DEALING WITH WEB ATTACKS USING CRYPTOGRAPHICALLY SIGNED HTTP COOKIES

US 20130055384A1
Filed: 08/25/2011
Published: 02/28/2013
Est. Priority Date: 08/25/2011
Status: Active Grant

First Claim

Patent Images

1. A method in a security gateway (SG), coupled between a hypertext transport protocol (HTTP) client and a web application server, for detecting web attacks, the method comprising:

responsive to a first HTTP message being transmitted between the HTTP client and the web application server as part of an HTTP session, generating security gateway session security state information (SGI) based on a policy and the first HTTP message;

generating a digital signature (SGS) from the SGI;

creating an SG signed session security state information cookie (SGC) that includes the SGS and not the SGI;

sending the SGC to the HTTP client for storage instead of storing the SGI in the SG, wherein the HTTP client should return the SGC as part of a next HTTP request transmitted from the HTTP client to the web application server as part of the HTTP session; and

responsive to a second HTTP message being transmitted from the HTTP client to the web application server as part of the HTTP session, attempting to validate a claim made in the second HTTP request message using at least the policy and the SGC that is supposed to be returned with the next HTTP request.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a security gateway (SG) is coupled between a hypertext transport protocol (HTTP) client and a web application server. Responsive to a first HTTP message being transmitted between the HTTP client and the web application server as part of an HTTP session, the SG generates security gateway session security state information (SGI) based on a policy. The SG also generates a digital signature (SGS) from the SGI, creates an SG signed session security state information cookie (SGC), and sends the SGC to the HTTP client for storage instead of storing the SGI in the SG. Responsive to a second HTTP message of the HTTP session, the SG attempts to validate a claim made in the second HTTP request using at least the policy and the SGC that is supposed to be returned with the second HTTP message.

Citations

43 Claims

1. A method in a security gateway (SG), coupled between a hypertext transport protocol (HTTP) client and a web application server, for detecting web attacks, the method comprising:
- responsive to a first HTTP message being transmitted between the HTTP client and the web application server as part of an HTTP session, generating security gateway session security state information (SGI) based on a policy and the first HTTP message;
  
  generating a digital signature (SGS) from the SGI;
  
  creating an SG signed session security state information cookie (SGC) that includes the SGS and not the SGI;
  
  sending the SGC to the HTTP client for storage instead of storing the SGI in the SG, wherein the HTTP client should return the SGC as part of a next HTTP request transmitted from the HTTP client to the web application server as part of the HTTP session; and
  
  responsive to a second HTTP message being transmitted from the HTTP client to the web application server as part of the HTTP session, attempting to validate a claim made in the second HTTP request message using at least the policy and the SGC that is supposed to be returned with the next HTTP request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein:
    - the method further includes generating a global digital signature (GSGS) from the SGS and other SGSs to be sent to the HTTP client;
      
      the sending further includes sending the GSGS to the HTTP client for storage in one of the same SGC or a different SGC; and
      
      the attempting to validate further includes attempting to validate any SGSs returned with the second HTTP message using the GSGS that is supposed to be returned with the second HTTP message.
  - 3. The method of claim 2, wherein the attempting to validate any SGSs further includes:
    - generating an expected global digital signature (GSGS′
      
