Security for WAP servers

US 9,003,509 B1
Filed: 12/10/2008
Issued: 04/07/2015
Est. Priority Date: 08/11/2003
Status: Expired

First Claim

Patent Images

1. A network device for managing a communication over a network, comprising:

a transceiver configured to intercept an incoming message from a client device and an outgoing message from a server device, wherein an application resides on the server device; and

a processor configured to perform actions including;

intercepting a request from the client device to the application residing on the server device for content from the application;

determining when the request for content is compliant based on a comparison of hidden fields by performing actions, comprising;

examining the request for an encrypted state token;

decrypting the encrypted state token;

extracting from the state token a hidden field;

comparing the extracted hidden field to values of hidden fields from an application state data store; and

when the extracted hidden field is determined to be non-compliant based on the comparison, blocking the request from being forwarded to the application; and

determining whether the request for content is compliant by comparing the request to a list of allowable compliant requests determined by a current state of the client device with the application and an application model of the application, the application model being automatically generated in part based on a probe of interactions with the application, the probe of interactions being separately generated by the network device absent use of the incoming message from the client device or a response from the server device to the incoming message to obtain responses to the probes that are used to identify at least the list of allowable compliant requests including allowable navigation paths within the application;

when the request for content is determined to be compliant based on the comparison of the request, forwarding the request for the content to the application; and

when the request is determined to be non-compliant based on the comparison of the request, blocking the request from being forwarded to the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for improving the security and control of internet/network web application processes, such as web applications. The invention enables validation of requests from web clients before the request reaches a web application server. Incoming web client requests are compared to an application model that may include an allowed navigation path within an underlying web application. Requests inconsistent with the application model are blocked before reaching the application server. The invention may also verify that application state data sent to application servers has not been inappropriately modified. Furthermore, the invention enables application models to be automatically generated by employing, for example, a web crawler to probe target applications. Once a preliminary application model is generated it can be operated in a training mode. An administrator may tune the application model by adding a request that was incorrectly marked as non-compliant to the application model.

Citations

16 Claims

1. A network device for managing a communication over a network, comprising:
- a transceiver configured to intercept an incoming message from a client device and an outgoing message from a server device, wherein an application resides on the server device; and
  
  a processor configured to perform actions including;
  
  intercepting a request from the client device to the application residing on the server device for content from the application;
  
  determining when the request for content is compliant based on a comparison of hidden fields by performing actions, comprising;
  
  examining the request for an encrypted state token;
  
  decrypting the encrypted state token;
  
  extracting from the state token a hidden field;
  
  comparing the extracted hidden field to values of hidden fields from an application state data store; and
  
  when the extracted hidden field is determined to be non-compliant based on the comparison, blocking the request from being forwarded to the application; and
  
  determining whether the request for content is compliant by comparing the request to a list of allowable compliant requests determined by a current state of the client device with the application and an application model of the application, the application model being automatically generated in part based on a probe of interactions with the application, the probe of interactions being separately generated by the network device absent use of the incoming message from the client device or a response from the server device to the incoming message to obtain responses to the probes that are used to identify at least the list of allowable compliant requests including allowable navigation paths within the application;
  
  when the request for content is determined to be compliant based on the comparison of the request, forwarding the request for the content to the application; and
  
  when the request is determined to be non-compliant based on the comparison of the request, blocking the request from being forwarded to the application.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The network device of claim 1, wherein the processor is configured to perform actions, further including:
    - receiving a response to the request from the application;
      
      storing information about selected hidden fields that are not visible within a display of the response;
      
      forwarding the response to the client device;
      
      receiving another request from the client device, the other request being in response to the received response;
      
      examining the other request to determine when it includes the selected hidden fields and when the included selected hidden fields are modified from the stored selected hidden fields;
      
      when the other request is absent of the selected hidden fields or when one of the hidden fields in modified from the stored selected hidden fields, determining that the other request is noncompliant; and
      
      when the other request is noncompliant, blocking forwarding of the other request to the application.
  - 3. The network device of claim 1, wherein comparing the request further comprises:
    - examining the request to determine when a field within the request has been altered improperly; and
      
      when a field is determined to be altered improperly, determining that the request is noncompliant, and inhibiting forwarding of the request to the application.
  - 4. The network device of claim 1, wherein the application model is tunable during a training period based on a collection of non-compliant requests obtained during the training period.
  - 5. The network device of claim 1, wherein comparing the request further comprises:
    - examining the request for selected visible fields;
      
      comparing values in the selected visible fields to values obtained by the network device from a prior communication to the client device from the application; and
      
      when the values in the selected visible fields are determined to be non-compliant based on the comparison, blocking the request from being forwarded to the application.

