Detecting web browser based attacks using browser digest compute tests launched from a remote source
Abstract
The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken.
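The flow in the abstract, sketched as an added Node.js example that is not code from the patent: the gateway digests the content, injects a test tag, and compares the digest the client returns. The `/__gw/test.js` path, the tag format, the verdict labels and the `clientTestResult` stand-in for the browser-side code are assumptions.

```javascript
// Added example: gateway-side digest test, with the browser side simulated.
const nodeCrypto = require('node:crypto');

const sha256 = (text) => nodeCrypto.createHash('sha256').update(text, 'utf8').digest('hex');

// Hypothetical tag format for the injected test code; the script body itself is out of scope.
const probeTag = (id) => `<script data-gw-test="${id}" src="/__gw/test.js"></script>`;
const PROBE_RE = /<script data-gw-test="[0-9a-f]+" src="\/__gw\/test\.js"><\/script>/;

// Gateway: digest the server's content, remember it under a fresh test id, inject the probe.
function instrumentResponse(body, pending) {
  const testId = nodeCrypto.randomBytes(8).toString('hex');
  pending.set(testId, sha256(body));
  const at = body.lastIndexOf('</body>');
  const modified = at === -1 ? body + probeTag(testId)
    : body.slice(0, at) + probeTag(testId) + body.slice(at);
  return { testId, modified };
}

// Stand-in for the browser: hash what arrived, minus the gateway's own probe tag.
function clientTestResult(testId, receivedBody) {
  return { testId, digest: sha256(receivedBody.replace(PROBE_RE, '')) };
}

// Gateway: compare digests and choose a defensive measure (labels are illustrative).
function analyzeTestResult(result, pending) {
  const expected = pending.get(result.testId);
  if (expected === undefined) return 'reject-unknown-test';
  pending.delete(result.testId); // each test id is single-use
  const a = Buffer.from(expected, 'hex');
  const b = Buffer.from(String(result.digest), 'hex');
  const same = a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
  return same ? 'allow' : 'flag-client-content-modified';
}

// Constructed sample page and a constructed modification made on the client.
const PAGE = '<html><body><form action="/login"><input name="user"></form></body></html>';
const addField = (html) => html.replace('</form>', '<input name="pin"></form>');

function demo() {
  const pending = new Map();
  const clean = instrumentResponse(PAGE, pending);
  const altered = instrumentResponse(PAGE, pending);
  return [
    analyzeTestResult(clientTestResult(clean.testId, clean.modified), pending),
    analyzeTestResult(clientTestResult(altered.testId, addField(altered.modified)), pending),
    analyzeTestResult(clientTestResult(clean.testId, clean.modified), pending), // replayed id
  ];
}
console.log(demo());
```

The digest is taken before the probe is injected, so the client side has to exclude the probe from what it hashes; otherwise every unmodified page would report a mismatch.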
19 Claims
1. A method performed in a security gateway coupled between an HTTP (Hypertext Transfer Protocol) client and a web application installed on a server, the method comprising:
- receiving an HTTP response message from a web application server for delivery to an HTTP client, the response message including content;
- computing a digest based on the content of the HTTP response message;
- modifying the HTTP response message from the web application server to include code that when executed by a web browser on the HTTP client will cause the web browser to perform a test by computing a locally generated digest based on the HTTP response message it receives and return the locally generated digest to the security gateway;
- sending to the HTTP client the modified HTTP response message;
- receiving a test result message from the HTTP client, the test result message indicating the locally generated digest computed by the HTTP client wherein the digest and the locally generated digest will not match if malware has modified the content before reaching the web browser;
- analyzing the test result message for an indication of malware on the HTTP client; and
- taking defensive measures responsive to the analyzing.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. An apparatus comprising:
- a network element including;
  - a security gateway module to receive an HTTP (Hypertext Transfer Protocol) response message from a web application server for delivery to an HTTP client, the response message including content;
  - wherein the security gateway module is further to perform a test with the HTTP client responsive to the received HTTP request message and a policy, wherein the performing includes;
    - computing a digest based on the content of the HTTP response message;
    - modifying the HTTP response message from the web application server to include code that when executed by a web browser on the HTTP client will cause the web browser to perform a test by computing a locally generated digest based on the HTTP response message it receives and return the locally generated digest to the security gateway;
    - sending to the HTTP client the modified HTTP response message; and
    - receiving a test result message from the HTTP client, the test result message indicating the locally generated digest computed by the HTTP client wherein the digest and the locally generated digest will not match if malware has modified the content before reaching the web browser;
  - wherein the security gateway module is further to analyze the test result for an indication of malware on the HTTP client; and
  - wherein the security gateway module is further to take defensive measures responsive to the analyzing.

Dependent claims: 12, 13, 14

15. A non-transitory machine-readable medium storing instructions that, when executed by the machine, cause the machine to perform operations comprising:
- receiving an HTTP response message from a web application server for delivery to an HTTP client, the response message including content;
- computing a digest based on the content of the HTTP response message;
- modifying the HTTP response message from the web application server to include code that when executed by a web browser on the HTTP client will cause the web browser to perform a test by computing a locally generated digest based on the HTTP response message it receives and return the locally generated digest to the security gateway;
- sending to the HTTP client the modified HTTP response message;
- receiving a test result message from the HTTP client, the test result message indicating the locally generated digest computed by the HTTP client wherein the digest and the locally generated digest will not match if malware has modified the content before reaching the web browser;
- analyzing the test result message for an indication of malware on the HTTP client; and
- taking defensive measures responsive to the analyzing.

Dependent claims: 16, 17, 18, 19

Specification