-
Publication number: US10083024B2
Publication date: 2018-09-25
Application number: US14956129
Application date: 2015-12-01
Applicant: salesforce.com, inc.
Inventor: Amalkrishnan Chemmany Gopalakrishnan
CPC classification number: G06F8/65 , H04L63/1433 , H04L67/02 , H04L67/34
Abstract: The technology disclosed relates to thwarting attempts in between software releases to take advantage of security holes in web applications. A virtual patch is a data object comprising an identifier that indicates a relevant local context for the patch and may be created while the application is running. One or more conditions included in the patch are evaluated using data from a service request or from the local context. A patch directive specifies an action to perform when the one or more conditions are satisfied. A virtual patch may be applied to the running application without requiring replacing the application code. Responsive to a request for a web service, a web application may execute code in multiple distinct local contexts such as session management, authorization, and application-specific business logic. The code for each local context may independently retrieve a set of virtual patches relevant to its particular local context.
-
Publication number: US20170153882A1
Publication date: 2017-06-01
Application number: US14956129
Application date: 2015-12-01
Applicant: salesforce.com, inc.
Inventor: Amalkrishnan Chemmany Gopalakrishnan
CPC classification number: G06F8/65 , H04L63/1433 , H04L67/02 , H04L67/34
Abstract: The technology disclosed relates to thwarting attempts in between software releases to take advantage of security holes in web applications. A virtual patch is a data object comprising an identifier that indicates a relevant local context for the patch and may be created while the application is running. One or more conditions included in the patch are evaluated using data from a service request or from the local context. A patch directive specifies an action to perform when the one or more conditions are satisfied. A virtual patch may be applied to the running application without requiring replacing the application code. Responsive to a request for a web service, a web application may execute code in multiple distinct local contexts such as session management, authorization, and application-specific business logic. The code for each local context may independently retrieve a set of virtual patches relevant to its particular local context.
-
Publication number: US20170324742A1
Publication date: 2017-11-09
Application number: US15145484
Application date: 2016-05-03
Applicant: salesforce.com, inc.
Inventor: Amalkrishnan Chemmany Gopalakrishnan
IPC: H04L29/06
CPC classification number: H04L63/168 , H04L63/0428 , H04L63/102 , H04L63/1483
Abstract: A web application receives a request for a web site's login page. The web application sends, via a domain name, a response including the login page, a first token in a first field in the login page's header, and a second token in a second field in the login page's header, wherein the first field is modifiable only via a related domain name which is related to the domain name, and wherein the first token is a function of the second token. The web application receives a request to login to the site from a client, wherein the request to login includes a header that includes the first field and the second field. The web application establishes a session with the client if the first field in the header includes a token which is the function of a token in the second field in the header.
-
Publication number: US20170243014A1
Publication date: 2017-08-24
Application number: US15050636
Application date: 2016-02-23
Applicant: salesforce.com, inc.
Inventor: Amalkrishnan Chemmany Gopalakrishnan
CPC classification number: G06F21/606 , H04L63/0428 , H04L63/168 , H04L67/02 , H04L67/141 , H04L67/146
Abstract: A 1st domain makes a request to a 2nd domain using a URI including the name of the 2nd domain, a public path for the domains, and a cryptographically secure path generated by the 1st domain. The 2nd domain makes a request to the 1st domain using a URI including the name of the 1st domain, the pre-defined public path, and the cryptographically secure path. The 1st domain or the 2nd domain sets a cookie including a message (the cookie's path scope includes the pre-defined public path and the cryptographically secure path, the cookie's domain scope includes all sub-domains of the nearest common ancestor for the 1st and 2nd domains), and makes a request to the other domain using a URI including the name of the other domain, the pre-defined public path, and the cryptographically secure path, which causes a web browser to send the cookie to the other domain.
-
Publication number: US10187403B2
Publication date: 2019-01-22
Application number: US14957490
Application date: 2015-12-02
Applicant: salesforce.com, inc.
Inventor: Amalkrishnan Chemmany Gopalakrishnan , Angel Prado , Sun Hwan Kim , Omkar Ramesh Kulkarni , Harsimranjit Singh Chabbewal
IPC: H04L29/06
Abstract: A system detects a security attack through a network-based application. The system receives a runtime request for invocation of a function and dynamically determines if the request for invocation of the function is associated with a cross-site scripting attack. In response to determining that the function is associated with a cross-site scripting attack, the system stores information associated with the request, which is used for determining if the request is a legitimate request or a cross-site scripting attack.
-
Publication number: US10178125B2
Publication date: 2019-01-08
Application number: US15145484
Application date: 2016-05-03
Applicant: salesforce.com, inc.
Inventor: Amalkrishnan Chemmany Gopalakrishnan
Abstract: A web application receives a request for a web site's login page. The web application sends, via a domain name, a response including the login page, a first token in a first field in the login page's header, and a second token in a second field in the login page's header, wherein the first field is modifiable only via a related domain name which is related to the domain name, and wherein the first token is a function of the second token. The web application receives a request to login to the site from a client, wherein the request to login includes a header that includes the first field and the second field. The web application establishes a session with the client if the first field in the header includes a token which is the function of a token in the second field in the header.
-
Publication number: US09864867B2
Publication date: 2018-01-09
Application number: US15050636
Application date: 2016-02-23
Applicant: salesforce.com, inc.
Inventor: Amalkrishnan Chemmany Gopalakrishnan
CPC classification number: G06F21/606 , H04L63/0428 , H04L63/168 , H04L67/02 , H04L67/141 , H04L67/146
Abstract: A 1st domain makes a request to a 2nd domain using a URI including the name of the 2nd domain, a public path for the domains, and a cryptographically secure path generated by the 1st domain. The 2nd domain makes a request to the 1st domain using a URI including the name of the 1st domain, the pre-defined public path, and the cryptographically secure path. The 1st domain or the 2nd domain sets a cookie including a message (the cookie's path scope includes the pre-defined public path and the cryptographically secure path, the cookie's domain scope includes all sub-domains of the nearest common ancestor for the 1st and 2nd domains), and makes a request to the other domain using a URI including the name of the other domain, the pre-defined public path, and the cryptographically secure path, which causes a web browser to send the cookie to the other domain.
-
Publication number: US20170163663A1
Publication date: 2017-06-08
Application number: US14957490
Application date: 2015-12-02
Applicant: salesforce.com, inc.
Inventor: Amalkrishnan Chemmany Gopalakrishnan , Angel Prado , Sun Hwan Kim , Omkar Ramesh Kulkarni , Harsimranjit Singh Chabbewal
IPC: H04L29/06
CPC classification number: H04L63/1416 , H04L63/1483 , H04L67/02
Abstract: A system detects a security attack through a network-based application. The system receives a runtime request for invocation of a function and dynamically determines if the request for invocation of the function is associated with a cross-site scripting attack. In response to determining that the function is associated with a cross-site scripting attack, the system stores information associated with the request, which is used for determining if the request is a legitimate request or a cross-site scripting attack.