Patent application number | Description | Published |
20110289546 | Method and apparatus for protecting markup language document against cross-site scripting attack - A method for decomposing a web application into one or more domain sandboxes ensures that the contents of each sandbox are protected from attacks on the web application outside that sandbox. Sandboxing is achieved on a per-element basis by identifying content that should be put under protection, generating a secure domain name for the identified content, and replacing the identified content with a unique reference (e.g., an iframe) to the generated secure domain. The identified content is then served only from the generated secure domain. | 11-24-2011 |
20110289556 | Method and Apparatus for Serving Content Elements of a Markup Language Document Protected Against Cross-Site Scripting Attack - A web application decomposed into one or more domain sandboxes ensures that the contents of each sandbox are protected from attacks on the web application outside that sandbox. Sandboxing is achieved on a per-element basis by identifying content that should be put under protection, generating a secure domain name for the identified content, and replacing the identified content with a unique reference (e.g., an iframe) to the generated secure domain. The identified content is then served only from the generated secure domain using a content handler. | 11-24-2011 |
20120023394 | Method and apparatus for context-aware output escaping using dynamic content marking - A technique to provide runtime output sanitization filtering of web application content that contains multiple contexts in which dynamic output is included. To facilitate this operation, dynamically-generated content is prepared for sanitization in advance, preferably by being “marked” by the web application itself (or by middleware used by or associated with the application). Preferably, given dynamically-generated content is marked by enclosing it between dynamic content indicators. Then, after the document generation is completed but before it is output (delivered), the application-generated content is processed by a content sanitization filter. The filter uses the dynamic content identifiers to identify and locate the content that needs output escaping. The filter detects the appropriate context within which the dynamically-generated content has been placed, and it then applies the appropriate escaping. In this manner, the output content is fully prepared for escaping in advance even if it is being assembled from multiple input sources that do not operate in the same runtime environment. In this approach, escaping is added after all other application processing is finished and the complete document is ready for delivery to the requesting end user. | 01-26-2012 |
20120023395 | Method and apparatus for dynamic content marking to facilitate context-aware output escaping - A technique to provide runtime output sanitization filtering of web application content that contains multiple contexts in which dynamic output is included. To facilitate this operation, dynamically-generated content is prepared for sanitization in advance, preferably by being “marked” by the web application itself (or by middleware used by or associated with the application). Preferably, given dynamically-generated content is marked by enclosing it between dynamic content indicators. Then, after the document generation is completed but before it is output (delivered), the application-generated content is processed by a content sanitization filter. The filter uses the dynamic content identifiers to identify and locate the content that needs output escaping. The filter detects the appropriate context within which the dynamically-generated content has been placed, and it then applies the appropriate escaping. In this manner, the output content is fully prepared for escaping in advance even if it is being assembled from multiple input sources that do not operate in the same runtime environment. In this approach, escaping is added after all other application processing is finished and the complete document is ready for delivery to the requesting end user. | 01-26-2012 |
20140032921 | Protecting data on a mobile device - A password protection application is executed on a mobile device and provides an interface by which an authorized user can define and configure a “data protection profile” for the device. This profile defines at least one security event (criteria or condition) associated with the device, and at least one protection action that should occur to protect data on the device upon the triggering of the event. Once defined in a profile, the application monitors for the occurrence of the security event. Upon the occurrence of the specified event, the protection action is enforced on the device to protect the data. | 01-30-2014 |
Patent application number | Description | Published |
20130047235 | Authenticating a rich client from within an existing browser session - A user authenticates to a Web- or cloud-based application from a browser-based client. The browser-based client has an associated rich client. After a session is initiated from the browser-based client (and a credential obtained), the user can discover that the rich client is available and cause it to obtain the credential (or a new one) for use in authenticating the user to the application (using the rich client) automatically, i.e., without additional user input. An application interface provides the user with a display by which the user can configure the rich client authentication operation, such as specifying whether the rich client should be authenticated automatically if it detected as running, whether and what extent access to the application by the rich client is to be restricted, if and when access to the application by the rich client is to be revoked, and the like. | 02-21-2013 |
20130178190 | MOBILE DEVICE IDENTIFICATION FOR SECURE DEVICE ACCESS - An embodiment of the invention includes initially registering information with a data system, wherein the registered information pertains to a user of a mobile device and includes credential information, and further includes a message address associated with the user. An enrollment request, together with the specified credential information, is sent to a management server. Responsive thereto, the server sends a message of specified type to the message address associated with the user, wherein such message includes a pin code. The pin code is then sent from the device to the server, and responsive to receiving the pin code, the server is operated to deliver a security token, for use in authenticating the mobile device to selectively access the particular data processing system. | 07-11-2013 |
