Prosecution Insights
Last updated: April 19, 2026
Application No. 18/968,050

METHODS, APPARATUSES, MEDIUM, AND DEVICES FOR PROTOTYPE CHAIN POLLUTION VULNERABILITY PROTECTION

Non-Final OA §103
Filed: Dec 04, 2024
Examiner: AMBAYE, SAMUEL
Art Unit: 2433
Tech Center: 2400 — Computer Networks
Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
OA Round: 1 (Non-Final)
Grant Probability: 82% (Favorable)
OA Rounds: 1-2
To Grant: 3y 0m
With Interview: 99%

Examiner Intelligence

Career Allow Rate: 82% (550 granted / 670 resolved; +24.1% vs TC avg), above average
Interview Lift: +25.1% on resolved cases with interview (strong)
Avg Prosecution: 3y 0m typical timeline; 28 currently pending
Career history: 698 total applications across all art units

Statute-Specific Performance

§101: 7.2% (-32.8% vs TC avg)
§103: 71.7% (+31.7% vs TC avg)
§102: 6.4% (-33.6% vs TC avg)
§112: 4.6% (-35.4% vs TC avg)
Tech Center average is an estimate. Based on career data from 670 resolved cases.

Office Action

§103
DETAILED ACTION

Notice of Pre-AIA or AIA Status

1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

2. Claims 1-20 are pending on this application. Claims 1, 8, and 15 are in independent forms.

Priority

3. Foreign priority has been claimed to CN application # 202211673956.9 filed on 12/26/2022.

Information Disclosure Statement

4. The information disclosure statements (IDS's) submitted on 04/16/2025 and 09/30/2025 are in compliance with provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Drawings

5. The drawings filed on 12/04/2024 are accepted by the examiner.

Claim Rejections - 35 USC § 103

6. The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

7. Claims 1-5, 5, 8-12, 12, and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Niu CN Application No. 113849817 (hereinafter Niu) in view of Stefan et al. US Patent Application Publication No. 2019/0095617 (hereinafter Stefan).
Regarding claim 1, a computer-implemented method for prototype chain pollution vulnerability protection (Page 1, a detection method and device of JavaScript prototype chain pollution vulnerability), comprising: “detecting whether a request interface receives a request” (see Niu page 5, lines 4-7, analyzing and determining the stain source of the JavaScript prototype chain pollution vulnerability; for the web application, the data input by the user is transmitted to the service end through the web request); “if the request interface receives the request, starting an aspect proxy function pre-injected into the request interface” (see Niu page 5, lines 7-11, the web request parameter is the user controllable point, namely the stain source; In addition, the file, Cookie, database and so on user controllable or indirect controllable place is also stain source. and because the JavaScript prototype chain pollution vulnerability does not relate to file, Cookie, database and so on information, key analysis web request parameter, corresponding to the JavaScript, responsible for receiving user input parameter of the function are stain source); and “detecting, by the aspect proxy function, whether the request contains a prototype property, and, if the request contains the prototype property, intercepting the request” (see Niu page 5, lines 12-20, S2, mining the risk function in the user-defined code based on the fuzzy test; In the JavaScript application development, in addition to invoking the function in the external library, user-defined function may also store prototype chain pollution. for the called external library function, can through daily collecting and finishing the risk function; for the function defined by the user, by analyzing the common characteristic of prototype chain pollution, by means of fuzzy testing, determining whether it is a risk function. 
Fuzzy test is a method of discovering software faults by providing an unintended input and monitoring the abnormal results, typically an automatic or semi-automatic process that includes repeatedly manipulating the target software and providing processing data for it); but does not explicitly disclose intercepting the request. However, in analogous art, Stefan discloses intercepting the request (see Stefan par. 0043, the policy enforcement module 150 may perform any technique whenever an object becomes accessible to a sandboxed execution context 140. However, intercepting object sharing in this manner has some difficulties. For example, if a trusted execution context 130 and sandboxed execution context 140 share an object, the trusted execution context 130 may at any point assign a property of the object, making it and its prototype available to the sandboxed execution context 140. Intercepting and moving assigned properties is possible (e.g., via the use of ES6 proxies) but may cause significant performance hits). Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Stefan into the system of Niu to include one or more of intercepting prototypes named as values, isolating object prototypes, restricting object prototypes, isolating objects, and freezing prototypes (see Stefan par. 0060).
Regarding claims 2, 9, and 16, Niu in view of Stefan discloses the computer-implemented method of claim 1, the non-transitory, computer-readable medium of claim 8, the computer-implemented system of claim 15, Niu further discloses when an object recursive merge class function receives an input parameter: starting an aspect proxy function pre-injected into the object recursive merge class function, wherein the aspect proxy function detects whether the input parameter contains a prototype property, and, if the input parameter contains the prototype property, intercepts an object copy operation of the object recursive merge class function (see Niu page 7, lines 37-41, In addition, the invention further claims a computer readable storage medium, the computer readable storage medium is stored with a computer program, the computer program is executed by a processor to realize the step of detecting method of the JavaScript prototype chain pollution vulnerability. The detailed implementation steps can refer to the above method, device or device, which will not be repeated here). 
Regarding claims 3, 10, and 17, Niu in view of Stefan discloses the computer-implemented method of claim 1, the non-transitory, computer-readable medium of claim 8, the computer-implemented system of claim 15, Niu further discloses when a path-defined property class function receives a specified path that is input by a user: starting an aspect proxy function pre-injected into the path-defined property class function, wherein the aspect proxy function detects whether the specified path contains a prototype property, and, if the specified path contains the prototype property, intercepts a path valuation operation of the path-defined property class function (see Niu page 6, line 43-page 7, line 3, In summary, the embodiment of the invention claims a JavaScript prototype chain pollution vulnerability detection method, by analyzing the JavaScript prototype chain pollution vulnerability characteristic, using fuzzy test mining user-defined risk function in the JavaScript code, then combining the stain analysis technology, by tracking and analyzing the flow of the stain information in the program, realizing automatic detection of JavaScript prototype chain pollution vulnerability).

Regarding claims 4, 11, and 18, Niu in view of Stefan discloses the computer-implemented method of claim 1, the non-transitory, computer-readable medium of claim 8, the computer-implemented system of claim 15, Stefan further discloses wherein an injection point of the aspect proxy function at the request interface is a code position after the request interface receives the request and before logic of the request is executed (see Stefan par. 0017, The trusted execution context 130 functions to execute code trusted to have unrestricted access to a set of system resources, and in doing so, manage the access of code executed in sandboxed execution contexts 140 to those resources. Of the execution contexts of the system 100, the trusted execution context 130 preferably has the greatest access to system resources (i.e., more than that of any individual sandboxed execution context 140, though the trusted execution context 130 may not necessarily have full access to all resources of a given computer (e.g., code running on a web server that is running in a virtual machine may not have access to the server's BIOS, even if executed in the trusted execution context 130). Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Stefan into the system of Niu to include one or more of intercepting prototypes named as values, isolating object prototypes, restricting object prototypes, isolating objects, and freezing prototypes (see Stefan par. 0060).

Regarding claims 5, 12, and 19, Niu in view of Stefan discloses the computer-implemented method of claim 1, the non-transitory, computer-readable medium of claim 8, the computer-implemented system of claim 15, Niu further discloses wherein an injection point of the aspect proxy function at the request interface is a corresponding code position after logic of the request is executed and before the request interface returns a parameter to a sender of the request (see Niu claim 5, wherein the risk function in the user-defined code based on fuzzy testing is used; the method comprises the following steps: constructing a fuzzy test case; executing fuzzy test script, judging whether the function has prototype chain pollution; marking the function marked with prototype chain pollution as danger function).
Regarding claim 8, Niu discloses a non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform one or more operations for prototype chain pollution vulnerability protection (page 4, lines 6-9, a computer readable storage medium, the computer readable storage medium is stored with a computer program, the computer program is executed by a processor to realize the first aspect of the JavaScript prototype chain pollution vulnerability), comprising: “detecting whether a request interface receives a request” (see Niu page 5, lines 4-7, analyzing and determining the stain source of the JavaScript prototype chain pollution vulnerability; for the web application, the data input by the user is transmitted to the service end through the web request); “if the request interface receives the request, starting an aspect proxy function pre-injected into the request interface” (see Niu page 5, lines 7-11, the web request parameter is the user controllable point, namely the stain source; In addition, the file, Cookie, database and so on user controllable or indirect controllable place is also stain source. and because the JavaScript prototype chain pollution vulnerability does not relate to file, Cookie, database and so on information, key analysis web request parameter, corresponding to the JavaScript, responsible for receiving user input parameter of the function are stain source); and “detecting, by the aspect proxy function, whether the request contains a prototype property, and, if the request contains the prototype property, intercepting the request” (see Niu page 5, lines 12-20, S2, mining the risk function in the user-defined code based on the fuzzy test; In the JavaScript application development, in addition to invoking the function in the external library, user-defined function may also store prototype chain pollution. 
for the called external library function, can through daily collecting and finishing the risk function; for the function defined by the user, by analyzing the common characteristic of prototype chain pollution, by means of fuzzy testing, determining whether it is a risk function. Fuzzy test is a method of discovering software faults by providing an unintended input and monitoring the abnormal results, typically an automatic or semi-automatic process that includes repeatedly manipulating the target software and providing processing data for it); but does not explicitly disclose intercepting the request. However, in analogous art, Stefan discloses intercepting the request (see Stefan par. 0043, the policy enforcement module 150 may perform any technique whenever an object becomes accessible to a sandboxed execution context 140. However, intercepting object sharing in this manner has some difficulties. For example, if a trusted execution context 130 and sandboxed execution context 140 share an object, the trusted execution context 130 may at any point assign a property of the object, making it and its prototype available to the sandboxed execution context 140. Intercepting and moving assigned properties is possible (e.g., via the use of ES6 proxies) but may cause significant performance hits). Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Stefan into the system of Niu to include one or more of intercepting prototypes named as values, isolating object prototypes, restricting object prototypes, isolating objects, and freezing prototypes (see Stefan par. 0060).
Regarding claim 15, Niu discloses a computer-implemented system for prototype chain pollution vulnerability protection, comprising: one or more computers; and one or more computer memory devices interoperably coupled with the one or more computers and having tangible, non-transitory, machine-readable media storing one or more instructions that, when executed by the one or more computers, perform one or more operations, (see Niu page 7, lines 37-39, In addition, the invention further claims a computer readable storage medium, the computer readable storage medium is stored with a computer program, the computer program is executed by a processor to realize the step of detecting method of the JavaScript prototype chain pollution vulnerability comprising: “detecting whether a request interface receives a request” (see Niu page 5, lines 4-7, analyzing and determining the stain source of the JavaScript prototype chain pollution vulnerability; for the web application, the data input by the user is transmitted to the service end through the web request); “if the request interface receives the request, starting an aspect proxy function pre-injected into the request interface” (see Niu page 5, lines 7-11, the web request parameter is the user controllable point, namely the stain source; In addition, the file, Cookie, database and so on user controllable or indirect controllable place is also stain source. 
and because the JavaScript prototype chain pollution vulnerability does not relate to file, Cookie, database and so on information, key analysis web request parameter, corresponding to the JavaScript, responsible for receiving user input parameter of the function are stain source); and “detecting, by the aspect proxy function, whether the request contains a prototype property, and, if the request contains the prototype property, intercepting the request” (see Niu page 5, lines 12-20, S2, mining the risk function in the user-defined code based on the fuzzy test; In the JavaScript application development, in addition to invoking the function in the external library, user-defined function may also store prototype chain pollution. for the called external library function, can through daily collecting and finishing the risk function; for the function defined by the user, by analyzing the common characteristic of prototype chain pollution, by means of fuzzy testing, determining whether it is a risk function. Fuzzy test is a method of discovering software faults by providing an unintended input and monitoring the abnormal results, typically an automatic or semi-automatic process that includes repeatedly manipulating the target software and providing processing data for it); but does not explicitly disclose intercepting the request. However, in analogous art, Stefan discloses intercepting the request (see Stefan par. 0043, the policy enforcement module 150 may perform any technique whenever an object becomes accessible to a sandboxed execution context 140. However, intercepting object sharing in this manner has some difficulties. For example, if a trusted execution context 130 and sandboxed execution context 140 share an object, the trusted execution context 130 may at any point assign a property of the object, making it and its prototype available to the sandboxed execution context 140. Intercepting and moving assigned properties is possible (e.g., via the use of ES6 proxies) but may cause significant performance hits). Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Stefan into the system of Niu to include one or more of intercepting prototypes named as values, isolating object prototypes, restricting object prototypes, isolating objects, and freezing prototypes (see Stefan par. 0060).

8. Claims 6-7, 13-14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Niu CN Application No. 113849817 (hereinafter Niu) in view of Stefan et al. US Patent Application Publication No. 2019/0095617 (hereinafter Stefan) in further view of Madou et al. US Patent Application Publication No. 2013/0160131 (hereinafter Madou).

Regarding claims 6 and 13, Niu in view of Stefan discloses the computer-implemented method of claim 1, the non-transitory, computer-readable medium of claim 8, Niu in view of Stefan does not explicitly disclose wherein the request interface is a hypertext transfer protocol (HTTP) request interface and a remote procedure call (RPC) request interface. However, in analogous art, Madou discloses wherein the request interface is a hypertext transfer protocol (HTTP) request interface and a remote procedure call (RPC) request interface (see Madou par. 0031, The requests and responses can conform to a variety of formats, protocols, or interfaces. In other words, application 214 can be accessible via a variety of formats, protocols, or interfaces implemented at one or more of operating system 211, application server 212, framework 213, and/or application 214. For example, application 214 can be accessible via HTTP, a RESTful interface, Simple Object Access Protocol (SOAP), a Remote Procedure Call (RPC) interface, some other interface, protocol, or format, or a combination thereof).
Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Madou into the system of Niu and Stefan for application to be accessible via HTTP, a RESTful interface, Simple Object Access Protocol (SOAP), a Remote Procedure Call (RPC) interface, some other interface, protocol, or format, or a combination thereof (see Madou par. 0031).

Regarding claims 7, 14, and 20, Niu in view of Stefan discloses the computer-implemented method of claim 1, the non-transitory, computer-readable medium of claim 8, the computer-implemented system of claim 15, Niu in view of Stefan does not explicitly disclose wherein the request interface is hypertext transfer protocol (HTTP) request interface or a remote procedure call (RPC) request interface (see Madou par. 0031, The requests and responses can conform to a variety of formats, protocols, or interfaces. In other words, application 214 can be accessible via a variety of formats, protocols, or interfaces implemented at one or more of operating system 211, application server 212, framework 213, and/or application 214. For example, application 214 can be accessible via HTTP, a RESTful interface, Simple Object Access Protocol (SOAP), a Remote Procedure Call (RPC) interface, some other interface, protocol, or format, or a combination thereof). Therefore it would have been obvious to a person of ordinary skill in the art before the effective filing date of the application to incorporate the teachings of Madou into the system of Niu and Stefan for application to be accessible via HTTP, a RESTful interface, Simple Object Access Protocol (SOAP), a Remote Procedure Call (RPC) interface, some other interface, protocol, or format, or a combination thereof (see Madou par. 0031).

Conclusion

9. The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Johns (US 2018/0349602 A1): discloses a web application security testing framework includes a HTTP browser engine replaying recorded sessions to identify candidate traces indicative of attack. A mutation engine changes values in the attack candidate traces to generate additional traces posed against a virtualized server-side platform. The virtualized server-side platform creates snapshots of application state for testing, avoiding permanent damage to application persistence. The virtualized server-side platform includes persistence monitoring sensors (e.g., at connectors to the database or file system) for detecting vulnerability classes including Cross-Site Request Forgery (CSRF) and SQL injection attacks. For remote command execution attack detection, a server-side vulnerability validation interface records strings passed to code generating application program interfaces (APIs). For possible Cross-Site Scripting (XSS) attacks, the mutation engine may detect HTTP responses for examination of generated web code, and the HTTP browser may be extended to include a vulnerability validation API that is automatically called by successfully injected attack payloads.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to SAMUEL AMBAYE whose telephone number is (571)270-7635. The examiner can normally be reached M-F 9:00 AM - 6:00 PM. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached at (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SAMUEL AMBAYE/
Examiner, Art Unit 2433

/JEFFREY C PWU/
Supervisory Patent Examiner, Art Unit 2433
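The protection the rejected claims describe, as an added JavaScript example that is not code from the application, the office action, Niu or Stefan: an aspect proxy injected around a request handler detects prototype keys (`__proto__`, `constructor`, `prototype`) in the request body and intercepts the request before handler logic runs and again before the parameter is returned (claims 1, 4, 5), beside a guarded recursive merge (claim 2) and a guarded path-defined set (claim 3). The function names, the sample handler and the sample requests are assumptions constructed for this example.

```javascript
// Added example, not code from the application, Niu or Stefan. The names
// injectAspectProxy, safeMerge, safeSetPath and settingsHandler are assumptions.
// Keys through which attacker-shaped JSON reaches Object.prototype via a recursive
// merge or a path-defined set. JSON has only string keys, so a Set of strings suffices.
const PROTO_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Depth-first walk of a parsed request body; returns the dotted path of the first
// prototype key or null for a clean payload. JSON.parse creates "__proto__" as an
// own data property, so Object.keys sees it.
function findPrototypeKey(value, path = '') {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    const here = path ? `${path}.${key}` : key;
    if (PROTO_KEYS.has(key)) return here;
    const hit = findPrototypeKey(value[key], here);
    if (hit) return hit;
  }
  return null;
}
// Aspect proxy pre-injected around a request handler (claim 1). Injection point A
// (claim 4): after the request is received, before handler logic runs. Injection
// point B (claim 5): after the logic, before the parameter is returned to the sender.
function injectAspectProxy(handler) {
  return function aspectProxy(request) {
    const inHit = findPrototypeKey(request.body);
    if (inHit) return { status: 400, intercepted: true, reason: `body.${inHit}` };
    const response = handler(request);
    const outHit = findPrototypeKey(response.body);
    if (outHit) return { status: 500, intercepted: true, reason: `response.${outHit}` };
    return response;
  };
}
// Guarded recursive merge (claim 2): the copy operation is intercepted for prototype
// keys, and nested writes go only into own, plain-object properties of `target`.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (PROTO_KEYS.has(key)) continue; // intercept: never copy this key
    const src = source[key];
    if (src !== null && typeof src === 'object' && !Array.isArray(src)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Guarded path-defined set (claim 3): lodash-style set(obj, 'a.b.c', v) where every
// segment of the user-supplied path is checked before the valuation operation runs.
function safeSetPath(obj, path, value) {
  const segments = path.split('.');
  const bad = segments.find((s) => PROTO_KEYS.has(s));
  if (bad !== undefined) throw new Error(`intercepted path segment "${bad}"`);
  let cursor = obj;
  for (const seg of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cursor, seg);
    if (!own || cursor[seg] === null || typeof cursor[seg] !== 'object') cursor[seg] = {};
    cursor = cursor[seg];
  }
  cursor[segments[segments.length - 1]] = value;
  return obj;
}

// Constructed sample handler: merges the request body into default settings, the
// classic sink for this vulnerability class.
function settingsHandler(request) {
  return { status: 200, body: safeMerge({ theme: 'light' }, request.body) };
}
const guardedSettings = injectAspectProxy(settingsHandler);
// Constructed sample requests: one benign, one carrying a nested prototype key.
const benignRequest = { body: { theme: 'dark', notify: { email: true } } };
const hostileRequest = { body: JSON.parse('{"notify":{"__proto__":{"polluted":true}}}') };
function demo() {
  const allowed = guardedSettings(benignRequest);
  const blocked = guardedSettings(hostileRequest);
  // After the hostile request was intercepted, Object.prototype must be untouched.
  return { allowed, blocked, prototypeClean: ({}).polluted === undefined };
}
```

Running `demo()` shows the benign request passing through with the merged settings and the hostile request stopped at injection point A with the offending path reported.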

Prosecution Timeline

Dec 04, 2024: Application Filed
Mar 21, 2026: Non-Final Rejection — §103 (current)

Precedent Cases

Applications granted by this same examiner with similar technology (based on the 5 most recent grants):

Patent 12603912: AUTOMATED SECURITY TESTING SYSTEM AND METHOD (granted Apr 14, 2026; 2y 5m to grant)
Patent 12596834: METHOD OF PROCESSING DATA FOR PERSONAL INFORMATION PROTECTION AND APPARATUS USING THE SAME (granted Apr 07, 2026; 2y 5m to grant)
Patent 12598057: SIMILARITY CALCULATION SYSTEM, SIMILARITY CALCULATION APPARATUS, SIMILARITY CALCULATION METHOD, AND SIMILARITY CALCULATION PROGRAM (granted Apr 07, 2026; 2y 5m to grant)
Patent 12593203: Remote identity verification and dynamic storage of identity data (granted Mar 31, 2026; 2y 5m to grant)
Patent 12574363: SYSTEM FOR USER-INITIATED AUTHENTICATION OF AN ELECTRONIC COMMUNICATION CHANNEL USING A SECURE COMPUTING APPLICATION TOKEN (granted Mar 10, 2026; 2y 5m to grant)


Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 82%
With Interview: 99% (+25.1%)
Median Time to Grant: 3y 0m
PTA Risk: Low
Based on 670 resolved cases by this examiner. Grant probability derived from career allow rate.
