1. Field of Invention
The present invention relates to the field of computer network security. In particular, the present invention relates to a method, system and an article of manufacture tangibly embodying a computer readable program for protecting Web applications from network attacks.
2. Description of the Related Art
With the advances in computer and Internet technology, Web applications such as online shopping and Internet banking have become increasingly popular. However, attacks on Web applications have become a major threat in the past decade: even if a firewall has a strong rule set and a server is always duly patched, an attacker may walk right into the system through port 80 when Web application developers do not follow secure coding practices. SQL (Structured Query Language) injection and XSS (cross-site scripting) are two of the most common types of attack. Through SQL injection, data in a database may be stolen, and even the whole database may be dumped, which can be disastrous for some applications. Through XSS, the secret data of a normal user (e.g. their user identity or session identity) may be stolen.
Some approaches against such attacks are currently available. One approach is to scan an application with a black-box testing tool (e.g. AppScan®) and fix the vulnerabilities manually. However, this approach is not always effective, because some applications cannot be redeployed quickly and in some cases the source code cannot be obtained. Another approach is to place a WAF (Web Application Firewall) in front of the Web server to filter malicious requests. This method allows filtering rules to be updated at runtime, so that an application does not need to be redeployed when a new vulnerability is found. However, this method also has disadvantages. First, each input field must be configured manually and carefully, which may cost considerable effort. Second, a WAF cannot recognize some request fields because they may have been encoded by client-side script before being submitted.
Besides SQL injection and XSS, another common threat is tampering with hidden fields. Since junior developers may use hidden fields to carry user information without checking it on the server side, tampering with the hidden fields may break the business logic. One approach to this problem is to sign these hidden fields before sending them to the client side. When a request containing these fields returns, the signature is verified to ensure that the fields have not been tampered with. However, some forms are hard to define statically because they are created at runtime by script in the client browser. Furthermore, some developers keep such key user information not only in hidden fields but in any tag of an HTML document, retrieving its value by script at runtime. It is therefore very difficult to define which response values should be signed.
In some extreme cases, part of the business logic is performed by script on the client side, while verification is neglected on the server side (e.g., a total price may be calculated on the client side by multiplying a unit price by a count, yet the total price is not verified on the server side). Currently there is no good solution to this problem.
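As an added illustration of the hidden-field signing and server-side verification described above (example code, not part of the original application; the secret key, the form identifier and the field names are assumed), the following binds a form's hidden fields to an HMAC tag, rejects a request whose hidden fields were altered, and recomputes the total on the server instead of trusting the client's figure:

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

# Hypothetical server-side secret; in deployment it comes from configuration,
# not from a per-process random value.
SECRET_KEY = secrets.token_bytes(32)

# Names of the fields this form issues as hidden inputs (assumed for this example).
HIDDEN_FIELDS = ("item_id", "unit_price")

def _tag(form_id: str, hidden: dict) -> str:
    # Canonical encoding: form identifier, then the hidden name=value pairs in sorted
    # order, so reordering, renaming or replaying a value in another form changes the tag.
    payload = form_id.encode() + b"\0" + urlencode(sorted(hidden.items())).encode()
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def issue_form(form_id: str, hidden: dict) -> dict:
    """Hidden fields the server embeds in the response, plus a '_sig' field binding them."""
    out = dict(hidden)
    out["_sig"] = _tag(form_id, hidden)
    return out

def hidden_fields_intact(form_id: str, request: dict) -> bool:
    """True only if every hidden field came back exactly as issued for this form."""
    try:
        hidden = {name: request[name] for name in HIDDEN_FIELDS}
    except KeyError:
        return False
    return hmac.compare_digest(_tag(form_id, hidden), request.get("_sig", ""))

def checkout_total(form_id: str, request: dict) -> Optional[int]:
    """Recompute the total from the signed unit price and the submitted count.
    Any client-supplied 'total' is ignored; returns None on tampering or bad input."""
    if not hidden_fields_intact(form_id, request):
        return None
    try:
        count = int(request.get("count", "0"))
        unit_price = int(request["unit_price"])
    except ValueError:
        return None
    if count < 1:
        return None
    return unit_price * count
```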
Another important security issue related to Web applications is unauthorized access. By observation, a hacker may guess a link embedded in a Web page and thereby gain access to resources for which they are not authorized.
In general, because script is involved, it is difficult to achieve a thorough solution to these security issues without changing the source code.