20130179509 | Identifying guests in web meetings - A technique that identifies registered or guest users in web meetings. Registered and guest users are provided different forms of a meeting invite URL. A guest user receives a unique URL for the meeting that is generated with a nonce value associated with the user's contact information. The nonce value does not expose the contact information. To join the web meeting, each registered user follows a common web meeting link and authenticates. Information obtained during authentication is used to identify the registered user, whose identity is then displayed. Each guest user follows his or her unique URL to join the meeting. The web meeting service receives the nonce in the unique URL and maps it to the guest user's contact details. The service displays the guest user's contact details as the guest user's identity. | 07-11-2013 |
20140122884 | Decoupled cryptographic schemes using a visual channel - A visual data transfer channel is established between a mobile device and a computing entity to facilitate a decoupled cryptographic scheme. The mobile device stores a private key. In operation, a first code is received by the mobile device over the channel. The first code encodes a cryptographic value that secures other information that has been received or generated at the computing entity. The mobile device private key is then applied to the cryptographic value to generate a second cryptographic value, which is encoded to generate a second code. The second code is then rendered on the mobile device display, from which it can then be transmitted back over the visual channel to the computing entity. At the computing entity, the second cryptographic value is recovered from the second code. | 05-01-2014 |
20140189820 | Safe auto-login links in notification emails - A web application user is authenticated directly upon selecting a link in a notification email. In this approach, the user's web browser stores a first data string provided by the web application (e.g., in a cookie) during a prior session. The first data string encodes first data about the user that can be verified by the application. Later, the user receives the notification email that includes the link. The link encodes a second data string from which second data about the user can be verified by the application. When the end user selects the link, an authentication request is transmitted to the application. The authentication request includes both the first and second data strings. If both the first data and the second data (as obtained from their respective data strings) can be verified, the user is authenticated without having to perform any additional steps (e.g., manual entry of credentials). | 07-03-2014 |
20140280883 | Secure URL update for HTTP redirects - A technique to update URLs is provided in an HTTP-based client upon receipt of an HTTP redirect in response to a request-URI. One or more references to the request-URI are saved in or in association with the client. Upon receipt of an HTTP 301 (permanent) redirect, the client automatically re-links the one or more stored references to the request-URI to one or more new references returned by the server (as identified in the HTTP redirect) when the redirect can be verified to originate from the application to which the client is attempting to connect. Preferably, the automatic re-linking is accomplished using a link editing capability for permanent (e.g., HTTP 301) redirects. | 09-18-2014 |
Patent application number | Description | Published |
20110321138 | Mask Based Challenge Response Test - A method for providing a challenge response test associated with a computer resource performed by a physical computing system includes, with the physical computing system, generating a challenge response test image comprising a plurality of well-formed construct elements forming a well-formed construct and a plurality of random construct elements, and providing a number of masks to be placed over the image, one of the number of masks configured to reveal the well-formed construct elements when placed over the image. | 12-29-2011 |
20120005720 | Categorization Of Privacy Data And Data Flow Detection With Rules Engine To Detect Privacy Breaches - A runtime approach receives a request from a target location. Data elements are received from a data store. Privacy data type categories corresponding to retrieved data elements are identified. Data flow category is identified based on the target location. Privacy actions are performed modifying some data elements based on the identified privacy data type categories and the data flow category so that the modified data elements comply with one or more data privacy rules pertaining to the target location. A design-time approach retrieves data types included in a software application data design. Privacy categories are selected that correspond to the retrieved data types. Flow categorization data is retrieved that correspond to software application processes. Privacy categories and flow categorization data are compared to privacy rules. A user is informed if privacy rules are violated to facilitate software application modification in order to comply with the privacy rules. | 01-05-2012 |
20120151568 | Method and system for authenticating a rich client to a web or cloud application - A rich client performs single sign-on (SSO) to access a web- or cloud-based application. According to the described SSO approach, the rich client delegates to its native application server the task of obtaining a credential, such as a SAML assertion. The native server, acting on behalf of the user, obtains an assertion from a federated identity provider (IdP) that is then returned to the rich client. The rich client provides the assertion to a cloud-based proxy, which presents the assertion to an identity manager to attempt to prove that the user is entitled to access the web- or cloud-based application using the rich client. If the assertion can be verified, it is exchanged with a signed token, such as a token designed to protect against cross-site request forgery (CSRF). The rich client then accesses the web- or cloud-based application making a REST call that includes the signed token. The application, which recognizes the request as trustworthy, responds to the call with the requested data. | 06-14-2012 |
20120192266 | Mask Based Challenge Response Test - A method for providing a challenge response test associated with a computer resource performed by a physical computing system includes, with the physical computing system, generating a challenge response test image comprising a plurality of well-formed construct elements forming a well-formed construct and a plurality of random construct elements, and providing a number of masks to be placed over the image, one of the number of masks configured to reveal the well-formed construct elements when placed over the image. | 07-26-2012 |
