The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves can also correspond to implementations of the technology disclosed.
Web applications are vulnerable to a variety of security issues. Because of the rapid nature of the development of the Web, several of these issues exist as specification weaknesses within fundamental web abstractions. For instance, all state changing web application operations are vulnerable to a Cross-site Request Forgery attack unless the web developer has defenses in place to prevent such an attack. Unprocessed user input when displayed could be vulnerable to Cross-site Scripting. The Web is a platform that is vulnerable by default unless special care has been made to ensure that security vulnerabilities are not introduced. The most common web vulnerabilities like Injection issues, Cross-site Scripting (XSS), and XML External Entity attacks (XXE) exist between abstraction layers as layer integration problems. XSS occurs when the data layer supplies improperly encoded or un-sanitized raw input to the HTML presentation layer. Because of how common web application vulnerabilities are and how devastating they can be for the enterprise, techniques to effectively and efficiently address them is vital for highly evolved web applications.
Virtual Patching is a technique that has been used to address vulnerabilities that can be detected and corrected before executing application-specific code. Many Web Application Firewalls (WAF) have the ability to virtual patch issues by assigning rules to HTTP traffic. For example, a detected denial of service attack can be address by installing a rule to reject HTTP requests sent to a particular IP address and port number having particular identifying information in the message. Such a rule can be applied when requesting any web application because an IP address and port number are known outside of the application (not private/local within the application). However, because a WAF is not contextually aware of the application that it is protecting, it is not possible to patch issues that require a deeper, integrated understanding of the application requirements or current state. For example, it is not possible to write a WAF rule to reject requests from users who have not already established a session because a user's session state is unknown outside of the application (and thus is application-specific). Application aware virtual patching hence allows applying rules that depend on application-specific state.