Firewalls for providing security in HTTP networks and applications
First Claim
1. A method for validating a communication sent from a client computer to an application server, the method comprising the steps of:
- a security server intercepting a first HTML document describing a first electronic form sent by the client computer addressed to the application server before the first form is processed by the application server, and in response, the security server generating a signature based on session information that is contained in the first HTML document but is not displayed during rendering of the first HTML document, and forwarding the first HTML document with the signature to the application server;
- in response to the first HTML document forwarded from the security server, the application server processing the first form, and returning to the client computer a second HTML document for a second, related form, the second HTML document for the related form having the session information which was the basis for the signature, the signature not being displayed during rendering of the related form; and
- the security server intercepting the second HTML document for the related form with the signature subsequently sent by the client computer addressed to the application server before the related form is processed by the application server, the related form having data entered by the user, and in response, the security server determining that the signature in the second HTML document matches the signature from the first HTML document, and in response, the security server forwarding to the application server the second HTML document for the related form for processing by the application server.
Abstract
Systems and methods provide security to HTTP applications. Responses sent from a server, such as a web server, are analyzed and a signature is generated for each HTML object in that page. The signature is encrypted and sent to the client along with the contents of the page. When the client later sends a request, the system checks the signature associated with that request against the contents of the request itself. If the values, variables, lengths, and cardinality of the request validate against the signature, the request is forwarded to the web server. If validation fails, the request is blocked from reaching the web server, thereby protecting the web server from malicious attacks. The systems and methods offer security without being limited to a session or user.
Citations: 24
Claims: 14 (claim 1 is given above under First Claim; claims 2, 3, 4 and 5 depend on it)

6. A computer program product for validating a communication sent from a client computer to an application server, the computer program product comprising:
- one or more computer-readable storage devices and program instructions stored on at least one of the one or more storage devices, the program instructions comprising:
- program instructions, for execution in a security server, to intercept a first HTML document describing a first electronic form sent by the client computer addressed to the application server before the first form is processed by the application server, and in response, generate a signature based on session information that is contained in the first HTML document but is not displayed during rendering of the first HTML document, and forward the first HTML document with the signature to the application server;
- program instructions, for execution in the application server, responsive to the first HTML document forwarded from the security server, to process the first form, and return to the client computer a second HTML document for a second, related form, the second HTML document for the related form having the session information which was the basis for the signature, the signature not being displayed during rendering of the related form; and
- program instructions, for execution in the security server, to intercept the second HTML document for the related form with the signature subsequently sent by the client computer addressed to the application server before the related form is processed by the application server, the related form having data entered by the user, and in response, determine that the signature in the second HTML document matches the signature from the first HTML document, and in response, forward to the application server the second HTML document for the related form for processing by the application server.
Dependent claims: 7, 8, 9, 10.

11. A computer program product for validating a communication sent from a client computer to an application server, the computer program product comprising:
- one or more computer-readable storage devices and program instructions stored on at least one of the one or more storage devices, the program instructions comprising:
- program instructions, for execution in a security server, to intercept a first HTML document describing a first electronic form sent by the client computer addressed to the application server before the first form is processed by the application server, and in response, generate a signature based on information with the form specifying a permitted maximum length of data in a field of the form, and forward the first HTML document with the signature to the application server;
- program instructions, for execution in the application server, responsive to the first HTML document forwarded from the security server, to process the first form, and return to the client computer a second HTML document for a second, related form, the second HTML document for the related form having the session information which was the basis for the signature, the signature not being displayed during rendering of the related form; and
- program instructions, for execution in the security server, to intercept the second HTML document for the related form with the signature subsequently sent by the client computer addressed to the application server before the related form is processed by the application server, the related form having data entered by the user, and in response, determine that the signature in the second HTML document matches the signature from the first HTML document, and in response, forward to the application server the second HTML document for the related form for processing by the application server.
Dependent claims: 12, 13, 14.
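The abstract and claims 1, 6 and 11 all describe the same mechanism from different angles: a security server between the client and the application server signs the parts of a form the user never sees or may not change (hidden session information, the declared maxlength of each field, the set of field names), hands the signature to the client with the page, and later refuses to forward any submission whose contents do not match that signature. The following Python is an added worked example written for this page; it is not code from the patent, its assignee or any product. It models both paths of such a security server in one stateless token, which is the "not limited to a session or user" variant the abstract describes, and compresses the two-request flow of claim 1 into "sign the form on the way out, check it on the way back". The field name `__form_sig`, the key `PROXY_KEY`, the function names and the sample form are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

SIG_FIELD = "__form_sig"   # assumed name of the hidden field carrying the signature
PROXY_KEY = b"constructed-example-key-held-only-by-the-security-server"

# Constructed sample page from the application server: one hidden session
# field the user never sees and one visible field with a declared maxlength.
SAMPLE_FORM = (
    '<form action="/transfer" method="post">'
    '<input type="hidden" name="sid" value="abc123">'
    '<input type="text" name="amount" maxlength="6">'
    '<input type="submit" value="Send"></form>'
)


class _FormParser(HTMLParser):
    """Collects the named input fields of the first <form> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}   # name -> {"type", "value", "maxlength"}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action", "")
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.fields[a["name"]] = {
                "type": (a.get("type") or "text").lower(),
                "value": a.get("value"),
                "maxlength": int(a["maxlength"]) if a.get("maxlength") else None,
            }


def describe_form(html):
    """Build the constraint set the security server signs: the form action,
    every field name (cardinality), each field's maxlength, and the value of
    every hidden field (session information not displayed during rendering)."""
    p = _FormParser()
    p.feed(html)
    fields = {}
    for name, f in p.fields.items():
        c = {"maxlength": f["maxlength"]}
        if f["type"] == "hidden":
            c["value"] = f["value"]
        fields[name] = c
    return {"action": p.action, "fields": fields}


def make_token(description):
    """Stateless token: the canonical description plus an HMAC over it, so the
    proxy needs no per-session storage to check a later submission."""
    canonical = json.dumps(description, sort_keys=True, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(canonical).decode()
    mac = hmac.new(PROXY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + mac


def protect_response(html):
    """Response path: sign the form the application server returned and embed
    the token as an extra hidden field, sent to the client with the page."""
    token = make_token(describe_form(html))
    tag = '<input type="hidden" name="%s" value="%s">' % (SIG_FIELD, token)
    return html.replace("</form>", tag + "</form>", 1)


def encode_body(fields):
    """Encode a dict as an application/x-www-form-urlencoded request body."""
    return urlencode(fields)


def validate_request(body):
    """Request path: check a submitted form body against its token.
    Returns (ok, reason); the proxy forwards to the application server only
    when ok is True, otherwise the request is blocked."""
    submitted = parse_qs(body, keep_blank_values=True)
    token = submitted.pop(SIG_FIELD, [None])[0]
    if token is None or "." not in token:
        return False, "missing signature"
    enc, mac = token.rsplit(".", 1)
    expected = hmac.new(PROXY_KEY, enc.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad signature"
    fields = json.loads(base64.urlsafe_b64decode(enc))["fields"]
    # Cardinality: no field the form did not declare, and no repeated field.
    for name, values in submitted.items():
        if name not in fields:
            return False, "unexpected field %s" % name
        if len(values) != 1:
            return False, "repeated field %s" % name
    for name, c in fields.items():
        value = submitted.get(name, [""])[0]
        # Non-displayed values must come back exactly as they were signed.
        if "value" in c and value != (c["value"] or ""):
            return False, "tampered hidden field %s" % name
        # Entered data must respect the maxlength the form declared.
        if c["maxlength"] is not None and len(value) > c["maxlength"]:
            return False, "field %s exceeds maxlength" % name
    return True, "ok"


if __name__ == "__main__":
    tok = make_token(describe_form(SAMPLE_FORM))
    print(validate_request(encode_body({"sid": "abc123", "amount": "100", SIG_FIELD: tok})))
    print(validate_request(encode_body({"sid": "other", "amount": "100", SIG_FIELD: tok})))
```

The token is an HMAC rather than a plain hash because the client holds it: only the security server's key can produce a valid signature, so a client that edits the hidden session value, lengthens a field past its maxlength or adds a field the form never declared fails validation and is blocked before the application server sees the request. A deployment would also bind the token to the form action and an expiry to limit replay, which the abstract leaves to the implementer.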
Specification