Preventing cross-site request forgery attacks on a server
US8495137B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Mar 4, 2012 |
| Grant date | Jul 23, 2013 |
| Priority date | — |
| Expiry date | Mar 4, 2032 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06F2221/2129
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
Preventing Cross-Site Request Forgery security attacks on a server in a client-server environment. In one aspect, this comprises embedding a nonce and a script in all responses from the server to the client wherein, when executed, the script adds the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each request from the client includes the nonce sent by the server to the client. The script preferably modifies all objects, including dynamically generated objects, in a server response that may generate future requests to the server to add the nonce to the requests. The server verifies the nonce value in a request and optionally confirms the request with the client if the value differs from the value previously sent. Server-side aspects might be embodied in the server or a proxy.
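The flow in the abstract (embed a nonce and a script in each response, then verify the nonce on each request) can be sketched as follows. This is an added example, not code from the patent: `NONCE_PARAM`, `NonceGuard`, the per-session store and the injected script are hypothetical, and limiting the rewrite to same-origin links and rejecting sessions that never received a nonce are assumptions of this sketch.

```python
import hmac
import secrets

# Hypothetical names throughout: NONCE_PARAM, NonceGuard and the injected
# script are constructed for this example, not taken from the patent.
NONCE_PARAM = "csrf_nonce"

# Script embedded in every response. It adds the nonce to same-origin links
# and to forms, and re-runs when nodes are added (dynamically generated objects).
SCRIPT_TEMPLATE = """<script>
(function (nonce) {
  function tag(root) {
    root.querySelectorAll("a[href]").forEach(function (a) {
      var u = new URL(a.href, location.href);
      if (u.origin === location.origin) { u.searchParams.set("%(p)s", nonce); a.href = u; }
    });
    root.querySelectorAll("form").forEach(function (f) {
      if (f.querySelector('input[name="%(p)s"]')) return;
      var i = document.createElement("input");
      i.type = "hidden"; i.name = "%(p)s"; i.value = nonce; f.appendChild(i);
    });
  }
  tag(document);
  new MutationObserver(function () { tag(document); })
    .observe(document.documentElement, {childList: true, subtree: true});
})("%(n)s");
</script>"""

class NonceGuard:
    def __init__(self):
        self._issued = {}  # session id -> nonce previously sent to that client

    def wrap_response(self, session_id, html):
        """Embed the session's nonce and the rewriting script in a response."""
        nonce = self._issued.setdefault(session_id, secrets.token_urlsafe(32))
        script = SCRIPT_TEMPLATE % {"p": NONCE_PARAM, "n": nonce}
        head, sep, tail = html.rpartition("</body>")
        return head + script + sep + tail if sep else html + script

    def check_request(self, session_id, params):
        """Return 'accept', 'confirm' (ask the client) or 'reject'."""
        expected = self._issued.get(session_id)
        if expected is None:
            return "reject"  # assumption: no nonce was ever sent to this session
        supplied = params.get(NONCE_PARAM, "")
        if hmac.compare_digest(expected.encode(), supplied.encode()):
            return "accept"
        return "confirm"  # nonce missing or different from the one sent
```

The same two methods could sit in a reverse proxy instead of the application, matching the abstract's note that the server-side aspects might be embodied in the server or a proxy.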
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.