Patents Assigned to SHAPE SECURITY, INC.
  • Publication number: 20190042394
    Abstract: In an embodiment, a method comprises rendering a first image of a first user interface based on a first set of instructions; rendering a second image of a second user interface based on a second set of instructions; generating a first mask comprising a plurality of points, wherein each point in the first mask indicates whether a first point in the first image and a second point in the second image are different; rendering a third image of a third user interface based on a third set of instructions, wherein the first set of instructions are different than the third set of instructions and the first image is different than the third image; determining that the first image is equivalent to the third image based on the first image, the first mask, and the third image.
    Type: Application
    Filed: October 2, 2018
    Publication date: February 7, 2019
    Applicant: SHAPE SECURITY, INC.
    Inventor: SUBRAMANIAN VARADARAJAN
  • Patent number: 10187408
    Abstract: A computer-implemented method includes providing, for use by a third-party, injectable computer code that is capable of being served with other code provided by the third-party to client computing devices; receiving data from client computing devices that have been served the code by the third-party, the data including data that characterizes (a) the client computing devices and (b) user interaction with the client computing devices; classifying the client computing devices as controlled by actual users or instead by automated software based on analysis of the received data from the client computing devices; and providing to the third party one or more reports that characterize an overall level of automated software activity among client computing devices that have been served code by the third party.
    Type: Grant
    Filed: July 10, 2017
    Date of Patent: January 22, 2019
    Assignee: SHAPE SECURITY, INC.
    Inventors: Justin D. Call, Xinran Wang, Yao Zhao, Timothy Dylan Peacock
  • Publication number: 20190007428
    Abstract: Techniques are provided for detecting compromised credentials in a credential stuffing attack. A set model is trained based on a first set of spilled credentials. The set model does not comprise any credential of the first set of spilled credentials. A first request is received from a client computer with a first candidate credential to login to a server computer. The first candidate credential is tested for membership in the first set of spilled credentials using the set model. In response to determining the first set of spilled credentials includes the first candidate credential using the set model, one or more negative actions is performed.
    Type: Application
    Filed: June 29, 2018
    Publication date: January 3, 2019
    Applicant: SHAPE SECURITY, INC.
    Inventors: Daniel G Moen, Carl Schroeder
  • Publication number: 20190007444
    Abstract: Methods and apparatus are described for automatically modifying web page source code to address a variety of security vulnerabilities such as, for example, vulnerabilities that are exploited by mixed content attacks.
    Type: Application
    Filed: July 23, 2018
    Publication date: January 3, 2019
    Applicant: SHAPE SECURITY, INC.
    Inventors: Sergey Shekyan, Michael Coates, Wesley Hales, Tim Peacock, Justin Call
  • Publication number: 20190007387
    Abstract: Techniques are provided for secure detection and management of compromised credentials. A first candidate credential is received, comprising a first username and a first password, wherein the first candidate credential was sent in a first request from a first client computer to log in to a first server computer. A first salt associated with the first username in a salt database is obtained. A first hashed credential is generated based on the first password and the first salt. The first hashed credential is transmitted to a set model server computer, wherein the set model server computer is configured to maintain a set model that represents a set of spilled credentials, determine whether the first hashed credential is represented in the set model, and in response to determining that the first hashed credential is represented in the set model, performing additional processing on the first hashed credential.
    Type: Application
    Filed: July 2, 2018
    Publication date: January 3, 2019
    Applicant: SHAPE SECURITY, INC.
    Inventors: Zhipu Jin, Gautam Agrawal, Daniel G. Moen, Weiguo Liang, Xingang Wang
  • Publication number: 20180359216
    Abstract: An API call filtering system filters responses to API call requests received, via a network, from UEs. The API call filtering system is configured to require personalized API call requests wherein each API call (except for some minor exceptions) includes a unique UE identifier (“UEIN”) of the UE making the request. Using the UEIN, the web service or other service protected by the API call filtering system can be secured against excessive request iterations from a set of rogue UEs while allowing for ordinary volumes of requests from the UEs, wherein one or more boundaries between what is deemed to be an ordinary volume of requests and what is deemed to be excessive request iterations are determined by predetermined criteria.
