Patent · US Active

Guarding against cross-site request forgery (CSRF) attacks

US10454949B2 · kind B2 · utility

Cited by: 0
References: 5
Claims: 14
Family size: 0

Assignee

Inventors

Key dates

Filing date: Nov 20, 2015
Grant date: Oct 22, 2019
Priority date
Expiry date: Dec 16, 2035

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L63/1483
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

Cross-Site Request Forgery attacks are mitigated by a CSRF mechanism executing at a computing entity. The CSRF mechanism is operative to analyze information associated with an HTTP request for a resource. The HTTP request typically originates as an HTTP redirect from another computing entity, such as an enterprise Web portal. Depending on the nature of the information associated with the HTTP request, the HTTP request may be rejected because the CSRF mechanism determines that the request is or is likely associated with a CSRF attack. To facilitate this determination, the approach leverages a new type of “referer” attribute, a trustedReferer, which indicates that the request originates from a server that has previously established a trust relationship with the site at which the CSRF mechanism executes. The trustedReferer attribute typically is set by the redirecting entity, and in an HTTP request header field dedicated for that attribute.

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.