Abstract: A method, non-transitory compute r readable medium, device, and system that receives telemetry data collected based on instrumentation code executed at one of a plurality of client computing devices with a requested transaction with one of a plurality of web server systems. Identifying signal data (IDSD) usable to identify the one of client computing devices is determined based on the received telemetry data. Any matching telemetry data in a telemetry data set for a plurality of prior transactions between one or more of the client computing devices and one or more of the web server systems is identified based on any stored IDSDs that match the received IDSD. A security score associated with the one of the client computing devices is generated based on the identified matching telemetry data. A response to the requested transaction to the one of client computing devices is managed based on the generated security score.

Abstract: Techniques are provided for request modification for web security challenge. Data corresponding to a web page request by a client computing device for a web page is received. The web page comprises web code that allows a user to submit a request to initiate a web transaction with a web server system. Challenge code is generated that determines one or more values that are a valid solution to a challenge. The challenge code is provided for integrated code to be served in response to the web page request. The integrated code comprises the challenge code and modified web code that adds one or more parameters for the valid solution to the request. A particular request is received to initiate the web transaction. It is determined that the one or more parameter values are not a valid solution. In response, the web server system is prevented from processing the particular request.

Abstract: Techniques are provided for detecting a malicious script in a web page. Instrumentation code is provided for serving to a client computing device with a web page. The instrumentation code is configured to monitor web code execution at the client computing device when a script referenced by the web page is processed. Script activity data generated by the instrumentation code is received. The script activity data describes one or more script actions detected by the instrumentation code at the client computing device. Prior script activity data generated by a prior instance of the instrumentation code is obtained. A malicious change in the script is detected based on comparing the script activity data and the prior script activity data. In response to detecting the malicious change in the script, a threat response action is performed.

Abstract: Techniques are provided for evaluating and modifying countermeasures based on aggregate transaction status. A first expression pattern is determined that occurs in each of first response messages served by the web server system in response to successful transactions of the transaction type. A second expression pattern is determined that occurs in each of second response messages served by the web server system in response to non-successful transactions of the transaction type requested. Aa status is determined for each of a plurality of transactions of the transaction type based on matching the first expression pattern or the second expression pattern to response messages served by the web server system. Aggregate status information for the transaction type based on the status for the set of operations is updated. Based on a change in the aggregate status information, a set of one or more security countermeasures is updated.

Abstract: Techniques are provided for security code for integration with an application. A first request associated with a request by an application to an application server is received. The application includes security code that performs a set of one or more operations on one or more input parameters. The application is provided one or more parameter values, wherein the security code generates a secret cryptographic key based on the one or more parameter values. A security key is received that includes encrypted client data collected at the client device that is encrypted using the secret cryptographic key. The secret cryptographic key is generated based on the one or more parameter values and knowledge of the set of one or more operations. It is determined that the decrypted client data matches a pattern of data associated with malware. The application server is prevented from processing a second request.

Abstract: Unsupervised or supervised machine learning (“ML”) techniques discussed herein can be used to classify browsers as one or more types of browser or within one or more browser groups.

Abstract: Techniques are provided for proof-of-work based on runtime compilation. Key generation code is partitioned into a set of code blocks. The key generation code generates an expected key value when compiled and executed. A shuffled set of code blocks is generated by reordering the set of code blocks. A client computing device is provided the shuffled set of code blocks and problem-solving code that, when executed at the client computing device, reconstructs the key generation code to generate a submission value by performing one or more compiling iterations. Each compiling iteration comprising reordering the shuffled set of code blocks to generate test code, and attempting to compile and execute the test code to generate the submission value. It is determined that the client computing device fully executed the problem-solving code based on the verifying the submission value.

Abstract: In an embodiment, a method comprises intercepting, from a server computer, a first set of instructions that define one or more objects and one or more operations that are based, at least in part, on the one or more objects; generating, in memory, one or more data structures that correspond to the one or more objects; performing the one or more operations on the one or more data structures; updating the one or more data structures, in response to performing the one or more operations, to produce one or more updated data structures; rendering a second set of instructions, which when executed by a remote client computer cause the remote client computer to generate the updated data structures in memory on the remote client computer, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the remote client computer.

Abstract: Techniques are described for delayed serving of protected content. A request has been made by a client computing device for a requested resource comprising a first portion and a second portion that is initially withheld from the client computing device. First content comprising the first portion of the requested resource and reconnaissance code is served for execution on the client computing device. When executed at the client computing device, the reconnaissance code gathers data at the client computing device that indicates whether the client computing device is human-controlled or bot-controlled. The data gathered by the reconnaissance code is received. Based on the data, it is determined that the client computing device is not bot-controlled. In response to determining that the client computing device is not bot-controlled, the second portion of the requested resource is served to the client computing device.

Abstract: Techniques are provided for detecting compromised credentials in a credential stuffing attack. A set model is trained based on a first set of spilled credentials. The set model does not comprise any credential of the first set of spilled credentials. A first request is received from a client computer with a first candidate credential to login to a server computer. The first candidate credential is tested for membership in the first set of spilled credentials using the set model. In response to determining the first set of spilled credentials includes the first candidate credential using the set model, one or more negative actions is performed.