    Type: Application
    Filed: August 13, 2018
    Publication date: December 13, 2018
    Applicant: SHAPE SECURITY, INC.
    Inventor: Marc Hansen
  • Patent number: 10089216
    Abstract: In an embodiment, a method comprises rendering a first image of a first user interface based on a first set of instructions; rendering a second image of a second user interface based on a second set of instructions; generating a first mask comprising a plurality of points, wherein each point in the first mask indicates whether a first point in the first image and a second point in the second image are different; rendering a third image of a third user interface based on a third set of instructions, wherein the first set of instructions are different than the third set of instructions and the first image is different than the third image; determining that the first image is equivalent to the third image based on the first image, the first mask, and the third image.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: October 2, 2018
    Assignee: SHAPE SECURITY, INC.
    Inventor: Subramanian Varadarajan
  • Patent number: 9917850
    Abstract: Computer systems and methods for improving security or performance of one or more client computers interacting with a plurality of server computers. In an embodiment, a computer system comprises a first server computer and a second server computer; wherein the first server computer is configured to: generate a challenge nonce, wherein the challenge nonce corresponds to a challenge state; generate the challenge state based on the challenge nonce, wherein the challenge state corresponds to a response state; send, to a first client computer, the challenge nonce and the challenge state, but not the response state; wherein the second server computer is configured to: receive, from the first client computer, a test nonce and a test response state; determine whether the test response state matches the response state based on the test nonce, without: receiving the challenge state from the first server computer; receiving the challenge state from the first client computer.
    Type: Grant
    Filed: March 3, 2016
    Date of Patent: March 13, 2018
    Assignee: SHAPE SECURITY, INC.
    Inventor: Michael J. Ficarra
  • Patent number: 9621583
    Abstract: In an embodiment, a method comprises intercepting, using a server computer, a first set of instructions that define a user interface and a plurality of links, wherein each link in the plurality of links is associated with a target page, and the plurality of links includes a first link; determining that the first link, which references a first target page, is protected; in response to determining the first link is protected: generating a first decoy link that corresponds to the first link, wherein the first decoy link includes data that references a first decoy page which includes false information; rendering a second set of instructions that defines the first decoy link, wherein the second set of instructions is configured to cause a first client computer to hide the first decoy link from the user interface; sending the second set of instructions to the first client computer.
    Type: Grant
    Filed: October 27, 2015
    Date of Patent: April 11, 2017
    Assignee: SHAPE SECURITY, INC.
    Inventors: Subramanian Varadarajan, Justin Call
  • Patent number: 9608975
    Abstract: Computer systems and methods in various embodiments are configured for improving the security and efficiency of server computers interacting through an intermediary computer with client computers that may be executing malicious and/or autonomous headless browsers or “bots”.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: March 28, 2017
    Assignee: SHAPE SECURITY, INC.
    Inventors: Ariya Hidayat, Justin Call
  • Patent number: 9584534
    Abstract: A computer-implemented method involves identifying an initial element for serving by a web server system to a client device and recoding the element by creating a plurality of different elements that each represent a portion of the initial element. The different elements are then served in place of the initial element. A response is received from the client device and has portions that correspond to the different elements, and a combined response is created by combining the received portions in a manner that corresponds to a manner in which the initial element was recoded to create the plurality of different elements.
    Type: Grant
    Filed: May 1, 2015
    Date of Patent: February 28, 2017
    Assignee: SHAPE SECURITY, INC.
    Inventors: Justin D. Call, Marc R. Hansen, Xinran Wang, Sumit Agarwal, Bryan D. Hanks
  • Patent number: 9479526
    Abstract: A security appliance includes a vulnerable testbed that simulates at least one known vulnerability, and a secure testbed that simulates not having that vulnerability. A testbed monitor monitors run-time behavior of the vulnerable testbed and the secure testbed, obtaining at least one run-time behavior parameter. A comparative evaluator module compares the run-time behavior parameters with respect to the received client request to determine if it is legitimate or illegitimate. The security appliance outputs its determination with a message and/or by forwarding client requests deemed legitimate and dropping client requests deemed illegitimate. The determination can be based on differences in the run-time behavior parameters. Illegitimate requests can be cached for later matching. The requests can be database data requests, XML formatted requests, operating system requests and/or other types of requests that would be differentially handled by a vulnerable server and a secure server.