      ) from the SGSs; and
      
      comparing the GSGS′
      
      to the GSGS.
  - 4. The method of claim 1, wherein the first HTTP message is an HTTP request message and the SGI is a request type SGI.
  - 5. The method of claim 1, wherein the first HTTP message is an HTTP response message and the SGI is a response type SGI.
  - 6. The method of claim 1, wherein the policy is for detecting a parameter tampering attack.
  - 7. The method of claim 6, wherein the SGI includes a name of a parameter and a first read only value for the parameter identified by the web application server in the first HTTP message, and the claim in the second HTTP message is that the parameter with the name has a second value, wherein the first and second value are the same if the parameter has not been tampered with.
  - 8. The method of claim 1, wherein the policy is for detecting a forceful browsing attack.
  - 9. The method of claim 8, wherein the SGI includes a prerequisite URL identified by the HTTP client in the first HTTP message, and the claim in the second HTTP message is a URL requiring a prerequisite, wherein the perquisite is that the prerequisite URL was previously visited during the HTTP session.
  - 10. The method of claim 1, wherein the policy is for detecting a cookie poisoning attack.
  - 11. The method of claim 10, wherein the SGI includes a name for a web application cookie and a first value for the web application cookie identified by the HTTP client in the first HTTP message, and the claim in the second HTTP message is that the web application cookie has a second value, wherein the first and second value are the same if the web application cookie has not been tampered with.
  - 12. The method of claim 1, wherein the policy includes creation trigger information that when present in the first HTTP message causes the generating the SGI and the generating the SGS, and wherein the policy includes regeneration trigger information that when present in the second HTTP message causes the attempting to validate.
  - 13. The method of claim 1, wherein the attempting to validate the claim includes:
    - generating an expected security gateway session security state information (SGI′
      
      );
      
      generating an expected digital signature (SGS′
      
      ) from the SGI′
      
      ; and
      
      comparing the SGS′
      
      to the SGS.
  - 14. The method of claim 1, wherein the sending the SGC to the HTTP client includes:
    - inserting the SGC into the first HTTP message; and
      
      sending the first HTTP message to the HTTP client.
  - 15. The method of claim 1, wherein the sending the SGC to the HTTP client includes:
    - inserting the SGC into a third HTTP message; and
      
      sending the third HTTP message to the HTTP client.
  - 16. The method of claim 1, wherein the sending the SGC to the HTTP client includes:
    - receiving a forced reference request from the HTTP client for the SGC; and
      
      sending the SGC to the HTTP client.

17. A method in a security gateway (SG) for detecting web attacks, wherein the SG is coupled between a plurality of hypertext transport protocol (HTTP) clients and a set of one or more web application servers, wherein each of the plurality of HTTP clients has with one of the set of web application servers a web application session that involves the exchange of HTTP messages, wherein each of the set of web application servers stores web application session state information for each of its web application sessions, the method comprising:
- responsive to the exchange of HTTP messages, performing the following;
  
  distributively storing in the HTTP clients digital signatures (SGSs) generated by the SG to validate claims that may be made in HTTP requests subsequently transmitted by the HTTP clients to the set of web application servers as part of the web application sessions, wherein the distributively storing comprises;
  
  generating pieces of SG session security state information (SGIs) based on polices and based on certain of the web application session state information the SG can derive from the HTTP messages currently being exchanged;
  
  generating a digital signatures (SGSs) from the SGIs;
  
  transmitting to the HTTP clients their respective SGSs in HTTP cookies (SGCs);
  
  checking for web attacks in those of the HTTP messages that are HTTP requests with information that implicitly claims that the HTTP request conforms with the policies, wherein the checking comprises;
  
  attempting to validate any such claims in each of the HTTP requests based on the policies and any of the SGCs returned with that HTTP request; and
  
  processing according to failure criteria any of the HTTP requests that fail the attempted validation.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 18. The method of claim 17, wherein the SGIs are generated responsive to HTTP request messages.
  - 19. The method of claim 17, wherein the SGIs are generated responsive to HTTP response messages.
  - 20. The method of claim 17, wherein the policies are for detecting a parameter tampering type of attack.
  - 21. The method of claim 17, wherein the policies are for detecting a forceful browsing type of attack.
  - 22. The method of claim 17, wherein the policies are for detecting a cookie poisoning type of attack.
  - 23. The method of claim 17, wherein the policies include creation trigger information that when present in one of the HTTP messages causes one of the SGSs to be stored in one of the HTTP clients, and wherein the policies include regeneration trigger information that when present in one of the HTTP request messages implicitly claims that the HTTP request conforms with the policy.
  - 24. The method of claim 17, wherein the attempting to validate includes:
    - generating an expected security gateway session security state information (SGI′
      
