WEB APPLICATION SECURITY FILTERING

US 20100332837A1
Filed: 02/09/2010
Published: 12/30/2010
Est. Priority Date: 07/07/2008
Status: Abandoned Application

First Claim

Patent Images

1. A method for operating a Web applications security filtering system, the method comprisinga) receiving from a first computer endpoint content description language comprising at least one request for input data and at least one constrain to the expected input data,b) enriching the content description language sent by the first computer endpoint with at least one security token that is based on the at least one request for input data and comprises at least one constraint to the expected input data,c) sending to a second computer endpoint content description language enriched with the at least one security token,d) receiving from the second computer endpoint input data together with the at least one security token,e) parsing input data and the at least one security token sent by the second computer endpoint,f) verifying the input data against the at least one constraint determined in the security token, andg) blocking the transfer of input data which does not conform to the at least one constraint.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

User inputs and/or Uniform Resource Identifier (URI), historically and popularly referred to as Universal Resource Locator (URL), requests in a content description language are passed through a security service (Web application firewall or a reverse Web proxy server) that is placed in front of Web application servers in order to protect the servers from hacking attempts. For validating Webform user inputs and/or URI requests and parameters the content description language is enriched by the security service with additional security tokens that are dynamically created based on the content being transferred. The user receives the information and returns input with the security tokens. The security service can then verify all provided user input data against the constraints described in the corresponding security token. As a result, the method may block the HTTP request or create log messages or notification events in reaction to violations of the user input data compared to the constraints in the security token.

41 Citations

View as Search Results

15 Claims

1. A method for operating a Web applications security filtering system, the method comprisinga) receiving from a first computer endpoint content description language comprising at least one request for input data and at least one constrain to the expected input data,b) enriching the content description language sent by the first computer endpoint with at least one security token that is based on the at least one request for input data and comprises at least one constraint to the expected input data,c) sending to a second computer endpoint content description language enriched with the at least one security token,d) receiving from the second computer endpoint input data together with the at least one security token,e) parsing input data and the at least one security token sent by the second computer endpoint,f) verifying the input data against the at least one constraint determined in the security token, andg) blocking the transfer of input data which does not conform to the at least one constraint.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method according to claim 1 wherein the system comprisesat least one first computer endpoint comprising at least one Web application serverrver,at least one second computer endpoint comprising a client computer with a Web browser, anda security service installed on a Web application firewall or on a reverse Web proxy server that is placed in front of the at least one Web application server in order to protect the at least one server from hacking attempts by client Web browsers.
  - 3. The method according to claim 1 wherein the transferred content description language comprises hypertext markup language content.
  - 4. The method according to claim 3 wherein parsing content description language comprisesextracting attribute information andcreating at least one security token that is based on the extracted attribute information.
  - 5. The method according to claim 4 wherein attribute information comprises name parameters.
  - 6. The method according to claim 4 wherein attribute information comprises universal resource identifiers.
  - 7. The method according to claim 4 wherein attribute information comprises expected data values.
  - 8. The method according to claim 4 wherein attribute information comprises expected value ranges.
  - 9. The method according to claim 4 wherein attribute information comprises expected value types.
  - 10. The method according to claim 4, wherein enriching contentdescription language with the security token, further comprisesencrypting and digitally signing the security token and after receiving input data and the at least one security token sent by the second computer end point, the security servicedecrypting and verifying the security token.
  - 11. A computer program comprising program code means for performing all the steps of the method of claim 10 by adapting a computer.
  - 12. A computer program comprising program code means for performing all the steps of the method of claim 10 by adapting a Web application firewall.
  - 13. A computer program comprising program code means for performing all the steps of the method of claim 10 by adapting a reverse Web proxy server.
  - 14. A computer program comprising program code means for performing all the steps of the method of claim 10 by adapting a load balancing appliance.

15. A security service apparatus for Web application security filtering, the apparatus comprising:
- a) means for receiving content description language transferred between at least a first and a second computer endpoint through the security service apparatus,b) means for enriching the content description language sent by the first computer endpoint with at least one security token that is based on at least one request for input data and at least one constraint to the expected input data,c) means for sending to the second computer endpoint content description language enriched with the at least one security token,d) means for receiving from the second computer endpoint input data together with the at least one security token,e) means for parsing input data and the at least one security token sent by the second computer endpoint,f) means for verifying the input data against the at least one constraint in the security token, andg) means for blocking the transfer of input data which does not conform to the at least one constraint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Phion AG (Barracuda Networks Incorporated)
Original Assignee
Phion AG (Barracuda Networks Incorporated)
Inventors
OSTERWALDER, CYRILL

Application Number

US12/703,148
Publication Number

US 20100332837A1
Time in Patent Office

Days
Field of Search
US Class Current

713/172
CPC Class Codes

H04L 63/0245   Filtering by information in...

H04L 63/1441   Countermeasures against mal...

H04L 63/168   above the transport layer

WEB APPLICATION SECURITY FILTERING

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

41 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

WEB APPLICATION SECURITY FILTERING

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

41 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links