Integrated interactive application security testing

US 10,387,656 B2
Filed: 03/09/2017
Issued: 08/20/2019
Est. Priority Date: 03/21/2016
Status: Active Grant

First Claim

Patent Images

1. A method for testing a software application program, comprising:

recording a sequence of functional tests that are applied to the program;

automatically identifying and collapsing sessions within the recorded functional tests;

creating modified tests by replacing parameters in the collapsed sessions with malicious inputs; and

applying the modified tests to the program in order to detect security vulnerabilities in the program,wherein applying the modified tests comprises;

adding instrumentation to a version of the program; and

while running the program and applying the modified tests to the version of the program, calling a security handler when the instrumentation generates an event,wherein the security handler detects a suspected vulnerability in the program by analyzing the event and responses of the program to the modified tests.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for testing a software application program includes recording a sequence of functional tests that are applied to the program and automatically identifying and collapsing sessions within the recorded functional tests. Modified tests are created by replacing parameters in the collapsed sessions with malicious inputs. The modified tests are applied to the program in order to detect security vulnerabilities in the program.

Citations

24 Claims

1. A method for testing a software application program, comprising:
- recording a sequence of functional tests that are applied to the program;
  
  automatically identifying and collapsing sessions within the recorded functional tests;
  
  creating modified tests by replacing parameters in the collapsed sessions with malicious inputs; and
  
  applying the modified tests to the program in order to detect security vulnerabilities in the program,wherein applying the modified tests comprises;
  
  adding instrumentation to a version of the program; and
  
  while running the program and applying the modified tests to the version of the program, calling a security handler when the instrumentation generates an event,wherein the security handler detects a suspected vulnerability in the program by analyzing the event and responses of the program to the modified tests.
- View Dependent Claims (2, 3, 5, 6, 7)
- - 2. The method according to claim 1, wherein recording the sequence of the functional tests comprises capturing test traffic conveyed over a network between a test station and a server running the program.
  - 3. The method according to claim 2, wherein the software application program is a Web application, and wherein capturing the test traffic comprises intercepting Hypertext Transfer Protocol (HTTP) requests sent by the test station and responses returned by the server.
  - 5. The method according to claim 1, wherein collapsing the sessions comprises representing resource identifiers in each session by corresponding numbers, and eliminating repeating numbers and repeating sequences of the numbers in order to derive the collapsed sessions.
  - 6. The method according to claim 1, wherein each of the collapsed sessions comprises at least one request submitted from a client to a server running the program, and the at least one request comprises multiple parameters, andwherein applying the modified tests comprises applying a sequence of the modified tests, such that a different one of the multiple parameters is replaced with an attack payload in each of the modified tests in the sequence.
  - 7. The method according to claim 1, wherein each of the collapsed sessions comprises at least one request submitted from a client to a server running the program, and the at least one request comprises multiple parameters, andwherein applying the modified tests comprises replacing all of the multiple parameters with attack payloads in one of the modified tests.

4. A method for testing a software application program, comprising:
- recording a sequence of functional tests that are applied to the program, wherein recording the sequence of the functional tests comprises capturing test traffic conveyed over a network between a test station and a server running the program;
  
  automatically identifying and collapsing sessions within the recorded functional tests;
  
  creating modified tests by replacing parameters in the collapsed sessions with malicious inputs; and
  
  applying the modified tests to the program in order to detect security vulnerabilities in the program,wherein the software application program is a Web application, and wherein capturing the test traffic comprises intercepting Hypertext Transfer Protocol (HTTP) requests sent by the test station and responses returned by the server,wherein intercepting the HTTP requests and responses comprises identifying a correlation between a variable value of a request parameter in an HTTP request and a response parameter in an HTTP response previous to the HTTP request, andwherein applying the modified tests comprises generating test requests to the server while using the correlation to set the variable value of the request parameter in the test requests, based on the responses sent by the server during the modified tests.
- View Dependent Claims (8)
- - 8. The method according to claim 4, wherein applying the modified tests comprises:
    - adding instrumentation to a version of the program; and
      
      while running the program and applying the modified tests to the version of the program, calling a security handler when the instrumentation generates an event,wherein the security handler detects a suspected vulnerability in the program by analyzing the event and responses of the program to the modified tests.

9. Apparatus for testing a software application program, comprising:
- a memory, configured to store a recorded sequence of functional tests that are applied to the program; and
  
  a processor, which is configured to automatically identify and collapse sessions within the recorded functional tests, to create modified tests by replacing parameters in the collapsed sessions with malicious inputs, and to apply the modified tests to the program in order to detect security vulnerabilities in the program, andwherein the processor is configured to add instrumentation to a version of the program, wherein the instrumentation generates events in response to applying the modified tests while running the version of the program, and wherein the processor is configured to detect a suspected vulnerability in the program by analyzing the event and responses of the program to the modified tests.
- View Dependent Claims (10, 11, 13, 14, 15)
- - 10. The apparatus according to claim 9, and comprising a network interface configured to be coupled to a network, wherein the processor is configured to record the sequence of the functional tests by capturing, via the network interface, test traffic conveyed over the network between a test station and a server running the program.
  - 11. The apparatus according to claim 10, wherein the software application program is a Web application, and wherein the test traffic comprises Hypertext Transfer Protocol (HTTP) requests sent by the test station and responses returned by the server.
  - 13. The apparatus according to claim 9, wherein collapsing the sessions comprises representing resource identifiers in each session by corresponding numbers, and eliminating repeating numbers and repeating sequences of the numbers in order to derive the collapsed sessions.
  - 14. The apparatus according to claim 9, wherein each of the collapsed sessions comprises at least one request submitted from a client to a server running the program, and the at least one request comprises multiple parameters, and wherein the processor is configured to apply a sequence of the modified tests to the server running the program, such that a different one of the multiple parameters is replaced with an attack payload in each of the modified tests in the sequence.
  - 15. The apparatus according to claim 9, wherein each of the collapsed sessions comprises at least one request submitted from a client to a server running the program, and the at least one request comprises multiple parameters, and wherein the processor is configured to replace all of the multiple parameters with attack payloads in one of the modified tests.

