Firewalls for providing security in HTTP networks and applications

US 8,689,295 B2
Filed: 03/13/2012
Issued: 04/01/2014
Est. Priority Date: 05/16/2001
Status: Active Grant

First Claim

Patent Images

1. A method for validating a communication sent from a client computer to an application server, the method comprising the steps of:

a security server intercepting a first HTML document describing a first electronic form sent by the client computer addressed to the application server before the first form is processed by the application server, and in response, the security server generating a signature based on session information that is contained in the first HTML document but is not displayed during rendering of the first HTML document, and forwarding the first HTML document with the signature to the application server;

in response to the first HTML document forwarded from the security server, the application server processing the first form, and returning to the client computer a second HTML document for a second, related form, the second HTML document for the related form having the session information which was the basis for the signature, the signature not being displayed during rendering of the related form; and

the security server intercepting the second HTML document for the related form with the signature subsequently sent by the client computer addressed to the application server before the related form is processed by the application server, the related form having data entered by the user, and in response, the security server determining that the signature in the second HTML document matches the signature from the first HTML document, and in response, the security server forwarding to the application server the second HTML document for the related form for processing by the application server.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods provide security to HTTP applications. Responses sent from a server, such as a web server, are analyzed and a signature is generated for each HTML object in that page. The signature is encrypted and sent to a client along with the contents of the page. When a client later sends a request, the system checks the signature associated with that request with the contents of the request itself. If the values, variables, lengths, and cardinality of the request are validated, then the request is forwarded to the web server. If, on the other hand, the request is invalidated, the request is blocked from reaching the web server, thereby protecting the web server from malicious attacks. The systems and methods offer security without being limited to a session or user.

24 Citations

View as Search Results

14 Claims

1. A method for validating a communication sent from a client computer to an application server, the method comprising the steps of:
- a security server intercepting a first HTML document describing a first electronic form sent by the client computer addressed to the application server before the first form is processed by the application server, and in response, the security server generating a signature based on session information that is contained in the first HTML document but is not displayed during rendering of the first HTML document, and forwarding the first HTML document with the signature to the application server;
  
  in response to the first HTML document forwarded from the security server, the application server processing the first form, and returning to the client computer a second HTML document for a second, related form, the second HTML document for the related form having the session information which was the basis for the signature, the signature not being displayed during rendering of the related form; and
  
  the security server intercepting the second HTML document for the related form with the signature subsequently sent by the client computer addressed to the application server before the related form is processed by the application server, the related form having data entered by the user, and in response, the security server determining that the signature in the second HTML document matches the signature from the first HTML document, and in response, the security server forwarding to the application server the second HTML document for the related form for processing by the application server.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 wherein the session information comprises a name of a log file to which each transaction of a session is written.
  - 3. The method of claim 1, wherein before the step of the security server determining that the signature in the second HTML document matches the signature from the first HTML document, further comprising the step of the security server determining that the related form is not exempt from preventing the related form intercepted by the security server from being forwarded to the application server.
  - 4. The method of claim 1 wherein the signature included with the related form and addressed by the client computer to the application server is encrypted.
  - 5. The method of claim 1, comprising:
    - the security server intercepting messages sent by the client computer to the application server; and
      
      the security server intercepting messages sent by the application server to the client computer.

6. A computer program product for validating a communication sent from a client computer to an application server, the computer program product comprising:
- one or more computer-readable storage devices and program instructions stored on at least one of the one or more storage devices, the program instructions comprising;
  
  program instructions, for execution in a security server, to intercept a first HTML document describing a first electronic form sent by the client computer addressed to the application server before the first form is processed by the application server, and in response, generate a signature based on session information that is contained in the first HTML document but is not displayed during rendering of the first HTML document, and forward the first HTML document with the signature to the application server;
  
  program instructions, for execution in the application server, responsive to the first HTML document forwarded from the security server, to process the first form, and return to the client computer a second HTML document for a second, related form, the second HTML document for the related form having the session information which was the basis for the signature, the signature not being displayed during rendering of the related form; and
  
  program instructions, for execution in the security server, to intercept the second HTML document for the related form with the signature subsequently sent by the client computer addressed to the application server before the related form is processed by the application server, the related form having data entered by the user, and in response, determine that the signature in the second HTML document matches the signature from the first HTML document, and in response, forward to the application server the second HTML document for the related form for processing by the application server.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer program product of claim 6 further comprising program instructions, for execution in the security server before the execution of the program instructions which determine that the signature in the second HTML document matches the signature from the first HTML document, to determine that the related form does not automatically pass to the application irrespective of the signature included with the related form.
  - 8. The computer program product of claim 6 wherein the signature included with the related form and addressed by the client computer to the application server is encrypted.
  - 9. The computer program product of claim 6, wherein the program instructions comprise:
    - program instructions, for execution in the security server, to intercept messages sent by the client computer to the application server; and
      
      program instructions, for execution in the security server, to intercept messages sent by the application server to the client computer.
  - 10. The computer program product of claim 6, wherein the session information comprises a name of a log file to which each transaction of a session is written.

11. A computer program product for validating a communication sent from a client computer to an application server, the computer program product comprising:
- one or more computer-readable storage devices and program instructions stored on at least one of the one or more storage devices, the program instructions comprising;
  
  program instructions, for execution in a security server, to intercept a first HTML document describing a first electronic form sent by the client computer addressed to the application server before the first form is processed by the application server, and in response, generate a signature based on information with the form specifying a permitted maximum length of data in a field of the form, and forward the first HTML document with the signature to the application server;
  
  program instructions, for execution in the application server, responsive to the first HTML document forwarded from the security server, to process the first form, and return to the client computer a second HTML document for a second, related form, the second HTML document for the related form having the session information which was the basis for the signature, the signature not being displayed during rendering of the related form; and
  
  program instructions, for execution in the security server, to intercept the second HTML document for the related form with the signature subsequently sent by the client computer addressed to the application server before the related form is processed by the application server, the related form having data entered by the user, and in response, determine that the signature in the second HTML document matches the signature from the first HTML document, and in response, forward to the application server the second HTML document for the related form for processing by the application server.
- View Dependent Claims (12, 13, 14)
- - 12. The computer program product of claim 11 further comprising program instructions, for execution in the security server before the execution of the program instructions which determine that the signature in the second HTML document matches the signature from the first HTML document, to determine that the related form does not automatically pass to the application irrespective of the signature included with the related form.
  - 13. The computer program product of claim 11 wherein the signature included with the related form and addressed by the client computer to the application server is encrypted.
  - 14. The computer program product of claim 11, wherein the program instructions comprise:
    - program instructions, for execution in the security server, to intercept messages sent by the client computer to the application server; and
      
      program instructions, for execution in the security server, to intercept messages sent by the application server to the client computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hidalgo, Llius Mora, Lleonart, Xabier Panadero
Primary Examiner(s)
Khoshnoodi, Nadia

Application Number

US13/418,725
Publication Number

US 20120260315A1
Time in Patent Office

749 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

H04L 63/04 for providing a confidentia...

Firewalls for providing security in HTTP networks and applications

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

24 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Firewalls for providing security in HTTP networks and applications

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links