Patents by Inventor Sebastian Lekies

Sebastian Lekies has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240056473
    Abstract: A method includes receiving a scan request requesting to scan a set of network-connected assets designated for a network scan. For each respective network-connected asset, the method includes scanning, at a network security scanner using a first scanning privilege level, the respective network-connected asset. The method includes determining, based on the scan using the first scanning privilege level, whether the respective network-connected asset has a vulnerability. In response, the method includes scanning, at the network security scanner using a second scanning privilege level, the respective network-connected asset. The second scanning privilege level defines a lower level of access the network security scanner has than the first scanning privilege level. The method includes determining, based on the scans, an exposure level of the vulnerability. The method includes reporting the exposure level of the vulnerability to a user of the respective network-connected asset.
    Type: Application
    Filed: October 26, 2023
    Publication date: February 15, 2024
    Applicant: Google LLC
    Inventors: Sebastian Lekies, Jean-Baptiste Cid
  • Patent number: 11870798
    Abstract: A method for minimizing scan disruptions includes receiving a scan request requesting to scan a set of network-connected assets. Each network-connected asset is associated with corresponding network characteristics. The method includes partitioning the set of network-connected assets into a plurality of groups based on the corresponding network characteristics. For each respective group, simultaneously, the method includes determining an ordered list for scanning each network-connected asset in the respective group, scanning a first network-connected asset of the respective group based on the ordered list, and, after scanning the first network-connected asset, determining a post-scan health status of the first network-connected asset. The method includes determining, using the post-scan health status, that a health of the first network-connected asset is degraded.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: January 9, 2024
    Assignee: Google LLC
    Inventors: Claudio Criscione, David Aslanian, Sebastian Lekies, Joseph Nelson
  • Patent number: 11847231
    Abstract: A method for detecting an injection vulnerability of a client-side templating system includes receiving a web page, determining that the web page implements an interpreted programming language framework with client-side templating, and extracting a version of the interpreted programming language framework and an interpolation sign from the web page. The method also includes generating an attack payload for at least one injection vulnerability context of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
    Type: Grant
    Filed: October 7, 2021
    Date of Patent: December 19, 2023
    Assignee: Google LLC
    Inventors: Sebastian Lekies, Nicolas Golubovic
  • Patent number: 11824886
    Abstract: A method includes receiving a scan request requesting to scan a set of network-connected assets designated for a network scan. For each respective network-connected asset, the method includes scanning, at a network security scanner using a first scanning privilege level, the respective network-connected asset. The method includes determining, based on the scan using the first scanning privilege level, whether the respective network-connected asset has a vulnerability. In response, the method includes scanning, at the network security scanner using a second scanning privilege level, the respective network-connected asset. The second scanning privilege level defines a lower level of access the network security scanner has than the first scanning privilege level. The method includes determining, based on the scans, an exposure level of the vulnerability. The method includes reporting the exposure level of the vulnerability to a user of the respective network-connected asset.
    Type: Grant
    Filed: April 29, 2021
    Date of Patent: November 21, 2023
    Assignee: Google LLC
    Inventors: Sebastian Lekies, Jean-Baptiste Cid
  • Patent number: 11750635
    Abstract: This technology is directed to a rules based engine for managing network-based scanning of devices on a network to minimize disruptions to the network. One or more processors may identify an initial group of network devices from a set of network devices, the initial group of network devices being identified in accordance with a rule set, and initiate a scan of the initial group of network devices. The one or more processors may determine, in accordance with the rule set, an additional group of network devices from the set of network devices to be scanned and initiate a scan of the additional group of network devices. The steps may be repeated until all network devices in the set of network devices are scanned in accordance with the rule set.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: September 5, 2023
    Assignee: Google LLC
    Inventors: Sebastian Lekies, David Aslanian, Claudio Criscione
  • Publication number: 20230259637
    Abstract: A method for detecting an injection vulnerability of a client-side templating system includes receiving a web page, determining that the web page implements an interpreted programming language framework with client-side templating, and extracting a version of the interpreted programming language framework and an interpolation sign from the web page. The method also includes generating an attack payload for at least one injection vulnerability context of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
    Type: Application
    Filed: April 19, 2023
    Publication date: August 17, 2023
    Applicant: Google LLC
    Inventors: Sebastian Lekies, Nicolas Golubovic
  • Patent number: 11640471
    Abstract: A method (800) for detecting an injection vulnerability of a client-side templating system includes receiving a web page (200), determining that the web page implements an interpreted programming language framework (142) with client-side templating, and extracting a version (144) of the interpreted programming language framework and an interpolation sign (146) from the web page. The method also includes generating an attack payload (152a) for at least one injection vulnerability context (210) of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
    Type: Grant
    Filed: May 4, 2018
    Date of Patent: May 2, 2023
    Assignee: Google LLC
    Inventors: Sebastian Lekies, Nicolas Golubovic
  • Publication number: 20220353287
    Abstract: A method includes receiving a scan request requesting to scan a set of network-connected assets designated for a network scan. For each respective network-connected asset, the method includes scanning, at a network security scanner using a first scanning privilege level, the respective network-connected asset. The method includes determining, based on the scan using the first scanning privilege level, whether the respective network-connected asset has a vulnerability. In response, the method includes scanning, at the network security scanner using a second scanning privilege level, the respective network-connected asset. The second scanning privilege level defines a lower level of access the network security scanner has than the first scanning privilege level. The method includes determining, based on the scans, an exposure level of the vulnerability. The method includes reporting the exposure level of the vulnerability to a user of the respective network-connected asset.
