Security for WAP servers

US 7,472,413 B1
Filed: 08/11/2004
Issued: 12/30/2008
Est. Priority Date: 08/11/2003
Status: Active Grant

- Alert
- Pin

First Claim

Patent Images

1. A method of managing a communication over a network, comprising:

generating an application model based on interactions with an application over the network;

intercepting a request to the application from a client to the application residing on a server over the network;

comparing the request to the application model;

if the request is compliant with the application model, forwarding the request to the application;

receiving a response to the request;

examining the response for state data, including at least a hidden field value within the response;

storing the hidden field value;

generating an encrypted state token associated with the stored hidden field value;

inserting the encrypted state token into the response, wherein the encrypted state token and response is sent to the client within a hidden form field of the response, if the response includes a form;

within a query string of the response, if the response includes a link;

or within a Uniform Resource Locator (URL) path within the response, if the response includes a URL; and

allowing a subsequent request from the client to be forwarded to the application if the subsequent request includes the encrypted state token.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

2 Petitions

Accused Products

Abstract

A method and system for improving the security and control of internet/network web application processes, such as web applications. The invention enables validation of requests from web clients before the request reaches a web application server. Incoming web client requests are compared to an application model that may include an allowed navigation path within an underlying web application. Requests inconsistent with the application model are blocked before reaching the application server. The invention may also verify that application state data sent to application servers has not been inappropriately modified. Furthermore, the invention enables application models to be automatically generated by employing, for example, a web crawler to probe target applications. Once a preliminary application model is generated it can be operated in a training mode. An administrator may tune the application model by adding a request that was incorrectly marked as non-compliant to the application model.

78 Citations

View as Search Results

24 Claims

1. A method of managing a communication over a network, comprising:
- generating an application model based on interactions with an application over the network;
  
  intercepting a request to the application from a client to the application residing on a server over the network;
  
  comparing the request to the application model;
  
  if the request is compliant with the application model, forwarding the request to the application;
  
  receiving a response to the request;
  
  examining the response for state data, including at least a hidden field value within the response;
  
  storing the hidden field value;
  
  generating an encrypted state token associated with the stored hidden field value;
  
  inserting the encrypted state token into the response, wherein the encrypted state token and response is sent to the client within a hidden form field of the response, if the response includes a form;
  
  within a query string of the response, if the response includes a link;
  
  or within a Uniform Resource Locator (URL) path within the response, if the response includes a URL; and
  
  allowing a subsequent request from the client to be forwarded to the application if the subsequent request includes the encrypted state token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - transmitting application state data to the client;
      
      receiving in the intercepted request from the client another application state data; and
      
      if the transmitted application state data and the other application state data are inconsistent, blocking the intercepted request from being forwarded to the application.
  - 3. The method of claim 2, wherein application state data includes at least one hidden field value.
  - 4. The method of claim 1, wherein the application model further comprises at least one of an allowable navigation path, an allowable value, and application state data.
  - 5. The method of claim 1, further comprising determining if the request is inconsistent by determining if the request includes a non-allowable selection based on information in the application model.
  - 6. The method of claim 1, wherein the application model is automatically generated employing a web crawler to probe the application.
  - 7. The method of claim 1, further comprising:
    - operating the application model in a training mode such that each request is evaluated to identify if the request is compliant to the application model;
      
      forwarding each request to the application independent of whether the request is complaint; and
      
      based on a result of the training mode modifying the application model.
  - 8. The method of claim 1, wherein the application model is automatically generated by examining a request to the application, monitoring, and recording the application'"'"'s response to the request.
  - 9. The method of claim 1, wherein the application model further comprises a list of at least one allowable request to the application.
  - 10. The method of claim 1, wherein the application further comprises at least one of a web application process, a web application, a web service, a web page, a wireless application protocol service, a Multimedia Messaging Service (MMS) application, a service-oriented architecture, an Extensible Markup Language—
    - Remote Procedure Call (XML-RPC), and Simple Object Access Protocol (SOAP).
  - 11. The method of claim 1, wherein comparing the request to the application model further comprises determining if application state data associated with the request is consistent with another application state data transmitted to the client.

