-
Publication (Announcement) No.: CA2694326A1
Publication (Announcement) Date: 2010-05-18
Application No.: CA2694326
Application Date: 2010-03-10
Applicant: IBM CANADA
Inventor: PODJARNY GUY , AMIT YAIR , SHARABANI ADI
Abstract: A method and system for preventing Cross-Site Request Forgery (CSRF) attacks on a server in a client-server environment. The method includes embedding a nonce and a script in all responses from the server to the client, wherein, when executed, the script adds the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each request from the client includes the nonce the server sent to that client. The script modifies all objects in a server response that may generate future requests to the server, including dynamically generated objects, so that the nonce is added to those requests. The server verifies the nonce value in a request and confirms the request with the client if the value is not the same as the value previously sent by the server. Server-side aspects of the invention may be embodied in the server or in a proxy between the server and the client.
-
Publication (Announcement) No.: CA2704863A1
Publication (Announcement) Date: 2010-08-16
Application No.: CA2704863
Application Date: 2010-06-10
Applicant: IBM CANADA
Inventor: PODJARNY GUY , SHARABANI ADI
Abstract: A method for preventing malicious code from being embedded within a scripting language of a web application accessed by a web browser (308), the method comprising: monitoring all incoming traffic (310) generated by the web browser and outgoing traffic (326) generated by a server (318) to form monitored traffic; determining whether a unique element, defined in a configuration file, matches an input value of the monitored traffic to form a matched input value; responsive to a determination that the unique element matches an input value of the monitored traffic, saving the matched input value and determining whether an output contains the matched input value in an expected location; responsive to a determination that the output contains the matched input value in an expected location, encoding the matched input value using a respective definition from the configuration file; and returning the output (330) to the requester.
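The mechanism is a proxy-side filter with two passes: on the request, configured parameter names are matched against the input and the matched values saved; on the response, each saved value that shows up at its expected location is encoded with the encoder the configuration assigns to that location. The Node.js code below is an added example for this page, not the patent's or IBM's implementation. The configuration layout, the idea of describing an expected location as the literal text that precedes the value, the encoder names, the minimum-length rule and the sample request and response are all assumptions constructed for the example.

```javascript
// Added example (not the patent's own code): request/response monitoring
// filter in the shape the abstract describes. Configuration format and
// encoder names are assumptions.

// Constructed configuration: each unique element is a request parameter,
// the output location where its value is expected (text preceding it), and
// the encoding definition to apply there.
const CONFIG = {
  elements: [
    { name: 'q', location: 'Results for ', encoding: 'html' },
    { name: 'next', location: 'href="', encoding: 'attr' },
  ],
  // Very short values would match all over the output, so skip them.
  minLength: 3,
};

const ENCODERS = {
  // HTML text context: escape the five metacharacters.
  html: (s) => s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  }[c])),
  // HTML attribute context: numeric entity for everything non-alphanumeric.
  // This keeps the value inside the attribute; it does not validate URL
  // schemes, so a javascript: URL in an href needs a separate check.
  attr: (s) => s.replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.charCodeAt(0).toString(16) + ';'),
};

// Request pass: compare each configured element with the incoming parameters
// and save the matched input values for the response pass.
function monitorRequest(config, params) {
  const saved = [];
  for (const el of config.elements) {
    const value = params[el.name];
    if (typeof value === 'string' && value.length >= config.minLength) {
      saved.push({ ...el, value });
    }
  }
  return saved;
}

// Response pass: where a saved value appears right after its expected
// location marker, replace it with its encoded form. Occurrences elsewhere
// are left alone, because the filter only knows the context of the
// locations it was configured for.
function filterResponse(config, saved, body) {
  let out = body;
  for (const { location, encoding, value } of saved) {
    const encode = ENCODERS[encoding];
    const needle = location + value;
    let from = 0;
    for (;;) {
      const i = out.indexOf(needle, from);
      if (i === -1) break;
      const start = i + location.length;
      const encoded = encode(value);
      out = out.slice(0, start) + encoded + out.slice(start + value.length);
      from = start + encoded.length;
    }
  }
  return out;
}

// Constructed sample traffic: a reflected search term and an attribute
// break-out, plus an unconfigured parameter and an unconfigured location.
const SAMPLE_REQUEST = {
  q: '<script>alert(1)</script>',
  next: '"><img src=x onerror=alert(1)>',
  id: '7',
};
const SAMPLE_RESPONSE =
  '<title>Search: <script>alert(1)</script></title>' +
  '<p>Results for <script>alert(1)</script></p>' +
  '<a href=""><img src=x onerror=alert(1)>">next</a>';

function filterSample() {
  const saved = monitorRequest(CONFIG, SAMPLE_REQUEST);
  return filterResponse(CONFIG, saved, SAMPLE_RESPONSE);
}

console.log(filterSample());
```

In the sample, the reflection inside the paragraph and the attribute break-out are neutralised, but the copy inside the title is not, because no configured element names that location. That is the property to keep in mind when deploying such a filter: it is only as complete as its configuration, and it is a compensating control in front of an application that should still encode its own output per context.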
-
Publication (Announcement) No.: CA2680609A1
Publication (Announcement) Date: 2009-12-23
Application No.: CA2680609
Application Date: 2009-10-19
Applicant: IBM CANADA
Inventor: IONESCU PAUL , SHARABANI ADI , MIRMOVITCH GIL , SAKIN ARIEL , SEGAL ORI , PODJARNY GUY
Abstract: A method of configuring a login session is provided. The method includes, performing on a processor: obtaining login sequence data; selectively removing pages from the login sequence data; selectively tracking at least one of parameters and cookies of the login sequence data; and modifying a login configuration used in a login session based on the modified login sequence data.
-