Asymmetrical challenges for web security

US 10,567,419 B2
Filed: 07/06/2016
Issued: 02/18/2020
Est. Priority Date: 07/06/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving, at a computing system, first code corresponding to a web page requested by a client computing device, the first code comprising code that, when executed, allows a user to submit a request to initiate a web transaction presented by the web page;

generating second code that defines a challenge to be solved by the client computing device, the second code comprising code that, when executed, determines a valid solution to the challenge;

generating modified first code corresponding to the web page by embedding the second code into the first code so that the challenge is solved when the modified first code executes, and generating a modified request by modifying the request to require values for one or more parameters that are a solution to the challenge so that submission of any request initiating the web transaction is delayed until the challenge is solved;

providing, to the client computing device, the modified first code;

receiving a modified request from the client computing device to initiate the web transaction, the modified request including a possible solution to the challenge comprising values for the one or more parameters;

determining whether the possible solution is a valid solution to the challenge; and

taking action to initiate the particular web transaction or to not initiate the particular web transaction based on whether the possible solution is a valid solution to the challenge;

wherein the method is performed by one or more computing devices.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This document describes, among other things, a computer-implemented method for improving the security of one or more computing systems. The method can include receiving, at a computing system, first code that defines at least a portion of an electronic resource that is to be served to a client computing device. The method can include generating code that defines a challenge to be solved by the client computing device, in which the code is arranged to cause the client computing device to determine values for one or more parameters that comprise a solution to the challenge, and the values for the one or more parameters that comprise the solution to the challenge may be required for the client computing device to make valid requests to initiate one or more web-based transactions. The computing system can determine whether particular values for the parameters comprise a valid solution to the challenge.

243 Citations

38 Claims

1. A computer-implemented method, comprising:
- receiving, at a computing system, first code corresponding to a web page requested by a client computing device, the first code comprising code that, when executed, allows a user to submit a request to initiate a web transaction presented by the web page;
  
  generating second code that defines a challenge to be solved by the client computing device, the second code comprising code that, when executed, determines a valid solution to the challenge;
  
  generating modified first code corresponding to the web page by embedding the second code into the first code so that the challenge is solved when the modified first code executes, and generating a modified request by modifying the request to require values for one or more parameters that are a solution to the challenge so that submission of any request initiating the web transaction is delayed until the challenge is solved;
  
  providing, to the client computing device, the modified first code;
  
  receiving a modified request from the client computing device to initiate the web transaction, the modified request including a possible solution to the challenge comprising values for the one or more parameters;
  
  determining whether the possible solution is a valid solution to the challenge; and
  
  taking action to initiate the particular web transaction or to not initiate the particular web transaction based on whether the possible solution is a valid solution to the challenge;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The computer-implemented method of claim 1, wherein the second code, when executed, determines a valid solution to the challenge by iteratively testing different candidate values in search of values that satisfy one or more constraints associated with the challenge.
  - 3. The computer-implemented method of claim 1, wherein:
    - the challenge to be solved by the client computing device is to determine a particular message that yields a pre-defined hash value when the particular message is hashed using a particular hash function.
  - 4. The computer-implemented method of claim 1, wherein the second code comprises at least one script that is written in JavaScript that is interpreted and executed at the client computing device.
  - 5. The computer-implemented method of claim 1, wherein, when the modified first code is executed at the client computing device, the client computing device determines a solution to the challenge in the background while a user interacts with the web page after the web page is loaded at the client computing device.
  - 6. The computer-implemented method of claim 1, wherein determining whether the possible solution is a valid solution to the challenge comprises:
    - identifying a pre-defined output value of a function, the pre-defined output value provided to the client computing device with the second code;
      
      identifying a pre-defined value provided with the second code for a first input parameter to the function;
      
      calculating a second output value of the function using the pre-defined value for the first input parameter and the possible solution included in the request; and
      