    Type: Grant
    Filed: November 13, 2014
    Date of Patent: October 25, 2016
    Assignee: SHAPE SECURITY, INC.
    Inventor: Siying Yang
  • Patent number: 9460288
    Abstract: A coupled set of servers in a server system protect an application programming interface (“API”) from unwanted automation facilitated by unauthorized reverse engineering of an endpoint app or communications channel used by the endpoint app. The server system comprises at least one secure app update server that transforms an app code object received from an enterprise app server into a transferred app code object, and at least one secure application programming interface (“API”) server that interacts with an endpoint device that executes the transformed app code object. The secure API is adapted to convert API requests made by the transformed app code object into renormalized API requests formatted for processing by an enterprise API server. The transforming of the app code object results in API requests from the client that would constitute invalid API requests if presented to the enterprise API server without renormalization.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: October 4, 2016
    Assignee: SHAPE SECURITY, INC.
    Inventors: Justin D. Call, Marc Hansen
  • Patent number: 9258274
    Abstract: An API call filtering system filters responses to API call requests received, via a network, from user devices. The API call filtering system is configured to require personalized API call requests wherein each API call (except for some minor exceptions) includes a unique endpoint identifier (“UEID”) of the user device making the request. Using the UEID, the web service or other service protected by the API call filtering system can be secured against excessive request iterations from a set of rogue user devices while allowing for ordinary volumes of requests from the user devices, wherein one or more boundaries between what is deemed to be an ordinary volume of requests and what is deemed to be excessive request iterations are determined by predetermined criteria.
    Type: Grant
    Filed: July 9, 2014
    Date of Patent: February 9, 2016
    Assignee: SHAPE SECURITY, INC.
    Inventor: Marc Hansen
  • Publication number: 20150271188
    Abstract: In an embodiment, a method comprises intercepting, from a server computer, a first set of instructions that define a user interface; executing, using a headless browser, the first set of instructions without presenting the user interface; rendering a second set of instructions, which when executed by a client application on a client computer, cause the client computer to present the user interface, wherein the second set of instructions are different than the first set of instructions; sending the second set of instructions to the client computer.
    Type: Application
    Filed: March 18, 2014
    Publication date: September 24, 2015
    Applicant: SHAPE SECURITY, INC.
    Inventor: Justin Call
  • Publication number: 20140041030
    Abstract: A code finder system deployed as a software module, a web service or as part of a larger security system, identifies and processes well-formed code sequences. For a data flow that is expected to be free of executable or interpreted code, or free of one or more known styles of executable or interpreted code, the code finder system can protect participants in the communications network. Examples of payload carried by data flows that can be monitored include, but are not limited to, user input data provided as part of interacting with a web application, data files or entities, such as images or videos, and user input data provided as part of interacting with a desktop application.
    Type: Application
    Filed: February 15, 2013
    Publication date: February 6, 2014
    Applicant: SHAPE SECURITY, INC.
    Inventors: Justin David Call, Oscar Hunter Steele, III
  • Publication number: 20130219492
    Abstract: A code finder system deployed as a software module, a web service or as part of a larger security system, identifies and processes well-formed code sequences. For a data flow that is expected to be free of executable or interpreted code, or free of one or more known styles of executable or interpreted code, the code finder system can protect participants in the communications network. Examples of payload carried by data flows that can be monitored include, but are not limited to, user input data provided as part of interacting with a web application, data files or entities, such as images or videos, and user input data provided as part of interacting with a desktop application.
    Type: Application
    Filed: June 19, 2012
    Publication date: August 22, 2013
    Applicant: SHAPE SECURITY, INC.
    Inventors: JUSTIN DAVID CALL, Oscar Hunter Steele, III