    Type: Application
    Filed: April 29, 2021
    Publication date: November 3, 2022
    Applicant: Google LLC
    Inventors: Sebastian Lekies, Jean-Baptiste Cid
  • Publication number: 20220345478
    Abstract: A method for minimizing scan disruptions includes receiving a scan request requesting to scan a set of network-connected assets. Each network-connected asset is associated with corresponding network characteristics. The method includes partitioning the set of network-connected assets into a plurality of groups based on the corresponding network characteristics. For each respective group, simultaneously, the method includes determining an ordered list for scanning each network-connected asset in the respective group, scanning a first network-connected asset of the respective group based on the ordered list, and, after scanning the first network-connected asset, determining a post-scan health status of the first network-connected asset. The method includes determining, using the post-scan health status, that a health of the first network-connected asset is degraded.
    Type: Application
    Filed: April 23, 2021
    Publication date: October 27, 2022
    Applicant: Google LLC
    Inventors: Joseph Nelson, David Aslanian, Claudio Criscione, Sebastian Lekies
  • Publication number: 20220030028
    Abstract: A method for detecting an injection vulnerability of a client-side templating system includes receiving a web page, determining that the web page implements an interpreted programming language framework with client-side templating, and extracting a version of the interpreted programming language framework and an interpolation sign from the web page. The method also includes generating an attack payload for at least one injection vulnerability context of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
    Type: Application
    Filed: October 7, 2021
    Publication date: January 27, 2022
    Applicant: Google LLC
    Inventors: Sebastian Lekies, Nicolas Golubovic
  • Publication number: 20220021696
    Abstract: This technology is directed to a rules based engine for managing network-based scanning of devices on a network to minimize disruptions to the network. One or more processors may identify an initial group of network devices from a set of network devices, the initial group of network devices being identified in accordance with a rule set, and initiate a scan of the initial group of network devices. The one or more processors may determine, in accordance with the rule set, an additional group of network devices from the set of network devices to be scanned and initiate a scan of the additional group of network devices. The steps may be repeated until all network devices in the set of network devices are scanned in accordance with the rule set.
    Type: Application
    Filed: July 20, 2020
    Publication date: January 20, 2022
    Inventors: Sebastian Lekies, David Aslanian, Claudio Criscione
  • Publication number: 20210044617
    Abstract: A method (800) for detecting an injection vulnerability of a client-side templating system includes receiving a web page (200), determining that the web page implements an interpreted programming language framework (142) with client-side templating, and extracting a version (144) of the interpreted programming language framework and an interpolation sign (146) from the web page. The method also includes generating an attack payload (152a) for at least one injection vulnerability context (210) of the web page based on the version of the interpreted programming language framework and the interpolation sign, instrumenting the web page to inject the attack payload into the at least one injection vulnerability context of the web page, and executing the instrumented web page.
    Type: Application
    Filed: May 4, 2018
    Publication date: February 11, 2021
    Applicant: Google LLC
    Inventors: Sebastian Lekies, Nicolas Golubovic
  • Patent number: 10397243
    Abstract: A widget generator may be configured to provide, to a browser application, a widget that is executable to be rendered in conjunction with a page rendered by the browser application. A protection manager may be configured to provide, to the browser application and in conjunction with the widget, a protection script that is executable within a page context of the page and separate from a widget context of the widget. The protection script, during execution, validates a condition associated with a frame of the page that is used to render the widget, and enables functionality of the widget within the page, based on validation of the condition.
    Type: Grant
    Filed: July 25, 2014
    Date of Patent: August 27, 2019
    Assignee: SAP SE
    Inventors: Martin Johns, Sebastian Lekies
  • Patent number: 9934393
    Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for providing data security in web applications operating offline, and actions include receiving a request from a user of a web application during offline use of the web application in a web browser, the request implicating a data item, receiving an offline password from the user, decrypting an encrypted offline key to provide an offline key, and selectively using the offline key to process the data item based on a data protection policy stored in storage of the web browser and a protection level assigned to the data item.
