The Internet is by far the largest, most extensive publicly available network of interconnected computer networks that transmit data by packet switching using a standardized Internet Protocol (IP) and many other protocols. The Internet has become an extremely popular source of virtually all kinds of information. Increasingly sophisticated computers, software, and networking technology have made Internet access relatively straightforward for end users. Applications such as electronic mail, online chat and web browser allow the users to access and exchange information almost instantaneously.
The World Wide Web (WWW) is one of the most popular means used for retrieving information over the Internet. WWW can cope with many types of data which may be stored on computers, and is used with an Internet connection and a web browser. The WWW is made up of millions of interconnected pages or documents which can be displayed on a computer or other interface. Each page may have connections to other pages which may be stored on any computer connected to the Internet. Uniform Resource Identifiers (URI) is an identifying system in WWW, and typically consists of three parts: the transfer format (also known as the protocol type), the host name of the machine which holds the file (may also be referred to as the web server name) and the path name to the file. The transfer format for standard web pages is Hypertext Transfer Protocol (HTTP). Hyper Text Markup Language (HTML) is a method of encoding the information so it can be displayed on a variety of devices.
HTTP is the underlying transactional protocol for transferring files (text, graphic images, sound, video, and other multimedia files) between clients and servers. HTTP defines how messages are formatted and transmitted, and what actions web servers and browsers should take in response to various commands. A web browser as an HTTP client, typically initiates a request by establishing a TCP/IP connection to a particular port on a remote host. An HTTP server monitoring that port waits for the client to send a request string. Upon receiving the request string (and message, if any), the server may complete the protocol by sending back a response string, and a message of its own, in the form of the requested file, an error message, or any other information. Web pages regularly reference to pages on other servers, whose selection will elicit additional transfer requests. When the browser user enters file requests by either “opening” a web file by typing in a Uniform Resource Locator (URL), or clicking on a hypertext link, the browser builds an HTTP request. In actual applications, web clients may need to be distinguished and authenticated, or a session which holds a state across a plurality of HTTP protocols may need to be maintained by using “state” called cookie.
An HTTP request may have following syntax: http://hostname/path?query
The hostname may be the name or IP address of a server, optionally followed by a colon and a port number. It may further include information on username and password for authenticating to the server. The path is a specification of a location in some hierarchical structure, using a slash (“/”) as delimiter between components, for example, “/directory/subdirectory/file”. The query part is typically intended to express parameters of a dynamic query to some database residing on the server, for example “?search=business”.
To respond to the request from a web browser, Common Gateway Interface (CGI) programs may be run on the web server. CGI is a specification for transferring information between a web server and a web browser. Other interface may include ISAPI (Internet Service Application Programming Interface), an application programming interface (API) for Microsoft's Internet Information Server (IIS), The request from the web server may also pass-through a web server and reach the web application directly
Dynamic feedback for web browser clients can also be provided to include scripts or programs that execute on the user's machine rather than on the web server, for example by way of Java applets, Javascript™, or ActiveX™ controls.
To determine the appropriate capability or permissions a web user can read from, write to or execute a given object in a web application, an Access Control List (ACL) can be implemented. An access control list may be in the form of a table, containing entries that specify individual user or group rights to specific objects, such as a program, a file directory, or a file.
An elevation of privilege is a term for a type of security vulnerability that allows a user to get more permissions than normally assigned, sometimes by using malicious means. For example, in a successful elevation of privilege attack, a malicious user manages to get administrative privileges to the web application, enabling the attacker to take control over web application. Elevation of privilege vulnerabilities may also include inadvertent security violations, e.g. the client application is able to access a service for which they are not authorized because the web application fails to implement the properly security checks.
Implementations of access control list may be complex as access control list applies to objects, directories, and for the objects and the sub directories within the directories. When an elevation of privilege is found, web application security may be compromised. To ensure the security of the web application, either the entire request may need to be blocked, or fixed through the change of the web application's architecture, which tend to be time consuming and complex.
US Application 20050015674 describes a portable access control list (PACL) model. The PACL is a global representation of the access control list including a tuple of identifiers, permissions and/or actions, and application rules. The portable ACL model is a superset of all existing identifiers, permissions, and actions. However, the PCAL does not provide a solution to provide security for release of web applications on a web server, nor does it check with a remote system.
US Application 20040193906 describes a system for use in a network implementing service applications. The system has an access control list with sets of associated client identification and destination service identification. The system analyzes an incoming service-access request, for source identification associated with a source of the service-access request; and destination service identification associated with an intended destination of the server-access request; the identification is based on service address and port number. The system then determines whether indicia of the source identification and of the destination service identification from the service-access request is included in the access control list in a manner that indicates that the source of the service-access request is authorized for access to a service associated with the destination service identification. While elevation of privilege violations, either inadvertent or malicious, may be avoided. This system is based on pairings of client-application combinations and services.
Similarly, US Application 20040064721 describes a namespace management module utilizing a persistent reservation store that associates URI namespaces with one or more permissions. The reservation store can contain a number of reservation entries that each include a URI identifying a URI namespace and a corresponding access control list that includes permissions for the identified URI namespace. When a request to register a URI namespace is received, the permissions of an appropriate access control list can be checked to determine if the registration is approved. When a resource request is received, permissions of the access control lists can also be checked to determine if the resource request should be routed to a registered process. The disclosed method only look at different web applications in different locations, it does not check the permission inside an application. This method also does not utilize rule based syntax, relying on an external system to register URI namespaces with the application.
Therefore, there is a need for an improved method and system to provide security to web applications. More specifically, there is a need to provide a method and system to dynamically check the permission and capability in an access control list (ACL) independently of the web application.