DETECTING WEB BROWSER BASED ATTACKS USING BROWSER DIGEST COMPUTE TESTS LAUNCHED FROM A REMOTE SOURCE
Abstract
The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken.
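An added sketch of the digest round trip the abstract describes, with a token in the spirit of claim 43; it is not code from the patent. SHA-256, the marker comments, the `/gw-test.js` path, and the HMAC tag used in place of the claim's encrypted token are assumptions, and `browser_test` stands in for the script the browser would run.

```python
import hashlib
import hmac
import secrets

# Assumptions of this sketch (none come from the patent text): SHA-256 digest,
# comment markers around the injected block, an HMAC tag standing in for the token.
GATEWAY_KEY = secrets.token_bytes(32)
MARK_OPEN, MARK_CLOSE = "<!--gw-test-->", "<!--/gw-test-->"
# Constructed sample response body.
SAMPLE_PAGE = "<html><body><form action='/transfer'><input name='amount'></form></body></html>"


def digest(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def make_token(nonce: str, content_digest: str) -> str:
    msg = f"{nonce}:{content_digest}".encode("utf-8")
    return hmac.new(GATEWAY_KEY, msg, hashlib.sha256).hexdigest()


def instrument(body: str):
    """Gateway: digest the original content, then append the test block."""
    nonce = secrets.token_hex(8)
    token = make_token(nonce, digest(body))
    block = (f'{MARK_OPEN}<script src="/gw-test.js" data-nonce="{nonce}" '
             f'data-token="{token}"></script>{MARK_CLOSE}')
    return body + block, nonce, token


def browser_test(received: str):
    """Stand-in for the injected script: hash what arrived, minus the test block."""
    start, end = received.find(MARK_OPEN), received.find(MARK_CLOSE)
    if start == -1 or end == -1:
        return None  # test block stripped: no digest can be reported
    return digest(received[:start] + received[end + len(MARK_CLOSE):])


def analyze(nonce: str, token: str, reported):
    """Gateway: the token only verifies if the reported digest equals the original."""
    if reported is None:
        return "no-result"
    ok = hmac.compare_digest(make_token(nonce, reported), token)
    return "clean" if ok else "modified"
```

Because the token binds the nonce to the original digest, the gateway in this sketch does not need to store per-response state to check the result.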
49 Claims
1-29. (canceled)
30. A method performed in a security gateway coupled between an HTTP (Hypertext Transfer Protocol) client and a web application installed on a server, the method comprising:
receiving an HTTP response message from a web application server for delivery to an HTTP client, the response message including content;
computing a digest based on the content of the HTTP response message;
modifying the HTTP response message from the web application server to include code that when executed by a web browser on the HTTP client will cause the web browser to perform a test by computing a locally generated digest based on the HTTP response message it receives and return the locally generated digest to the security gateway;
sending to the HTTP client the modified HTTP response message;
receiving a test result message from the HTTP client, the test result message indicating the locally generated digest computed by the HTTP client wherein the digest and the locally generated digest will not match if malware has modified the content before reaching the web browser;
analyzing the test result message for an indication of malware on the HTTP client; and
taking defensive measures responsive to the analyzing.
40. An apparatus comprising:
a network element including;
a security gateway module to receive an HTTP (Hypertext Transfer Protocol) response message from a web application server for delivery to an HTTP client, the response message including content;
wherein the security gateway module is further to perform a test with the HTTP client responsive to the received HTTP request message and a policy, wherein the performing includes;
computing a digest based on the content of the HTTP response message;
modifying the HTTP response message from the web application server to include code that when executed by a web browser on the HTTP client will cause the web browser to perform a test by computing a locally generated digest based on the HTTP response message it receives and return the locally generated digest to the security gateway;
sending to the HTTP client the modified HTTP response message; and
receiving a test result message from the HTTP client, the test result message indicating the locally generated digest computed by the HTTP client wherein the digest and the locally generated digest will not match if malware has modified the content before reaching the web browser;
wherein the security gateway module is further to analyze the test result for an indication of malware on the HTTP client; and
wherein the security gateway module is further to take defensive measures responsive to the analyzing.
42. The apparatus of claim 41, wherein the security gateway module is further to receive an HTTP request message, the HTTP request message being from an HTTP client and directed to a server on which a web application is installed and to determine whether the test is to be performed by detecting content in the request message that is commonly inserted by malware on an HTTP client;
43. The apparatus of claim 41, wherein the modified HTTP response further includes an encrypted token generated using the computed digest and wherein the code includes a command to return the encrypted token.
44. The apparatus of claim 41, wherein the HTTP client includes a web browser and the test operation is performed by the web browser independent of any malware on the HTTP client.
45. A machine-readable medium storing instructions that, when executed by the machine, cause the machine to perform operations comprising:
receiving an HTTP response message from a web application server for delivery to an HTTP client, the response message including content;
computing a digest based on the content of the HTTP response message;
modifying the HTTP response message from the web application server to include code that when executed by a web browser on the HTTP client will cause the web browser to perform a test by computing a locally generated digest based on the HTTP response message it receives and return the locally generated digest to the security gateway;
sending to the HTTP client the modified HTTP response message;
receiving a test result message from the HTTP client, the test result message indicating the locally generated digest computed by the HTTP client wherein the digest and the locally generated digest will not match if malware has modified the content before reaching the web browser;
analyzing the test result message for an indication of malware on the HTTP client; and
taking defensive measures responsive to the analyzing.
Specification