DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
The Preliminary Amendment filed 15 September 2020 has been received and considered.
Claims 39-76 are pending.
This Action is Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 15 September 2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 39, 43, 44, 46-53, 57, 58, 60-76 are rejected under 35 U.S.C. 103 as being unpatentable over Amit et al. (US 20100299754) in view of Winch (“AngularJS - Escaping the Expression Sandbox for XSS”).
As per claims 39 and 53, Amit et al. discloses a system and method comprising: receiving, at data processing hardware, a web page; determining, by the data processing hardware, that the web page implements an interpreted programming language framework (see paragraphs [0035]-[0036] and [0044] where JavaScript is an interpreted language); 
extracting, by the data processing hardware, information about the interpreted programming language; generating, by the data processing hardware, an attack payload for at least one injection vulnerability context of the web page based on the information of the interpreted programming language (see paragraphs [0035]-[0038] and paragraph [0044] e.g. identifying the functions); 
instrumenting, by the data processing hardware, the web page to inject the attack payload into the at least one injection vulnerability context of the web page; and executing, by the data processing hardware, the instrumented web page (see paragraphs [0036]-[0042] and [0044] where the data is manipulated to include attack data in the webpage).
Amit et al. fails to explicitly disclose the inclusion of client-side templating and using a version of the interpreted programming language framework and an interpolation sign from the web page to generate the attack payload.
However, Winch teaches the determination of client-side templating and using a version of the interpreted programming language framework and an interpolation sign from the web page to generate the attack payload (see pages 2-4 where AngularJS uses client-side templating and the example generates the attack payload using the specific version 1.4.8 and interpolation sign, i.e. “{{…}}”).
At a time before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to include the exploit of Winch in the testing of the Amit et al. system.
Motivation, as recognized by one of ordinary skill in the art, to do so would have been to allow the system to test for and notify about additional vulnerabilities in the web page.
As per claims 43, 44, 57, and 58, the modified Amit et al. and Winch system discloses the attack payload comprises a validation function configured to validate execution of the validation function to the data processing hardware, catching, by the data processing hardware, a response of the validation function triggered by the attack payload during execution of the instrumented web page; and identifying, by the data processing hardware, a vulnerability of the web page based on the response (see Winch pages 3-4 and Amit et al. paragraphs [0035]-[0044] where the functions that are part of the attack payload are validated by the system prior to execution and the attack output is caught by the system to detect the vulnerability).
As per claims 46 and 60, the modified Amit et al. and Winch system discloses generating the attack payload comprises generating a single attack payload configured for instrumentation into the web page for each injection vulnerability context of the web page (see Amit et al. paragraphs [0035]-[0044] and Winch pages 2-4).
As per claims 47 and 61, the modified Amit et al. and Winch system discloses instrumenting the web page to inject the attack payload comprises injecting, by the data processing hardware, the attack payload into a possible input vector of the web page (see Amit et al. paragraphs [0036]-[0040] and Winch pages 2-4).
As per claims 48, 49, 62, and 63, the modified Amit et al. and Winch system discloses instrumenting the web page to inject the attack payload comprises: generating, by the data processing hardware, a separate test case for each possible input vector of the web page; and injecting, by the data processing hardware, the attack payload into the respective possible input vector of each test case and executing the instrumented web page comprises executing the instrumented web page for each test case (see Amit et al. paragraphs [0035]-[0044] and Winch pages 2-4 where each system tests different vulnerabilities using different tests).
As per claims 50 and 64, the modified Amit et al. and Winch system discloses determining, by the data processing hardware, whether a vulnerability of the web page is identified during execution of the web page; when the vulnerability of the web page is identified: generating, by the data processing hardware, a second attack payload based on the version of the interpreted programming language framework and the vulnerability of the web page, the second attack payload comprising a user notification indicating the vulnerability of the web page; injecting, by the data processing hardware, the second attack payload into the web page; and transmitting the web page having the injected second attack payload from the data processing hardware to a user device requesting the web page, the web page when received by the user device, causing the user device to execute the web page and display the user notification on a user interface executing on the user device (see Amit et al. paragraphs [0035]-[0044] and Winch pages 2-4 where each system is testing a vulnerability on a web page).
