WO2006119336B1 - In-line website securing system with html processor and link verification - Google Patents

In-line website securing system with html processor and link verification

Info

Publication number
WO2006119336B1
Authority
WO
WIPO (PCT)
Prior art keywords
data
request
original
response
server
Prior art date
Application number
PCT/US2006/016925
Other languages
French (fr)
Other versions
WO2006119336A3 (en)
WO2006119336A2 (en)
Inventor
Bill Pennington
Jeremiah Grossman
Robert Stone
Siamak Pazirandeh
Lex Arquette
Original Assignee
Whitehat Security Inc
Bill Pennington
Jeremiah Grossman
Robert Stone
Siamak Pazirandeh
Lex Arquette
Priority date
Filing date
Publication date
Application filed by Whitehat Security Inc, Bill Pennington, Jeremiah Grossman, Robert Stone, Siamak Pazirandeh, Lex Arquette
Publication of WO2006119336A2
Publication of WO2006119336A3
Publication of WO2006119336B1

Links

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls

Abstract

A web application firewall (WAF) used to secure websites from many known and unknown vulnerabilities is described. In one embodiment, the WAF is installed between a server that is serving web content and a network over which clients access the website hosted on the server. The WAF is configured to provide security from external attacks by ensuring that the website receives only data that it previously sent, and that the data received was not altered by a client. The WAF encodes outbound HTTP response data such that when a client or interloper follows one of the links or other constructs in the response data, the WAF can determine the validity of the next client request. In one embodiment, each universal resource locator link is encrypted and checked for validity when it is returned to the server via the WAF.

Claims

AMENDED CLAIMS received by the International Bureau on 13 August 2007 (13.08.07)
ATTACHMENT A
1. (Currently Amended) A method of securing a server, the method comprising: receiving a first request for data associated with a website stored on the server; digitally signing the data transmitted from the server in response to the received first request and including at least a first portion of the digital signature with a response to the first request; storing a copy of at least some of the first portion of the digital signature; receiving a second request wherein the second request includes at least a second portion of the digital signature, the second portion being a part of the first portion; and validating at least a part of the digital signature against the stored copy of at least some of the first portion of the digital signature to determine whether the data included in the second request is consistent with the data transmitted from the server in response to the first request.
2. (Original) The method of claim 1, wherein digitally signing comprises encrypting the data.
3. (Original) The method of claim 2, wherein encrypting the data comprises encrypting universal resource locator links or cookies.
4. (Original) The method of claim 1, wherein digitally signing the data comprises parsing a webpage to extract the data.
5. (Original) The method of claim 4, wherein the data comprises universal resource locator links or cookies.
6. (Original) The method of claim 1, wherein validating comprises comparing data representing the digital signature of the data transmitted in response to the first data request to data representing the digital signature of the data received from the second data request.
AMENDED SHEET (ARTICLE 19)
7. (Original) The method of claim 1, wherein validating comprises comparing data representing the digital signature of the data transmitted in response to the first data request to data representing the digital signature of the data received from the second data request.
8. (Original) The method of claim 1, wherein validating comprises comparing encrypted universal resource locator links transmitted in response to the first data request to encrypted universal resource locator links received from the second data request.
9. (Original) A computer readable medium, computational apparatus, or server computer comprising computer code for performing the method of claim 1.
10. (Currently Amended) An apparatus for securing a server, the apparatus comprising: an encryption engine configured to digitally sign data transmitted from the server sent in response to a first data request, the response including at least a first portion of the digital signature; storage for a copy of at least some of the first portion of the digital signature; and a validation engine configured to validate at least part of the digital signature against the stored copy to determine whether data included in the second request is consistent with the data transmitted from the server in response to the first request.
11. (Original) The apparatus of claim 10, further comprising a parsing engine capable of extracting universal resource locator links, or cookies, or code, from the data transmitted in response to the first data request.
12. (Original) The apparatus of claim 10, wherein the encryption engine is configured to encrypt universal resource locator links.
13. (Original) The apparatus of claim 10, wherein the encryption engine is configured to encrypt cookies.
14. (Original) The apparatus of claim 10, further comprising a data analyzer engine configured to verify the format of data received as part of the second data request.
15. (Original) The apparatus of claim 10, wherein the validation engine is configured to decrypt encrypted universal resource locator links.
16. (Original) The apparatus of claim 10, wherein the encryption engine is configured to decrypt encrypted cookies.
17. (Currently Amended) A system for securing servers, the system comprising: a server; and a firewall coupled between the server and a network, wherein the firewall is configured to digitally sign data transmitted from the server to the network in response to a first data request received from the network, and validate at least part of the digital signature against a stored copy to determine whether data included in the second request is consistent with the data transmitted from the server in response to the first request.
18. (Original) The system of claim 17, wherein the server comprises a web server hosting the data.
19. (Original) The system of claim 17, wherein the firewall comprises a data analyzer engine capable of detecting format errors in the data received from the network in response to the second data request.
20. (Original) The system of claim 17, wherein the firewall comprises a data encryption engine capable of encrypting data transmitted in response to the first data request.
21. (Original) The system of claim 17, wherein the firewall comprises a data validation engine capable of decrypting data received from the second data request.
22. (Original) The system of claim 17, wherein the firewall is configured to digitally sign data in response to the first data request in a selective manner.
23. (Original) The system of claim 17, wherein the firewall is configured to validate data from the second data request in a selective manner.
24. (Original) The system of claim 17, further comprising one or more directives employed to enable or disable the firewall from digitally signing at least some of the data associated with the first data request.
25. (Original) The system of claim 17, further comprising one or more directives employed to enable or disable the firewall from validating at least some of the data associated with the second data request.
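The sign-store-validate loop described in the abstract and claims, as an added Python example that is not part of the patent or of WhiteHat's product: each outbound href is tagged with an HMAC over its path and query, the firewall keeps a copy of the full tag keyed by the portion sent to the client, and an inbound request is accepted only if the portion it echoes matches a stored copy and the tag recomputed over the request matches too. The regex-based link extraction, the `_sig` parameter name and the constructed key are assumptions of this example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed demo key; a real deployment would load it from a secret store.
SECRET = b"constructed-demo-key"
SIG_PARAM = "_sig"   # assumed query parameter carrying the signature portion
PORTION = 16         # hex chars of the tag handed to the client (the "second portion")


def _canonical(path: str, pairs: list) -> bytes:
    """Stable byte form of path+query so signing and validation hash the same input."""
    return (path + "?" + urlencode(pairs)).encode()


def sign_link(url: str, store: dict) -> str:
    """Tag one outbound link and keep a copy of the full tag at the firewall."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    tag = hmac.new(SECRET, _canonical(parts.path, pairs), hashlib.sha256).hexdigest()
    store[tag[:PORTION]] = tag                 # stored copy, keyed by what the client echoes
    pairs.append((SIG_PARAM, tag[:PORTION]))
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def extract_links(html: str) -> list:
    """Collect href values; a regex stands in for the patent's HTML parsing engine."""
    return re.findall(r'href="([^"]*)"', html)


def sign_response(html: str, store: dict) -> str:
    """Rewrite every href in an outbound response with its signed form."""
    return re.sub(r'href="([^"]*)"',
                  lambda m: 'href="%s"' % sign_link(m.group(1), store), html)


def validate_request(url: str, store: dict) -> bool:
    """Accept an inbound request only if it carries a signature portion we issued."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    echoed = [v for k, v in pairs if k == SIG_PARAM]
    if len(echoed) != 1:                       # missing or duplicated: not a link we issued
        return False
    stored = store.get(echoed[0])
    if stored is None:                         # unknown portion: never sent, or forged
        return False
    rest = [(k, v) for k, v in pairs if k != SIG_PARAM]
    recomputed = hmac.new(SECRET, _canonical(parts.path, rest), hashlib.sha256).hexdigest()
    return hmac.compare_digest(recomputed, stored)   # fails if path or query was altered
```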
PCT/US2006/016925 2005-05-02 2006-05-02 In-line website securing system with html processor and link verification WO2006119336A2 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US67720705P 2005-05-02 2005-05-02
US60/677,207 2005-05-02
US11/415,794 2006-05-01
US11/415,794 US20060288220A1 (en) 2005-05-02 2006-05-01 In-line website securing system with HTML processor and link verification

Publications (3)

Publication Number Publication Date
WO2006119336A2 WO2006119336A2 (en) 2006-11-09
WO2006119336A3 WO2006119336A3 (en) 2007-08-09
WO2006119336B1 WO2006119336B1 (en) 2007-09-27

Family

ID=37308656

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/016925 WO2006119336A2 (en) 2005-05-02 2006-05-02 In-line website securing system with html processor and link verification

Country Status (2)

Country Link
US (1) US20060288220A1 (en)
WO (1) WO2006119336A2 (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8161538B2 (en) * 2004-09-13 2012-04-17 Cisco Technology, Inc. Stateful application firewall
US8650214B1 (en) * 2005-05-03 2014-02-11 Symantec Corporation Dynamic frame buster injection
US8819049B1 (en) 2005-06-01 2014-08-26 Symantec Corporation Frame injection blocking
US7734722B2 (en) * 2005-06-02 2010-06-08 Genius.Com Incorporated Deep clickflow tracking
US8996715B2 (en) * 2006-06-23 2015-03-31 International Business Machines Corporation Application firewall validation bypass for impromptu components
US8060916B2 (en) * 2006-11-06 2011-11-15 Symantec Corporation System and method for website authentication using a shared secret
US8613096B2 (en) * 2007-11-30 2013-12-17 Microsoft Corporation Automatic data patch generation for unknown vulnerabilities
US20090144828A1 (en) * 2007-12-04 2009-06-04 Microsoft Corporation Rapid signatures for protecting vulnerable browser configurations
ATE514274T1 (en) * 2008-07-07 2011-07-15 Barracuda Networks Ag SECURITY FILTERING FOR AN INTERNET APPLICATION
US8266687B2 (en) * 2009-03-27 2012-09-11 Sophos Plc Discovery of the use of anonymizing proxies by analysis of HTTP cookies
US20120117569A1 (en) * 2010-11-08 2012-05-10 Kwift SAS Task automation for unformatted tasks determined by user interface presentation formats
US20130019314A1 (en) * 2011-07-14 2013-01-17 International Business Machines Corporation Interactive virtual patching using a web application server firewall
US8862868B2 (en) 2012-12-06 2014-10-14 Airwatch, Llc Systems and methods for controlling email access
US8826432B2 (en) 2012-12-06 2014-09-02 Airwatch, Llc Systems and methods for controlling email access
US9787686B2 (en) 2013-04-12 2017-10-10 Airwatch Llc On-demand security policy activation
US9231915B2 (en) 2013-10-29 2016-01-05 A 10 Networks, Incorporated Method and apparatus for optimizing hypertext transfer protocol (HTTP) uniform resource locator (URL) filtering
CN104935551B (en) * 2014-03-18 2018-09-04 杭州迪普科技股份有限公司 A kind of webpage tamper protective device and method
GB2524497A (en) * 2014-03-24 2015-09-30 Vodafone Ip Licensing Ltd User equipment proximity requests
CN104301302B (en) * 2014-09-12 2017-09-19 深信服网络科技(深圳)有限公司 Go beyond one's commission attack detection method and device
CN108712430A (en) * 2018-05-24 2018-10-26 网宿科技股份有限公司 A kind of method and apparatus sending form request
US10965659B2 (en) * 2018-11-09 2021-03-30 International Business Machines Corporation Real-time cookie format validation and notification
CN110034922B (en) * 2019-04-22 2022-09-20 湖南快乐阳光互动娱乐传媒有限公司 Request processing method, processing device, request verification method and verification device
US11356275B2 (en) * 2020-05-27 2022-06-07 International Business Machines Corporation Electronically verifying a process flow
CN111984989B (en) * 2020-09-01 2024-04-12 上海梅斯医药科技有限公司 Method, device, system and medium for self-checking publishing and accessing URL

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6804778B1 (en) * 1999-04-15 2004-10-12 Gilian Technologies, Ltd. Data quality assurance
US6351811B1 (en) * 1999-04-22 2002-02-26 Adapt Network Security, L.L.C. Systems and methods for preventing transmission of compromised data in a computer network
US20020112162A1 (en) * 2001-02-13 2002-08-15 Cocotis Thomas Andrew Authentication and verification of Web page content
US20030051142A1 (en) * 2001-05-16 2003-03-13 Hidalgo Lluis Mora Firewalls for providing security in HTTP networks and applications
US7100049B2 (en) * 2002-05-10 2006-08-29 Rsa Security Inc. Method and apparatus for authentication of users and web sites
US20060005237A1 (en) * 2003-01-30 2006-01-05 Hiroshi Kobata Securing computer network communication using a proxy server
US8819419B2 (en) * 2003-04-03 2014-08-26 International Business Machines Corporation Method and system for dynamic encryption of a URL
US7395428B2 (en) * 2003-07-01 2008-07-01 Microsoft Corporation Delegating certificate validation

Also Published As

Publication number Publication date
WO2006119336A3 (en) 2007-08-09
US20060288220A1 (en) 2006-12-21
WO2006119336A2 (en) 2006-11-09

Similar Documents

Publication Publication Date Title
WO2006119336B1 (en) In-line website securing system with html processor and link verification
JP6625211B2 (en) Key exchange through partially trusted third parties
US8904558B2 (en) Detecting web browser based attacks using browser digest compute tests using digest code provided by a remote source
CN108462581B (en) Method and device for generating network token, terminal equipment and storage medium
CN107209830B (en) Method for identifying and resisting network attack
US9673984B2 (en) Session key cache to maintain session keys
US7685425B1 (en) Server computer for guaranteeing files integrity
US9294479B1 (en) Client-side authentication
Thakur et al. Content sniffing attack detection in client and server side: A survey
US8689339B2 (en) Method, system and apparatus for game data transmission
CN103634114B (en) The verification method and system of intelligent code key
US10348701B2 (en) Protecting clients from open redirect security vulnerabilities in web applications
US7765310B2 (en) Opaque cryptographic web application data protection
CN103179134A (en) Single sign on method and system based on Cookie and application server thereof
IL193975A (en) Method for providing web application security
WO2010003261A1 (en) Web application security filtering
CN109714370B (en) HTTP (hyper text transport protocol) -based cloud security communication implementation method
CN107016074B (en) Webpage loading method and device
Kumar et al. XML wrapping attack mitigation using positional token
CN110071937B (en) Login method, system and storage medium based on block chain
CN113542274A (en) Cross-domain data transmission method, device, server and storage medium
CN112699374A (en) Integrity checking vulnerability security protection method and system
WO2007078037A1 (en) Web page protection method employing security appliance and set-top box having the security appliance built therein
JP2010250791A (en) Web security management device and method for monitoring communication between web server and client
CN104506518A (en) Identity authentication method for access control of MIPS (Million Instructions Per Second) platform network system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

NENP Non-entry into the national phase

Ref country code: RU

122 Ep: pct application non-entry in european phase

Ref document number: 06758970

Country of ref document: EP

Kind code of ref document: A2