Independent claim |
1. A runtime validation apparatus for applying a validation policy to output of an application during runtime in order to prevent an attack, the runtime validation apparatus comprising:
at least one processor; and
a non-transitory computer-readable storage medium including instructions executable by the at least one processor, the instructions configured to implement:
a runtime interceptor configured to intercept a server request for a requested web resource of the application from a client device to a server, and a response to be transmitted from the server to the client device, the response including server response data generated by the server;
an output validation policy identifier configured to identify an output validation policy, from a database storing a plurality of output validation policies, based on the requested web resource, the identified output validation policy representing a template that encompasses allowed server responses for the requested web resource, the template including a document structure identifying at least one static portion, the template further identifying at least one dynamic portion, the at least one dynamic portion being assigned a data type;
a validation evaluator configured to apply the identified output validation policy to an output of the application executing on the server, including comparing the server response data with the template of the identified output validation policy to determine whether the server response data complies with the template, wherein comparing the server response data with the template includes:
first comparing a first portion of the server response data with the document structure, the first comparing including determining whether the at least one static portion of the template is equivalent to the first portion of the server response data; and
second comparing a second portion of the server response data with the at least one dynamic portion if the at least one static portion is determined to be equivalent to the first portion of the server response data, the second comparing including determining whether the second portion of the server response data has the data type of the at least one dynamic portion; and
a validation controller configured to permit the response to be transmitted to the client device if the server response data complies with the template, and to block the response if at least a portion of the server response data does not comply with the template. |
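The two-stage comparison the claim describes (static portions checked first, dynamic portions type-checked only if the structure matches) can be made concrete in a few dozen lines. The Python below is an added example written for this page, not code from the patent or its assignee. It assumes a `{{name:type}}` placeholder syntax for dynamic portions, three data-type names (`int`, `alnum`, `text`) with regular-expression definitions, a policy database keyed by the requested resource path, and a fail-closed decision when no policy exists for a resource; none of these details appear in the claim. The sample templates and responses are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Data types a dynamic portion may be assigned. The claim only says "a data
# type"; these three names and their patterns are assumptions for the example.
TYPE_PATTERNS: Dict[str, re.Pattern] = {
    "int": re.compile(r"-?[0-9]+"),
    "alnum": re.compile(r"[A-Za-z0-9_]+"),
    "text": re.compile(r"[A-Za-z0-9 .,'!?-]*"),  # plain words: no markup characters (< > & ")
}

# Placeholder syntax marking a dynamic portion inside a template: {{name:type}}.
# This syntax is an assumption; the claim does not define a template language.
PLACEHOLDER = re.compile(r"\{\{(\w+):(\w+)\}\}")


@dataclass
class Template:
    """An output validation policy: document structure plus typed dynamic portions."""
    static: List[str]               # static portions in order; len(dynamic) + 1 of them
    dynamic: List[Tuple[str, str]]  # (name, data type) of each dynamic portion
    structure: re.Pattern           # anchored pattern built from the static portions


def compile_template(text: str) -> Template:
    """Split a template into its static portions and its typed dynamic portions."""
    static, dynamic, pos = [], [], 0
    for m in PLACEHOLDER.finditer(text):
        static.append(text[pos:m.start()])
        name, dtype = m.group(1), m.group(2)
        if dtype not in TYPE_PATTERNS:
            raise ValueError(f"unknown data type {dtype!r} for dynamic portion {name!r}")
        dynamic.append((name, dtype))
        pos = m.end()
    static.append(text[pos:])
    # Static portions are matched literally and in order; each dynamic portion
    # becomes a capture group whose content is type-checked afterwards.
    pattern = "(.*?)".join(re.escape(s) for s in static)
    return Template(static, dynamic, re.compile(pattern, re.DOTALL))


@dataclass
class Decision:
    permit: bool
    reason: str
    values: Dict[str, str] = field(default_factory=dict)  # dynamic values accepted so far


def validate(template: Template, body: str) -> Decision:
    """Validation evaluator: the two-stage comparison described in the claim."""
    # First comparison: the static portions must appear exactly and in order,
    # with nothing else before, between or after them. Extra or altered markup
    # (an injected tag, a missing closing tag) fails here.
    m = template.structure.fullmatch(body)
    if m is None:
        return Decision(False, "static portion mismatch: document structure altered")
    # Second comparison, reached only when the structure matched: each dynamic
    # portion must consist solely of its assigned data type.
    values: Dict[str, str] = {}
    for (name, dtype), captured in zip(template.dynamic, m.groups()):
        if not TYPE_PATTERNS[dtype].fullmatch(captured):
            return Decision(False, f"dynamic portion {name!r} is not of type {dtype!r}", values)
        values[name] = captured
    return Decision(True, "response complies with template", values)


# Policy database keyed by requested web resource (constructed sample policies).
POLICY_DB: Dict[str, Template] = {
    "/profile": compile_template(
        "<html><body><h1>Hello {{user:alnum}}</h1><p>ID: {{id:int}}</p></body></html>"
    ),
    "/balance": compile_template('{"account": {{account:int}}, "cents": {{cents:int}}}'),
}


def intercept(resource: str, body: str) -> Decision:
    """Policy identifier plus validation controller for one intercepted response."""
    template = POLICY_DB.get(resource)
    if template is None:
        # The claim does not say what happens without a policy; failing closed
        # here is an assumption of this example.
        return Decision(False, f"no output validation policy for {resource!r}")
    return validate(template, body)


if __name__ == "__main__":
    # Constructed responses: compliant, structure tampered with, dynamic portion
    # of the wrong type, and a resource with no policy.
    cases = [
        ("/profile", "<html><body><h1>Hello alice</h1><p>ID: 42</p></body></html>"),
        ("/profile", "<html><body><h1>Hello alice</h1><p>ID: 42</p><script>x</script></body></html>"),
        ("/profile", "<html><body><h1>Hello <script>alert(1)</script></h1><p>ID: 42</p></body></html>"),
        ("/balance", '{"account": 1001, "cents": 250000}'),
        ("/balance", '{"account": 1001, "cents": 2500.00}'),
        ("/unknown", "anything"),
    ]
    for resource, body in cases:
        d = intercept(resource, body)
        print("PERMIT" if d.permit else "BLOCK ", resource, "-", d.reason)
```

Two points worth noting when applying this. Because the structure pattern uses non-greedy capture groups, a template whose static portion could also occur inside a dynamic value is resolved by the first partition the matcher finds, so the second-stage type check is only as reliable as the template is unambiguous; real templates should be written so that the text following each dynamic portion cannot appear within an allowed value. Second, the data-type definitions are the actual security boundary: a type such as `text` that admitted `<` or `&` would let markup pass the second comparison, so each type should be the narrowest alphabet the legitimate output needs.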