WO2006119336B1 - In-line website securing system with html processor and link verification - Google Patents
- Publication number
- WO2006119336B1 (PCT/US2006/016925)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- request
- original
- response
- server
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
Abstract
A web application firewall (WAF) for securing websites against many known and unknown vulnerabilities is described. In one embodiment, the WAF is installed between a server that is serving web content and the network over which clients access the website hosted on the server. The WAF protects against external attacks by ensuring that the website receives only data that it originally sent, and that this data was not altered by a client. The WAF encodes outbound HTTP response data such that when a client or interloper follows one of the links or other constructs in the response data, the WAF can determine the validity of the next client request. In one embodiment, each universal resource locator link is encrypted and checked for validity when it is returned to the server via the WAF.
Claims
1. (Currently Amended) A method of securing a server, the method comprising: receiving a first request for data associated with a website stored on a server; digitally signing the data transmitted from the server in response to the received first request and including at least a first portion of the digital signature with a response to the first request; storing a copy of at least some of the first portion of the digital signature; receiving a second request, wherein the second request includes at least a second portion of the digital signature, the second portion being a part of the first portion; and validating at least a part of the digital signature against the stored copy of at least some of the first portion of the digital signature to determine whether the data included in the second request is consistent with the data transmitted from the server in response to the first request.
2. (Original) The method of claim 1, wherein digitally signing comprises encrypting the data.
3. (Original) The method of claim 2, wherein encrypting the data comprises encrypting universal resource locator links or cookies.
4. (Original) The method of claim 1, wherein digitally signing the data comprises parsing a webpage to extract the data.
5. (Original) The method of claim 4, wherein the data comprises universal resource locator links or cookies.
6. (Original) The method of claim 1, wherein validating comprises comparing data representing the digital signature of the data transmitted in response to the first data request to data representing the digital signature of the data received from the second data request.
AMENDED SHEET (ARTICLE 19)
7. (Original) The method of claim 1, wherein validating comprises comparing data representing the digital signature of the data transmitted in response to the first data request to data representing the digital signature of the data received from the second data request.
8. (Original) The method of claim 1, wherein validating comprises comparing encrypted universal resource locator links transmitted in response to the first data request to encrypted universal resource locator links received from the second data request.
9. (Original) A computer readable medium, computational apparatus, or server computer comprising computer code for performing the method of claim 1.
10. (Currently Amended) An apparatus for securing a server, the apparatus comprising: an encryption engine configured to digitally sign data transmitted from the server in response to a first data request, the response including at least a first portion of the digital signature; storage for a copy of at least some of the first portion of the digital signature; and a validation engine configured to validate at least part of the digital signature against the stored copy to determine whether data included in a second request is consistent with the data transmitted from the server in response to the first request.
11. (Original) The apparatus of claim 10, further comprising a parsing engine capable of extracting universal resource locator links, or cookies, or code, from the data transmitted in response to the first data request.
12. (Original) The apparatus of claim 10, wherein the encryption engine is configured to encrypt universal resource locator links.
13. (Original) The apparatus of claim 10, wherein the encryption engine is configured to encrypt cookies.
14. (Original) The apparatus of claim 10, further comprising a data analyzer engine configured to verify the format of data received as part of the second data request.
15. (Original) The apparatus of claim 10, wherein the validation engine is configured to decrypt encrypted universal resource locator links.
16. (Original) The apparatus of claim 10, wherein the encryption engine is configured to decrypt encrypted cookies.
17. (Currently Amended) A system for securing servers, the system comprising: a server; and a firewall coupled between the server and a network, wherein the firewall is configured to digitally sign data transmitted from the server to the network in response to a first data request received from the network, and to validate at least part of the digital signature against a stored copy to determine whether data included in a second request is consistent with the data transmitted from the server in response to the first request.
18. (Original) The system of claim 17, wherein the server comprises a web server hosting the data.
19. (Original) The system of claim 17, wherein the firewall comprises a data analyzer engine capable of detecting format errors in the data received from the network in response to the second data request.
20. (Original) The system of claim 17, wherein the firewall comprises a data encryption engine capable of encrypting data transmitted in response to the first data request.
21. (Original) The system of claim 17, wherein the firewall comprises a data validation engine capable of decrypting data received from the second data request.
22. (Original) The system of claim 17, wherein the firewall is configured to digitally sign data in response to the first data request in a selective manner.
23. (Original) The system of claim 17, wherein the firewall is configured to validate data from the second data request in a selective manner.
24. (Original) The system of claim 17, further comprising one or more directives employed to enable or disable the firewall from digitally signing at least some of the data associated with the first data request.
25. (Original) The system of claim 17, further comprising one or more directives employed to enable or disable the firewall from validating at least some of the data associated with the second data request.
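The mechanism described in the abstract and in claims 1 through 25 (sign outbound links and cookies, keep a stored copy of the signature portion, check the portion that comes back, with directives that exempt some paths from signing and validation) can be shown end to end with a small in-line filter. The following is an added example and is not code from the patent or from any product of the applicant. Everything concrete in it is an assumption: the protected origin https://example.com, the query parameter name _wafsig that carries the signature portion, the cookie format value.signature, the /static/ exemption, and an in-memory dict standing in for the claimed storage. It uses HMAC-SHA256 truncated to 128 bits as the "digital signature"; the patent's embodiments also mention encrypting the links, which is not shown here.

```python
"""Added example (not the patent's own code): an in-line WAF that signs
outbound links and cookies and validates them on the next request.

Hypothetical assumptions: origin https://example.com, signature carried in
a query parameter named _wafsig, cookies suffixed with '.' + signature,
/static/ exempt from signing and validation, and an in-memory dict as the
"stored copy" of issued signature portions.
"""
import hashlib
import hmac
import re

SIG_PARAM = "_wafsig"   # hypothetical parameter carrying the signature portion
SIG_HEX_LEN = 32        # hex chars of HMAC-SHA256 sent to the client (the "first portion")
_HEX = re.compile(r"^[0-9a-f]{%d}$" % SIG_HEX_LEN)
# Simplified HTML processor: double-quoted href/action attributes only.
_LINK = re.compile(r'(?P<attr>\b(?:href|action))="(?P<url>[^"]*)"')


class LinkVerifyingWAF:
    def __init__(self, key: bytes, origin: str = "https://example.com",
                 exempt_prefixes=("/static/",)):
        self.key = key
        self.origin = origin
        self.exempt_prefixes = exempt_prefixes   # claims 22-25: selective signing/validation
        self.issued = {}                         # stored copy: signature portion -> signed value

    def _portion(self, value: str) -> str:
        mac = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        return mac[:SIG_HEX_LEN]

    def _target(self, url: str):
        """Return the site-relative form of an internal URL, or None if external."""
        if url.startswith(self.origin + "/"):
            return url[len(self.origin):]
        if url.startswith("/") and not url.startswith("//"):
            return url
        return None

    # ---- outbound: HTML processor + signing engine ----
    def sign_url(self, url: str) -> str:
        base, hash_, frag = url.partition("#")
        target = self._target(base)
        if target is None or any(target.startswith(p) for p in self.exempt_prefixes):
            return url
        portion = self._portion(target)
        self.issued[portion] = target            # claim 1: store a copy of the first portion
        sep = "&" if "?" in base else "?"
        return f"{base}{sep}{SIG_PARAM}={portion}{hash_}{frag}"

    def rewrite_html(self, html: str) -> str:
        return _LINK.sub(lambda m: f'{m.group("attr")}="{self.sign_url(m.group("url"))}"', html)

    def sign_cookie(self, value: str) -> str:
        portion = self._portion("cookie:" + value)  # domain-separate from URL signatures
        self.issued[portion] = value
        return f"{value}.{portion}"

    # ---- inbound: data analyzer (format) + validation engine ----
    def validate_url(self, request_url: str):
        path, _, query = request_url.partition("?")
        if any(path.startswith(p) for p in self.exempt_prefixes):
            return True, request_url
        params = query.split("&") if query else []
        prefix = SIG_PARAM + "="
        sigs = [p[len(prefix):] for p in params if p.startswith(prefix)]
        if len(sigs) != 1:
            return False, "missing signature"
        sig = sigs[0]
        if not _HEX.match(sig):                  # claim 14/19: format check before lookup
            return False, "malformed signature"
        if sig not in self.issued:               # never issued by this WAF
            return False, "signature never issued"
        rest = [p for p in params if not p.startswith(prefix)]
        received = path + ("?" + "&".join(rest) if rest else "")
        if not hmac.compare_digest(self._portion(received), sig):
            return False, "link altered"         # client changed the URL the signature covers
        return True, received

    def validate_cookie(self, cookie_value: str):
        value, sep, sig = cookie_value.rpartition(".")
        if not sep or not _HEX.match(sig):
            return False, "malformed cookie"
        if sig not in self.issued:
            return False, "signature never issued"
        if not hmac.compare_digest(self._portion("cookie:" + value), sig):
            return False, "cookie altered"
        return True, value


if __name__ == "__main__":
    waf = LinkVerifyingWAF(b"demo-key-not-for-production")
    page = '<a href="/account?id=42">Me</a> <a href="https://other.example/x">ext</a>'
    signed = waf.rewrite_html(page)          # constructed sample page
    sig = waf._portion("/account?id=42")
    print(signed)
    print(waf.validate_url(f"/account?id=42&{SIG_PARAM}={sig}"))   # (True, '/account?id=42')
    print(waf.validate_url(f"/account?id=43&{SIG_PARAM}={sig}"))   # (False, 'link altered')
```

The two inbound checks play different roles: the stored-copy lookup rejects signature portions this WAF never issued (a forged or expired token) and is where a deployment would hang expiry and per-session binding; the HMAC recomputation rejects a request whose link was altered after it left the server, which is the tampering case the abstract describes. Neither check is single-use, so a signed link can be replayed until it expires; binding the signature to the client's session, and giving the stored copy a lifetime, are the first hardening steps a practitioner would add.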
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US67720705P | 2005-05-02 | 2005-05-02 | |
US60/677,207 | 2005-05-02 | | |
US11/415,794 | 2006-05-01 | | |
US11/415,794 (US20060288220A1) | 2005-05-02 | 2006-05-01 | In-line website securing system with HTML processor and link verification |
Publications (3)
Publication Number | Publication Date |
---|---|
WO2006119336A2 (en) | 2006-11-09 |
WO2006119336A3 (en) | 2007-08-09 |
WO2006119336B1 (en) | 2007-09-27 |
Family
ID=37308656
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2006/016925 WO2006119336A2 (en) | 2005-05-02 | 2006-05-02 | In-line website securing system with html processor and link verification |
Country Status (2)
Country | Link |
---|---|
US (1) | US20060288220A1 (en) |
WO (1) | WO2006119336A2 (en) |
Families Citing this family (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8161538B2 (en) * | 2004-09-13 | 2012-04-17 | Cisco Technology, Inc. | Stateful application firewall |
US8650214B1 (en) * | 2005-05-03 | 2014-02-11 | Symantec Corporation | Dynamic frame buster injection |
US8819049B1 (en) | 2005-06-01 | 2014-08-26 | Symantec Corporation | Frame injection blocking |
US7734722B2 (en) * | 2005-06-02 | 2010-06-08 | Genius.Com Incorporated | Deep clickflow tracking |
US8996715B2 (en) * | 2006-06-23 | 2015-03-31 | International Business Machines Corporation | Application firewall validation bypass for impromptu components |
US8060916B2 (en) * | 2006-11-06 | 2011-11-15 | Symantec Corporation | System and method for website authentication using a shared secret |
US8613096B2 (en) * | 2007-11-30 | 2013-12-17 | Microsoft Corporation | Automatic data patch generation for unknown vulnerabilities |
US20090144828A1 (en) * | 2007-12-04 | 2009-06-04 | Microsoft Corporation | Rapid signatures for protecting vulnerable browser configurations |
ATE514274T1 (en) * | 2008-07-07 | 2011-07-15 | Barracuda Networks Ag | Security filtering for an internet application |
US8266687B2 (en) * | 2009-03-27 | 2012-09-11 | Sophos Plc | Discovery of the use of anonymizing proxies by analysis of HTTP cookies |
US20120117569A1 (en) * | 2010-11-08 | 2012-05-10 | Kwift SAS | Task automation for unformatted tasks determined by user interface presentation formats |
US20130019314A1 (en) * | 2011-07-14 | 2013-01-17 | International Business Machines Corporation | Interactive virtual patching using a web application server firewall |
US8862868B2 (en) | 2012-12-06 | 2014-10-14 | Airwatch, Llc | Systems and methods for controlling email access |
US8826432B2 (en) | 2012-12-06 | 2014-09-02 | Airwatch, Llc | Systems and methods for controlling email access |
US9787686B2 (en) | 2013-04-12 | 2017-10-10 | Airwatch Llc | On-demand security policy activation |
US9231915B2 (en) | 2013-10-29 | 2016-01-05 | A 10 Networks, Incorporated | Method and apparatus for optimizing hypertext transfer protocol (HTTP) uniform resource locator (URL) filtering |
CN104935551B (en) * | 2014-03-18 | 2018-09-04 | 杭州迪普科技股份有限公司 | Webpage tamper-proofing device and method |
GB2524497A (en) * | 2014-03-24 | 2015-09-30 | Vodafone Ip Licensing Ltd | User equipment proximity requests |
CN104301302B (en) * | 2014-09-12 | 2017-09-19 | 深信服网络科技(深圳)有限公司 | Unauthorized access attack detection method and device |
CN108712430A (en) * | 2018-05-24 | 2018-10-26 | 网宿科技股份有限公司 | Method and apparatus for sending a form request |
US10965659B2 (en) * | 2018-11-09 | 2021-03-30 | International Business Machines Corporation | Real-time cookie format validation and notification |
CN110034922B (en) * | 2019-04-22 | 2022-09-20 | 湖南快乐阳光互动娱乐传媒有限公司 | Request processing method, processing device, request verification method and verification device |
US11356275B2 (en) * | 2020-05-27 | 2022-06-07 | International Business Machines Corporation | Electronically verifying a process flow |
CN111984989B (en) * | 2020-09-01 | 2024-04-12 | 上海梅斯医药科技有限公司 | Method, device, system and medium for self-checking URL publishing and access |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6804778B1 (en) * | 1999-04-15 | 2004-10-12 | Gilian Technologies, Ltd. | Data quality assurance |
US6351811B1 (en) * | 1999-04-22 | 2002-02-26 | Adapt Network Security, L.L.C. | Systems and methods for preventing transmission of compromised data in a computer network |
US20020112162A1 (en) * | 2001-02-13 | 2002-08-15 | Cocotis Thomas Andrew | Authentication and verification of Web page content |
US20030051142A1 (en) * | 2001-05-16 | 2003-03-13 | Hidalgo Lluis Mora | Firewalls for providing security in HTTP networks and applications |
US7100049B2 (en) * | 2002-05-10 | 2006-08-29 | Rsa Security Inc. | Method and apparatus for authentication of users and web sites |
US20060005237A1 (en) * | 2003-01-30 | 2006-01-05 | Hiroshi Kobata | Securing computer network communication using a proxy server |
US8819419B2 (en) * | 2003-04-03 | 2014-08-26 | International Business Machines Corporation | Method and system for dynamic encryption of a URL |
US7395428B2 (en) * | 2003-07-01 | 2008-07-01 | Microsoft Corporation | Delegating certificate validation |
2006
- 2006-05-01 US US11/415,794 patent/US20060288220A1/en not_active Abandoned
- 2006-05-02 WO PCT/US2006/016925 patent/WO2006119336A2/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2006119336A3 (en) | 2007-08-09 |
US20060288220A1 (en) | 2006-12-21 |
WO2006119336A2 (en) | 2006-11-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2006119336B1 (en) | In-line website securing system with html processor and link verification | |
JP6625211B2 (en) | Key exchange through partially trusted third parties | |
US8904558B2 (en) | Detecting web browser based attacks using browser digest compute tests using digest code provided by a remote source | |
CN108462581B (en) | Method and device for generating network token, terminal equipment and storage medium | |
CN107209830B (en) | Method for identifying and resisting network attack | |
US9673984B2 (en) | Session key cache to maintain session keys | |
US7685425B1 (en) | Server computer for guaranteeing files integrity | |
US9294479B1 (en) | Client-side authentication | |
Thakur et al. | Content sniffing attack detection in client and server side: A survey | |
US8689339B2 (en) | Method, system and apparatus for game data transmission | |
CN103634114B (en) | The verification method and system of intelligent code key | |
US10348701B2 (en) | Protecting clients from open redirect security vulnerabilities in web applications | |
US7765310B2 (en) | Opaque cryptographic web application data protection | |
CN103179134A (en) | Single sign on method and system based on Cookie and application server thereof | |
IL193975A (en) | Method for providing web application security | |
WO2010003261A1 (en) | Web application security filtering | |
CN109714370B (en) | HTTP (hyper text transport protocol) -based cloud security communication implementation method | |
CN107016074B (en) | Webpage loading method and device | |
Kumar et al. | XML wrapping attack mitigation using positional token | |
CN110071937B (en) | Login method, system and storage medium based on block chain | |
CN113542274A (en) | Cross-domain data transmission method, device, server and storage medium | |
CN112699374A (en) | Integrity checking vulnerability security protection method and system | |
WO2007078037A1 (en) | Web page protection method employing security appliance and set-top box having the security appliance built therein | |
JP2010250791A (en) | Web security management device and method for monitoring communication between web server and client | |
CN104506518A (en) | Identity authentication method for access control of MIPS (Million Instructions Per Second) platform network system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| NENP | Non-entry into the national phase | Ref country code: RU |
| 122 | Ep: PCT application non-entry in European phase | Ref document number: 06758970; Country of ref document: EP; Kind code of ref document: A2 |