The Internet continues to have explosive growth. Virtually every business and service has a World-Wide Web (WWW) site and offers some kind of information over the WWW. In many cases, consumers and employees of enterprises can conduct business and affairs via software applications available over the WWW.
Typically, an enterprise constructs its WWW site as a centrally accessible page where other sites or sub pages are accessible from that main page or site. The pages are often organized hierarchically, such as in a directory. Some sub directories or pages may require authentication or may have different varying levels of security before access is properly granted.
Recognizing that WWW sites are generally constructed this way, hackers have attempted to break out of a controlled WWW session and directly access directories or paths that they should not have access to. This permits hackers to access protected software of an enterprise and/or to execute malicious programs on the WWW sites.
To deal with this, enterprises have developed Uniform Resource Locator (URL) normalization schemes. With these, a URL pattern entered by a user is normalized into a specific WWW directory or path, and any needed access control is applied. For example, a request from a user such as “HTTP GET /validpath/../admin” may be normalized to “HTTP GET /admin”. Once the URL is normalized, it can be evaluated to determine whether this particular path is allowed for a given user.
The problem with this approach, as it exists today, is that it is largely neither flexible nor dynamic. In other words, each time a particular pattern is detected, it is manually noted in a service that controls the WWW site. Thus, it takes time before the pattern is enforced on the WWW site, and a specific administrator is required to implement and hardcode the pattern. Moreover, hackers regularly develop masking techniques to avoid URL normalization, some of which are difficult to detect and address.
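The following is an added example, not part of the original text, illustrating the normalization step described above (“/validpath/../admin” resolving to “/admin”) together with the access-control check that follows it. It also handles the percent-encoded masks mentioned as evasion techniques by decoding a bounded number of times before removing dot segments. The policy table, role names and sample requests are constructed for illustration.

```python
"""URL path normalization followed by an access-control decision.

Added example, not part of the original text. The protected-prefix
table, the role names and the sample requests are constructed.
"""
from urllib.parse import unquote

# Constructed policy: normalized prefixes that require a given role.
PROTECTED_PREFIXES = {"/admin": "administrator"}


def normalize_path(raw_path: str, max_decode_rounds: int = 3) -> str:
    """Collapse a request path to its canonical form.

    Percent-decoding is repeated a bounded number of times so that a
    double-encoded mask such as %252e%252e resolves to the same result
    as a plain "..". Dot segments are then removed; ".." never climbs
    above the root, so "/../../admin" still normalizes to "/admin".
    """
    path = raw_path.split("?", 1)[0]  # the query string is not a path
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")  # treat backslash as a separator
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_allowed(raw_path: str, user_roles: set) -> bool:
    """Apply the policy to the normalized path, never to the raw one."""
    canonical = normalize_path(raw_path)
    for prefix, role in PROTECTED_PREFIXES.items():
        if canonical == prefix or canonical.startswith(prefix + "/"):
            return role in user_roles
    return True


if __name__ == "__main__":
    for req in ("/validpath/../admin", "/%2e%2e/admin", "/a/%252e%252e/admin/users"):
        print(req, "->", normalize_path(req), "allowed:", is_allowed(req, {"user"}))
```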
Another problem is that there is no ability to relax normalization for specific users or for specific software services. Moreover, there is no ability to increase pattern recognition in response to a particular software service being requested. Thus, there is little to no customization for URL normalization techniques in the industry.
Accordingly, what are needed are more flexible and customized mechanisms for URL normalization.