Security for WAP servers
First Claim
1. A method of managing a communication over a network, comprising:
generating an application model based on interactions with an application over the network;
intercepting a request to the application from a client to the application residing on a server over the network;
comparing the request to the application model;
if the request is compliant with the application model, forwarding the request to the application;
receiving a response to the request;
examining the response for state data, including at least a hidden field value within the response;
storing the hidden field value;
generating an encrypted state token associated with the stored hidden field value;
inserting the encrypted state token into the response, wherein the encrypted state token and response is sent to the client within a hidden form field of the response, if the response includes a form;
within a query string of the response, if the response includes a link;
or within a Uniform Resource Locator (URL) path within the response, if the response includes a URL; and
allowing a subsequent request from the client to be forwarded to the application if the subsequent request includes the encrypted state token.
Abstract
A method and system for improving the security and control of internet/network web application processes, such as web applications. The invention enables validation of requests from web clients before the request reaches a web application server. Incoming web client requests are compared to an application model that may include an allowed navigation path within an underlying web application. Requests inconsistent with the application model are blocked before reaching the application server. The invention may also verify that application state data sent to application servers has not been inappropriately modified. Furthermore, the invention enables application models to be automatically generated by employing, for example, a web crawler to probe target applications. Once a preliminary application model is generated it can be operated in a training mode. An administrator may tune the application model by adding a request that was incorrectly marked as non-compliant to the application model.
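The gateway behaviour the abstract describes, as an added example that is not the patent's own code: a Python sketch of a reverse-proxy filter that checks requests against an allowed-path application model, captures hidden form values from a response, plants a state token in the form and in link query strings, and verifies the token and the hidden values on the client's next request. The application model, the regex-based HTML handling and the HMAC-authenticated opaque token (standing in for the claim's encrypted token) are assumptions of this example.

```python
import hashlib
import hmac
import os
import re
import secrets

# Gateway-side secret and state store (constructed for this example; a real gateway
# would persist these and scope entries to a client session with an expiry).
SECRET = os.urandom(32)
STATE = {}  # token id -> {hidden field name: value captured from the response}

# Assumed application model: the (method, path) pairs a probe of the app observed.
MODEL = {("GET", "/cart"), ("POST", "/checkout")}

HIDDEN_RE = re.compile(r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"', re.I)
LINK_RE = re.compile(r'href="([^"?#]+)"')  # links without an existing query string


def make_token():
    """Opaque token: random id plus an HMAC so a forged id is rejected without a lookup."""
    tid = secrets.token_hex(8)
    mac = hmac.new(SECRET, tid.encode(), hashlib.sha256).hexdigest()
    return f"{tid}.{mac}"


def token_id(token):
    """Return the token id if its MAC verifies, else None."""
    tid, _, mac = token.partition(".")
    expected = hmac.new(SECRET, tid.encode(), hashlib.sha256).hexdigest()
    return tid if hmac.compare_digest(mac, expected) else None


def rewrite_response(html):
    """Record hidden field values, then plant the token in the form and in link query strings."""
    token = make_token()
    STATE[token_id(token)] = dict(HIDDEN_RE.findall(html))  # assumes one form per page
    html = html.replace("</form>", f'<input type="hidden" name="_st" value="{token}"></form>')
    return LINK_RE.sub(lambda m: f'href="{m.group(1)}?_st={token}"', html)


def check_request(method, path, params):
    """params is the merged query string and form body of the client's next request."""
    if (method, path) not in MODEL:
        return False, "request not in application model"
    tid = token_id(params.get("_st", ""))
    if tid is None or tid not in STATE:
        return False, "state token missing or forged"
    for name, value in STATE[tid].items():  # hidden values must come back unchanged
        if params.get(name) != value:
            return False, f"hidden field {name!r} was modified"
    return True, "compliant"
```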
24 Claims
1. A method of managing a communication over a network, comprising:
generating an application model based on interactions with an application over the network;
intercepting a request to the application from a client to the application residing on a server over the network;
comparing the request to the application model;
if the request is compliant with the application model, forwarding the request to the application;
receiving a response to the request;
examining the response for state data, including at least a hidden field value within the response;
storing the hidden field value;
generating an encrypted state token associated with the stored hidden field value;
inserting the encrypted state token into the response, wherein the encrypted state token and response is sent to the client within a hidden form field of the response, if the response includes a form;
within a query string of the response, if the response includes a link;
or within a Uniform Resource Locator (URL) path within the response, if the response includes a URL; and
allowing a subsequent request from the client to be forwarded to the application if the subsequent request includes the encrypted state token.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A method of managing a communication over a network, comprising:
automatically generating an application model, in part, by probing an application;
intercepting a request for the application from a client;
if the request is compliant with the application model, forwarding the request to the application;
receiving a response to the request;
examining the response for state data, including at least a hidden field value within the response;
storing the hidden field value;
generating an encrypted state token associated with the stored hidden field value;
inserting the encrypted state token into the response, wherein the encrypted state token and response is sent to the client within a hidden form field of the response, if the response includes a form;
within a query string of the response, if the response includes a link;
or within a Uniform Resource Locator (URL) path within the response, if the response includes a URL; and
allowing a subsequent request from the client to be forwarded to the application if the subsequent request includes the encrypted state token.
Dependent claims: 13, 14, 15

16. A network device for managing a communication over a network, comprising:
a transceiver configured to intercept an incoming message from a client and an outgoing message from a server, wherein the server comprises an application;
a memory configured to store an application model; and
a processor configured to perform actions including:
probing the application with at least one request;
receiving a response to the request;
determining the application model based, in part, on the request and the response;
intercepting from the client the incoming message being sent towards the application;
determining if the incoming message is compliant with the application model;
if the incoming message is compliant, forwarding the incoming message to the server;
if the incoming message is non-compliant, blocking the incoming message from going to the application;
in response to the incoming message, receiving an outgoing message from the server destined towards the client; and
embedding within the response a state token within a hidden form field of the response, if the response includes a form;
within a query string of the response, if the response includes a link;
or within a Uniform Resource Locator (URL) path within the response, if the response includes a URL, such that the state token is employable to determine compliance of another incoming message from the client, and wherein the state token is generated based on the hidden field value within the response.
Dependent claims: 17, 18, 19, 20, 21, 22

23. A computer-readable storage medium configured to store data and instructions thereon, wherein execution of the instructions on a computing device enables the computing device to perform actions for managing a message between a client and a server over a network, comprising:
enabling a probing of an application on the server;
enabling an automatic generation of an application model based, in part, on the probing of the application;
enabling an interception of a request for the application from the client;
while in a training mode: determining if a request is compliant with the application model; modifying the application model based on the determination; and forwarding the request to the application independent of the determination; and
while in a security mode: if the request is compliant with the application model, enabling a forwarding of the request to the application; and if the request is non-compliant with the application model, blocking the forwarding of the request to the application;
receiving a response to the compliant request from the application;
examining the response for state data, including at least a hidden field value within the response;
generating an encrypted state token associated with the stored hidden field value;
inserting the encrypted state token into the response, wherein the encrypted state token and response is sent to the client within a hidden form field of the response, if the response includes a form;
within a query string of the response, if the response includes a link;
or within a Uniform Resource Locator (URL) path within the response, if the response includes a URL, such that a subsequent request from the client is examined for compliance based at least on the encrypted state token.
Dependent claims: 24