Abstract: Techniques are provided for detecting compromised web pages in a runtime environment. A first version of a web page is retrieved and loaded in a browser comprising a browser extension configured to detect event listeners added when web pages are loaded by the browser. First data is generated describing a first set of event listeners detected by the browser extension when the first version of the web page is loaded. At a second time a second version of the web page is retrieved and loaded in the browser. Second data is generated describing a second set of event listeners detected by the browser extension when the second version of the web page is loaded. It is determined that the web page is compromised based on comparing the first data and the second data. In response to determining that the web page is compromised, a threat response action is performed.

Abstract: An API call filtering system filters responses to API call requests received, via a network, from UEs. The API call filtering system is configured to require personalized API call requests wherein each API call (except for some minor exceptions) includes a unique UE identifier (“UEIN”) of the UE making the request. Using the UEIN, the web service or other service protected by the API call filtering system can be secured against excessive request iterations from a set of rogue UEs while allowing for ordinary volumes of requests of requests the UEs, wherein one or more boundaries between what is deemed to be an ordinary volume of requests and what is deemed to be excessive request iterations are determined by predetermined criteria.

Abstract: Techniques are provided for security measures for extended sessions. Request data for a request is received from a client computing device to a web server system. The request comprises a session identifier (ID) for a session between an authenticated user and the web server system. It is determined, based on the request data, that the client computing device is a single-user device. It is determined, based on the request data, that the client computing device is not compromised. In response to determining that the client computing device is a single-user device and that the client computing device is not compromised, extension of the session between the authenticated user on the client computing device and the web server system is caused.

Abstract: Techniques are provided for secure detection and management of compromised credentials. A first candidate credential is received, comprising a first username and a first password, wherein the first candidate credential was sent in a first request from a first client computer to log in to a first server computer. A first salt associated with the first username in a salt database is obtained. A first hashed credential is generated based on the first password and the first salt. The first hashed credential is transmitted to a set model server computer, wherein the set model server computer is configured to maintain a set model that represents a set of spilled credentials, determine whether the first hashed credential is represented in the set model, and in response to determining that the first hashed credential is represented in the set model, performing additional processing on the first hashed credential.

Abstract: In an embodiment, a computer system is configured to improve security of server computers interacting with client computers through an intermediary computer, and comprising: a memory comprising processor logic; one or more processors coupled to the memory, wherein the one or more processors execute the processor logic, which causes the one or more processors to: intercept, from a server computer, one or more original instructions to be sent to a browser being executed on a client computer; inject, into the one or more original instructions, one or more browser detection instructions, which when executed cause one or more operations to be performed by an execution environment on the client computer and send a result that represents an internal state of the execution environment after performing the one or more operations to the intermediary computer; send the one or more original instructions with the one or more browser detection instructions to the browser; receive the result and determine whether the browse

Abstract: In an approach, an apparatus comprises: one or more processors; a processor logic coupled to the one or more processors and configured to: intercept, from a client computer, a request directed to a server computer that identifies a purported user agent executing on the client computer; send, to the server computer, the request from the client computer; intercept, from the server computer, one or more original instructions to be executed by the purported user agent of the client computer; determine one or more features supported by the purported user agent that are not utilized by the one or more original instructions; transform the one or more original instructions into one or more revised instructions which, when executed by the purported user agent, cause the purported user agent to utilize the one or more features; send, to the client computer, the one or more revised instructions.

Abstract: In an embodiment, a computer system configured to improve security of client computer interacting with server computers comprises one or more processors; a digital electronic memory storing a set of program instructions which when executed using the one or more processors cause the one or more processors to: process a first set of original instructions that produce a first set of outputs or effects; generate a first set of interpreter instructions that define a first interpreter; generate a first set of alternate instructions from the first set of original instructions, wherein the first set of alternate instructions is functionally equivalent to the first set of original instructions when the first set of alternate instructions is executed by the first interpreter; send, to the first client computer, the first set of alternate instructions and the first set of interpreter instructions.

Abstract: Application programming interfaces (APIs) can be unintentionally exposed and allow for potentially undesirable use of corporate resources. An API call filtering system configured to monitor API call requests received via an endpoint and API call responses received via a supporting service of an API or web service. The API call filtering system enables enterprises to improve their security posture by identifying, studying, reporting, and securing their APIs within their enterprise network.

Abstract: In an embodiment, a method comprises intercepting, from a server computer, a first set of instructions that define a user interface; executing, using a headless browser, the first set of instructions without presenting the user interface; rendering a second set of instructions, which when executed by a client application on a client computer, cause the client computer to present the user interface, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the client computer.

Abstract: Techniques are provided for a security policy for browser extensions. A first pattern is determined that is present in requests from client computing devices when a first browser extension is operating on the client computing devices. The first pattern is identified in a first request from a first client computing device to a first web server system. It is determined, based on identifying the first pattern in the first request, that the first browser extension is associated with the first request. It is determined that the first browser extension associated with the first request is whitelisted with respect to the first web server system based on a security policy. In response to determining that the first browser extension is whitelisted with respect to the first web server system, a first automated response is performed that causes the first web server system to process the first request.