      );
      
      generating an expected digital signature (SGS′
      
      ) from the SGI′
      
      ; and
      
      comparing the SGS′
      
      one of the returned SGSs.
  - 25. The method of claim 17, wherein the transmitting to the HTTP clients their respective SGSs in HTTP cookies (SGCs) includes:
    - inserting the SGCs into HTTP response ones of the HTTP messages.
  - 26. The method of claim 25, wherein the inserting includes fully buffering the HTTP responses before sending them to their respective HTTP clients.
  - 27. The method of claim 25, wherein the inserting is performed as the HTTP responses are being passed through without being fully buffered.
  - 28. The method of claim 25, wherein the inserting includes inserting the SGCs into response headers of the HTTP responses.
  - 29. The method of claim 25, wherein the inserting includes inserting the SGCs into response trailers of the HTTP responses.
  - 30. The method of claim 17, wherein the transmitting to the HTTP clients their respective SGSs in HTTP cookies (SGCs) includes:
    - receiving forced reference requests from the HTTP clients for their respective SGCs; and
      
      sending the SGCs to the HTTP clients accordingly.

31. An apparatus comprising:
- a network element including;
  
  a security gateway (SG) to detect web attacks in a web application session between a hypertext transport protocol (HTTP) client and a web application server, the security gateway to be coupled to receive HTTP messages being transmitted between the HTTP client and the web application server as part of the web application session, and the security gateway to be coupled to receive a policy that includes information including regeneration trigger information,wherein the security gateway is configured to receive an HTTP response one of the HTTP messages transmitted by the web application server, and configured to transmit a modified version of this HTTP response message to the HTTP client, wherein the modification results in an HTTP cookie that includes a first digital signature being sent by the SG to the HTTP client;
  
  wherein the security gateway is configured to receive an HTTP request one of the HTTP messages transmitted by the HTTP client after the HTTP client has received the HTTP cookie, wherein the HTTP request includes the HTTP cookie and the regeneration trigger information; and
  
  wherein generating a second digital signature, in the same manner used to generate the first digital signature, from at least one of part of the HTTP request and part of the information included in the policy yields matching digital signatures or different digital signatures respectively depending on whether a web attack has occurred.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 32. The network element of claim 31, wherein the modification also results in a third digital signature being sent by the SG to the HTTP client, the third digital signature being generated from the first digital signature and other digital signatures, wherein the HTTP request also includes the third digital signature, and wherein generating a fourth digital signature, in the same manner used to generate the third digital signature, from any and all of the first digital signature and the other digital signatures included in the HTTP request yields matching digital signatures or different digital signatures respectively depending on whether a web attack has occurred.
  - 33. The network element of claim 31, wherein the modification the HTTP cookie in the HTTP response message.
  - 34. The network element of claim 31, wherein the modification in the HTTP cookie in the header section of the HTTP response message.
  - 35. The network element of claim 31, wherein the modification is the HTTP cookie in a response trailer of the HTTP response message.
  - 36. The network element of claim 31, wherein the modification is a forced reference in a body section of the HTTP response message, wherein the forced reference will cause the HTTP client to request the HTTP cookie.
  - 37. The network element of claim 31, wherein the policy is for detecting a parameter tampering attack.
  - 38. The network element of claim 31, wherein the policy is for detecting a forceful browsing attack.
  - 39. The network element of claim 31, wherein the policy is for detecting a cookie poisoning attack.
  - 40. The network element of claim 31, wherein the policy also includes creation trigger information that is also in the HTTP response.
  - 41. The network element of claim 31, wherein the policy also includes creation trigger information and wherein the SG is also configured to receive an earlier HTTP response that includes the creation trigger information.
  - 42. The apparatus of claim 31, wherein the network element is coupled to a client end station executing the HTTP client and is also coupled to server hardware executing the web application server.
  - 43. The apparatus of claim 42, wherein the network element is also coupled to a management server having stored therein the policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Amichai Shulman, Be'Ery, Tal Arieh
Inventors
SHULMAN, AMICHAI, BE'ERY, TAL ARIEH

Granted Patent

US 8,448,233 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

DEALING WITH WEB ATTACKS USING CRYPTOGRAPHICALLY SIGNED HTTP COOKIES

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

DEALING WITH WEB ATTACKS USING CRYPTOGRAPHICALLY SIGNED HTTP COOKIES

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links