12. Apparatus for testing a software application program, comprising:
- a memory, configured to store a recorded sequence of functional tests that are applied to the program;
  
  a processor, which is configured to automatically identify and collapse sessions within the recorded functional tests, to create modified tests by replacing parameters in the collapsed sessions with malicious inputs, and to apply the modified tests to the program in order to detect security vulnerabilities in the program; and
  
  a network interface configured to be coupled to a network, wherein the processor is configured to record the sequence of the functional tests by capturing, via the network interface, test traffic conveyed over the network between a test station and a server running the program,wherein the software application program is a Web application, and wherein the test traffic comprises Hypertext Transfer Protocol (HTTP) requests sent by the test station and responses returned by the server, andwherein the processor is configured to identify a correlation between a variable value of a request parameter in an HTTP request and a response parameter in an HTTP response previous to the HTTP request, and to use the correlation in setting the variable value of the request parameter in test requests submitted to the server, based on the responses sent by the server during the modified tests.
- View Dependent Claims (16)
- - 16. The apparatus according to claim 12, wherein the processor is configured to add instrumentation to a version of the program, wherein the instrumentation generates events in response to applying the modified tests while running the version of the program, and wherein the processor is configured to detect a suspected vulnerability in the program by analyzing the event and responses of the program to the modified tests.

17. A computer software product for testing a software application program, the product comprising a non-transitory computer-readable medium in which program instructions are stored, which instructions, when ready by a computer, cause the computer to record sequence of functional tests that are applied to the program, to automatically identify and collapse sessions within the recorded functional tests, to create modified tests by replacing parameters in the collapsed sessions with malicious input, and to apply the modified tests to the program in order to detect security vulnerabilities in the program,wherein the instructions cause the computer to add instrumentation to a version of the program, wherein the instrumentation generates events in response to applying the modified tests while running the version of the program, and wherein the instructions cause the computer to detect a suspected vulnerability in the program by analyzing the event and responses of the program to the modified tests.
- View Dependent Claims (18, 19, 21, 22, 23)
- - 18. The product according to claim 17, wherein the instructions cause the computer to record the sequence of the functional tests by capturing test traffic conveyed over a network between a test station and a server running the program.
  - 19. The product according to claim 18, wherein the software application program is a Web application, and wherein the test traffic comprises Hypertext Transfer Protocol (HTTP) requests sent by the test station and responses returned by the server.
  - 21. The product according to claim 17, wherein collapsing the sessions comprises representing resource identifiers in each session by corresponding numbers, and eliminating repeating numbers and repeating sequences of the numbers in order to derive the collapsed sessions.
  - 22. The product according to claim 17, wherein each of the collapsed sessions comprises at least one request submitted from a client to a server running the program, and the at least one request comprises multiple parameters, and wherein the instructions cause the computer to apply a sequence of the modified tests to the server running the program, such that a different one of the multiple parameters is replaced with an attack payload in each of the modified tests in the sequence.
  - 23. The product according to claim 17, wherein each of the collapsed sessions comprises at least one request submitted from a client to a server running the program, and the at least one request comprises multiple parameters, and wherein the instructions cause the computer to replace all of the multiple parameters with attack payloads in one of the modified tests.

20. A computer software product for testing a software application program, the product comprising a non-transitory computer-readable medium in which program instructions are stored, which instructions, when ready by a computer, cause the computer to record sequence of functional tests that are applied to the program, to automatically identify and collapse sessions within the recorded functional tests, to create modified tests by replacing parameters in the collapsed sessions with malicious input, and to apply the modified tests to the program in order to detect security vulnerabilities in the program,wherein the instructions cause the computer to record the sequence of the functional tests by capturing test traffic conveyed over a network between a test station and a server running the program,wherein the software application program is a Web application, and wherein the test traffic comprises Hypertext Transfer Protocol (HTTP) requests sent by the test station and responses returned by the server, andwherein the instructions cause the computer to identify a correlation between a variable value of a request parameter in an HTTP request and a response parameter in an HTTP response previous to the HTTP request, and to use the correlation in setting the variable value of the request parameter in test requests submitted to the server, based on the responses sent by the server during the modified tests.
- View Dependent Claims (24)
- - 24. The product according to claim 20, wherein the instructions cause the computer to add instrumentation to a version of the program, wherein the instrumentation generates events in response to applying the modified tests while running the version of the program, and wherein the instructions cause the computer to detect a suspected vulnerability in the program by analyzing the event and responses of the program to the modified tests.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Checkmarx Ltd.
Original Assignee
Checkmarx Ltd.
Inventors
Roichman, Alexander, Siman, Maty, Eshkenazi, Shimon
Primary Examiner(s)
Rahman, Shawnchoy

Application Number

US15/453,919
Publication Number

US 20170270303A1
Time in Patent Office

894 Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/3668   Software testing software t...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 67/02   based on web technology, e....

Integrated interactive application security testing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Integrated interactive application security testing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links