The development and expanded use of the Internet in recent decades has provided both opportunities and risks for users. The same network that enables improved communication, access to information, and more affordable marketing presence is not without hazards. Generally speaking, those hazards include the theft of information, corruption or destruction of information, breach of confidential information, and intentional denial of service.
This invention addresses the risk of data corruption where a server sends parameters out to a user space and expects to receive the same values in a subsequent communication. As an example, consider a Web site that is hosted on a server and is accessible by any number of client users. For purposes here, a client, user, or client user refers to either a computer workstation configured with a Web browser or the user of such a browser, as appropriate. Where the client is doing more than just reading information posted on the Web site, there may be a two-way exchange of data between the Web server and the client. A common implementation of electronic commerce, for instance, is where a Web site contains products that a user can purchase on-line for a specified price. Such a presentation may reasonably be interpreted as an offer for the sale of goods in the contractual sense: it provides terms that can be accepted by a buyer without subsequent action by the seller. Suppose the Uniform Resource Locator (URL) contains not only the location of the Web page, but also a hidden pricing parameter for a product contained on the Web page. There is a risk that, even though hidden, a user might tamper with the value of the price parameter (most likely changing it to a lower value) prior to placing an on-line order. If the transaction is automatically processed using the changed parameter, then the user's alteration could result in economic harm to the seller.
Unfortunately, it is very difficult to detect or prevent this type of tampering. Security measures that restrict users, for example by employing a firewall, provide little utility since the nature of Web-based e-commerce is that new and previously unknown users must have easy access in order to transact business with the Web server. Moreover, encryption, hashing, and other techniques known in the art designed to detect tampering or to secure data as it passes between point A and point B (between a server and client, in this case) are not adapted to detect tampering of data while it resides at point B.
Thus, server applications that pass parameters through user space, and operate on the assumption that the value of one or more parameters will not be changed by a user, are exposed to a vulnerability not effectively managed by known security measures. This and other drawbacks and limitations exist in known approaches to error detection.