Patents by Inventor Sebastian Lekies
Sebastian Lekies has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240056473
Abstract: A method includes receiving a scan request requesting to scan a set of network-connected assets designated for a network scan. For each respective network-connected asset, the method includes scanning, at a network security scanner using a first scanning privilege level, the respective network-connected asset. The method includes determining, based on the scan using the first scanning privilege level, whether the respective network-connected asset has a vulnerability. In response, the method includes scanning, at the network security scanner using a second scanning privilege level, the respective network-connected asset. The second scanning privilege level defines a lower level of access the network security scanner has than the first scanning privilege level. The method includes determining, based on the scans, an exposure level of the vulnerability. The method includes reporting the exposure level of the vulnerability to a user of the respective network-connected asset.
Type: Application
Filed: October 26, 2023
Publication date: February 15, 2024
Applicant: Google LLC
Inventors: Sebastian Lekies, Jean-Baptiste Cid
-
Patent number: 11870798
Abstract: A method for minimizing scan disruptions includes receiving a scan request requesting to scan a set of network-connected assets. Each network-connected asset is associated with corresponding network characteristics. The method includes partitioning the set of network-connected assets into a plurality of groups based on the corresponding network characteristics. For each respective group, simultaneously, the method includes determining an ordered list for scanning each network-connected asset in the respective group, scanning a first network-connected asset of the respective group based on the ordered list, and, after scanning the first network-connected asset, determining a post-scan health status of the first network-connected asset. The method includes determining, using the post-scan health status, that a health of the first network-connected asset is degraded.
Type: Grant
Filed: April 23, 2021
Date of Patent: January 9, 2024
Assignee: Google LLC
Inventors: Claudio Criscione, David Aslanian, Sebastian Lekies, Joseph Nelson
-
Patent number: 11847231
Abstract: A method for detecting an injection vulnerability of a client-side templating system includes receiving a web page, determining that the web page implements an interpreted programming language framework with client-side templating, and extracting a version of the interpreted programming language framework and an interpolation sign from the web page. The method also includes generating an attack payload for at least one injection vulnerability context of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
Type: Grant
Filed: October 7, 2021
Date of Patent: December 19, 2023
Assignee: Google LLC
Inventors: Sebastian Lekies, Nicolas Golubovic
-
Patent number: 11824886
Abstract: A method includes receiving a scan request requesting to scan a set of network-connected assets designated for a network scan. For each respective network-connected asset, the method includes scanning, at a network security scanner using a first scanning privilege level, the respective network-connected asset. The method includes determining, based on the scan using the first scanning privilege level, whether the respective network-connected asset has a vulnerability. In response, the method includes scanning, at the network security scanner using a second scanning privilege level, the respective network-connected asset. The second scanning privilege level defines a lower level of access the network security scanner has than the first scanning privilege level. The method includes determining, based on the scans, an exposure level of the vulnerability. The method includes reporting the exposure level of the vulnerability to a user of the respective network-connected asset.
Type: Grant
Filed: April 29, 2021
Date of Patent: November 21, 2023
Assignee: Google LLC
Inventors: Sebastian Lekies, Jean-Baptiste Cid
-
Patent number: 11750635
Abstract: This technology is directed to a rules based engine for managing network-based scanning of devices on a network to minimize disruptions to the network. One or more processors may identify an initial group of network devices from a set of network devices, the initial group of network devices being identified in accordance with a rule set, and initiate a scan of the initial group of network devices. The one or more processors may determine, in accordance with the rule set, an additional group of network devices from the set of network devices to be scanned and initiate a scan of the additional group of network devices. The steps may be repeated until all network devices in the set of network devices are scanned in accordance with the rule set.
