Security for WAP servers
First Claim
1. A network device for managing a communication over a network, comprising:
- a transceiver configured to intercept an incoming message from a client device and an outgoing message from a server device, wherein an application resides on the server device; and
- a processor configured to perform actions including:
  - intercepting a request from the client device to the application residing on the server device for content from the application;
  - determining when the request for content is compliant based on a comparison of hidden fields by performing actions comprising:
    - examining the request for an encrypted state token;
    - decrypting the encrypted state token;
    - extracting from the state token a hidden field;
    - comparing the extracted hidden field to values of hidden fields from an application state data store; and
    - when the extracted hidden field is determined to be non-compliant based on the comparison, blocking the request from being forwarded to the application; and
  - determining whether the request for content is compliant by comparing the request to a list of allowable compliant requests determined by a current state of the client device with the application and an application model of the application, the application model being automatically generated in part based on a probe of interactions with the application, the probe of interactions being separately generated by the network device absent use of the incoming message from the client device or a response from the server device to the incoming message to obtain responses to the probes that are used to identify at least the list of allowable compliant requests including allowable navigation paths within the application;
  - when the request for content is determined to be compliant based on the comparison of the request, forwarding the request for the content to the application; and
  - when the request is determined to be non-compliant based on the comparison of the request, blocking the request from being forwarded to the application.
Abstract
A method and system for improving the security and control of internet/network web application processes, such as web applications. The invention enables validation of requests from web clients before the request reaches a web application server. Incoming web client requests are compared to an application model that may include an allowed navigation path within an underlying web application. Requests inconsistent with the application model are blocked before reaching the application server. The invention may also verify that application state data sent to application servers has not been inappropriately modified. Furthermore, the invention enables application models to be automatically generated by employing, for example, a web crawler to probe target applications. Once a preliminary application model is generated, it can be operated in a training mode. An administrator may tune the application model by adding a request that was incorrectly marked as non-compliant to the application model.
16 Claims
1. A network device for managing a communication over a network (independent claim; full text given above under First Claim). Dependent claims: 2, 3, 4, 5.

6. A system for managing a communication over a network, comprising:
- a client device configured to provide requests and receive responses over the network;
- a server device that is configured to host a network based application; and
- a security server device that is interposed between the client device and server device and is configured to perform actions, including:
  - intercepting a request from the client device to the application residing on the server device for content from the application;
  - selectively forwarding the request to the application based on determining that the request for content is compliant based on a comparison of the request to compliant requests that are determined from a current state of the client device with the application and an application model of the application device, the application model being automatically generated in part based on a probe of interactions with the application, the probe of interactions being separately generated from the intercepted request or a response to the intercepted request to obtain responses to the probe that are used to identify a list of allowable compliant requests usable by the application model including allowable navigation paths within the application;
  - intercepting the response to the request from the application on the server;
  - extracting values from selected fields within the response, at least one selected field being a hidden field that is not currently visible;
  - forwarding the response to the client device, wherein an extracted value is extracted from the hidden field within the response, and wherein forwarding the response further comprises:
    - generating an encrypted state token associated with the extracted value from the hidden field; and
    - inserting the encrypted state token into the response:
      - within a hidden form field of the response, when the response includes a form;
      - within a query string of the response, when the response includes a link; or
      - within a Uniform Resource Locator (URL) path within the response, when the response includes a URL; and
  - receiving a second request from the client device; and
  - selectively forwarding the second request to the application based on a comparison of information within the second request to the extracted values from the selected fields within the response.

Dependent claims: 7, 8, 9, 10.

11. A non-transitory machine readable storage medium that is configured to store instructions and data that when installed on a machine that is interposed between a client device and a server device enable the machine to perform actions, including:
- intercepting a request from the client device to the application residing on the server device for content from the application;
- selectively forwarding the request for content to the application based on determining that the request is compliant based on a comparison of the request to allowable requests determined by a current state of the client device with the application and a model of the application device, the model being automatically generated in part based on probe interactions with the application, the probe of interactions being separately generated by the machine absent use of the intercepted request or a response to the intercepted request to obtain responses to the probe that are used to identify at least the list of allowable compliant requests usable to generate the model including allowable navigation paths within the application;
- intercepting the response to the request from the application hosted on the server;
- extracting values from selected fields within the response, the selected fields including at least one hidden field that is not visible;
- forwarding the response to the client device, wherein an extracted value is extracted from the hidden field within the response, and wherein forwarding the response further comprises:
  - generating an encrypted state token associated with the extracted value from the hidden field; and
  - inserting the encrypted state token into the response:
    - within a hidden form field of the response, when the response includes a form;
    - within a query string of the response, when the response includes a link; or
    - within a Uniform Resource Locator (URL) path within the response, when the response includes a URL; and
- receiving a second request from the client device; and
- selectively forwarding the second request to the application based on a comparison of information within the second request to the extracted values from the selected fields within the response.

Dependent claims: 12, 13, 14, 15, 16.
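As an added illustration, not part of the patent and not code from its assignee, the following Python models the interposed security server that the abstract and claims 1, 6 and 11 describe. A probe (here a crawl of an in-memory stand-in site, the constructed `SITE` dict) builds the application model of allowable navigation paths; each server response is intercepted so that its hidden-field values are recorded in a per-session application state data store and a state token is inserted into the form; and each client request is checked first against the model and then, for form submissions, against the token and the stored hidden fields. The claims call for an encrypted token; this example substitutes an HMAC-SHA256-authenticated token, which provides the integrity the comparison relies on (a deployment would use an AEAD such as AES-GCM if the field values must also stay confidential). All names (`SecurityServer`, `build_model`, `TOKEN_FIELD`, the session identifiers) are this example's own assumptions.

```python
import hashlib, hmac, json, secrets
from html.parser import HTMLParser

SECRET = b"example-key-not-for-deployment"  # constructed; a deployment loads this from a key store
TOKEN_FIELD = "__state_token"                # hypothetical name of the hidden field the token is put in

class Page(HTMLParser):
    """Parses one response: link targets, form actions and hidden-input values."""
    def __init__(self, html):
        super().__init__()
        self.links, self.actions, self.hidden = [], [], {}
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")

SITE = {  # constructed stand-in for the target application: path -> HTML the server returns
    "/": '<a href="/catalog">shop</a>',
    "/catalog": '<a href="/">home</a><form action="/checkout" method="post">'
                '<input type="hidden" name="price" value="100">'
                '<input type="hidden" name="sku" value="A1"></form>',
    "/checkout": "order placed",
    "/admin": "nothing links here, so the probe never reaches it",
}

def build_model(site, start="/"):
    """Probe phase: crawl from `start`, recording the requests each page allows next."""
    model, todo = {}, [start]
    while todo:
        path = todo.pop()
        if path not in model:
            page = Page(site.get(path, ""))
            model[path] = set(page.links) | set(page.actions)
            todo.extend(model[path])
    return model

def make_token(session, hidden):
    """HMAC-authenticated token; stands in for the claims' encrypted state token."""
    payload = json.dumps({"s": session, "h": hidden, "n": secrets.token_hex(8)}, sort_keys=True).encode()
    return payload.hex() + "." + hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def open_token(token):
    """Return the token payload, or None when it is malformed or its MAC fails."""
    try:
        payload_hex, mac = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    good = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return json.loads(payload) if hmac.compare_digest(good, mac) else None

class SecurityServer:
    def __init__(self, model):
        self.model = model   # application model: page -> allowable next requests
        self.state = {}      # application state data store: session -> page, hidden fields, forms

    def on_response(self, session, path, html):
        """Intercept the server's response: record its hidden fields, insert the token."""
        page = Page(html)
        self.state[session] = {"page": path, "hidden": dict(page.hidden), "forms": set(page.actions)}
        if page.hidden:
            token = make_token(session, page.hidden)
            html = html.replace("</form>", f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}"></form>')
        return html

    def on_request(self, session, path, fields=None):
        """Decide whether a client request is compliant; returns (allowed, reason)."""
        fields = fields or {}
        st = self.state.get(session)
        current = st["page"] if st else None
        allowed = self.model.get(current, set()) if st else {"/"}   # a new session may only enter at "/"
        if path not in allowed:
            return False, f"{path} is not an allowable navigation path from {current}"
        if st and path in st["forms"] and st["hidden"]:   # form submission: check the hidden fields
            tok = open_token(fields.get(TOKEN_FIELD, ""))
            if tok is None or tok["s"] != session:
                return False, "missing, forged or foreign state token"
            if tok["h"] != st["hidden"]:
                return False, "token does not match the stored application state"
            for name, value in st["hidden"].items():
                if fields.get(name) != value:
                    return False, f"hidden field {name!r} was modified"
        return True, "compliant"

def demo():
    """Walk one session through SITE; returns the four verdicts."""
    srv = SecurityServer(build_model(SITE))
    s = "session-1"   # constructed session identifier
    srv.on_response(s, "/", SITE["/"])
    nav_ok = srv.on_request(s, "/catalog")[0]
    html = srv.on_response(s, "/catalog", SITE["/catalog"])
    token = Page(html).hidden[TOKEN_FIELD]
    good = srv.on_request(s, "/checkout", {"price": "100", "sku": "A1", TOKEN_FIELD: token})[0]
    tampered = srv.on_request(s, "/checkout", {"price": "1", "sku": "A1", TOKEN_FIELD: token})[0]
    off_path = srv.on_request(s, "/admin")[0]
    return nav_ok, good, tampered, off_path
```

`demo()` returns `(True, True, False, False)`: the link to `/catalog` is on the model's path, the unmodified checkout form passes both the token and the hidden-field comparison, the same checkout with `price` changed is blocked by the hidden-field comparison, and `/admin`, which the probe never reached because nothing links to it, is blocked by the model. A token replayed from an earlier response, or from another session, fails the comparison against the state store rather than the MAC check, which is the reason the claims keep a server-side store alongside the token. Only the hidden-form-field placement of the token is shown; the query-string and URL-path placements in claims 6 and 11 would carry the same token. The training mode from the abstract amounts to adding the wrongly blocked path to the `model` entry for the page it was requested from.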