6. A system for managing a communication over a network, comprising:
- a client device configured to provide requests and receive responses over the network;
  
  a server device that is configured to host a network based application; and
  
  a security server device that is interposed between the client device and server device and is configured to perform actions, including;
  
  intercepting a request from the client device to the application residing on the server device for content from the application;
  
  selectively forwarding the request to the application based on determining that the request for content is compliant based on a comparison of the request to compliant requests that are determined from a current state of the client device with the application and an application model of the application device, the application model being automatically generated in part based on a probe of interactions with the application, the probe of interactions being separately generated from the intercepted request or a response to the intercepted request to obtain responses to the probe that are used to identify a list of allowable complaint requests usable by the application model including allowable navigation paths within the application;
  
  intercepting the response to the request from the application on the server;
  
  extracting values from selected fields within the response, at least one selected field being a hidden field that is not currently visible;
  
  forwarding the response to the client device forwarding the response to the client device, wherein an extracted value is extracted from the hidden field within the response, and wherein forwarding the response further comprises;
  
  generating an encrypted state token associated with the extracted value from the hidden field; and
  
  inserting the encrypted state token into the response;
  
  within a hidden form field of the response, when the response includes a form;
  
  within a query string of the response, when the response includes a link;
  
  orwithin a Uniform Resource Locator (URL) path within the response, when the response includes a URL; and
  
  receiving a second request from the client device; and
  
  selectively forwarding the second request to the application based on a comparison of information within the second request to the extracted values from the selected fields within the response.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system of claim 6, wherein selectively forwarding the second request further comprises:
    - examining the second request for an encrypted state token within the hidden form field; and
      
      when a value of the state token when decrypted is determined to be different from the extracted values, blocking the second request from being forwarded to the application.
  - 8. The system of claim 6, wherein extracting values from selected fields further comprises extracting values from visible fields that includes a user selection from the visible field.
  - 9. The system of claim 6, wherein selectively forwarding the request further comprises:
    - determining when a field within the request is improperly modified based on information stored from a prior response to the client device from the application; and
      
      when the field is determined to be improperly modified, blocking the forwarding of the request to the application.
  - 10. The system of claim 6, selectively forwarding the request further comprise:
    - extracting from a state token within the request a hidden field value;
      
      comparing the extracted hidden field value to a value of hidden fields from an application state data store; and
      
      when the extracted hidden field value is determined to be non-compliant based on the comparison, blocking the request from being forwarded to the application.

11. A non-transitory machine readable storage medium that is configured to store instructions and data that when installed on a machine that is interposed between a client device and a server device enable the machine to perform actions, including:
- intercepting a request from the client device to the application residing on the server device for content from the application;
  
  selectively forwarding the request for content to the application based on determining that the request is compliant based on a comparison of the request to allowable requests determined by a current state of the client device with the application and a model of the application;
  
  device, the model being automatically generated in part based on probe interactions with the application, the probe of interactions being separately generated by the machine absent use of the intercepted request or a response to the intercepted request to obtain responses to the probe that are used to identify at least the list of allowable complaint requests usable to generate the model including allowable navigation paths within the application;
  
  intercepting the response to the request from the application hosted on the serverextracting values from selected fields within the response, the selected fields including at least one hidden field that is not visible;
  
  forwarding the response to the client device, wherein an extracted value is extracted from the hidden field within the response, and wherein forwarding the response further comprises;
  
  generating an encrypted state token associated with the extracted value from the hidden field; and
  
  inserting the encrypted state token into the response;
  
  within a hidden form field of the response, when the response includes a form;
  
  within a query string of the response, when the response includes a link;
  
  orwithin a Uniform Resource Locator (URL) path within the response, when the response includes a URL; and
  
  receiving a second request from the client device; and
  
  selectively forwarding the second request to the application based on a comparison of information within the second request to the extracted values from the selected fields within the response.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The non-transitory machine readable storage medium of claim 11, wherein selectively forwarding the request further comprises:
    - determining when a field within the request is improperly modified based on information stored from a prior response to the client device from the application; and
      
      when the field is determined to be improperly modified, blocking the forwarding of the request to the application.
  - 13. The non-transitory machine readable storage medium of claim 11, wherein the selected fields comprises at least one visible field.
  - 14. The non-transitory machine readable storage medium of claim 11, wherein the selected fields includes a visible field having at least one user selectable option provided by the application.
  - 15. The non-transitory machine readable storage medium of claim 14, wherein selectively forwarding further comprises:
    - comparing the user selectable option provided by the application to a provided user selected option in the second request, and when the provided user selected option in the second request is determined to be inconsistent with the user selectable option provided by the application, blocking forwarding of the second request to the application.
  - 16. The non-transitory machine readable storage medium of claim 11, wherein the model is automatically generated by:
    - examining a set of test requests to the application;
      
      monitoring responses to the test requests;
      
      recording the test requests, monitored responses, and a current state of another client device with the application based on a sequence of test requests; and
      
      identifying a set of allowable requests for a given state of the other client device with the application based on the test requests and monitored responses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Movshovitz, David
Primary Examiner(s)
Poltorak, Peter

Application Number

US12/332,267
Time in Patent Office

2,309 Days
Field of Search

None
US Class Current

726/11
CPC Class Codes

G06F 21/31   User authentication

H04L 63/04   for providing a confidentia...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Security for WAP servers

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Security for WAP servers

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links