Type: Grant
Filed: July 20, 2020
Date of Patent: September 5, 2023
Assignee: Google LLC
Inventors: Sebastian Lekies, David Aslanian, Claudio Criscione
-
Publication number: 20230259637
Abstract: A method for detecting an injection vulnerability of a client-side templating system includes receiving a web page, determining that the web page implements an interpreted programming language framework with client-side templating, and extracting a version of the interpreted programming language framework and an interpolation sign from the web page. The method also includes generating an attack payload for at least one injection vulnerability context of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
Type: Application
Filed: April 19, 2023
Publication date: August 17, 2023
Applicant: Google LLC
Inventors: Sebastian Lekies, Nicolas Golubovic
-
Patent number: 11640471
Abstract: A method (800) for detecting an injection vulnerability of a client-side templating system includes receiving a web page (200), determining that the web page implements an interpreted programming language framework (142) with client-side templating, and extracting a version (144) of the interpreted programming language framework and an interpolation sign (146) from the web page. The method also includes generating an attack payload (152a) for at least one injection vulnerability context (210) of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
Type: Grant
Filed: May 4, 2018
Date of Patent: May 2, 2023
Assignee: Google LLC
Inventors: Sebastian Lekies, Nicolas Golubovic
-
Publication number: 20220353287
Abstract: A method includes receiving a scan request requesting to scan a set of network-connected assets designated for a network scan. For each respective network-connected asset, the method includes scanning, at a network security scanner using a first scanning privilege level, the respective network-connected asset. The method includes determining, based on the scan using the first scanning privilege level, whether the respective network-connected asset has a vulnerability. In response, the method includes scanning, at the network security scanner using a second scanning privilege level, the respective network-connected asset. The second scanning privilege level defines a lower level of access the network security scanner has than the first scanning privilege level. The method includes determining, based on the scans, an exposure level of the vulnerability. The method includes reporting the exposure level of the vulnerability to a user of the respective network-connected asset.
Type: Application
Filed: April 29, 2021
Publication date: November 3, 2022
Applicant: Google LLC
Inventors: Sebastian Lekies, Jean-Baptiste Cid
-
Publication number: 20220345478
Abstract: A method for minimizing scan disruptions includes receiving a scan request requesting to scan a set of network-connected assets. Each network-connected asset is associated with corresponding network characteristics. The method includes partitioning the set of network-connected assets into a plurality of groups based on the corresponding network characteristics. For each respective group, simultaneously, the method includes determining an ordered list for scanning each network-connected asset in the respective group, scanning a first network-connected asset of the respective group based on the ordered list, and, after scanning the first network-connected asset, determining a post-scan health status of the first network-connected asset. The method includes determining, using the post-scan health status, that a health of the first network-connected asset is degraded.
Type: Application
Filed: April 23, 2021
Publication date: October 27, 2022
Applicant: Google LLC
Inventors: Joseph Nelson, David Aslanian, Claudio Criscione, Sebastian Lekies
-
Publication number: 20220030028
Abstract: A method for detecting an injection vulnerability of a client-side templating system includes receiving a web page, determining that the web page implements an interpreted programming language framework with client-side templating, and extracting a version of the interpreted programming language framework and an interpolation sign from the web page. The method also includes generating an attack payload for at least one injection vulnerability context of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
Type: Application
Filed: October 7, 2021
Publication date: January 27, 2022
Applicant: Google LLC
Inventors: Sebastian Lekies, Nicolas Golubovic
-
Publication number: 20220021696
Abstract: This technology is directed to a rules based engine for managing network-based scanning of devices on a network to minimize disruptions to the network. One or more processors may identify an initial group of network devices from a set of network devices, the initial group of network devices being identified in accordance with a rule set, and initiate a scan of the initial group of network devices. The one or more processors may determine, in accordance with the rule set, an additional group of network devices from the set of network devices to be scanned and initiate a scan of the additional group of network devices. The steps may be repeated until all network devices in the set of network devices are scanned in accordance with the rule set.
Type: Application
Filed: July 20, 2020
Publication date: January 20, 2022
Inventors: Sebastian Lekies, David Aslanian, Claudio Criscione
-
Publication number: 20210044617
Abstract: A method (800) for detecting an injection vulnerability of a client-side templating system includes receiving a web page (200), determining that the web page implements an interpreted programming language framework (142) with client-side templating, and extracting a version (144) of the interpreted programming language framework and an interpolation sign (146) from the web page. The method also includes generating an attack payload (152a) for at least one injection vulnerability context (210) of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
Type: Application
Filed: May 4, 2018
Publication date: February 11, 2021
Applicant: Google LLC
Inventors: Sebastian Lekies, Nicolas Golubovic
-
Patent number: 10397243
Abstract: A widget generator may be configured to provide, to a browser application, a widget that is executable to be rendered in conjunction with a page rendered by the browser application. A protection manager may be configured to provide, to the browser application and in conjunction with the widget, a protection script that is executable within a page context of the page and separate from a widget context of the widget. The protection script, during execution, validates a condition associated with a frame of the page that is used to render the widget, and enables functionality of the widget within the page, based on validation of the condition.
Type: Grant
Filed: July 25, 2014
Date of Patent: August 27, 2019
Assignee: SAP SE
Inventors: Martin Johns, Sebastian Lekies
-
Patent number: 9934393
Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for providing data security in web applications operating offline, and actions include receiving a request from a user of a web application during offline use of the web application in a web browser, the request implicating a data item, receiving an offline password from the user, decrypting an encrypted offline key to provide an offline key, and selectively using the offline key to process the data item based on a data protection policy stored in storage of the web browser and a protection level assigned to the data item.
