GB2582703A - Injection attack mitigation - Google Patents
- Publication number: GB2582703A (application GB2003657.0A)
- Authority: GB (United Kingdom)
- Legal status: Granted
Classifications
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
Abstract
A computer implemented security method to protect a web server, the web server having associated a plurality of intercommunicating server components each providing a facility for the web server. The server components may be, for example, authentication, database, file store, email or network components. The method involves storing requests received for the web server and providing a software component for each pair of communicating server components. The software component is adapted to receive messages communicated between the server components. In response to a determination that a received message includes a potential security threat, the stored requests are searched to identify a stored request including at least part of the received message, and at least a portion of the identified stored request is flagged as a malicious request. Responsive to a subsequent request directed to the web server including the flagged portion, processing of the subsequent request by the web server is prevented, which may involve preventing receipt of the subsequent request by the web server.
Description
Injection Attack Mitigation
The present invention relates to mitigating injection attacks of web servers.
Web servers are susceptible to injection attacks such as cross-site scripting and structured query language (SQL) injection. These attacks involve malicious entities communicating, for example, scripts to a web server that are not detected by the web server per se and can result in malicious messages communicated to web server components such as database, identity server, authentication server or other components operating with the web server. For example, SQL scripts can be embedded within POST or GET data contents, entry field contents, image uniform resource locators (URLs), "SRC" components of hypertext markup language (HTML) tags such as <IMG> tags, reference components of HTML tags such as <A> tags and the like. The transformation, interpretation, breaking down, dissemination and onward propagation of all or part of a request to a web server can result in parts of a request being constituted in messages to other web server components that have malicious effect.
While techniques can be employed to monitor requests to web servers by scanning or searching, the opportunity to conceal malicious scripts and the like within requests can render such monitoring ineffective.
Thus, there is a requirement to address such challenges.
According to a first aspect of the present invention, there is provided a computer implemented security method to protect a web server, the web server having associated a plurality of intercommunicating server components each providing a facility for the web server, the method comprising: storing requests received for the web server; providing a software component for each pair of communicating server components, the software component being adapted to receive messages communicated between the server components; in response to a determination that a received message includes a potential security threat, searching the stored requests to identify a stored request including at least part of the received message; flagging at least a portion of the identified stored request as a malicious request; responsive to a subsequent request directed to the web server including the flagged portion, preventing processing of the subsequent request by the web server.
Preferably, the determination that a received message includes a potential security threat is made based on a repository of known security threat message portions.
Preferably, the at least a portion of the identified stored request is a portion of the stored request including the at least part of the received message.
Preferably, preventing processing of the subsequent request by the web server includes preventing receipt of the subsequent request by the web server.
Preferably, one or more of the server components include one or more of: an authentication component; a database; a file store; an email component; an identity management component; a network application; and a middleware.
According to a second aspect of the present invention, there is provided a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.
According to a third aspect of the present invention, there is provided a computer system including a processor and memory storing computer program code for performing the steps of the method set out above.
Embodiments of the present invention will now be described, by way of example only, with reference to the accompanying drawings, in which:
- Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention;
- Figure 2 is a component diagram of an arrangement of a security method to protect a web server according to embodiments of the present invention; and
- Figure 3 is a flowchart of a security method to protect a web server according to embodiments of the present invention.
Figure 1 is a block diagram of a computer system suitable for the operation of embodiments of the present invention. A central processor unit (CPU) 102 is communicatively connected to a storage 104 and an input/output (I/O) interface 106 via a data bus 108. The storage 104 can be any read/write storage device such as a random-access memory (RAM) or a non-volatile storage device. An example of a non-volatile storage device includes a disk or tape storage device. The I/O interface 106 is an interface to devices for the input or output of data, or for both input and output of data. Examples of I/O devices connectable to I/O interface 106 include a keyboard, a mouse, a display (such as a monitor) and a network connection.
Embodiments of the present invention provide detection of, and protection against, injection attacks on websites. Injection attacks include cross-site scripting (XSS) attacks, cross-site request forgery (CSRF) and SQL injection attacks. Injection attacks involve the introduction of script or HTML content into a website environment, for example in a persistent manner by way of storage in a file or database. Such attacks can be used to carry out sophisticated and/or dangerous malicious use of website components affecting other clients/users of a website and potentially exposing other clients to, inter alia: mis- or redirection attacks; session theft; cookie access and theft; phishing; data theft; keylogging; and other attacks as will be apparent to those skilled in the art. The paper "Cross-Site Scripting Attacks and Their Prevention during Development" (Kaur et al, International Journal of Engineering Development and Research, IJEDR1703023, 2017) describes such attacks and existing measures for protection.
Embodiments of the present invention operate to address a challenge in detecting such attacks: injected scripting can be concealed, obfuscated and/or otherwise hidden within conventional website requests in a manner that is not readily detected by a security service. Figure 2 is a component diagram of an arrangement of a security method to protect a web server 202 according to embodiments of the present invention. The web server 202 is a suitable web server, such as a software component capable of serving, for example, HTML, PHP and other conventional and emerging web technologies. The web server 202 executes in conjunction with a plurality of intercommunicating server components 204 that each intercommunicate with at least one other component, including the web server 202, to provide a website. The website as constituted by the combination of the web server 202 and the components 204 is accessible to client components 208 via a communications network such as a wired or wireless network. The clients 208 can include, for example, computer systems operating with web browser software applications or other suitable devices and software combinations as will be apparent to those skilled in the art. In use, a user or software at a client 208 sends requests to, and receives responses from, the web server 202. Such requests are, for example, formed as hypertext transport protocol (HTTP) requests including, for example, arguments, script references and adjuncts as will be apparent to those skilled in the art.
The server components 204 can include, for example, inter alia, one or more of: an authentication component; a database; a file store; an email component; an identity management component; a network application; and a middleware. Thus, in conjunction with the web server 202, the software components provide services such as might be available for web applications and the like.
The arrangement of Figure 2 further includes a monitoring service 200 as a hardware, software, firmware or combination component arranged to provide security services according to embodiments of the present invention. The monitoring service 200 communicates with one or more monitor software components 206, each being provided for a pair of communicating server components 204. Each monitor 206 is operable to receive, access, intercept or otherwise observe messages communicated between a pair of communicating server components 204. Thus, a pair of components including a database component communicating with a network application component will be provided with a monitor 206 operable to, for example, access messages communicated therebetween.
The arrangement of Figure 2 is operable to determine if a message between communicating server components 204 constitutes a potential security threat. Such determination can be made by, for example, a monitor 206 or the monitoring service 200. For example, security threats can be detected based on a pre-existing security service such as, inter alia: an intrusion detection service; a virus detection service; a malware detection service; and other services as will be apparent to those skilled in the art. Additionally or alternatively, a determination of a potential security threat in a message communicated between server components 204 can be identified based on a repository, database or other record of portions of messages that are determined to constitute potential security threats. For example, a portion of a message including an SQL script, query or instruction that is considered high-risk or potentially malicious can be recorded in a repository of potentially malicious message portions. Thus, an SQL fragment in which, for example, sensitive database columns are included in an "SQL SELECT" or "SQL INSERT" statement might be identified by only column identifiers for such a statement, if, for example, it is known that legitimate communications between server components 204 would never refer to such columns.
In use, the monitoring service 200 receives communications from the monitors 206.
Where the monitoring service 200 is responsible for checking for threats in messages communicated between server components 204 then the communications from monitors 206 can include whole messages or portions of messages for the service 200 to analyse. Alternatively, where threat checking is undertaken by the monitors 206 themselves then the communications from monitors 206 can include identifications of potentially malicious messages.
The monitoring service 200 further stores requests to the web server 202 received from clients 208. The requests are preferably received by the service 200 before they are communicated to the web server 202, and the service 200 preferably forwards requests to the web server 202. For example, the monitoring service 200 can be provided as a component, feature or part of a firewall facility. When the monitoring service 200 determines or is informed that a potential security threat is detected in a message between server components 204, web server requests received and stored by the monitoring service 200 are searched to identify a request including at least a portion of the message. For example, a message determined to be potentially threatening based on the inclusion of a reference to a sensitive database column can result in a search through all stored web server requests for the sensitive database column identifier. A request identified in the stored web server requests is used to flag at least a portion of the request as a malicious request. A portion can be flagged based on a part of the identified request corresponding to the message between server components 204 determined to be a potential threat.
Flagging portions of web server requests as malicious provides for the monitoring service to subsequently identify such flagged portions in new requests directed to the web server 202 and to prevent processing of such new requests by the web server 202. For example, such requests can be prevented from being received by the web server 202 or can be filtered or amended to remove identified flagged portion(s).
Figure 3 is a flowchart of a security method to protect a web server 200 according to embodiments of the present invention. In the exemplary embodiment of Figure 3, the method is a method of one exemplary arrangement of the monitoring service 200. At step 302, the monitoring service receives a data item and determines if the data item is a web server request or a monitor message from a monitor 206. A web server request is processed at step 304 where the request is stored. At step 306 the method determines if the web server request includes a malicious flagged portion previously identified and, if so, prevents access to the request by the web server at step 308. Monitor messages as messages received by a monitor 206 between a pair of server components 204 are processed by the method at step 310 where a determination is made of whether the message includes a potential security threat. Where a monitor message includes a potential security threat the method identifies a stored web server request including at least part of the monitor message at step 312 and flags a portion of the web server request as malicious at step 314. Thus, in this way, embodiments of the present invention are operable to detect web server requests that have malicious effect when processed by server components 204 even if they are not identifiable as such based on the web server request itself.
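The flow of Figure 3 (steps 302 to 314), modelled as an added example that is not the patent's own code: the threat repository, the request format (an HTTP request line with a query string), the percent-encoding heuristic used to match a request against a monitor message, and all sample inputs are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote_plus


def parameter_values(raw_request: str):
    """Yield (as-sent, decoded) query parameter values of a request line such as
    'GET /report?fields=a%2Cb HTTP/1.1'.  Only the query string is modelled."""
    parts = raw_request.split(" ")
    if len(parts) < 2:
        return
    for chunk in urlsplit(parts[1]).query.split("&"):
        if chunk:
            _, _, encoded = chunk.partition("=")
            yield encoded, unquote_plus(encoded)


@dataclass
class MonitoringService:
    # Repository of message portions that legitimate inter-component traffic never
    # contains (the patent's own example: identifiers of sensitive database columns).
    threat_portions: set
    stored_requests: list = field(default_factory=list)  # step 304
    flagged_portions: set = field(default_factory=set)   # step 314

    def handle_request(self, raw_request: str) -> str:
        """Steps 304 to 308: store the request, then refuse to forward it to the
        web server if it carries a portion previously flagged as malicious."""
        self.stored_requests.append(raw_request)
        for portion in self.flagged_portions:
            if portion in raw_request:
                return "blocked"   # step 308: the web server never receives it
        return "forwarded"

    def threats_in(self, message: str) -> set:
        """Step 310: repository portions that occur in an inter-component message."""
        low = message.lower()
        return {p for p in self.threat_portions if p.lower() in low}

    def handle_monitor_message(self, message: str) -> list:
        """Steps 310 to 314: on a threatening message, search the stored requests
        for one that carries part of it and flag that part of the request."""
        threats = self.threats_in(message)
        newly_flagged = []
        for raw in (self.stored_requests if threats else []):
            for encoded, decoded in parameter_values(raw):
                # Match on the decoded value: the request as sent may hide the
                # fragment behind percent-encoding, which is exactly why scanning
                # requests on their own can miss it.
                hit = any(t.lower() in decoded.lower() for t in threats)
                if hit and encoded not in self.flagged_portions:
                    self.flagged_portions.add(encoded)   # flag the as-sent portion
                    newly_flagged.append(encoded)
        return newly_flagged


def demo() -> dict:
    """Constructed scenario: a percent-encoded request names a sensitive column only
    once the web server has decoded it; the database message reveals it."""
    svc = MonitoringService(threat_portions={"password_hash"})
    # Constructed request: 'p' and '_' are encoded, so a plain substring scan of the
    # request for 'password_hash' finds nothing.
    suspect = "GET /report?fields=%70assword%5Fhash HTTP/1.1"
    first = svc.handle_request(suspect)
    # Constructed message observed by a monitor 206 between the web application
    # and the database after the web server decoded the request.
    db_message = "SELECT password_hash FROM users"
    flagged = svc.handle_monitor_message(db_message)
    repeat = svc.handle_request(suspect)
    benign = svc.handle_request("GET /report?fields=display_name HTTP/1.1")
    return {"first": first, "flagged": flagged, "repeat": repeat, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

The first copy of the suspect request is forwarded because nothing is flagged yet; only after the monitor reports the database message does the as-sent portion get flagged and the repeat blocked before the web server sees it.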
Insofar as embodiments of the invention described are implementable, at least in part, using a software-controlled programmable processing device, such as a microprocessor, digital signal processor or other processing device, data processing apparatus or system, it will be appreciated that a computer program for configuring a programmable device, apparatus or system to implement the foregoing described methods is envisaged as an aspect of the present invention. The computer program may be embodied as source code or undergo compilation for implementation on a processing device, apparatus or system or may be embodied as object code, for example.
Suitably, the computer program is stored on a carrier medium in machine or device readable form, for example in solid-state memory, magnetic memory such as disk or tape, optically or magneto-optically readable memory such as compact disk or digital versatile disk etc., and the processing device utilises the program or a part thereof to configure it for operation. The computer program may be supplied from a remote source embodied in a communications medium such as an electronic signal, radio frequency carrier wave or optical carrier wave. Such carrier media are also envisaged as aspects of the present invention.
It will be understood by those skilled in the art that, although the present invention has been described in relation to the above described example embodiments, the invention is not limited thereto and that there are many possible variations and modifications which fall within the scope of the invention.
The scope of the present invention includes any novel features or combination of features disclosed herein. The applicant hereby gives notice that new claims may be formulated to such features or combination of features during prosecution of this application or of any such further applications derived therefrom. In particular, with reference to the appended claims, features from dependent claims may be combined with those of the independent claims and features from respective independent claims may be combined in any appropriate manner and not merely in the specific combinations enumerated in the claims.
Claims (7)
- 1. A computer implemented security method to protect a web server, the web server having associated a plurality of intercommunicating server components each providing a facility for the webserver, the method comprising: storing requests received for the web server; providing a software component for each pair of communicating server components, the software component being adapted to receive messages communicated between the server components; in response to a determination that a received message includes a potential security threat, searching the stored requests to identify a stored request including at least part of the received message; flagging at least a portion of the identified stored request as a malicious request; responsive to a subsequent request directed to the web server including the flagged portion, preventing processing of the subsequent request by the web server.
- 2. The method of claim 1 wherein the determination that a received message includes a potential security threat is made based on a repository of known security threat message portions.
- 3. The method of any preceding claim wherein the at least a portion of the identified stored request is a portion of the stored request including the at least part of the received message.
- 4. The method of any preceding claim wherein preventing processing of the subsequent request by the web server includes preventing receipt of the subsequent request by the web server.
- 5. The method of any preceding claim wherein one or more of the server components include one or more of: an authentication component; a database; a file store; an email component; an identity management component; a network application; and a middleware.
- 6. A computer system including a processor and memory storing computer program code for performing the steps of the method of any preceding claim.
- 7. A computer program element comprising computer program code to, when loaded into a computer system and executed thereon, cause the computer to perform the steps of a method as claimed in any of claims 1 to 5.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GBGB1904205.0A GB201904205D0 (en) | 2019-03-27 | 2019-03-27 | Injection attack mitigation |
Publications (3)
Publication Number | Publication Date |
---|---|
GB202003657D0 GB202003657D0 (en) | 2020-04-29 |
GB2582703A true GB2582703A (en) | 2020-09-30 |
GB2582703B GB2582703B (en) | 2021-08-18 |
Family
ID=66381326
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GBGB1904205.0A Ceased GB201904205D0 (en) | 2019-03-27 | 2019-03-27 | Injection attack mitigation |
GB2003657.0A Active GB2582703B (en) | 2019-03-27 | 2020-03-13 | Injection attack mitigation |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GBGB1904205.0A Ceased GB201904205D0 (en) | 2019-03-27 | 2019-03-27 | Injection attack mitigation |
Country Status (1)
Country | Link |
---|---|
GB (2) | GB201904205D0 (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100263046A1 (en) * | 2009-04-09 | 2010-10-14 | Myspace, Inc. | Security wrapper methods and systems |
US20120185937A1 (en) * | 2011-01-14 | 2012-07-19 | F5 Networks, Inc. | System and method for selectively storing web objects in a cache memory based on policy decisions |
Also Published As
Publication number | Publication date |
---|---|
GB201904205D0 (en) | 2019-05-08 |
GB202003657D0 (en) | 2020-04-29 |
GB2582703B (en) | 2021-08-18 |