GB2582703A - Injection attack mitigation - Google Patents

Info

Publication number
GB2582703A
Authority
GB
United Kingdom
Prior art keywords
web server
request
server
components
stored
Prior art date
Legal status
Granted
Application number
GB2003657.0A
Other versions
GB202003657D0 (en
GB2582703B (en
Inventor
El-Moussa Fadi
Current Assignee
British Telecommunications PLC
Original Assignee
British Telecommunications PLC
Priority date: 2019-03-27
Filing date: 2020-03-13
Publication date: 2020-09-30
Application filed by British Telecommunications PLC
Publication of GB202003657D0
Publication of GB2582703A
Application granted
Publication of GB2582703B
Legal status: Active

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/52 Monitoring during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
                • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
            • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

A computer implemented security method to protect a web server, the web server having associated a plurality of intercommunicating server components each providing a facility for the web server. The server components may be, for example, authentication, database, file store, email or network components. The method involves storing requests received for the web server and providing a software component for each pair of communicating server components, the software component being adapted to receive messages communicated between the server components. In response to a determination that a received message includes a potential security threat, the stored requests are searched to identify a stored request including at least part of the received message, and at least a portion of the identified stored request is flagged as a malicious request. Responsive to a subsequent request directed to the web server including the flagged portion, processing of the subsequent request by the web server is prevented, which may involve preventing receipt of the subsequent request by the web server.

Description

Injection Attack Mitigation

The present invention relates to mitigating injection attacks of web servers.
Web servers are susceptible to injection attacks such as cross-site scripting and structured query language (SQL) injection. These attacks involve malicious entities communicating, for example, scripts to a web server that are not detected by the web server per se and can result in malicious messages communicated to web server components such as database, identity server, authentication server or other components operating with the web server. For example, SQL scripts can be embedded within POST or GET data contents, entry field contents, image uniform resource locators (URLs), "SRC" components of hypertext markup language (HTML) tags such as <IMG> tags, reference components of HTML tags such as <A> tags and the like. The transformation, interpretation, breaking down, dissemination and onward propagation of all or part of a request to a web server can result in parts of a request being constituted in messages to other web server components that have malicious effect.
While techniques can be employed to monitor requests to web servers by scanning or searching, the opportunity to conceal malicious scripts and the like within requests can render such monitoring ineffective.
Thus, there is a requirement to address such challenges.
According to a first aspect of the present invention, there is provided a computer implemented security method to protect a web server, the web server having associated a plurality of intercommunicating server components each providing a facility for the web server, the method comprising: storing requests received for the web server; providing a software component for each pair of communicating server components, the software component being adapted to receive messages communicated between the server components; in response to a determination that a received message includes a potential security threat, searching the stored requests to identify a stored request including at least part of the received message; flagging at least a portion of the identified stored request as a malicious request; responsive to a subsequent request directed to the web server including the flagged portion, preventing processing of the subsequent request by the web server.
Preferably, the determination that a received message includes a potential security threat is made based on a repository of known security threat message portions.
Preferably, the at least a portion of the identified stored request is a portion of the stored request including the at least part of the received message.
Preferably, preventing processing of the subsequent request by the web server includes preventing receipt of the subsequent request by the web server.
Preferably, one or more of the server components include one or more of: an authentication component; a database; a file store; an email component; an identity management component; a network application; and a middleware.
According to a second aspect of the present invention, there is provided a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.
According to a third aspect of the present invention, there is provided a computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of the method set out above.
Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which: Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention; Figure 2 is a component diagram of an arrangement of a security method to protect a web server according to embodiments of the present invention; and Figure 3 is a flowchart of a security method to protect a web server according to embodiments of the present invention.
Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention. A central processor unit (CPU) 102 is communicatively connected to a storage 104 and an input/output (I/O) interface 106 via a data bus 108. The storage 104 can be any read/write storage device such as a random-access memory (RAM) or a non-volatile storage device. An example of a non-volatile storage device includes a disk or tape storage device. The I/O interface 106 is an interface to devices for the input or output of data, or for both input and output of data. Examples of I/O devices connectable to I/O interface 106 include a keyboard, a mouse, a display (such as a monitor) and a network connection.
Embodiments of the present invention provide detection of, and protection against, injection attacks on websites. Injection attacks include cross-site scripting (XSS) attacks, cross-site request forgery (CSRF) and SQL injection attacks. Injection attacks involve the introduction of script or HTML content into a website environment, such as in a persistent manner by way of storage in a file or database. Such attacks can be used to carry out sophisticated and/or dangerous malicious use of website components affecting other clients/users of a website and potentially exposing other clients to, inter alia: mis- or redirection attacks; session theft; cookie access and theft; phishing; data theft; keylogging; and other attacks as will be apparent to those skilled in the art. The paper "Cross-Site Scripting Attacks and Their Prevention during Development" (Kaur et al, International Journal of Engineering Development and Research, IJEDR1703023, 2017) describes such attacks and existing measures for protection.
Embodiments of the present invention operate to address a challenge with detecting such attacks: injected scripting can be concealed, obfuscated and/or otherwise hidden within conventional website requests in a manner that is not readily detected by a security service. Figure 2 is a component diagram of an arrangement of a security method to protect a web server 202 according to embodiments of the present invention. The web server 202 is a suitable web server, such as a software component capable of serving, for example, HTML, PHP and other conventional and emerging web technologies. The web server 202 executes in conjunction with a plurality of intercommunicating server components 204 that each intercommunicate with at least one other component, including the web server 202, to provide a website. The website as constituted by the combination of the web server 202 and the components 204 is accessible to client components 208 via a communications network such as a wired or wireless network. The clients 208 can include, for example, computer systems operating with web browser software applications or other suitable devices and software combinations as will be apparent to those skilled in the art. In use, a user or software at a client 208 sends requests to, and receives responses from, the web server 202. Such requests are, for example, formed as hypertext transfer protocol (HTTP) requests including, for example, arguments, script references and adjuncts as will be apparent to those skilled in the art.
The server components 204 can include, for example, inter alia, one or more of: an authentication component; a database; a file store; an email component; an identity management component; a network application; and a middleware. Thus, in conjunction with the web server 202, the software components provide services such as might be available for web applications and the like.
The arrangement of Figure 2 further includes a monitoring service 200 as a hardware, software, firmware or combination component arranged to provide security services according to embodiments of the present invention. The monitoring service 200 communicates with one or more monitor software components 206, each being provided for a pair of communicating server components 204. Each monitor 206 is operable to receive, access, intercept or otherwise observe messages communicated between a pair of communicating server components 204. Thus, a pair of components including a database component communicating with a network application component will be provided with a monitor 206 operable to, for example, access messages communicated therebetween.
The arrangement of Figure 2 is operable to determine if a message between communicating server components 204 constitutes a potential security threat. Such determination can be made by, for example, a monitor 206 or the monitoring service 200. For example, security threats can be detected based on a pre-existing security service such as, inter alia: an intrusion detection service; a virus detection service; a malware detection service; and other services as will be apparent to those skilled in the art. Additionally or alternatively, a determination of a potential security threat in a message communicated between server components 204 can be identified based on a repository, database or other record of portions of messages that are determined to constitute potential security threats. For example, a portion of a message including an SQL script, query or instruction that is considered high-risk or potentially malicious can be recorded in a repository of potentially malicious message portions. Thus, an SQL fragment in which, for example, sensitive database columns are included in an "SQL SELECT" or "SQL INSERT" statement might be identified by only column identifiers for such a statement, if, for example, it is known that legitimate communications between server components 204 would never refer to such columns.
In use, the monitoring service 200 receives communications from the monitors 206.
Where the monitoring service 200 is responsible for checking for threats in messages communicated between server components 204 then the communications from monitors 206 can include whole messages or portions of messages for the service 200 to analyse. Alternatively, where threat checking is undertaken by the monitors 206 themselves then the communications from monitors 206 can include identifications of potentially malicious messages.
The monitoring service 200 further stores requests for the web server 202 received from clients 208. The requests are preferably received by the service 200 before they are communicated to the web server 202, and the service 200 preferably forwards requests to the web server 202. For example, the monitoring service 200 can be provided as a component, feature or part of a firewall facility. When the monitoring service 200 determines or is informed that a potential security threat is detected in a message between server components 204, the web server requests received and stored by the monitoring service 200 are searched to identify a request including at least a portion of the message. For example, a message determined to be potentially threatening based on the inclusion of a reference to a sensitive database column can result in a search through all stored web server requests for the sensitive database column identifier. A request identified in the stored web server requests is used to flag at least a portion of the request as a malicious request. A portion can be flagged based on a part of the identified request corresponding to the message between server components 204 determined to be a potential threat.
Flagging portions of web server requests as malicious provides for the monitoring service to subsequently identify such flagged portions in new requests directed to the web server 202 and to prevent processing of such new requests by the web server 202. For example, such requests can be prevented from being received by the web server 202 or can be filtered or amended to remove identified flagged portion(s).
Figure 3 is a flowchart of a security method to protect a web server 202 according to embodiments of the present invention. In the exemplary embodiment of Figure 3, the method is a method of one exemplary arrangement of the monitoring service 200. At step 302, the monitoring service receives a data item and determines if the data item is a web server request or a monitor message from a monitor 206. A web server request is processed at step 304, where the request is stored. At step 306 the method determines if the web server request includes a previously identified malicious flagged portion and, if so, prevents access to the request by the web server at step 308. Monitor messages, being messages observed by a monitor 206 between a pair of server components 204, are processed by the method at step 310, where a determination is made of whether the message includes a potential security threat. Where a monitor message includes a potential security threat, the method identifies a stored web server request including at least part of the monitor message at step 312 and flags a portion of the web server request as malicious at step 314. Thus, in this way, embodiments of the present invention are operable to detect web server requests that have malicious effect when processed by server components 204 even if they are not identifiable as such based on the web server request itself.
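The flow of Figure 3, worked through as an added example that is not code from the patent or from British Telecommunications: a Python simulation of the monitoring service 200 with a request store (step 304), a repository of known threat message portions (claim 2), the search of stored requests for part of a reported inter-component message (step 312), flagging of the matching portion (step 314), and blocking of subsequent requests that carry it (steps 306 and 308). It also covers the concealment point made earlier, with the SQL fragment hidden in a URL-encoded GET parameter. Everything below is assumed rather than taken from the patent: the threat repository (column names that legitimate component-to-component queries are taken never to reference), the sample requests and database message, and the choice of the longest shared substring as the flagged portion.

```python
"""Simulation of the monitoring service of Figures 2 and 3 (added example).

Assumed, not from the patent: web server requests are HTTP request lines
held as strings, monitor messages are the SQL text a network application
component sends to a database component, and the repository of known
threat message portions (claim 2) is a constructed tuple of column names
that no legitimate component-to-component query is expected to name.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from html import unescape
from typing import Optional
from urllib.parse import unquote_plus

# Constructed repository of known threat message portions (claim 2).
THREAT_PORTIONS = ("password_hash", "card_number")


def decode(request: str) -> str:
    """Undo the URL and HTML-entity encoding that the web server removes
    before a request fragment reaches a database component. The search at
    step 312 and the check at step 306 both run over this form; otherwise a
    re-encoded copy of a flagged fragment is not recognised."""
    return unescape(unquote_plus(request))


def common_fragment(request: str, message: str) -> str:
    """Longest substring shared by a decoded request and a monitor message:
    the portion of the stored request that includes the part of the received
    message (claim 3)."""
    matcher = SequenceMatcher(None, request, message, autojunk=False)
    match = matcher.find_longest_match(0, len(request), 0, len(message))
    return request[match.a:match.a + match.size]


@dataclass
class MonitoringService:
    stored_requests: list = field(default_factory=list)   # step 304
    flagged_portions: set = field(default_factory=set)    # step 314

    def on_web_request(self, request: str) -> bool:
        """Steps 304 to 308. Returns True if the request may reach the web server."""
        self.stored_requests.append(request)
        decoded = decode(request)
        return not any(p in decoded for p in self.flagged_portions)

    def threat_portion(self, message: str) -> Optional[str]:
        """Step 310: repository lookup over an inter-component message."""
        lowered = message.lower()
        return next((p for p in THREAT_PORTIONS if p in lowered), None)

    def on_monitor_message(self, message: str) -> Optional[str]:
        """Steps 310 to 314. Returns the newly flagged portion, or None."""
        portion = self.threat_portion(message)
        if portion is None:
            return None
        for request in self.stored_requests:                  # step 312
            decoded = decode(request)
            if portion not in decoded.lower():
                continue
            fragment = common_fragment(decoded, message)
            # Flag the whole shared fragment, not the bare column name, so a
            # legitimate request that merely mentions the column is not blocked;
            # fall back to the column name if the overlap is too short to hold it.
            if portion not in fragment.lower():
                fragment = portion
            self.flagged_portions.add(fragment)                # step 314
            return fragment
        return None


# Constructed traffic: one SQL injection concealed in a URL-encoded GET parameter.
BENIGN = "GET /products?id=1"
ATTACK = "GET /products?id=1%27+UNION+SELECT+password_hash+FROM+users--"
REENCODED = "GET /search?q=1%27%20UNION%20SELECT%20password_hash%20FROM%20users--"
LOOKALIKE = "GET /account/fields?name=password_hash"
DB_MESSAGE = ("SELECT name FROM products WHERE id = '1' "
              "UNION SELECT password_hash FROM users--'")


def demo() -> dict:
    svc = MonitoringService()
    # Nothing is flagged yet, so both requests are forwarded and stored.
    first_pass = [svc.on_web_request(r) for r in (BENIGN, ATTACK)]
    # Monitor 206 reports the query seen between network application and database.
    flagged = svc.on_monitor_message(DB_MESSAGE)
    second_pass = {
        "attack": svc.on_web_request(ATTACK),
        "reencoded": svc.on_web_request(REENCODED),
        "lookalike": svc.on_web_request(LOOKALIKE),
        "benign": svc.on_web_request(BENIGN),
    }
    return {"first_pass": first_pass, "flagged": flagged, "second_pass": second_pass}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Flagging the shared fragment rather than the bare column name is what lets the look-alike request through (claim 3), and the decode step is what catches the re-encoded copy. The flag is still a literal learned from one observed attack: a variant that changes the spacing or uses UNION ALL is not matched, so the monitor on the component-to-component path remains the detector of record and the flagged-portion check is a fast path in front of the web server.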
Insofar as embodiments of the invention described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present invention. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilises the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present invention.
It will be understood by those skilled in the art that, although the present invention has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention.
The scope of the present invention includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.

Claims (7)

  1. A computer implemented security method to protect a web server, the web server having associated a plurality of intercommunicating server components each providing a facility for the webserver, the method comprising: storing requests received for the web server; providing a software component for each pair of communicating server components, the software component being adapted to receive messages communicated between the server components; in response to a determination that a received message includes a potential security threat, searching the stored requests to identify a stored request including at least part of the received message; flagging at least a portion of the identified stored request as a malicious request; responsive to a subsequent request directed to the web server including the flagged portion, preventing processing of the subsequent request by the web server.
  2. The method of claim 1 wherein the determination that a received message includes a potential security threat is made based on a repository of known security threat message portions.
  3. The method of any preceding claim wherein the at least a portion of the identified stored request is a portion of the stored request including the at least part of the received message.
  4. The method of any preceding claim wherein preventing processing of the subsequent request by the web server includes preventing receipt of the subsequent request by the web server.
  5. The method of any preceding claim wherein one or more of the server components include one or more of: an authentication component; a database; a file store; an email component; an identity management component; a network application; and a middleware.
  6. A computer system including a processor and memory storing computer program code for performing the steps of the method of any preceding claim.
  7. A computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of a method as claimed in any of claims 1 to 5.
GB2003657.0A 2019-03-27 2020-03-13 Injection attack mitigation Active GB2582703B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GBGB1904205.0A GB201904205D0 (en) 2019-03-27 2019-03-27 Injection attack mitigation

Publications (3)

Publication Number Publication Date
GB202003657D0 GB202003657D0 (en) 2020-04-29
GB2582703A true GB2582703A (en) 2020-09-30
GB2582703B GB2582703B (en) 2021-08-18

Family

ID=66381326

Family Applications (2)

Application Number Title Priority Date Filing Date
GBGB1904205.0A Ceased GB201904205D0 (en) 2019-03-27 2019-03-27 Injection attack mitigation
GB2003657.0A Active GB2582703B (en) 2019-03-27 2020-03-13 Injection attack mitigation

Family Applications Before (1)

Application Number Title Priority Date Filing Date
GBGB1904205.0A Ceased GB201904205D0 (en) 2019-03-27 2019-03-27 Injection attack mitigation

Country Status (1)

Country Link
GB (2) GB201904205D0 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100263046A1 (en) * 2009-04-09 2010-10-14 Myspace, Inc. Security wrapper methods and systems
US20120185937A1 (en) * 2011-01-14 2012-07-19 F5 Networks, Inc. System and method for selectively storing web objects in a cache memory based on policy decisions

Also Published As

Publication number Publication date
GB201904205D0 (en) 2019-05-08
GB202003657D0 (en) 2020-04-29
GB2582703B (en) 2021-08-18
