1. Field of the Invention
The present invention relates to the field of accessing web applications, and more particularly, to a method and a system for reconstructing a response message when a violation is detected in a server-side Web Application Firewall (WAF).
2. Description of the Related Art
With the rapid development of web applications, requirements for WAFs are increasing. Compared with a traditional firewall, a WAF can fend off attacks on server-side web applications carried by malicious HTTP access requests (generally called error HTTP access requests). However, false positives are an inherent problem of the WAF and are difficult to eliminate. Under many circumstances, if a user submits an HTTP request to a server-side web application and the WAF classifies the submitted request as malicious, the WAF returns an error message to the user instead of transmitting the HTTP request to the server-side web application. As a result, the user's experience is seriously affected, because a submitted HTTP request can be classified as malicious merely because, for example, the user typed “sensitive characters” by mistake.
A first existing solution to the above problem is to reconstruct the response web pages provided by the WAF when malicious HTTP requests are detected, by modifying the source code of the HTTP Server Container. One disadvantage of this solution is that it requires modification of the source code of the HTTP Server Container, which in turn requires comprehensive analysis and testing of that source code, and this is not easy to do. The HTTP server container is a universal component in the web application environment and the core component of the HTTP server. The main roles of the HTTP server container are fending off HTTP requests and HTTP responses, recording the requests and responses, and transmitting such requests and responses. Therefore, the HTTP server container's ability to detect whether HTTP requests are malicious is limited.
A second existing solution involves transmitting the malicious HTTP requests (confirmed by the WAF) directly to server-side web applications instead of generating an error status code even if the malicious HTTP requests are detected by the WAF, then server-side web applications reconstruct the HTTP responses to return to users. There are two main disadvantages of this solution: one is that transmitting malicious HTTP requests to server-side applications can cause an actual attack (if they are real malicious HTTP requests); the other is that this solution requires the modification of the source code of server-side web applications with high cost and is difficult to accomplish.
A third existing solution (shown in FIG. 1) involves customizing friendlier static error response messages in the HTTP server to replace the error response messages built into the HTTP server. The HTTP server can be understood as the HTTP server container plus various function modules developed by users on top of the HTTP server container. Therefore, unlike the first solution above, this solution does not require modification of the source code of the HTTP server container. Instead, this solution enables the customization of several static error response pages, one for each error status code. At the same time, configuration directives such as the following are added to the HTTP server (for example):
ErrorDocument 500 /customize500.html
ErrorDocument 403 /customize403.html
The meaning of the above HTTP server configuration directives (httpd) is: if the error status code is 500, return the customized page customize500.html to the user, and if the error status code is 403, return the customized page customize403.html to the user. One of the disadvantages is that only static error pages can be returned for malicious HTTP requests, so there is less flexibility. Furthermore, because of the way the HTTP server behaves, in the JavaScript (JS) environment of the end user the customized static error pages may not be displayed normally if only the content of the error pages is modified while the error status code of the HTTP response is left unchanged, which can itself result in an error.
FIG. 1 shows the block diagram of a system for reconstructing error response messages in a web application environment with an existing WAF. The system is referred to generally by the numeral 100 in FIG. 1. Blocks 101-104 within the solid-line block represent the necessary components of a traditional web application access system, without any function for reconstructing error response messages. The existing system 100 enables the return of friendlier static error pages in response to HTTP requests submitted by users that are deemed malicious, in a web application environment with a WAF. The system 100 includes a client module 101, a WAF module 102, an HTTP server module 103, a web application module 104 and a static error response configuration module 105.
The client module 101 submits the HTTP requests for accessing web applications to the HTTP server module 103. The HTTP server module 103 transmits the received HTTP requests to the WAF module 102 so that the WAF module 102 can analyze the HTTP requests. If the HTTP requests are normal HTTP requests, a successful status code 200 will be sent to the HTTP server module 103 and then the HTTP server module 103 transmits the normal HTTP requests to the web application module 104 so that the client 101 is able to access the web application module 104. If the HTTP requests are malicious requests, the WAF module 102 will send an analyzed error status code (such as status 500 representing “internal error of HTTP server”) of the malicious requests to the HTTP server module 103. Next, the HTTP server module 103 will invoke the static error response pages stored in the static error response configuration module 105 as a response to the malicious HTTP requests submitted by the client 101, which will be returned to the client 101 via the HTTP server module 103. The error status codes are coded by the WAF module 102 to identify the error status of the malicious HTTP requests.
Besides the error status codes, the WAF module 102 can also produce successful status codes, such as the status code 200 described above. The HTTP server module 103 can take different actions according to the status codes analyzed and sent by the WAF module 102. Error status codes and successful status codes are collectively called status codes. Common error status codes include: 400, bad request; 405, request method not allowed; 403, forbidden access; 404, requested page not found; 500, internal error of the HTTP server.
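The flow of FIG. 1 as a small executable model, added here for illustration and not part of the patent: the WAF rules, the ErrorDocument page bodies and the sample requests are all constructed, and the model shows why a customized static page served with an unchanged error status code is still treated as a failure by a browser-side JS client.

```python
"""Model of the prior-art flow: client 101 -> HTTP server 103 -> WAF 102 ->
web application 104, or a static ErrorDocument page on an error status code.
Constructed example; rules, pages and requests are not from the patent."""
import re
from dataclasses import dataclass

# Constructed WAF rules. The '<>' rule also matches harmless text such as
# "1 < 2", which is the "sensitive characters" false positive the text describes.
WAF_RULES = [
    (re.compile(r"(?i)\bdrop\s+table\b"), 403),  # forbidden access
    (re.compile(r"[<>]"), 500),                  # "internal error of HTTP server"
]

# Equivalent of the ErrorDocument directives: error status code -> static page.
ERROR_DOCUMENTS = {
    403: "<h1>customize403.html: your request could not be accepted</h1>",
    500: "<h1>customize500.html: something went wrong, please retry</h1>",
}

@dataclass
class Response:
    status: int
    body: str

def waf_module(request_body: str) -> int:
    """WAF module 102: 200 for a normal request, otherwise an error status code."""
    for pattern, code in WAF_RULES:
        if pattern.search(request_body):
            return code
    return 200

def web_application(request_body: str) -> Response:
    """Web application module 104: accept the input and acknowledge it."""
    return Response(200, f"saved: {request_body!r}")

def http_server(request_body: str) -> Response:
    """HTTP server module 103: consult the WAF, then forward the request or
    serve the configured static error page (third existing solution)."""
    status = waf_module(request_body)
    if status == 200:
        return web_application(request_body)
    # Friendlier body, but the error status code is left exactly as the WAF set it.
    return Response(status, ERROR_DOCUMENTS.get(status, "Internal Server Error"))

def js_client_displays(resp: Response) -> bool:
    """Browser-side JS (fetch/XHR) treats any non-2xx status as a failed request,
    so the customized page body is never rendered: the caveat raised in the text."""
    return 200 <= resp.status < 300
```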