DEALING WITH WEB ATTACKS USING CRYPTOGRAPHICALLY SIGNED HTTP COOKIES
Abstract
According to one embodiment, a security gateway (SG) is coupled between a hypertext transport protocol (HTTP) client and a web application server. Responsive to a first HTTP message being transmitted between the HTTP client and the web application server as part of an HTTP session, the SG generates security gateway session security state information (SGI) based on a policy. The SG also generates a digital signature (SGS) from the SGI, creates an SG signed session security state information cookie (SGC), and sends the SGC to the HTTP client for storage instead of storing the SGI in the SG. Responsive to a second HTTP message of the HTTP session, the SG attempts to validate a claim made in the second HTTP request using at least the policy and the SGC that is supposed to be returned with the second HTTP message.
43 Claims
1. A method in a security gateway (SG), coupled between a hypertext transport protocol (HTTP) client and a web application server, for detecting web attacks, the method comprising:
responsive to a first HTTP message being transmitted between the HTTP client and the web application server as part of an HTTP session, generating security gateway session security state information (SGI) based on a policy and the first HTTP message;
generating a digital signature (SGS) from the SGI;
creating an SG signed session security state information cookie (SGC) that includes the SGS and not the SGI;
sending the SGC to the HTTP client for storage instead of storing the SGI in the SG, wherein the HTTP client should return the SGC as part of a next HTTP request transmitted from the HTTP client to the web application server as part of the HTTP session; and
responsive to a second HTTP message being transmitted from the HTTP client to the web application server as part of the HTTP session, attempting to validate a claim made in the second HTTP request message using at least the policy and the SGC that is supposed to be returned with the next HTTP request.
Dependent claims: 2-16.
17. A method in a security gateway (SG) for detecting web attacks, wherein the SG is coupled between a plurality of hypertext transport protocol (HTTP) clients and a set of one or more web application servers, wherein each of the plurality of HTTP clients has with one of the set of web application servers a web application session that involves the exchange of HTTP messages, wherein each of the set of web application servers stores web application session state information for each of its web application sessions, the method comprising:
responsive to the exchange of HTTP messages, performing the following:
distributively storing in the HTTP clients digital signatures (SGSs) generated by the SG to validate claims that may be made in HTTP requests subsequently transmitted by the HTTP clients to the set of web application servers as part of the web application sessions, wherein the distributively storing comprises:
generating pieces of SG session security state information (SGIs) based on policies and based on certain of the web application session state information the SG can derive from the HTTP messages currently being exchanged;
generating digital signatures (SGSs) from the SGIs;
transmitting to the HTTP clients their respective SGSs in HTTP cookies (SGCs);
checking for web attacks in those of the HTTP messages that are HTTP requests with information that implicitly claims that the HTTP request conforms with the policies, wherein the checking comprises:
attempting to validate any such claims in each of the HTTP requests based on the policies and any of the SGCs returned with that HTTP request; and
processing according to failure criteria any of the HTTP requests that fail the attempted validation.
Dependent claims: 18-30.
31. An apparatus comprising:
a network element including:
a security gateway (SG) to detect web attacks in a web application session between a hypertext transport protocol (HTTP) client and a web application server, the security gateway to be coupled to receive HTTP messages being transmitted between the HTTP client and the web application server as part of the web application session, and the security gateway to be coupled to receive a policy that includes information including regeneration trigger information, wherein the security gateway is configured to receive an HTTP response, one of the HTTP messages transmitted by the web application server, and configured to transmit a modified version of this HTTP response message to the HTTP client, wherein the modification results in an HTTP cookie that includes a first digital signature being sent by the SG to the HTTP client;
wherein the security gateway is configured to receive an HTTP request, one of the HTTP messages transmitted by the HTTP client after the HTTP client has received the HTTP cookie, wherein the HTTP request includes the HTTP cookie and the regeneration trigger information; and
wherein generating a second digital signature, in the same manner used to generate the first digital signature, from at least one of part of the HTTP request and part of the information included in the policy yields matching digital signatures or different digital signatures respectively depending on whether a web attack has occurred.
Dependent claims: 32-43.
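The gateway logic described in the abstract and in claims 1 and 31, as an added Python sketch that is not code from the patent or its assignee: the SG derives SGI from the server's response and a policy, keeps only an HMAC of it in the SGC cookie, and on the guarded request (the regeneration trigger) regenerates the signature from the request plus policy; a match validates the request's implicit claim, a mismatch flags tampering. SG_KEY, POLICY, the form path and the field names are constructed assumptions.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs

# Hypothetical gateway secret; in a deployment this lives in the SG's key store.
SG_KEY = b"constructed-example-key-not-for-production"

# Hypothetical policy: for the form posted to /checkout, which server-supplied
# values the client must not alter, and which fields the form may carry at all.
POLICY = {
    "regeneration_trigger": "/checkout",        # request path that must carry an SGC
    "pinned_fields": ["item_id", "price"],      # values the SG pins from the response
    "allowed_fields": ["item_id", "price", "qty", "coupon"],
}

def build_sgi(path, pinned):
    """SGI: canonical bytes of what the policy says must hold on the next request."""
    state = {"path": path, "pinned": sorted(pinned.items())}
    return json.dumps(state, separators=(",", ":")).encode()

def sign_sgi(sgi):
    """SGS: HMAC-SHA256 over the SGI. The cookie carries only this, never the SGI."""
    return hmac.new(SG_KEY, sgi, hashlib.sha256).hexdigest()

def on_response(form_action, hidden_fields):
    """First HTTP message (server -> client): derive SGI, sign, return Set-Cookie value."""
    pinned = {k: hidden_fields[k] for k in POLICY["pinned_fields"]}
    sgs = sign_sgi(build_sgi(form_action, pinned))
    return f"SGC={sgs}; HttpOnly; Secure; SameSite=Strict"

def on_request(path, body, cookies):
    """Second HTTP message (client -> server): regenerate SGI from request + policy."""
    if path != POLICY["regeneration_trigger"]:
        return "pass"                               # not a guarded request
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if set(fields) - set(POLICY["allowed_fields"]):
        return "reject:unexpected-field"            # parameter the served form never had
    if "SGC" not in cookies:
        return "reject:missing-sgc"                 # client did not return the signature
    if any(k not in fields for k in POLICY["pinned_fields"]):
        return "reject:missing-pinned-field"
    pinned = {k: fields[k] for k in POLICY["pinned_fields"]}
    expected = sign_sgi(build_sgi(path, pinned))    # second signature, same method as the first
    if not hmac.compare_digest(expected, cookies["SGC"]):
        return "reject:tampered"                    # claim in the request does not validate
    return "pass"
```

Because the SGI is reconstructed from the request rather than stored, the gateway stays stateless across clients while a changed pinned value or an added parameter still surfaces as a signature mismatch.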