Detecting web browser based attacks using browser digest compute tests launched from a remote source

US 8,752,208 B2
Filed: 03/23/2012
Issued: 06/10/2014
Est. Priority Date: 05/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method performed in a security gateway coupled between an HTTP (Hypertext Transfer Protocol) client and a web application installed on a server, the method comprising:

receiving an HTTP response message from a web application server for delivery to an HTTP client, the response message including content;

computing a digest based on the content of the HTTP response message;

modifying the HTTP response message from the web application server to include code that when executed by a web browser on the HTTP client will cause the web browser to perform a test by computing a locally generated digest based on the HTTP response message it receives and return the locally generated digest to the security gateway;

sending to the HTTP client the modified HTTP response message;

receiving a test result message from the HTTP client, the test result message indicating the locally generated digest computed by the HTTP client wherein the digest and the locally generated digest will not match if malware has modified the content before reaching the web browser;

analyzing the test result message for an indication of malware on the HTTP client; and

taking defensive measures responsive to the analyzing.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The detection of web browser-based attacks using browser tests launched from a remote source is described. In one example, a digest is computed based on the content of an HTTP response message. The message is modified and sent to a client device that also computes a digest. The digests are compared to determine whether content has been modified by malware on the HTTP client. The results of the test are analyzed and defensive measures are taken.

Citations

19 Claims

1. A method performed in a security gateway coupled between an HTTP (Hypertext Transfer Protocol) client and a web application installed on a server, the method comprising:
- receiving an HTTP response message from a web application server for delivery to an HTTP client, the response message including content;
  
  computing a digest based on the content of the HTTP response message;
  
  modifying the HTTP response message from the web application server to include code that when executed by a web browser on the HTTP client will cause the web browser to perform a test by computing a locally generated digest based on the HTTP response message it receives and return the locally generated digest to the security gateway;
  
  sending to the HTTP client the modified HTTP response message;
  
  receiving a test result message from the HTTP client, the test result message indicating the locally generated digest computed by the HTTP client wherein the digest and the locally generated digest will not match if malware has modified the content before reaching the web browser;
  
  analyzing the test result message for an indication of malware on the HTTP client; and
  
  taking defensive measures responsive to the analyzing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising establishing a session between the HTTP client and the web application server and wherein the taking defensive measures comprises marking the session as compromised.
  - 3. The method of claim 1, further comprising receiving an HTTP request message, the HTTP request message being from the HTTP client and directed to the web application server and wherein the HTTP response message is in response to the HTTP request message.
  - 4. The method of claim 3, further comprising transmitting the HTTP request to the web application server.
  - 5. The method of claim 1, wherein the HTTP client includes a web browser and the computing the locally generated digest is performed by the web browser independent of any malware on the HTTP client.
  - 6. The method of claim 1, wherein the taking defensive measures includes blocking messages from the HTTP client.
  - 7. The method of claim 1, wherein the modified HTTP response message includes a test identifier to uniquely identify the test and wherein the code includes a command to return an indication of the test identifier.
  - 8. The method of claim 7, wherein the test identifier includes an encrypted token generated using the computed digest and wherein the code includes a command to return the encrypted token.
  - 9. The method of claim 1, wherein sending the modified HTTP response message includes sending a command to the HTTP client that when executed by a web browser on the HTTP client causes the web browser to perform the test operation with a remote server and to cause the remote server to forward the test results to the security gateway.
  - 10. The method of claim 9, wherein the modified HTTP response message includes an indication of the digest, and wherein the sending a command includes sending a reference to the remote server and a command to send the indication of the digest to the remote server.

11. An apparatus comprising:
- a network element including;
  
  a security gateway module to receive an HTTP (Hypertext Transfer Protocol) response message from a web application server for delivery to an HTTP client, the response message including content;
  
  wherein the security gateway module is further to perform a test with the HTTP client responsive to the received HTTP request message and a policy, wherein the performing includes;
  
  computing a digest based on the content of the HTTP response message;
  
  modifying the HTTP response message from the web application server to include code that when executed by a web browser on the HTTP client will cause the web browser to perform a test by computing a locally generated digest based on the HTTP response message it receives and return the locally generated digest to the security gateway;
  
  sending to the HTTP client the modified HTTP response message; and
  
  receiving a test result message from the HTTP client, the test result message indicating the locally generated digest computed by the HTTP client wherein the digest and the locally generated digest will not match if malware has modified the content before reaching the web browser;
  
  wherein the security gateway module is further to analyze the test result for an indication of malware on the HTTP client; and
  
  wherein the security gateway module is further to take defensive measures responsive to the analyzing.
- View Dependent Claims (12, 13, 14)
- - 12. The apparatus of claim 11, wherein the security gateway module is further to receive an HTTP request message, the HTTP request message being from an HTTP client and directed to a server on which a web application is installed and to determine whether the test is to be performed by detecting content in the request message that is commonly inserted by malware on an HTTP client.
  - 13. The apparatus of claim 11, wherein the modified HTTP response further includes an encrypted token generated using the computed digest and wherein the code includes a command to return the encrypted token.
  - 14. The apparatus of claim 11, wherein the HTTP client includes a web browser and the test operation is performed by the web browser independent of any malware on the HTTP client.

15. A non-transitory machine-readable medium storing instructions that, when executed by the machine, cause the machine to perform operations comprising:
- receiving an HTTP response message from a web application server for delivery to an HTTP client, the response message including content;
  
  computing a digest based on the content of the HTTP response message;
  
  modifying the HTTP response message from the web application server to include code that when executed by a web browser on the HTTP client will cause the web browser to perform a test by computing a locally generated digest based on the HTTP response message it receives and return the locally generated digest to the security gateway;
  
  sending to the HTTP client the modified HTTP response message;
  
  receiving a test result message from the HTTP client, the test result message indicating the locally generated digest computed by the HTTP client wherein the digest and the locally generated digest will not match if malware has modified the content before reaching the web browser;
  
  analyzing the test result message for an indication of malware on the HTTP client; and
  
  taking defensive measures responsive to the analyzing.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The medium of claim 15, the instructions further comprising establishing a session between the HTTP client and the web application server and wherein the taking defensive measures comprises marking the session as compromised.
  - 17. The medium of claim 16, wherein the taking defensive measures includes blocking messages from the HTTP client.
  - 18. The medium of claim 15, wherein sending the modified HTTP response message includes sending a command to the HTTP client that when executed by a web browser on the HTTP client causes the web browser to perform the test operation with a remote server and to cause the remote server to forward the test results to the security gateway.
  - 19. The medium of claim 18, wherein the modified HTTP response message includes an indication of the digest, and wherein the sending a command includes sending a reference to the remote server and a command to send the indication of the digest to the remote server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Imperva Incorporated (Thales SA)
Original Assignee
Imperva Incorporated (Thales SA)
Inventors
Shulman, Amichai, Be'ery, Tal Arieh
Primary Examiner(s)
WILLIAMS, JEFFERY L

Application Number

US13/429,235
Publication Number

US 20120291129A1
Time in Patent Office

809 Days
Field of Search

None
US Class Current

726/30
CPC Class Codes

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/561   Adding application-function...

Detecting web browser based attacks using browser digest compute tests launched from a remote source

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting web browser based attacks using browser digest compute tests launched from a remote source

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links