Application aware virtual patching
Abstract
The technology disclosed relates to thwarting attempts in between software releases to take advantage of security holes in web applications. A virtual patch is a data object comprising an identifier that indicates a relevant local context for the patch and may be created while the application is running. One or more conditions included in the patch are evaluated using data from a service request or from the local context. A patch directive specifies an action to perform when the one or more conditions are satisfied. A virtual patch may be applied to the running application without requiring replacing the application code. Responsive to a request for a web service, a web application may execute code in multiple distinct local contexts such as session management, authorization, and application-specific business logic. The code for each local context may independently retrieve a set of virtual patches relevant to its particular local context.
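The abstract describes a virtual patch as a data object with three parts (a context specification, a condition over request data and local state, and a directive), retrieved and applied independently by each local context of the application. The following is an added illustration, not code from the patent or from any product that implements it: a toy request pipeline in which each component (session, authorization, business logic) runs its own filter, fetches only the patches tagged with its context, evaluates the condition against the request parameters plus that component's private state, and performs the directive. The names (VirtualPatch, PatchStore, Component, the sample patches, the session table) and the choice of Python callables as the condition language are all assumptions made for this example; the patent does not specify a condition syntax.

```python
# Added example (not the patent's or any vendor's code): a toy model of
# context-scoped virtual patching. Every name below (VirtualPatch, PatchStore,
# Component, the sample patches and the session table) is an assumption made
# for this illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Request:
    path: str
    params: Dict[str, str]
    session_id: str

@dataclass
class Outcome:
    blocked: bool = False
    reason: Optional[str] = None
    applied: List[str] = field(default_factory=list)   # "<context>:<patch_id>", in order
    log: List[str] = field(default_factory=list)

@dataclass
class VirtualPatch:
    """The patch data object: context specification + condition + directive."""
    patch_id: str
    context: str                                             # which component may apply it
    condition: Callable[[Request, Dict[str, object]], bool]  # sees request params and local state
    directive: str                                           # "block", "log" or "drop_param:<name>"

class PatchStore:
    """Shared store; add() may be called while the application is running."""
    def __init__(self) -> None:
        self._patches: List[VirtualPatch] = []
    def add(self, patch: VirtualPatch) -> None:
        self._patches.append(patch)
    def for_context(self, context: str) -> List[VirtualPatch]:
        # Each component retrieves only the patches tagged with its own context.
        return [p for p in self._patches if p.context == context]

def apply_directive(patch: VirtualPatch, req: Request, out: Outcome) -> None:
    out.applied.append(f"{patch.context}:{patch.patch_id}")
    if patch.directive == "block":
        out.blocked, out.reason = True, patch.patch_id
    elif patch.directive == "log":
        out.log.append(f"{patch.patch_id} matched {req.path}")
    elif patch.directive.startswith("drop_param:"):
        req.params.pop(patch.directive.split(":", 1)[1], None)
    else:
        raise ValueError(f"unknown directive {patch.directive!r}")

class Component:
    """One partition of the app (session, authz, business logic) with private state."""
    def __init__(self, name: str, store: PatchStore,
                 local_state: Callable[[Request], Dict[str, object]]) -> None:
        self.name, self.store, self.local_state = name, store, local_state
    def filter(self, req: Request, out: Outcome) -> None:
        state = self.local_state(req)            # visible only to this component's filter
        for patch in self.store.for_context(self.name):
            if patch.condition(req, state):
                apply_directive(patch, req, out)
                if out.blocked:
                    return

def handle(req: Request, components: List[Component]) -> Outcome:
    out = Outcome()
    for comp in components:                      # filters run in pipeline order
        comp.filter(req, out)
        if out.blocked:
            break
    return out

# Constructed sample session table standing in for a real session manager.
SESSIONS = {"s1": {"user": "alice", "account_id": "1001", "authenticated": True}}

def build_demo():
    """Return (store, components) with three constructed patches, one per context."""
    store = PatchStore()
    store.add(VirtualPatch("require-session", "session",
        lambda r, st: not st["authenticated"] and r.path.startswith("/account"), "block"))
    store.add(VirtualPatch("idor-account-check", "authz",
        lambda r, st: "account_id" in r.params and r.params["account_id"] != st["account_id"],
        "block"))
    store.add(VirtualPatch("drop-debug-param", "business",
        lambda r, st: st["endpoint"] == "/account/export" and "debug" in r.params,
        "drop_param:debug"))
    components = [
        Component("session", store, lambda r: {
            "authenticated": SESSIONS.get(r.session_id, {}).get("authenticated", False)}),
        Component("authz", store, lambda r: {
            "account_id": SESSIONS.get(r.session_id, {}).get("account_id")}),
        Component("business", store, lambda r: {"endpoint": r.path}),
    ]
    return store, components

def run(path: str, params: Dict[str, str], session_id: str):
    """Handle one request against a fresh demo pipeline; returns (outcome, request)."""
    _, components = build_demo()
    req = Request(path, dict(params), session_id)
    return handle(req, components), req
```

Two properties of the claimed design show up directly in this model: a patch tagged `authz` is never evaluated by the session or business-logic filter, even though all three share one store, and the `idor-account-check` condition can only be expressed where the authorization component's private view of the session (the caller's own `account_id`) is available. Adding a patch to the store between requests changes behaviour without restarting anything, which is the "no code replacement" property the abstract describes.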
19 Claims
1. A computer-implemented method for patching code for web apps in between software releases, the method comprising:
- receiving a particular web application request comprising request data;
- retrieving, by a filter implemented by one of a plurality of application components, the filter for processing virtual patches that access a private state of the one of the plurality of application components implementing the filter, a set of virtual patches relevant to a particular application-specific local context of a distinct application component within a web application partitioned into a plurality of distinct application components, wherein a virtual patch of the set of retrieved virtual patches is a data object that comprises:
  - a particular context specification that identifies a protected logic component to which control may be returned of the web application that will apply test input against the virtual patch;
  - a condition applying to the request data and referencing:
    - a value of one or more parameters in an HTTP request message that invokes an interface in the web application; and
    - a value of a local state variable in the particular application-specific local context; and
  - a directive that specifies at least one action to be performed when the condition is satisfied;
- in the filter of the one of the plurality of application components that implements the filter, using portions of the request data referenced by the condition to satisfy the condition; and
- responsive to satisfying the condition, applying, by the filter, the virtual patch to at most the one of the plurality of application components that implements the filter and having a current application-specific local context that matches the retrieving virtual patches, by performing the directive.

Dependent claims 2 through 17 refer back to claim 1.

18. A non-transitory computer readable memory storing instructions for patching code for web apps in between software releases, wherein the instructions perform:
- receiving a particular web application request comprising request data;
- retrieving, by a filter implemented by one of a plurality of application components on the same side of a firewall as the one of the plurality of application components, the filter for processing virtual patches that access a private state of the one of the application components implementing the filter, a set of virtual patches relevant to a particular application-specific local context of a distinct application component within a web application partitioned into a plurality of distinct application components, wherein a virtual patch of the set of retrieved virtual patches is a data object that comprises:
  - a particular context specification that identifies a protected logic component to which control may be returned of the web application that will apply test input against the virtual patch;
  - a condition applying to the request data and referencing:
    - a value of one or more parameters in an HTTP request message that invokes an interface in the web application; and
    - a value of a local state variable in the particular application-specific local context; and
  - a directive that specifies at least one action to be performed when the condition is satisfied;
- in the filter of the one of the plurality of application components that implements the filter, using portions of the request data referenced by the condition to satisfy the condition; and
- responsive to satisfying the condition, applying, by the filter, the virtual patch to at most the one of the plurality of application components that implements the filter and having a current application-specific local context that matches the retrieving virtual patches, by performing the directive.

19. A web server that patches code for web apps in between software releases, the web server comprising:
- a processor coupled to a network interface and a memory storing instructions that perform:
  - receiving a particular web application request comprising request data;
  - retrieving, by a filter implemented by one of a plurality of application components on the same side of a firewall as the one of the plurality of application components, the filter for processing virtual patches that access a private state of the one of the plurality of application components implementing the filter, a set of virtual patches relevant to a particular application-specific local context of a distinct application component within a web application partitioned into a plurality of distinct application components, wherein a virtual patch of the set of retrieved virtual patches is a data object that comprises:
    - a particular context specification that identifies a protected logic component to which control may be returned of the web application that will apply test input against the virtual patch;
    - a condition applying to the request data and referencing:
      - a value of one or more parameters in an HTTP request message that invokes an interface in the web application; and
      - a value of a local state variable in the particular application-specific local context; and
    - a directive that specifies at least one action to be performed when the condition is satisfied;
  - in the filter of the one of the plurality of application components that implements the filter, using portions of the request data referenced by the condition to satisfy the condition; and
  - responsive to satisfying the condition, applying, by the filter, the virtual patch to at most the one of the plurality of application components that implements the filter and having a current application-specific local context that matches the retrieving virtual patches, by performing the directive.