code when the user interacts with the web page in a browser, such as entering or submitting financial information in a web form. Furthermore, when a web page is loaded at a browser, the browser may also load other resources as indicated by the web page. Such resources may include third-party web code for advertising, trackers, social media, or other widgets that can be embedded in web pages. Third-party web code can also load libraries at the client computing devices. The resources, third-party web code, and associated libraries may also be compromised by attackers, causing malicious web code to execute at the user's computing device. Web server administrators may wish to protect their users from such malicious attacks.

SUMMARY

The appended claims may serve as a summary of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

  • FIG. 1 illustrates a computer system that includes a compromise detection system in an example embodiment;
  • FIG. 2 illustrates a computer system that includes a security server system in an example embodiment;
  • FIG. 3 illustrates an instrumented web page version at a client computing device comprising XMLHttpRequest (XHR) whitelist code in an example embodiment;
  • FIG. 4 is a flow diagram of a process for detecting compromised web pages in a runtime environment in an example embodiment;
  • FIG. 5 is a flow diagram of a process for detecting compromised web pages in a runtime environment for an updated web page in an example embodiment;
  • FIG. 6 illustrates a computer system upon which an embodiment may be implemented.

While each of the drawing figures illustrates a particular embodiment for purposes of illustrating a clear example, other embodiments may omit, add to, reorder, or modify any of the elements shown in the drawing figures.
For purposes of illustrating clear examples, one or more figures may be described with reference to one or more other figures, but using the particular arrangement illustrated in the one or more other figures is not required in other embodiments.

DETAILED DESCRIPTION

In the following description, for the purpose of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

It will be further understood that: the term "or" may be inclusive or exclusive unless expressly stated otherwise; the term "set" may comprise zero, one, or two or more elements; the terms "first", "second", "certain", and "particular" are used as naming conventions to distinguish elements from each other and do not imply an ordering, timing, or any other characteristic of the referenced items un