20130014239 | Authenticating a rich client from within an existing browser session - A user authenticates to a Web- or cloud-based application from a browser-based client. The browser-based client has an associated rich client. After a session is initiated from the browser-based client (and a credential obtained), the user can discover that the rich client is available and cause it to obtain the credential (or a new one) for use in authenticating the user to the application (using the rich client) automatically, i.e., without additional user input. An application interface provides the user with a display by which the user can configure the rich client authentication operation, such as specifying whether the rich client should be authenticated automatically if it detected as running, whether and what extent access to the application by the rich client is to be restricted, if and when access to the application by the rich client is to be revoked, and the like. | 01-10-2013 |
20130179941 | Identifying guests in web meetings - A technique that identifies registered or guest users in web meetings of the type wherein users must follow a supplied URL to attend the meeting. Registered and guest users are provided different forms of the meeting invite URL. Each registered user receives a common web meeting link (a URL) that he must follow to join the meeting. This link forces the registered user to authenticate to the service when used. A guest user invitee receives a unique URL for the meeting that is generated with a nonce value associated with the guess user's contact information. The nonce value does not expose the contact information. To join the meeting, each registered user must follow the common web meeting link and authenticate to the service. True identities of the web meeting participants are displayed. | 07-11-2013 |
20130324083 | Authentication Request Management - The different illustrative embodiments provide a method, computer program product, and apparatus for managing an authentication request. A determination is made whether additional authentication is to be performed responsive to receiving the authentication request to access an application from a mobile device. A phone number to call is sent to the mobile device responsive to a determination that the additional authentication is to be performed. A determination is made whether an incoming call to the phone number is from the mobile device and within a selected period of time. The authentication request to access the application from the mobile device is granted responsive to a determination that the incoming call to the phone number is from the mobile device and within the selected period of time. | 12-05-2013 |
20130324086 | Authentication Request Management - The different illustrative embodiments provide a method, computer program product, and apparatus for managing an authentication request. A determination is made whether additional authentication is to be performed responsive to receiving the authentication request to access an application from a mobile device. A phone number to call is sent to the mobile device responsive to a determination that the additional authentication is to be performed. A determination is made whether an incoming call to the phone number is from the mobile device and within a selected period of time. The authentication request to access the application from the mobile device is granted responsive to a determination that the incoming call to the phone number is from the mobile device and within the selected period of time. | 12-05-2013 |
20140033299 | Protecting data on a mobile device - A password protection application is executed on a mobile device and provides an interface by which an authorized user can define and configure a “data protection profile” for the device. This profile defines at least one security event (criteria or condition) associated with the device, and at least one protection action that should occur to protect data on the device upon the triggering of the event. Once defined in a profile, the application monitors for the occurrence of the security event. Upon the occurrence of the specified event, the protection action is enforced on the device to protect the data. | 01-30-2014 |
20140282939 | Increasing Chosen Password Strength - An approach is provided to increase password strength in a group of users. The approach detects a password event corresponding to one of the users. In response to the detected password event, the approach identifies a strength of the user's password and compares it to one or more password strength metrics that correspond to the group of users. The password strength comparison data is then transmitted as feedback back to the user. | 09-18-2014 |
20140337953 | Cross-platform authentication from within a rich client - An un-authenticated user attempts to access a protected resource at a Web- or cloud-based application from within a rich client. The client has an associated local HTTP server. Upon being refused access, a browser-based login dialog is opened automatically within an embedded browser panel. After receipt of the user's login credential in the panel, the browser passes the credential server application. If the user is authenticated, the browser-based dialog receives a cookie establishing that the user is authenticated for a session. The browser then automatically makes a request to the HTTP server, passing the cookie. Upon receipt of the request at the rich client HTTP server, the rich client saves the cookie in an associated data store, shuts down the login dialog, and re-issues the original request to the server, this time passing the cookie. The rich client, having provided the cookie, is then permitted to access the resource. | 11-13-2014 |
20150081876 | Cross-domain inactivity tracking for integrated web applications - In a cloud computing environment, a user authenticates to multiple cloud services concurrently. A master service has knowledge of or tracks the cloud service(s) to which a user is authenticated. Each cloud service may enforce its own inactivity period, and the inactivity period of at least first and second cloud services may be distinct from one another. When the master service receives an indication that the authenticated user is attempting to take an action at a first cloud service despite an activity timeout there, the master service issues a status request to at least the second cloud service to determine whether the user is still active at the second cloud service (despite its different inactivity period). If the user is still active at the second cloud service, the master service provides a response, selectively overriding (re-setting) the activity timeout at the first cloud service to permit the action. | 03-19-2015 |