SYSTEMS AND METHODS FOR CROSS SITE FORGERY PROTECTION

US 20110154473A1
Filed: 12/23/2009
Published: 06/23/2011
Est. Priority Date: 12/23/2009
Status: Active Grant

First Claim

Patent Images

1. A method of protecting against forgery of forms, the method comprising:

(a) identifying, by an application firewall executing on an intermediary device deployed between a plurality of clients and one or more servers, that a response to a first request of a client is a first form;

(b) generating, by the application firewall, a form identifier for the first form that is unique and unpredictable among form identifiers transmitted via the intermediary device;

(c) transmitting, by the application firewall to the client, the response comprising the form identifier embedded in the first form;

(d) receiving, by the application firewall, a second request from the client to send form data for the first form to the server; and

(e) determining, by the application firewall, whether to send the second request to the server based on whether the second request identifies the form identifier transmitted with the response.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present solution described herein is directed towards systems and methods to prevent cross-site request forgeries based on web form verification using unique identifiers. The present solution tags each form from a server that is served out in the response with a unique and unpredictable identifier. When the form is posted, the present solution enforces that the identifier being returned is the same as the one that was served out to the user. This prevents malicious unauthorized third party users from submitting a form on a user'"'"'s behalf since they cannot guess the value of this unique identifier that was inserted.

Citations

22 Claims

1. A method of protecting against forgery of forms, the method comprising:
- (a) identifying, by an application firewall executing on an intermediary device deployed between a plurality of clients and one or more servers, that a response to a first request of a client is a first form;
  
  (b) generating, by the application firewall, a form identifier for the first form that is unique and unpredictable among form identifiers transmitted via the intermediary device;
  
  (c) transmitting, by the application firewall to the client, the response comprising the form identifier embedded in the first form;
  
  (d) receiving, by the application firewall, a second request from the client to send form data for the first form to the server; and
  
  (e) determining, by the application firewall, whether to send the second request to the server based on whether the second request identifies the form identifier transmitted with the response.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein step (a) further comprises receiving, by the intermediary device, a response comprising the first form and a second form, each of the first form and the second form comprising an application layer form.
  - 3. The method of claim 2, wherein step (b) further comprises generating at least one form identifier for each of the first form and the second form, each of the at least one form identifier unique and unpredictable among form identifiers embedded in the response transmitted by the intermediary device.
  - 4. The method of claim 1, wherein step (c) further comprises embedding, by the application firewall, the form identifier into a hidden field in the first form.
  - 5. The method of claim 1, wherein step (c) further comprises embedding, by the application firewall, the form identifier into an attribute value of the first form.
  - 6. The method of claim 1, wherein step (d) further comprises receiving, by the application firewall, the second request comprising a POST request of the first form to the server.
  - 7. The method of claim 1, wherein step (d) further comprises receiving, by the application firewall, the second request comprising a GET request with form data for the first form.
  - 8. The method of claim 1, wherein step (e) further comprises determining, by the application firewall, that the second request does not have any form identifier and responsive to this determination, not sending the second request to the server.
  - 9. The method of claim 1, wherein step (e) further comprises determining, by the application firewall, that the second request'"'"'s form identifier does not match the form identifier of the response and responsive to this determination, not sending the second request to the server.
  - 10. The method of claim 1, wherein step (e) further comprises determining, by the application firewall, that the second request'"'"'s form identifier does match the form identifier of the response and responsive to this determination, sending the second request to the server.
  - 11. The method of claim 1, further comprising receiving, by the application firewall, a third request from one of the client or a second client, the third request sending form data for a form for which the application firewall has not generated the form identifier and not sending the third request to the server.

12. A system for protecting against forgery of forms comprising:
- an application firewall executing on an intermediary device deployed between a plurality of clients and one or more servers comprising;
  
  a form verification engine of an application firewall executing on the intermediary device identifying that a response to a first request of a client has a first form;
  
  an identifier generator of the application firewall generating a form identifier for the first form that is unique and unpredictable among form identifiers transmitted via the intermediary device;
  
  wherein the form verification engine transmits to the client the response comprising the form identifier embedded in the first form, receives a second request from the client to send form data for the first form to the server, and determines whether to send the second request to the server based on whether the second request identifies the form identifier transmitted with the response.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the form verification engine receives a response comprising the first form and a second form, each of the first form and the second form comprising an application layer form.
  - 14. The system of claim 13, wherein the identifier generator generates at least one form identifier for each of the first form and the second form, each of the at least one form identifier unique and unpredictable among form identifiers embedded in the response transmitted by the intermediary device.
  - 15. The system of claim 12, wherein the form verification engine embeds the form identifier into a hidden field in the first form.
  - 16. The system of claim 12, wherein the form verification engine embeds the form identifier into an attribute value of the first form.
  - 17. The system of claim 12, wherein the form verification engine receives the second request comprising a POST request of the first form to the server.
  - 18. The system of claim 12, wherein the form verification engine receives the second request comprising a GET request with form data for the first form.
  - 19. The system of claim 12, wherein the form verification engine determines that the second request does not have any form identifier and responsive to this determination, does not send the second request to the server.
  - 20. The system of claim 12, wherein the form verification engine determines that the second request'"'"'s form identifier does not match the form identifier of the response and responsive to this determination, does not send the second request to the server.
  - 21. The system of claim 12, wherein the form verification engine determines that the second request'"'"'s form identifier matches the form identifier of the response and responsive to this determination, sends the second request to the server.
  - 22. The system of claim 12, wherein the form verification engine receives a third request from one of the client or a second client, the third request sending form data for a form for which the identifier generator has not generated the form identifier and not sending the third request to the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Keinan, Yariv, Anderson, Craig, Reddy, Anoop

Granted Patent

US 8,640,216 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/11
CPC Class Codes

G06F 21/64   Protecting data integrity, ...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/0209   Architectural arrangements,...

H04L 63/0272   Virtual private networks

H04L 63/08   for authentication of entit...

H04L 63/1466   Active attacks involving in...

H04L 63/1483   service impersonation, e.g....

SYSTEMS AND METHODS FOR CROSS SITE FORGERY PROTECTION

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR CROSS SITE FORGERY PROTECTION

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links