Type: Grant
Filed: April 21, 2015
Date of Patent: April 3, 2018
Assignee: SAP SE
Inventors: Martin Johns, Sebastian Lekies
-
Cooperative static and dynamic analysis of web application code for finding security vulnerabilities
Patent number: 9805203
Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage media for receiving, by a SSCA module of a server, source code data based on one or more web pages of a website, analyzing, by the SSCA module, the source code data using static analysis to provide initial results, the initial results including identifiers respectively assigned to one or more variables provided in the source code data, transmitting, by the SSCA module, a request to the website through a proxy server, the request being based on the initial results, the proxy server receiving a response and transmitting a rewritten response to a DSCA module executed on a client, receiving, by the SSCA module, updated source code data from the DSCA module, the updated source code data being provided based on the rewritten response, and updating, by the SSCA module, the initial results based on the updated source code data.
Type: Grant
Filed: April 21, 2015
Date of Patent: October 31, 2017
Assignee: SAP SE
Inventors: Martin Johns, Sebastian Lekies, Benjamin Raethlein
-
Publication number: 20160314303
Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for providing data security in web applications operating offline, and actions include receiving a request from a user of a web application during offline use of the web application in a web browser, the request implicating a data item, receiving an offline password from the user, decrypting an encrypted offline key to provide an offline key, and selectively using the offline key to process the data item based on a data protection policy stored in storage of the web browser and a protection level assigned to the data item.
Type: Application
Filed: April 21, 2015
Publication date: October 27, 2016
Inventors: Martin Johns, Sebastian Lekies
-
Cooperative Static and Dynamic Analysis of Web Application Code for Finding Security Vulnerabilities
Publication number: 20160314301
Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage media for receiving, by a SSCA module of a server, source code data based on one or more web pages of a website, analyzing, by the SSCA module, the source code data using static analysis to provide initial results, the initial results including identifiers respectively assigned to one or more variables provided in the source code data, transmitting, by the SSCA module, a request to the website through a proxy server, the request being based on the initial results, the proxy server receiving a response and transmitting a rewritten response to a DSCA module executed on a client, receiving, by the SSCA module, updated source code data from the DSCA module, the updated source code data being provided based on the rewritten response, and updating, by the SSCA module, the initial results based on the updated source code data.
Type: Application
Filed: April 21, 2015
Publication date: October 27, 2016
Inventors: Martin Johns, Sebastian Lekies, Benjamin Raethlein
-
Patent number: 9432383
Abstract: An aspect identifier of an integrity validation script may be provided to a browser application, that, during execution thereof by the browser application when rendering a page, identifies a document object model (DOM) aspect of a DOM of the page. A copy generator of the integrity validation script may be provided to the browser application that, during execution thereof by the browser application when rendering the page, generates a copy of the identified DOM aspect. The integrity validation script is configured to test an integrity of the DOM based on attempted deletion of the identified DOM aspect, while maintaining the identified DOM aspect through the copy thereof.
Type: Grant
Filed: July 25, 2014
Date of Patent: August 30, 2016
Assignee: SAP SE
Inventors: Martin Johns, Sebastian Lekies
-
Patent number: 9300687
Abstract: Techniques for preventing unauthorized access to protected network resources include accessing, from a client appliance connected in a distributed network, a computing appliance through the world wide web, the computing appliance including a DNS server addressed by a particular domain name; receiving, from the computing appliance, a portion of code at the client appliance through a web browser of the client appliance, receiving, to a server appliance connected in the distributed network, a request to access secure content stored on the server appliance by the portion of code; comparing the domain name of the DNS server with a server-origin of the secure content; and based on the domain name of the DNS server being exclusive of a set of server-origin values that includes the server-origin, denying access to the request.
Type: Grant
Filed: August 6, 2013
Date of Patent: March 29, 2016
Assignee: SAP SE
Inventors: Martin Johns, Sebastian Lekies
-
Publication number: 20160028743
Abstract: An aspect identifier of an integrity validation script may be provided to a browser application, that, during execution thereof by the browser application when rendering a page, identifies a document object model (DOM) aspect of a DOM of the page. A copy generator of the integrity validation script may be provided to the browser application that, during execution thereof by the browser application when rendering the page, generates a copy of the identified DOM aspect. The integrity validation script is configured to test an integrity of the DOM based on attempted deletion of the identified DOM aspect, while maintaining the identified DOM aspect through the copy thereof.
Type: Application
Filed: July 25, 2014
Publication date: January 28, 2016
Inventors: Martin JOHNS, Sebastian LEKIES