US 20030051142A1

(19) United States
(12) Patent Application Publication
(43) Pub. Date: Mar. 13, 2003

Hidalgo et al.

(54) FIREWALLS FOR PROVIDING SECURITY IN HTTP NETWORKS AND APPLICATIONS

(76) Inventors: Lluis Mora Hidalgo, Martorell (ES); Xabier Panadero Lleonart, Terrasa (ES)

Correspondence Address:
JOHN S. PRATT, ESQ
KILPATRICK STOCKTON, LLP
1100 PEACHTREE STREET
SUITE 2800
ATLANTA, GA 30309 (US)

(21) Appl. No.: 09/859,123
(22) Filed: May 16, 2001

Publication Classification

(51) Int. Cl.7: H04L 9/00
(52) U.S. Cl.: 713/176

(57) ABSTRACT

Systems and methods provide security to HTTP applications. Responses sent from a server, such as a web server, are analyzed and a signature is generated for each HTML object in that page. The signature is encrypted and sent to a client along with the contents of the page. When a client later sends a request, the system checks the signature associated with that request against the contents of the request itself. If the values, variables, lengths, and cardinality of the request are validated, then the request is forwarded to the web server. If, on the other hand, the request is invalidated, the request is blocked from reaching the web server, thereby protecting the web server from malicious attacks. The systems and methods offer security without being limited to a session or user.

Front-page figure (flow chart, steps 30, 32, 33): receive content being sent to client; analyze content; abstract content; generate encrypted signature; deliver content with encrypted signature to client.

Patent Application Publication Mar. 13, 2003 Sheet 1 of 24 US 2003/0051142 A1

FIGURE 1 (diagram): the client requests service from the content server by indicating a method and a URL that will receive the re…; the server responds with the result of the processing of the URL.

FIGURE 2 (screenshot): a questionnaire web form ("Cuestionario": evaluate the level of security your company needs by answering this questionnaire; question 1 asks whether the systems hold data whose disclosure would cause economic losses, damage to image or a breach of data-protection laws) with its HTML source open in a text editor; the source shows a form posted to envcuest.php3, laid out with nested tables.

FIGURE 3 (diagram): a typical firewall installation; reference numerals 12 (server) and 14 (HTTP application).

FIGURE 5(A) (flow chart, steps 30, 32, 33): receive content being sent to client; analyze content; abstract content; generate encrypted signature; deliver content with encrypted signature to client.

FIGURE 5(B) (flow chart; the step labels are not legible in the extraction).

FIGURE 6(A) (block diagram of response processing): a Parser, a Signature unit and a Crypt unit.

FIGURE 6(B) (block diagram of request processing, reference numerals 66, 67, 68): a Request enters the Request Interception Unit, is checked by the Signature Checking Unit with the Decryption Unit (Crypt), and is either passed to the Web Server or handed to the Error Unit (Error).

FIGURE 7(A) (process flow for a response, reference numerals 26, 63, 64, 65): in Step 1 the Web Server returns the Response to the HIVE; the following steps call PARSER_parse, which returns a SIG structure, a SIGNATURE routine, which returns the SIG string, and CRYPT_encrypt, which returns the encrypted SIG string; CONFIG_is_signable and CONFIG_is_startpage are consulted with the URL.

FIGURE 7(B) (process flow for a request, reference numerals 24, 66, 68, 69): in Step 1 the Web Client sends the Request to the HIVE; the following steps call CONFIG_is_startpage with the URL, CRYPT_decrypt, which turns the encrypted SIG string into the decrypted SIG string, and SIGNATURE_check_signature, which checks the request (URL, form and variables) against the SIG structure; on failure an error structure (Error_Code, Description, Estructura_error; Server, URL, Void) is passed to IMP_HTTP_error.

FIGURE 8 (flow diagram of the checkout section of a shopping-cart application): ReadParameters, Checkout, Action / DoShowCart, ShowCart, WriteReceiptToDisk, ShowReceipt. The page shown to the customer reads "You are ordering @COUNT@ of @NAME@ at a price of @PRICE@." and carries the checkout form (as far as it is legible):

    <FORM ACTION="/cgi-bin/cart.cgi">
    <INPUT TYPE="hidden" NAME="…" VALUE="@NAME@">
    <INPUT TYPE="hidden" NAME="count" VALUE="@COUNT@">
    <INPUT TYPE="hidden" NAME="price" VALUE="@PRICE@">
    <INPUT TYPE="hidden" NAME="action" VALUE="2">
    <INPUT TYPE="hidden" NAME="file" VALUE="bill.txt">
    <INPUT TYPE="hidden" NAME="destination" VALUE="store@example.com">
    <INPUT TYPE="submit" NAME="Checkout">
    </FORM>

The WriteReceiptToDisk and ShowReceipt steps write the receipt to the file named by the request's hidden field and mail it to the address named by the request's hidden field:

    open(FILE, ">@FILE@");
    print FILE "@NAME@";
    print FILE "@COUNT@";
    print FILE "@PRICE@";

    open(MAIL, "| sendmail @DESTINATION@");
    print MAIL "@NAME@";
    print MAIL "@COUNT@";
    print MAIL "@PRICE@";

FIGURE 9 (browser screenshot): customer details returned by the application, listing for each customer the name, street address, city, e-mail, credit card number and total (two sample records, John Doe and Mary Doe).

FIGURE 10 (browser screenshot): the block page "Signature not found! This resource can only be accessed by providing a signature."

FIGURE 11 (browser screenshot): the block page "Unknown signature! This signature doesn't decrypt or pass the integrity checks. Please don't modify signatures. Also, if your connection has been idle for a long time, the system might have expired your session. Please start again."

FIGURE 12 (screenshot): login interface of "The HTTP 7 Layer Firewall" with Login and Password fields.

FIGURE 13 (screenshot): configuration select interface of "The HTTP 7 Layer Firewall".

FIGURE 14 (screenshot): administrator configuration select page.

FIGURE 15 (screenshot): general configuration page with the tabs General, CustomError, Key, Nodes, Domains, StartPages, ExceptPages, Default, AdminMail and User, and a Config Settings area.

FIGURE 16 (screenshot): edit page for general options: Config Name, Config Settings; Save Config / Cancel.

FIGURE 17 (screenshot): custom error page: Custom Error, URL Error, Signature Not Found (Error), Signature … Mismatch (Error); Save Config / Cancel.

FIGURE 18 (screenshot): key options interface: Generate Key, Actual Key, Old Key; Save Config / Cancel.

FIGURE 19 (screenshot): the key-size drop-down menu of the key options interface (Generate New Key, Actual Key).

FIGURE 20 (screenshot): the key lifetime drop-down menu of the key options interface: 1 day, 1 week, 1 month, forever.

FIGURE 21 (screenshot): node configuration interface: New Node, Available Nodes; Save Config / Cancel.

FIGURE 22 (screenshot): Editing Node; Save Config / Cancel.

FIGURE 23 (screenshot): domains main page: New Domain, Available Domains.

FIGURE 24 (screenshot): Editing Domain; Save Config.

FIGURE 25 (screenshot): start page main page: New Start Page, Available Start Pages; Save Config / Cancel.

FIGURE 26 (screenshot): Editing Start Page (URL field beginning with http); Save Config.

FIGURE 27 (screenshot): except page interface: New Except Page (URL field beginning with http), Available Except Pages; Save Config / Cancel.

FIGURE 28 (screenshot): Editing Except Page.

FIGURE 29 (screenshot): default main page: New Default, Available Defaults; Save Config / Cancel.

FIGURE 30 (screenshot): administrative mail page: Admin Mail; Save Config.

FIGURE 31 (screenshot): user page of a new configuration.

FIGURE 32 (screenshot): user main page; Save Config / Cancel.

FIGURE 33 (screenshot): Editing User.

FIGURE 34 (screenshot): configuration control buttons: Save Config / Cancel.

FIGURE 35 (legend of the logs page): date when the entry was produced; server name; URL requested; kind of error; description of the error message.

FIGURE 36 (screenshot): logs page of "The HTTP 7 Layer Firewall".

FIGURE 37 (screenshot): drop-down menu of the logs page: See Last 10, Last 60, Last 100.

FIGURE 38 (screenshot of the restarting page): "apachectl graceful: httpd gracefully restarted" (the path to apachectl is not legible).

US 2003/0051142 A1
Mar. 13, 2003

FIREWALLS FOR PROVIDING SECURITY IN HTTP NETWORKS AND APPLICATIONS

FIELD OF THE INVENTION

[0001] The invention relates generally to systems and methods for providing security in a network and, more particularly, to systems and methods for providing security in hyper-text transfer protocol (HTTP) networks and applications, such as over the Internet.

BACKGROUND OF THE INVENTION

[0002] A great variety of devices exist which provide data and/or communication capabilities. One of the most common devices for transmitting and receiving data is a computer. Computers include conventional desktop and laptop computers as well as Personal Digital Assistants (PDAs) and other hand-held devices, such as the Palm Pilot, PocketPC, and Visor. Other types of devices are also used to transmit and receive data. For instance, some mobile radiotelephones and two-way pagers not only provide voice communication capabilities but also enable the transfer and receipt of text messages and can be used to surf the Internet. In addition to mobile radiotelephones and pagers, enhanced television, WebTV, and other interactive television devices provide data capabilities in addition to displaying television programs. These devices are just some examples of devices which are currently available and which can communicate with other devices.

[0003] To enable communications between any two devices, a protocol is employed which defines the manner in which the two devices can communicate. In fact, in a network of devices, a plurality of protocols may be employed at various layers within the network. These layers include the physical layer, the data link layer, network layer, transport layer, session layer, presentation layer, and application layer. For instance, depending on the particular layer, the protocol can govern the transmission of bits, handle errors in transmission, define routing of messages within a network, ensure reliability of transmissions, or define the format of the message.

[0004] A common protocol associated with the Internet is the Hyper Text Transfer Protocol (HTTP). HTTP is an application layer protocol that allows devices to transfer information over the Internet. For example, web browsers and servers operate HTTP and allow a user to access the World Wide Web (WWW) and a content provider to offer information to end users through a web site in the WWW. HTTP is not specific to any language, although most content providers use hyper-text mark-up language (HTML). Thus, HTTP also encompasses the Wireless Application Protocol (WAP) browsers and servers. For WAP devices, however, the devices use wireless mark-up language (WML) as opposed to HTML.

[0005] HTTP is a transactional protocol, meaning that it is based on requests from a client, such as a web browser, and responses from a server, such as a web server. With reference to FIG. 1, a client sends a request to a server with this request identifying a method and a universal resource locator (URL). The server receives the request and processes the URL, such as by obtaining information associated with the URL. For each request from a client, there is a response from the server. Thus, if the request was a request for data associated with a URL, the server would respond by obtaining that data and sending it to the client. The requests include reading a web page, submitting a form, etc. As can be seen from FIG. 1, HTTP is very well defined, has a very simple syntax, and provides a foundation upon which applications can be built to provide services.

[0006] Servers may have a number of HTTP applications. Often, content providers need to offer services through their content servers, be it a simple application that will collect feedback from visitors, or a more complex one like a shopping cart or an e-commerce application. All these applications share a common interface based on HTTP that allows a remote client to interact with the underlying resources, such as files, databases, etc., via a web browser. These applications are called HTTP applications, and often are referred to as WWW or Web Applications. Information is passed to HTTP applications in the request, usually setting parameters or cookies with the information provided by the user when filling in a form.

[0007] FIG. 2 shows an example web page and its corresponding HTML. The background of this figure depicts a form, a questionnaire, available from a server hosting the domain with the URL http://www.s2lsec.com/caste/cuestionario/cuestionario.htm. When a client enters this URL or selects a link associated with the URL, the request is routed to the server, the server retrieves content associated with that URL and possibly performs some additional actions, and then routes a response back to the client. This response includes the HTML depicted in the Notepad window. The client browser interprets the HTML and renders the interface shown in the background.

[0008] The HTTP application receives the parameters and processes them, sending a response back to the client with the result of the processing. HTTP applications do not depend on the programming language, only on the interface (HTTP). An HTTP application can therefore be coded in any language, such as but not limited to C, C++, Visual Basic, Perl, or Java. There are well-known mechanisms of interacting with HTTP, such as Common Gateway Interface (CGI), Active Server Pages (ASP), Servlets, PHP, etc., but all of them rely on HTTP for communication between the client and the application.

[0009] A network environment is beneficial in that devices can communicate with each other, but it exposes the devices and systems connected to the network to security risks. Network security is often regarded as protecting network resources from being accessed to ultimately prevent break-ins into company systems. A firewall is commonly located between the network and a company's system in order to prevent such break-ins. When installing a firewall, a main concern is to filter out ports that could be vulnerable to attacks from the outside.

[0010] As mentioned above, HTTP applications enable devices to gain access to a server's resources. For instance, HTTP applications may involve some kind of interaction between the end user and the backend of the company, be it a database server, file access on the server or just access to an email server. These HTTP applications consequently need privileges over these resources so that they can pass through the firewall, access the database, interact with the underlying operating system, etc. Because HTTP applications can provide access to sensitive areas of a company's system, a malicious user can subvert a vulnerable HTTP application, break into the company's resources and compromise its complete business.

[0011] A firewall may be ineffective in stopping such attacks. HTTP applications use the same network resources used by content servers; in fact they delegate to the web server to handle network transactions. As long as you need to offer HTTP access to any server, no current firewall can stop an HTTP application level attack. A traditional firewall works at the network and transport layers, but does not offer any kind of application protection. For example, FIG. 3 shows a diagram of a typical firewall 10 installed within a network. The firewall 10 is positioned between a server 12 and clients 8. The firewall 10 provides security to the server 12 on the Telnet and HTTP layers but does not offer any protection to an HTTP application 14.

[0012] A traditional approach to application security has been source code review and auditing. Source code review occurs after an application has been finished and involves having someone, often a third party, review all the code and fix any security problems that are discovered. This process is a never-ending task, as the auditor can overlook security bugs that will end up in the reviewed application, so it is not an assurance of full security. As more and more complex applications are being developed and the time-to-market shrinks in order to be the first to offer a service to customers, source code review is no longer an option, as freezing the deployment of an application for days or weeks means loss of business and revenue. A need therefore exists for systems and methods of providing security in a network, especially with HTTP applications.

SUMMARY OF THE INVENTION

[0013] The present invention addresses the problems described above by providing systems and methods offering security on a network. The systems and methods involve signing transmissions sent from a system and then checking return transmissions to make sure that the signature associated with those transmissions matches the content in the transmissions. The systems and methods according to the invention generate a signature unique for the transmission based on important features of that transmission. For example, the signature may be based on fields within the transmission, values of those fields, acceptable lengths of variables, etc. The invention is well suited for use over the Internet at servers providing content to users. In this setting, responses sent from the server are analyzed, abstracted, and then signed before being sent to the users. Requests received from the users include the signature, and these requests are intercepted prior to being sent to the server. The signature in these requests is decrypted and then compared to the actual contents within the request. If the signature corresponds with the request itself, the request is forwarded to the server. On the other hand, if the contents of the request do not match the signature, the request is blocked from reaching the server.

[0014] The systems and methods according to the invention can therefore provide security to IP networks, such as the Internet. Among other things, the invention can be used to block attacks on vulnerable sample applications, content server implementation problems, cookie poisoning, input validation, hidden field tampering, buffer overflows, cross-site scripting, and back door attacks. The invention does not rely upon user sessions, so it does not require significant resources of a server and can be easily added to any server. The invention is not limited to a single server but can be employed in a multiple server environment with other network elements, such as load balancers. The invention can also be used with other security measures, such as secure socket layer (SSL). In the preferred embodiment, the system can be configured according to the desires of its end-user. The user can designate certain pages as start pages, meaning that no signature is required to access those pages. The user can also designate certain pages as Except pages, which is especially beneficial in an ISP setting where multiple domains are hosted on a server and where users need to modify those pages. The system preferably logs all errors and blocks and provides this log in an interface to the user.

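The configuration features just described (start pages that need no signature, Except pages that are passed through, the actual and old keys with a key lifetime of the key options pages, the "Signature not found" and "Unknown signature" block pages, and the log legend of FIG. 35) can be put together as a request dispatcher. The Python below is an added example written for this page; it is not code from the patent or from the product it describes. The configuration class and its field names, the prefix matching of Except pages, the grace period during which the old key is still honoured, and the URL-bound HMAC signature (which stands in for the patent's encrypted content signature and deliberately leaves out the form-content checks) are all assumptions.

```python
import datetime
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIG_PARAM = "__sig"  # hypothetical name of the query parameter that carries the signature


@dataclass
class FirewallConfig:
    """Subset of the configuration pages (FIGS. 15-30); every field name here is an assumption."""
    server_name: str
    start_pages: set                    # reachable without a signature
    except_pages: set                   # path prefixes passed through unchecked (user-editable areas)
    actual_key: bytes                   # "Actual Key" of the key options page
    rotated_at: datetime.datetime       # when the actual key was generated
    key_lifetime: datetime.timedelta    # key lifetime menu: 1 day / 1 week / 1 month / forever
    old_key: Optional[bytes] = None     # "Old Key", honoured for one lifetime after rotation (assumed)
    log: list = field(default_factory=list)  # entries carry the FIG. 35 legend fields


def _mac(key: bytes, canonical: str) -> str:
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def _canonical(path: str, params: dict) -> str:
    """Stable representation of the path plus sorted parameters: the part the signature binds."""
    return path + "?" + urlencode(sorted((k, v) for k, vs in params.items() for v in vs))


def sign_link(cfg: FirewallConfig, url: str) -> str:
    """Response side: append a signature to a link the server is sending to the client."""
    parts = urlsplit(url)
    canonical = _canonical(parts.path, parse_qs(parts.query, keep_blank_values=True))
    return f"{url}{'&' if parts.query else '?'}{SIG_PARAM}={_mac(cfg.actual_key, canonical)}"


def rotate_key(cfg: FirewallConfig, new_key: bytes, now: datetime.datetime) -> None:
    """'Generate Key': the actual key becomes the old key and the new key takes its place."""
    cfg.old_key, cfg.actual_key, cfg.rotated_at = cfg.actual_key, new_key, now


def _signature_valid(cfg: FirewallConfig, canonical: str, token: str, now: datetime.datetime) -> bool:
    if not token.isascii():
        return False
    if hmac.compare_digest(token, _mac(cfg.actual_key, canonical)):
        return True
    # Assumed grace period: signatures issued under the previous key stay valid for one lifetime.
    if cfg.old_key is not None and now - cfg.rotated_at <= cfg.key_lifetime:
        return hmac.compare_digest(token, _mac(cfg.old_key, canonical))
    return False


def _block(cfg: FirewallConfig, now: datetime.datetime, url: str, kind: str, description: str) -> tuple:
    cfg.log.append({"date": now.isoformat(), "server": cfg.server_name,
                    "url": url, "error": kind, "description": description})
    return "block", kind


def dispatch(cfg: FirewallConfig, url: str, now: datetime.datetime) -> tuple:
    """Request side: returns ('forward', reason) or ('block', error kind) and logs every block."""
    parts = urlsplit(url)
    if any(parts.path.startswith(prefix) for prefix in cfg.except_pages):
        return "forward", "except page: passed through without checks"
    if parts.path in cfg.start_pages:
        return "forward", "start page: no signature required"
    params = parse_qs(parts.query, keep_blank_values=True)
    token = params.pop(SIG_PARAM, [None])[0]
    if token is None:
        return _block(cfg, now, parts.path, "Signature not found",
                      "This resource can only be accessed by providing a signature.")
    if not _signature_valid(cfg, _canonical(parts.path, params), token, now):
        return _block(cfg, now, parts.path, "Unknown signature",
                      "Signature does not pass the integrity checks, or the key that signed it has expired.")
    return "forward", "signature verified"


def demo() -> dict:
    """Constructed scenario: start page, except page, unsigned, signed, tampered and key rotation."""
    t0 = datetime.datetime(2003, 3, 13, 12, 0)
    cfg = FirewallConfig("www.example.com", {"/", "/index.html"}, {"/~user/"},
                         b"constructed-key-1", t0, datetime.timedelta(days=1))
    link = sign_link(cfg, "/cgi-bin/cart.cgi?action=2&price=9.99")
    out = {
        "start_page": dispatch(cfg, "/index.html", t0)[0],
        "except_page": dispatch(cfg, "/~user/page.html", t0)[0],
        "unsigned": dispatch(cfg, "/cgi-bin/cart.cgi?action=2", t0)[0],
        "signed": dispatch(cfg, link, t0)[0],
        "tampered": dispatch(cfg, link.replace("price=9.99", "price=0.01"), t0)[0],
    }
    rotate_key(cfg, b"constructed-key-2", t0 + datetime.timedelta(hours=1))
    out["old_key_in_grace"] = dispatch(cfg, link, t0 + datetime.timedelta(hours=2))[0]
    out["old_key_expired"] = dispatch(cfg, link, t0 + datetime.timedelta(days=3))[0]
    out["log_kinds"] = [entry["error"] for entry in cfg.log]
    return out
```

Two design points follow the figures rather than being invented: a request to a non-start page without a signature and a request whose signature fails are distinct error kinds, matching the two separate block pages, and every block produces a log entry with the five legend fields so that the logs page can list them. The old-key grace period is what turns key rotation into a non-event for users who hold pages signed shortly before the rotation, which is the situation the "session might have expired" wording of FIG. 11 describes.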
BRIEF DESCRIPTION OF THE DRAWINGS

[0015] The accompanying drawings, which are incorporated in and form a part of the specification, illustrate preferred embodiments of the present invention and, together with the description, disclose the principles of the invention. In the drawings:
[0016] FIG. 1 is a diagram illustrating communications between a client and a server;
[0017] FIG. 2 illustrates an exemplary web page form along with its underlying HTML code;
[0018] FIG. 3 is a diagram of a typical firewall installation;
[0019] FIG. 4 is a diagram with a security system according to a preferred embodiment of the invention;
[0020] FIGS. 5(A) and 5(B) are flow charts of methods for processing responses to clients and requests to servers, respectively;
[0021] FIGS. 6(A) and 6(B) are more detailed block diagrams of response processing and request processing, respectively;
[0022] FIGS. 7(A) and 7(B) are process flow diagrams for a response and request, respectively;
[0023] FIG. 8 is a flow diagram of a checkout section of an application;
[0024] FIG. 9 is an example of an interface provided to a user obtaining customer details;
[0025] FIG. 10 is an example of an interface provided to a user from a block of an attack seeking customer details;
[0026] FIG. 11 is an example of an interface provided to a user as a result of a block of an attack seeking an arbitrary file writing;
[0027] FIG. 12 is an example of a login interface;
[0028] FIG. 13 is an example of a configuration select interface;
[0029] FIG. 14 is an example of an administrator configurations select page;
[0030] FIG. 15 is an example of a general configuration page;
[0031] FIG. 16 is an example of an edit page for general options;
[0032] FIG. 17 is an example of a customer error page;
[0033] FIG. 18 is an example of a key options interface;
[0034] FIG. 19 is an example of the size of the key drop-down menu in the key options interface;
[0035] FIG. 20 is an example of the life time key drop-down menu in the key options interface;
[0036] FIG. 21 is an example of a node configuration interface;
[0037] FIG. 22 is an example of an edit node configuration interface;
[0038] FIG. 23 is an example of a domain's main page interface;
[0039] FIG. 24 is an example of a domain's edit page;
[0040] FIG. 25 is an example of a start page main page;
[0041] FIG. 26 is an example of a start page edit page;
[0042] FIG. 27 is an example of an accept page interface;
[0043] FIG. 28 is an example of an accept pages edit page;
[0044] FIG. 29 is an example of a default main page interface;
[0045] FIG. 30 is an example of an administrative mail page interface;
[0046] FIG. 31 is an example of a user page of a new configuration;
[0047] FIG. 32 is an example of a user main page;
[0048] FIG. 33 is an example of a user edit page interface;
[0049] FIG. 34 is an example of configuration control buttons;
[0050] FIG. 35 is an example of a legend provided in a logs interface;
[0051] FIG. 36 is an example of a logs page interface;
[0052] FIG. 37 is an example of a drop-down menu with the logs page interface; and
[0053] FIG. 38 is an example of a restarting page interface.

DETAILED DESCRIPTION

[0054] Reference will now be made in detail to preferred embodiments of the invention, non-limiting examples of which are illustrated in the accompanying drawings.

[0055] I. Overview

[0056] The invention relates generally to systems and methods for providing security in a network and with applications. The systems and methods intercept at least some of the requests from clients to a server and also intercept at least some of the responses from the servers to the clients. In general, the systems and methods generate signatures of communications from the server to the client and then check the requests from the client against those signatures. If the requests from the client match the signatures, then the requests are forwarded to the server. On the other hand, when the requests do not match the signatures, the requests are blocked from reaching the server.

[0057] For the purposes of this description, the invention will be described with reference to systems and methods that provide an HTTP application firewall. For example, the systems provide security to applications hosted on a server and interfaced to a network via HTTP. Thus, the systems and methods provide security to servers and applications on the World Wide Web (WWW). The invention, however, is not limited to strictly HTTP applications nor to servers connected to the Internet. The invention encompasses systems and methods on other types of networks, the use of protocols other than HTTP, and other types of applications. As other examples, the invention encompasses the Wireless Application Protocol (WAP), Intranets, XML applications, and HDML applications.

[0058] By intercepting the responses and requests, the systems and methods enforce the HTTP protocol as defined in Internet standards, disallowing anybody from trying to break the protected applications, such as by malforming requests or modifying legitimate requests. The preferred systems sit between the client and the server, intercept both the HTTP requests and responses, and verify that the contents of the request are not malicious. This verification is based on information derived from the content, such as in HTML, derived from FORM fields, etc. Networks and applications can potentially be vulnerable to a number and variety of attacks. The systems and methods according to the invention prevent and provide assistance in deterring many of such attacks.

[0059] For example, the systems and methods can protect vulnerable sample applications. WWW server default installations often include sample pages and applications targeted at showing the server capabilities to a new user. These applications are sometimes vulnerable to attacks, and are actively exploited by crackers. The systems and methods stop access to those pages not directly referred to in the website, such as sample applications or files not meant to be published (database files, website log files, private documents, etc.) that are too often found on publicly available servers.

[0060] As another example, the invention can address content server implementation problems. WWW servers can have implementation problems, such as the recently found IIS Unicode bug or the Iplanet 4.0 shtml buffer overflow. These and other problems can, as will be apparent to those skilled in the art, be addressed by the systems and methods of the invention.

[0061] The invention can be used to prevent cookie poisoning. Applications often rely on cookies in order to keep track of user sessions, or to store transient information, such as login or passwords. Modification of these values can lead to security problems; such modifications are stopped by the systems and methods by using the content signing.

[0062] Input validation is another example of an application of the invention. Often, an application has to validate all the input it receives from a customer. For example, say an application accepts an email address in a field, but an attacker sends commands that will get executed in the content server. The application has to filter out any bad character by identifying every single point of entry to the application and then verifying the client values. The systems and methods of the invention make this task easier and safer by embedding information on the expected values in the page content and by automatically verifying the values when receiving the request from the client.

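The mechanism of the Summary and of [0061] and [0062], abstracting a response into the fields, fixed values and acceptable lengths a client may send back and then validating the returning request's values, variables, lengths and cardinality, is shown below in Python as an added example. It is not code from the patent or the product: the hidden field name __sig, the use of an HMAC (an authenticated, base64-encoded structure) in place of the patent's encryption step, the checkout page modelled on the form of FIG. 8, and the demo requests are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

SECRET_KEY = b"constructed-demo-key-not-for-production"  # hypothetical; a deployment uses its key configuration
SIG_FIELD = "__sig"  # hypothetical name of the hidden field that carries the signature
MAC_LEN = 32         # SHA-256 digest size


class FormParser(HTMLParser):  # abstracts every <form> of a response into the fields a client may send back
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "fields": {}}
            self.forms.append(self._cur)      # fields are filled in as the inputs are met
        elif tag == "input" and self._cur is not None and a.get("name"):
            spec = {"type": (a.get("type") or "text").lower()}
            if spec["type"] == "hidden":      # fixed value: the client must echo it unchanged
                spec["value"] = a.get("value") or ""
            if a.get("maxlength"):            # acceptable length of the variable
                spec["maxlength"] = int(a["maxlength"])
            self._cur["fields"][a["name"]] = spec


def pack_signature(structure):
    """Serialise the abstracted form and authenticate it (an HMAC stands in for the patent's encryption)."""
    blob = json.dumps(structure, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(blob + hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()).decode()


def unpack_signature(token):
    """Return the signed structure, or None when the token fails the integrity check."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    blob, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SECRET_KEY, blob, hashlib.sha256).digest()
    return json.loads(blob) if len(mac) == MAC_LEN and hmac.compare_digest(mac, expected) else None


def sign_response(html):
    """Response side: analyse and abstract the content, then deliver it with the signature (FIG. 5(A))."""
    parser = FormParser()
    parser.feed(html)
    tokens = iter([pack_signature(form) for form in parser.forms])

    def add_sig(match):  # the signature travels as one more hidden field of the same form
        return f'<input type="hidden" name="{SIG_FIELD}" value="{next(tokens)}">' + match.group(0)
    return re.sub(r"</form>", add_sig, html, count=len(parser.forms), flags=re.IGNORECASE)


def check_request(body):
    """Request side: validate values, variables, lengths and cardinality against the signature (FIG. 5(B))."""
    params = parse_qs(body, keep_blank_values=True)
    token = params.pop(SIG_FIELD, None)
    if token is None:
        return "missing", "Signature not found"
    structure = unpack_signature(token[0])
    if structure is None:
        return "unknown", "signature does not pass the integrity checks"
    fields = structure["fields"]
    for name, values in params.items():
        if name not in fields:                 # variables: only those the page offered
            return "invalid", f"unexpected parameter {name!r}"
        if len(values) != 1:                   # cardinality: each variable exactly once
            return "invalid", f"parameter {name!r} sent {len(values)} times"
        spec, value = fields[name], values[0]
        if spec["type"] == "hidden" and value != spec["value"]:   # values: hidden fields unchanged
            return "invalid", f"hidden field {name!r} was modified"
        if len(value) > spec.get("maxlength", len(value)):        # lengths
            return "invalid", f"{name!r} exceeds its maximum length"
    return "ok", "request forwarded to the web server"


# Constructed checkout page modelled on the form of FIG. 8.
CHECKOUT_PAGE = """<html><body><form action="/cgi-bin/cart.cgi" method="post">
<input type="hidden" name="name" value="Widget">
<input type="hidden" name="count" value="2">
<input type="hidden" name="price" value="9.99">
<input type="hidden" name="file" value="bill.txt">
<input type="text" name="email" maxlength="40">
<input type="submit" name="Checkout" value="Checkout">
</form></body></html>"""


def demo():  # runs an honest request and several altered ones through the checks; returns their verdicts
    signed = sign_response(CHECKOUT_PAGE)
    token = re.search(rf'name="{SIG_FIELD}" value="([^"]+)"', signed).group(1)
    base = "name=Widget&count=2&price=9.99&file=bill.txt&email=a%40example.org&Checkout=Checkout"
    flipped = token[:8] + ("A" if token[8] != "A" else "B") + token[9:]   # one altered character
    return {
        "honest": check_request(f"{base}&{SIG_FIELD}={token}")[0],
        "no_signature": check_request(base)[0],
        "bad_signature": check_request(f"{base}&{SIG_FIELD}={flipped}")[0],
        "price_changed": check_request(f"{base.replace('price=9.99', 'price=0.01')}&{SIG_FIELD}={token}")[0],
        "email_too_long": check_request(f"{base.replace('a%40example.org', 'a' * 41)}&{SIG_FIELD}={token}")[0],
        "extra_parameter": check_request(f"{base}&debug=1&{SIG_FIELD}={token}")[0],
    }
```

The signature structure is derived only from what the server itself sent, so the firewall needs no per-user session state, which is the property the Abstract claims. The three outcomes map onto the page's block pages: a missing signature and a signature that fails the integrity check are reported separately from a signature that verifies but does not match the request, and only the last case carries a reason naming the offending field.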
[0063] Hidden field tampering is yet another example of an application of the invention. Applications store session information in "hidden" form fields. These fields are not displayed to an end user but are accessible in the HTML page source code or in the URL bar of the browser, so they are easily modified by a malicious user. The systems and methods protect against modification of these fields by using the content signatures so th