As per claims 51 and 65, the modified Amit et al. and Winch system discloses instrumenting the web page to inject the attack payload comprises injecting the attack payload using prototypical inheritance (see Winch page 3 where the JavaScript uses prototypical inheritance).
As per claims 52 and 66, the modified Amit et al. and Winch system discloses the interpreted programming language comprises JavaScript (see Amit et al. paragraphs [0036]-[0039] and Winch pages 1-4).
As per claims 67 and 72, the modified Amit et al. and Winch system discloses requesting, at data processing hardware, a web page; receiving, at the data processing hardware, the web page having an attack payload injected into a vulnerability context of the web page (see Amit et al. paragraphs [0025]-[0044] and Winch pages 2-4); 
determining, by the data processing hardware, that the web page implements an interpreted programming language framework with client-side templating (see Winch pages 2-4); executing, by the data processing hardware, the web page; and generating, by the data processing hardware, a notification triggered by the attack payload, the notification indicating a vulnerability of the web page (see Amit et al. paragraph [0041]).
As per claims 68 and 73, the modified Amit et al. and Winch system discloses the attack payload is based on a version of the interpreted programming language framework and an interpolation sign from the web page (see Winch pages 2-4).
As per claims 69 and 74, the modified Amit et al. and Winch system discloses the attack payload is injected into the vulnerability context of the web page using prototypical inheritance (see Winch page 3 where the JavaScript uses prototypical inheritance).
As per claims 70 and 75, the modified Amit et al. and Winch system discloses the vulnerability is based on the vulnerability context of the web page (see Amit et al. paragraphs [0036]-[0044] and Winch pages 2-4).
As per claims 71 and 76, the modified Amit et al. and Winch system discloses the interpreted programming language comprises JavaScript (see Amit et al. paragraphs [0036]-[0039] and Winch pages 1-4).
Claims 45 and 59 are rejected under 35 U.S.C. 103 as being unpatentable over the modified Amit et al. and Winch system as applied to claims 39 and 53 above, and further in view of Yang et al. (US 20190303584).
As per claims 45 and 49, the modified Amit et al. and Winch system fails to disclose executing, by the data processing hardware, the web page to expose an Application Programming Interface of the interpreted programming language framework; modifying, by the data processing hardware, the API; and intercepting, by the data processing hardware, a reconfiguration of the interpolation sign using at least the modified API.
However, Yang et al. teaches executing, by the data processing hardware, the web page to expose an Application Programming Interface of the interpreted programming language framework; modifying, by the data processing hardware, the API; and intercepting, by the data processing hardware, a reconfiguration of the interpolation sign using at least the modified API (see paragraphs [0037]-[0042] the use of hooking the JavaScript API).
At a time before the effective filing date of the invention it would have been obvious to one of ordinary skill in the art to include the API of Yang et al. in the modified Amit et al. and Winch system.
Motivation to do so would have been to allow for monitoring of the trace of execution of the JavaScript (see Yang et al. paragraphs [0037]-[0042]).

Allowable Subject Matter
Claims 40-42 and 54-56 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter: The prior art generally teaches the use of catching exceptions, but fails to teach the use of identifying the type of vulnerability based on the caught exception in combination with the intervening claim limitations.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: the remaining references put forth on the PTO-892 form are directed to detecting vulnerabilities in web pages.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J PYZOCHA whose telephone number is (571)272-3875. The examiner can normally be reached Monday-Thursday 7:30am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hadi Armouche, can be reached on (571) 270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/Michael Pyzocha/               Primary Examiner, Art Unit 2419