SECURE FRAMEWORK FOR INVOKING SERVER-SIDE APIS USING AJAX

US 20100146291A1
Filed: 12/08/2008
Published: 06/10/2010
Est. Priority Date: 12/08/2008
Status: Active Grant

First Claim

Patent Images

1. A method for securely invoking a server-side Application Programming Interface (API), the method comprising:

receiving, from a client-side component of a Web application, a request to invoke an API hosted on a server, wherein the request is sent asynchronously by the client-side component using AJAX;

invoking a security handler configured to process the request in a manner that mitigates a plurality of different types of Web application or AJAX security attacks;

invoking the API on the server; and

sending a response comprising output data generated by the API to the client-side component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for securely invoking a server-side API from client-side Web application code using AJAX. In one set of embodiments, a request to invoke a server-side API is received from a client-side component of a Web application, where the request is sent asynchronously using AJAX. One or more security handlers are then invoked to process the request in a manner that mitigates various security attacks. In one embodiment, a security handler is invoked to defend against a plurality of different types of Web application/AJAX security attacks. In another embodiment, authentication and authorization security handlers are invoked to authenticate a user of the Web application that originated the request and determine whether the user is authorized to call the server-side API. In yet another embodiment, configuration is implemented at the data storage tier to enforce user-access and data security on data that is retrieved/stored as a result of invoking the server-side API.

161 Citations

22 Claims

1. A method for securely invoking a server-side Application Programming Interface (API), the method comprising:
- receiving, from a client-side component of a Web application, a request to invoke an API hosted on a server, wherein the request is sent asynchronously by the client-side component using AJAX;
  
  invoking a security handler configured to process the request in a manner that mitigates a plurality of different types of Web application or AJAX security attacks;
  
  invoking the API on the server; and
  
  sending a response comprising output data generated by the API to the client-side component.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the method is performed by a Java servlet running on the server.
  - 3. The method of claim 1, wherein the client-side component is JavaScript code running in a Web browser.
  - 4. The method of claim 1, wherein the API is a Java API.
  - 5. The method of claim 1, wherein the plurality of different types of Web application or AJAX security attacks include Cross Site Scripting, Cross Site Request Forgery, injection attacks, and replay attacks.
  - 6. The method of claim 5, wherein the injection attacks include SQL injection, PL/SQL injection, XML injection, HTML injection, and JavaScript injection.
  - 7. The method of claim 5, wherein the plurality of different types of Web application or AJAX security attacks further include illegal redirects and buffer overflows.
  - 8. The method of claim 1, wherein the request includes an API name, a class name, and one or more parameter values for the API.
  - 9. The method of claim 8, wherein processing the request comprises validating the one or more parameter values against a white-list of valid characters or values.
  - 10. The method of claim 8, wherein processing the request comprises escaping code tags in the one or more parameter values.
  - 11. The method of claim 8, wherein processing the request comprises determining whether the one or more parameter values are signed using a context signature.
  - 12. The method of claim 1 further comprising:
    - invoking an authentication security handler configured to authenticate a user of the Web application that originated the request; and
      
      invoking an authorization security handler configured to determine whether the user is authorized to invoke the API.
  - 13. The method of claim 12, wherein the Web application is built using the Oracle Applications (OA) Framework, and wherein the authentication and authorization security handlers rely on security data specific to the OA Framework.
  - 14. The method of claim 1, wherein the API is configured to query one or more database tables, and wherein the results of the query are automatically filtered based on an identity of a user that originated the request and user-access permissions defined for the one or more database tables.
  - 15. The method of claim 1, wherein the API is configured to store data into one or more database tables, and wherein the data is automatically encrypted prior to storage.
  - 16. The method of claim 1, wherein a configuration file is maintained at the server including a list of server-side APIs and associated invocation permissions, anddetermining, based on the list, whether the API can be invoked in response to the request.

17. A server system comprising:
- a storage component configured to store code for an Application Programming Interface (API); and
  
  a processing component in communication with the storage component, wherein the processing component is configured to;
  
  receive, from a client-side component of a Web application, a request to invoke the API, wherein the request is sent asynchronously by the client-side component using AJAX;
  
  invoke a security handler configured to process the request in a manner that mitigates a plurality of different types of Web application or AJAX security attacks;
  
  invoke the API; and
  
  send a response comprising output data generated by the API to the client-side component.
- View Dependent Claims (18, 19)
- - 18. The server system of claim 17, wherein the plurality of different types of Web application or AJAX security attacks include Cross Site Scripting, Cross Site Request Forgery, injection attacks, and replay attacks.
  - 19. The server system of claim 18, wherein the injection attacks include SQL injection, PL/SQL injection, XML injection, HTML injection, and JavaScript injection.

20. A machine-readable medium for a computer system, the machine-readable medium having stored thereon program code for securely invoking a server-side Application Programming Interface (API), the program code comprising:
- code for receiving, from a client-side component of a Web application, a request to invoke an API hosted on a server, wherein the request is sent asynchronously by the client-side component using AJAX;
  
  code for invoking a security handler configured to process the request in a manner that mitigates a plurality of different types of Web application or AJAX security attacks;
  
  code for invoking the API on the server; and
  
  code for sending a response comprising output data generated by the API to the client-side component.
- View Dependent Claims (21, 22)
- - 21. The machine-readable medium of claim 20, wherein the plurality of different types of Web application or AJAX security attacks include Cross Site Scripting, Cross Site Request Forgery, injection attacks, and replay attacks.
  - 22. The machine-readable medium of claim 21, wherein the injection attacks include SQL injection, PL/SQL injection, XML injection, HTML injection, and JavaScript injection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Anbuselvan, Ananthalakshmi

Granted Patent

US 8,332,654 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/189
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 63/1441   Countermeasures against mal...

SECURE FRAMEWORK FOR INVOKING SERVER-SIDE APIS USING AJAX

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

161 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE FRAMEWORK FOR INVOKING SERVER-SIDE APIS USING AJAX

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

161 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links