Software proxy for securing web application business logic

US 20060200566A1
Filed: 03/07/2005
Published: 09/07/2006
Est. Priority Date: 03/07/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for securing web application business logic comprising:

embedding unique keys into an outgoing HTTP response;

sending an incoming HTTP request to access a web server;

determining if the incoming HTTP request is valid using the unique keys; and

responding to the incoming HTTP request if the incoming HTTP request is valid.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention describes a novel method for securing the Business Logic of on-line Internet applications against application manipulation attacks by means of identifying the exact manner in which the application was intended to be used (Intended Use Guidelines) and enforcing said intended use by embedding unique identification keys inside outgoing HTTP (HyperText Transfer Protocol) response headers and/or HTTP response HTML (HyperText Markup Language) streams and validating subsequent HTTP requests before submitting an independent HTTP request to a standard Web Server (HTTP daemon). Each unique identification key is mapped to one or more Intended Use Guidelines. The software is designed to be positioned behind an Internet-facing network firewall and in front of a standard Web Server. The software is further designed to accept TCP/IP (Transmission Control Protocol/Internet Protocol) socket connections from clients (typically standard Web browsers), validate incoming HTTP requests, and submit an independent HTTP request to the Web Server over a separate TCP/IP socket connection. The software is further designed to create an outgoing HTTP response with an appropriate status (error) code to the client before disconnecting the socket connection between the software and the Client in response to invalid HTTP requests. Under such conditions, an HTTP request is not created or sent to the Web Server, thereby avoiding any damage to the Web Server, the operating system on which the Web Server executes, and other internal network resources.

Citations

20 Claims

1. A method for securing web application business logic comprising:
- embedding unique keys into an outgoing HTTP response;
  
  sending an incoming HTTP request to access a web server;
  
  determining if the incoming HTTP request is valid using the unique keys; and
  
  responding to the incoming HTTP request if the incoming HTTP request is valid.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 11)
- - 2. The method of claim 1, further comprising:
    - sending an error message, and disconnecting the client if the incoming HTTP request is not valid.
  - 3. The method of claim 1, wherein determining if the incoming HTTP request is valid comprises validating the incoming HTTP request against an Intended Use Guidelines database.
  - 4. The method of claim 3, further comprising:
    - updating the Intended Use Guidelines database.
  - 5. The method of claim 1, wherein the unique keys are used to index into an Intended Use Guidelines database.
  - 6. The method of claim 4, wherein the Intended Use Guidelines database is stored in the protection proxy.
  - 7. The method of claim 5, wherein the Intended Use Guidelines database is stored on disk.
  - 8. The method of claim 1, wherein embedding the unique keys into an outgoing HTTP response comprises inserting the unique keys into one selected from the group consisting of outgoing HTML content as a URL query string parameter, outgoing HTTP response header as a cookie value, outgoing HTML content as a hidden HTML form field.
  - 9. The method of claim 1, wherein the web server hosts a web application.
  - 11. The system of claim 9, wherein the web server is configured to host a web application.

10. A system for securing web application business logic comprising:
- a client configured to send a request to access a web server; and
  
  a protection proxy configured to;
  
  receive the request from the client;
  
  validate the request from the client using a unique key;
  
  receive a response to the request from the web server;
  
  update an Intended Use Guidelines database based on a response from the web server; and
  
  generate an outgoing response to the client including the unique key.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 10, wherein the unique key is used to index into the Intended Use Guidelines database.
  - 13. The system of claim 12, wherein the Intended Use Guidelines database is stored in the protection proxy.
  - 14. The system of claim 12, wherein the Intended Use Guidelines database is stored on disk.
  - 15. The system of claim 10, wherein the unique key is embedded into the outgoing HTTP response from the web server to the client.
  - 16. The system of claim 15, wherein embedding the unique key comprises inserting the unique keys into one selected from the group consisting of outgoing HTML content as a URL query string parameter, outgoing HTTP response header as a cookie value, outgoing HTML content as a hidden HTML form field.
  - 17. The system of claim 10, wherein validating the request from the client comprises parsing the request to identify an Intended Use Guideline and comparing the Intended Use Guideline against the Intended Use Guidelines database.
  - 18. The system of claim 17, wherein identifying an Intended Use Guideline comprises one selected from the group consisting of parsing HTTP response headers, parsing stylesheet content, parsing HTML content, parsing SWF content, executing in-line and external JavaScript and simulating user actions.
  - 19. The system of claim 10, wherein the protection proxy is further configured to generate an independent HTTP request to the web server and an independent HTTP response to the client.

20. A computer system for securing web application business logic comprising:
- a processor;
  
  a memory;
  
  a storage device; and
  
  software instructions stored in the memory for enabling the computer system under control of the processor, to;
  
  embed unique keys into an outgoing HTTP response;
  
  send an incoming HTTP request to access a web server;
  
  determine if the incoming HTTP request is valid using the unique keys; and
  
  respond to the incoming HTTP request if the incoming HTTP request is valid.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Webscurity, Inc.
Original Assignee
Webscurity, Inc.
Inventors
Ziebarth, Wayne William

Application Number

US11/074,344
Publication Number

US 20060200566A1
Time in Patent Office

Days
Field of Search
US Class Current

709/227
CPC Class Codes

H04L 63/12 Applying verification of th...

Software proxy for securing web application business logic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Software proxy for securing web application business logic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links