      determining whether the pre-defined output value matches the second output value.
  - 7. The computer-implemented method of claim 1, wherein determining whether the possible solution is a valid solution to the challenge comprises verifying that the possible solution was generated by the client computing device within a particular period of time after the second code was provided to the client computing device.
  - 8. The computer-implemented method of claim 1, wherein determining whether the possible solution is a valid solution to the challenge is performed at least in part by one or more computers at an edge of a network, the one or more computers being separate and geographically remote from a web server system from which the first code was originally served.
  - 9. The computer-implemented method of claim 8, further comprising taking action to not initiate the particular web-based transaction, including choosing to not communicate, from the one or more computers at the edge of the network and to the web server system, the request from the client computing device to initiate the web transaction.
  - 10. The computer-implemented method of claim 8, wherein the second code is generated by the web server system or by a proxy computing system that is arranged as a proxy to the web server system.
  - 11. The computer-implemented method of claim 1, wherein the modified first code includes a reference to the second code.
  - 12. The computer-implemented method of claim 1, further comprising, for each of a plurality of instances of the web page to be served to one or more client computing devices, generating code that defines a challenge that is unique to the respective instance of the web page.
  - 13. The computer-implemented method of claim 1, further comprising re-coding the first code so as to obscure an operational design of a computing system that generated the first code, wherein the re-coding does not substantially affect a visual presentation of the web page when the modified first code is executed at the client computing device.
  - 14. The computer-implemented method of claim 1, wherein the web transaction presented by the web page is one of a transaction to modify a listing of items in an online shopping cart, a transaction to create an account, a transaction to login to an account, or a transaction to modify settings associated with an account.
  - 15. The computer-implemented method of claim 1, wherein determining whether the possible solution is a valid solution to the challenge comprises:
    - parsing the modified request to identify a pre-defined hash value that was provided to the client computing device along with the challenge;
      
      using a pre-defined hash function to compute a second hash value based on the possible solution included in the request; and
      
      determining whether the second hash value matches the pre-defined hash value.
  - 16. The computer-implemented method of claim 1, wherein the possible solution is specified in a universal resource indicator (URI) of the modified request.
  - 17. The computer-implemented method of claim 1, further comprising:
    - receiving a second request from the client computing device to initiate the web transaction, the second request including a second possible solution to the challenge;
      
      determining whether the second possible solution is a valid solution to the challenge; and
      
      taking action to initiate the particular web-based transaction or not to initiate the second web transaction based on whether the second possible solution is a second valid solution to the challenge.
  - 18. The computer-implemented method of claim 17, wherein determining whether the second possible solution is a valid solution to the challenge comprises:
    - when the second possible solution is the same as the possible solution, determining that the second possible solution is not valid in response to a determination that the number of times that the possible solution has been received in requests exceeds a replay limit value that identifies a maximum number of times that a solution is permitted to be accepted as a valid solution to the challenge.
  - 19. The computer-implemented method of claim 1, wherein the modified first code does not begin working on the challenge until the user selects a control in the web page that triggers the challenge to be run.

20. A computer system comprising:
- one or more hardware processors;
  
  at least one memory coupled to the one or more hardware processors and storing one or more instructions which, when executed by the one or more hardware processors, cause the one or more hardware processors to;
  
  receive, at a computing system, first code corresponding to a web page requested by a client computing device, the first code comprising code that, when executed, allows a user to submit a request to initiate a web transaction presented by the web page;
  
  generate second code that defines a challenge to be solved by the client computing device, the second code comprising code that, when executed, determines a valid solution to the challenge;
  
  generate modified first code corresponding to the web page by embedding the second code into the first code so that the challenge is solved when the modified first code executes, and generating a modified request by modifying the request to require values for one or more parameters that are a solution to the challenge so that submission of any request initiating the web transaction is delayed until the challenge is solved;
  
  provide, to the client computing device, the modified first code;
  
  receive a modified request from the client computing device to initiate the web transaction, the modified request including a possible solution to the challenge comprising values for the one or more parameters;
  
  determine whether the possible solution is a valid solution to the challenge; and
  
  take action to initiate the particular web transaction or to not initiate the particular web transaction based on whether the possible solution is a valid solution to the challenge.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 21. The computer system of claim 20, wherein the second code, when executed, determines a valid solution to the challenge by iteratively testing different candidate values in search of values that satisfy one or more constraints associated with the challenge.
  - 22. The computer system of claim 20, wherein:
    - the challenge to be solved by the client computing device is to determine a particular message that yields a pre-defined hash value when the particular message is hashed using a particular hash function.
  - 23. The computer system of claim 20, wherein the second code comprises at least one script that is written in JavaScript that is interpreted and executed at the client computing device.
  - 24. The computer-implemented method of claim 20, wherein, when the modified first code is executed at the client computing device, the client computing device determines a solution to the challenge in the background while a user interacts with the web page after the web page is loaded at the client computing device.
  - 25. The computer system of claim 20, wherein determining whether the possible solution is a valid solution to the challenge comprises:
    - identifying a pre-defined output value of a function, the pre-defined output value provided to the client computing device with the second code;
      