12. A method of managing a communication over a network, comprising:
- automatically generating an application model, in part, by probing an application;
  
  intercepting a request for the application from a client;
  
  if the request is compliant with the application model, forwarding the request to the application receiving a response to the request;
  
  examining the response for state data, including at least a hidden field value within the response;
  
  storing the hidden field value;
  
  generating an encrypted state token associated with the stored hidden field value;
  
  inserting the encrypted state token into the response wherein the encrypted state token and response is sent to the client within a hidden form field of the response, if the response includes a form;
  
  within a query string of the response, if the response includes a link;
  
  or within a Uniform Resource Locator (URL) path within the response, if the response includes a URL; and
  
  allowing a subsequent request from the client to be forwarded to the application if the subsequent request includes the encrypted state token.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, wherein automatically generating the application model further comprises employing a web crawler to make a request to the application and monitoring a response from the application.
  - 14. The method of claim 12, wherein the application model further comprises at least one of an allowable navigation path in the application, a hidden field value, and an allowable response.
  - 15. The method of claim 12, further comprising, operating the application model in a training mode, wherein the application model is modifiable by adding at least one request, based, at least in part, on a result of the training mode, and wherein during the training mode each request is forwarded to the application independent of whether the request is compliant with the application model.

16. A network device for managing a communication over a network, comprising:
- a transceiver configured to intercept an incoming message from a client and an outgoing message from a server, wherein the server comprises an application;
  
  a memory configured to store an application model; and
  
  a processor configured to perform actions including;
  
  probing the application with at least one request;
  
  receiving a response to the request;
  
  determining the application model based, in part, on the request and the response;
  
  intercepting from the client the incoming message being sent towards the application;
  
  determining if the incoming message is complaint with the application model;
  
  if the incoming message is complaint, forwarding the incoming message to the server;
  
  if the incoming message is non-complaint, blocking the incoming message from going to the application in response to the incoming message, receiving an outgoing message from the server destined towards the client; and
  
  embedding within the response a state token within a hidden form field of the response, if the response includes a form;
  
  within a query string of the response, if the response includes a link;
  
  or within a Uniform Resource Locator (URL) path within the response, if the response includes a URL, such that the state token is employable to determine compliance of another incoming message from the client, and wherein the state token is generated based on the hidden field value within the response.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The network device of claim 16, wherein if the incoming message is non-complaint further comprises:
    - saving information associated with the non-complaint message in the application model; and
      
      providing an error message to the client.
  - 18. The network device of claim 16, wherein the application model further comprises at least one of a rule, and a constraint.
  - 19. The network device of claim 16, wherein the application model further comprises at least one of an indication of an HTML element to be present in the incoming message, a form field to be present, a query string parameter to be present, a value in the form field, a value in a query string field, and a predefined data type.
  - 20. The network device of claim 16, wherein the application model further comprises at least one of a URL, a query path, a query value, a cookie, meta data, a user-agent identification string, a value associated with a non-hidden data field, and a value associated with a hidden data field.
  - 21. The network device of claim 16, wherein probing the application further comprises employing a web crawler.
  - 22. The network device of claim 16, wherein the application model further comprises at least one of an allowable navigation path, an allowable value, and application state data.

23. A computer-readable storage medium configured to store data and instructions thereon, wherein execution of the instructions on a computing device enable the computing device to perform actions for managing a message between a client and a server over a network, comprising:
- enabling a probing of an application on the server;
  
  enabling an automatic generation of an application model based, in part, on the probing of the application;
  
  enabling an interception of a request for the application from the client;
  
  while in a training mode;
  
  determining if a request is compliant with the application model;
  
  modifying the application model based on the determination; and
  
  forwarding the request to the application independent of the determination; and
  
  while in a security mode;
  
  if the request is compliant with the application model, enabling a forwarding of the request to the application; and
  
  if the request is non-complaint with the application model, blocking the forwarding of the request to the application;
  
  receiving a response to the compliant request from the application;
  
  examining the response for state data, including at least a hidden field value within the response;
  
  generating an encrypted state token associated with the stored hidden field value;
  
  inserting the encrypted state token into the response, wherein the encrypted state token and response is sent to the client within a hidden form field of the response, if the response includes a form;
  
  within a query string of the response, if the response includes a link;
  
  or within a Uniform Resource Locator (URL) path within the response, if the response includes a URL, such that a subsequent request from the client is examined for compliance based at least on the encrypted state token.
- View Dependent Claims (24)
- - 24. The computer-readable storage medium of claim 23, wherein probing the application further comprises:
    - employing a web crawler to send a message to the application;
      
      receiving a response from the application; and
      
      saving information associated with the sent message and the response in the application model.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
F5 Networks, Inc. (F5 Incorporated)
Original Assignee
F5 Networks, Inc. (F5 Incorporated)
Inventors
Mowshowitz, David
Primary Examiner(s)
Tran; Ellen
Assistant Examiner(s)
POLTORAK, PIOTR

Application Number

US10/915,951
Time in Patent Office

1,602 Days
Field of Search

None
US Class Current

726/10
CPC Class Codes

G06F 21/31   User authentication

H04L 63/04   for providing a confidentia...

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Security for WAP servers

First Claim

2 Assignments

Litigations

2 Petitions

Accused Products

Abstract

78 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Security for WAP servers

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

2 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

78 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links