Secure framework for invoking server-side APIs using AJAX

US 8,332,654 B2
Filed: 12/08/2008
Issued: 12/11/2012
Est. Priority Date: 12/08/2008
Status: Active Grant

First Claim

Patent Images

1. A method for securely invoking a server-side Application Programming Interface (API), the method comprising:

receiving, from a client-side component of a Web application, a request to invoke an API hosted on a server;

wherein the request is generated by a client device executing instructions written in a scripting language, the executed instructions displaying a visual presentation for a user on the client device; and

asynchronously sending the request to invoke the API hosted on the server;

in response to receiving the request to invoke the API hosted on the server, invoking a security handler hosted on the server, the security handler configured to process the request in a manner that mitigates a plurality of different types of security attacks;

wherein the plurality of different types of security attacks includes at least replay attacks, and the security handler is configured to prevent a replay attack;

invoking the API on the server; and

sending a response comprising output data generated by the API to the client-side component;

wherein receipt of the response causes only a portion of the visual presentation corresponding to changed data to be updated without refreshing the entire display.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for securely invoking a server-side API from client-side Web application code using AJAX. In one set of embodiments, a request to invoke a server-side API is received from a client-side component of a Web application, where the request is sent asynchronously using AJAX. One or more security handlers are then invoked to process the request in a manner that mitigates various security attacks. In one embodiment, a security handler is invoked to defend against a plurality of different types of Web application/AJAX security attacks. In another embodiment, authentication and authorization security handlers are invoked to authenticate a user of the Web application that originated the request and determine whether the user is authorized to call the server-side API. In yet another embodiment, configuration is implemented at the data storage tier to enforce user-access and data security on data that is retrieved/stored as a result of invoking the server-side API.

Citations

22 Claims

1. A method for securely invoking a server-side Application Programming Interface (API), the method comprising:
- receiving, from a client-side component of a Web application, a request to invoke an API hosted on a server;
  
  wherein the request is generated by a client device executing instructions written in a scripting language, the executed instructions displaying a visual presentation for a user on the client device; and
  
  asynchronously sending the request to invoke the API hosted on the server;
  
  in response to receiving the request to invoke the API hosted on the server, invoking a security handler hosted on the server, the security handler configured to process the request in a manner that mitigates a plurality of different types of security attacks;
  
  wherein the plurality of different types of security attacks includes at least replay attacks, and the security handler is configured to prevent a replay attack;
  
  invoking the API on the server; and
  
  sending a response comprising output data generated by the API to the client-side component;
  
  wherein receipt of the response causes only a portion of the visual presentation corresponding to changed data to be updated without refreshing the entire display.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the method is performed by a pluggable server extension running on the server.
  - 3. The method of claim 1, wherein the instructions written in a scripting language run in a Web browser on the client device.
  - 4. The method of claim 1, wherein the API is an API for an object oriented programming language.
  - 5. The method of claim 1, wherein the plurality of security attacks further includes Cross Site Scripting, Cross Site Request Forgery, and injection attacks.
  - 6. The method of claim 5, wherein the injection attacks include SQL injection, PL/SQL injection, XML injection, HTML injection, and scripting language injection.
  - 7. The method of claim 5, wherein the plurality of different types of security attacks further includes illegal redirects and buffer overflows.
  - 8. The method of claim 1, wherein the request includes an API name, a class name, and one or more parameter values for the API.
  - 9. The method of claim 8, wherein processing the request comprises validating the one or more parameter values against a white-list of valid characters or values.
  - 10. The method of claim 8, wherein processing the request comprises escaping code tags in the one or more parameter values.
  - 11. The method of claim 8, wherein processing the request comprises determining whether the one or more parameter values are signed using a context signature.
  - 12. The method of claim 1 further comprising:
    - invoking an authentication security handler configured to authenticate a user of the Web application that originated the request; and
      
      invoking an authorization security handler configured to determine whether the user is authorized to invoke the API.
  - 13. The method of claim 12, wherein the Web application is built using an application framework, and wherein the authentication and authorization security handlers rely on security data specific to the application framework.
  - 14. The method of claim 1, wherein the API is configured to query one or more database tables, and wherein the results of the query are automatically filtered based on an identity of a user that originated the request and user-access permissions defined for the one or more database tables.
  - 15. The method of claim 1, wherein the API is configured to store data into one or more database tables, and wherein the data is automatically encrypted prior to storage.
  - 16. The method of claim 1, wherein a configuration file is maintained at the server including a list of server-side APIs and associated invocation permissions, anddetermining, based on the list, whether the API can be invoked in response to the request.

17. A server system comprising:
- a storage component configured to store code for an Application Programming Interface (API); and
  
  a processing component in communication with the storage component, wherein the processing component is configured to;
  
  receive, from a client-side component of a Web application, a request to invoke the API, wherein the request is generated by a client device executing instructions written in a scripting language, the executed instructions displaying a visual presentation for a user on the client device; and
  
  asynchronously sending the request to invoke the API hosted on the server;
  
  in response to receiving the request to invoke the API hosted on the server, invoke a security handler configured to process the request in a manner that mitigates a plurality of different types of security attacks;
  
  wherein the plurality of different types of security attacks includes at least replay attacks, and the security handler is configured to prevent a replay attack;
  
  invoke the API; and
  
  send a response comprising output data generated by the API to the client-side component;
  
  wherein receipt of the response causes only a portion of the visual presentation corresponding to changed data to be updated without refreshing the entire display.
- View Dependent Claims (18, 19)
- - 18. The server system of claim 17, wherein the plurality of different types of security attacks further includes Cross Site Scripting, Cross Site Request Forgery, and injection attacks.
  - 19. The server system of claim 18, wherein the injection attacks include SQL injection, PL/SQL injection, XML injection, HTML injection, and scripting language injection.

20. A non-transitory machine-readable storage medium storing instructions which when executed cause one or more processors to securely invoke a server-side Application Programming Interface (API), the instructions comprising instructions for:
- receiving, from a client-side component of a Web application, a request to invoke an API hosted on a server, wherein the request is generated by a client device executing instructions written in a scripting language, the executed instructions displaying a visual presentation for a user on the client device; and
  
  asynchronously sending the request to invoke the API hosted on the server;
  
  in response to receiving the request to invoke the API hosted on the server, invoking a security handler hosted on the server, the security handler configured to process the request in a manner that mitigates a plurality of different types of security attacks;
  
  wherein the plurality of different types of security attacks includes at least replay attacks, and the security handler is configured to prevent a replay attack;
  
  invoking the API on the server; and
  
  sending a response comprising output data generated by the API to the client-side component;
  
  wherein receipt of the response causes only a portion of the visual presentation corresponding to changed data to be updated without refreshing the entire display.
- View Dependent Claims (21, 22)
- - 21. The non-transitory machine-readable storage medium of claim 20, wherein the plurality of different types of security attacks further includes Cross Site Scripting, Cross Site Request Forgery, and injection attacks.
  - 22. The non-transitory machine-readable storage medium of claim 21, wherein the injection attacks include SQL injection, PL/SQL injection, XML injection, HTML injection, and scripting language injection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Anbuselvan, Ananthalakshmi
Primary Examiner(s)
POWERS, WILLIAM S

Application Number

US12/330,008
Publication Number

US 20100146291A1
Time in Patent Office

1,464 Days
Field of Search

713/189, 719/315, 707/781
US Class Current

713/189
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

H04L 63/1441   Countermeasures against mal...

Secure framework for invoking server-side APIs using AJAX

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Secure framework for invoking server-side APIs using AJAX

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links