      identifying a pre-defined value provided with the second code for a first input parameter to the function;
      
      calculating a second output value of the function using the pre-defined value for the first input parameter and the possible solution included in the request; and
      
      determining whether the pre-defined output value matches the second output value.
  - 26. The computer system of claim 20, wherein the one or more instructions, when executed by the one or more hardware processors, cause the one or more processors to:
    - receive a second request from the client computing device to initiate the web transaction, the request including a second possible solution to the challenge;
      
      determine whether the second possible solution is a valid solution to the challenge; and
      
      take action to initiate the particular web-based transaction or not to initiate the second web transaction based on whether the second possible solution is a second valid solution to the challenge.
  - 27. The computer-implemented method of claim 26, wherein determining whether the second possible solution is a valid solution to the challenge comprises:
    - when the second possible solution is the same as the possible solution, determining that the second possible solution is not valid in response to a determination that the number of times that the possible solution has been received in requests exceeds a replay limit value that identifies a maximum number of times that a solution is permitted to be accepted as a valid solution to the challenge.
  - 28. The computer system of claim 20, wherein determining whether the possible solution is a valid solution to the challenge comprises verifying that the possible solution was generated by the client computing device within a particular period of time after the second code was provided to the client computing device.
  - 29. The computer system of claim 20, wherein the step of determining whether the possible solution is a valid solution to the challenge is performed at least in part by one or more computers at an edge of a network, the one or more computers being separate and geographically remote from a web server system from which the first code was originally served.
  - 30. The computer-implemented method of claim 29, wherein the one or more instructions, when executed by the one or more hardware processors, cause the one or more processors to:
    - take action to not initiate the particular web-based transaction, including choosing to not communicate, from the one or more computers at the edge of the network and to the web server system, the request from the client computing device to initiate the web transaction.
  - 31. The computer-implemented method of claim 29, wherein the second code is generated by the web server system or by a proxy computing system that is arranged as a proxy to the web server system.
  - 32. The computer system of claim 20, wherein the modified first code includes a reference to the second code.
  - 33. The computer system of claim 20, wherein the one or more instructions, when executed by the one or more hardware processors, cause the one or more processors to:
    - for each of a plurality of instances of the web page to be served to one or more client computing devices, generate code that defines a challenge that is unique to the respective instance of the web page.
  - 34. The computer system of claim 20, wherein the one or more instructions, when executed by the one or more hardware processors, cause the one or more processors to:
    - re-code the first code so as to obscure an operational design of a computing system that generated the first code, wherein the re-coding does not substantially affect a visual presentation of the web page when the web page is executed at the client computing device.
  - 35. The computer system of claim 20, wherein the web transaction presented by the web page is one of a transaction to modify a listing of items in an online shopping cart, a transaction to create an account, a transaction to login to an account, or a transaction to modify settings associated with an account.
  - 36. The computer system of claim 20, wherein determining whether the possible solution is a valid solution to the challenge comprises:
    - parsing the modified request to identify a pre-defined hash value that was provided to the client computing device along with the challenge;
      
      using a pre-defined hash function to compute a second hash value based on the possible solution included in the request; and
      
      determining whether the second hash value matches the pre-defined hash value.
  - 37. The computer system of claim 20, wherein the possible solution is specified in a universal resource indicator (URI) of the modified request.
  - 38. The computer system of claim 20, wherein the modified first code does not begin working on the challenge until the user selects a control in the web page that triggers the challenge to be run.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shape Security Inc. (F5 Incorporated)
Original Assignee
Shape Security Inc. (F5 Incorporated)
Inventors
Hansen, Marc R.
Primary Examiner(s)
Lagor, Alexander
Assistant Examiner(s)
Tran, Vu V

Application Number

US15/202,755
Publication Number

US 20170013012A1
Time in Patent Office

1,322 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2103   Challenge-response

G06Q 20/382   insuring higher security of...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 67/01   Protocols

Asymmetrical challenges for web security

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

243 Citations

38 Claims

Specification

Use Cases

Quick Links

Others

Asymmetrical challenges for web security

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

243 Citations

38 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others