    Type: Grant
    Filed: April 21, 2015
    Date of Patent: April 3, 2018
    Assignee: SAP SE
    Inventors: Martin Johns, Sebastian Lekies
  • Patent number: 9805203
    Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage media for receiving, by a SSCA module of a server, source code data based on one or more web pages of a website, analyzing, by the SSCA module, the source code data using static analysis to provide initial results, the initial results including identifiers respectively assigned to one or more variables provided in the source code data, transmitting, by the SSCA module, a request to the website through a proxy server, the request being based on the initial results, the proxy server receiving a response and transmitting a rewritten response to a DSCA module executed on a client, receiving, by the SSCA module, updated source code data from the DSCA module, the updated source code data being provided based on the rewritten response, and updating, by the SSCA module, the initial results based on the updated source code data.
    Type: Grant
    Filed: April 21, 2015
    Date of Patent: October 31, 2017
    Assignee: SAP SE
    Inventors: Martin Johns, Sebastian Lekies, Benjamin Raethlein
  • Publication number: 20160314303
    Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage mediums for providing data security in web applications operating offline, and actions include receiving a request from a user of a web application during offline use of the web application in a web browser, the request implicating a data item, receiving an offline password from the user, decrypting an encrypted offline key to provide an offline key, and selectively using the offline key to process the data item based on a data protection policy stored in storage of the web browser and a protection level assigned to the data item.
    Type: Application
    Filed: April 21, 2015
    Publication date: October 27, 2016
    Inventors: Martin Johns, Sebastian Lekies
  • Publication number: 20160314301
    Abstract: Implementations of the present disclosure include methods, systems, and computer-readable storage media for receiving, by a SSCA module of a server, source code data based on one or more web pages of a website, analyzing, by the SSCA module, the source code data using static analysis to provide initial results, the initial results including identifiers respectively assigned to one or more variables provided in the source code data, transmitting, by the SSCA module, a request to the website through a proxy server, the request being based on the initial results, the proxy server receiving a response and transmitting a rewritten response to a DSCA module executed on a client, receiving, by the SSCA module, updated source code data from the DSCA module, the updated source code data being provided based on the rewritten response, and updating, by the SSCA module, the initial results based on the updated source code data.
    Type: Application
    Filed: April 21, 2015
    Publication date: October 27, 2016
    Inventors: Martin Johns, Sebastian Lekies, Benjamin Raethlein
  • Patent number: 9432383
    Abstract: An aspect identifier of an integrity validation script may be provided to a browser application, that, during execution thereof by the browser application when rendering a page, identifies a document object model (DOM) aspect of a DOM of the page. A copy generator of the integrity validation script may be provided to the browser application that, during execution thereof by the browser application when rendering the page, generates a copy of the identified DOM aspect. The integrity validation script is configured to test an integrity of the DOM based on attempted deletion of the identified DOM aspect, while maintaining the identified DOM aspect through the copy thereof.
    Type: Grant
    Filed: July 25, 2014
    Date of Patent: August 30, 2016
    Assignee: SAP SE
    Inventors: Martin Johns, Sebastian Lekies
  • Patent number: 9300687
    Abstract: Techniques for preventing unauthorized access to protected network resources include accessing, from a client appliance connected in a distributed network, a computing appliance through the world wide web, the computing appliance including a DNS server addressed by a particular domain name; receiving, from the computing appliance, a portion of code at the client appliance through a web browser of the client appliance, receiving, to a server appliance connected in the distributed network, a request to access secure content stored on the server appliance by the portion of code; comparing the domain name of the DNS server with a server-origin of the secure content; and based on the domain name of the DNS server being exclusive of a set of server-origin values that includes the server-origin, denying access to the request.
    Type: Grant
    Filed: August 6, 2013
    Date of Patent: March 29, 2016
    Assignee: SAP SE
    Inventors: Martin Johns, Sebastian Lekies
  • Publication number: 20160028743
    Abstract: An aspect identifier of an integrity validation script may be provided to a browser application, that, during execution thereof by the browser application when rendering a page, identifies a document object model (DOM) aspect of a DOM of the page. A copy generator of the integrity validation script may be provided to the browser application that, during execution thereof by the browser application when rendering the page, generates a copy of the identified DOM aspect. The integrity validation script is configured to test an integrity of the DOM based on attempted deletion of the identified DOM aspect, while maintaining the identified DOM aspect through the copy thereof.
    Type: Application
    Filed: July 25, 2014
    Publication date: January 28, 2016
    Inventors: Martin Johns, Sebastian Lekies