Methodology, system and computer readable medium for analyzing target web-based applications

US 20060069671A1
Filed: 09/29/2004
Published: 03/30/2006
Est. Priority Date: 09/29/2004
Status: Abandoned Application

First Claim

Patent Images

1. A computerized method for analyzing a target web-based application to identify design characteristics which render the target application susceptible to exploit, said computerized method comprising:

a. establishing a set of search items pertaining to sensitive data categories of interest;

b. launching a web browser application on a first network computer;

c. accessing the target application via said web browser application, whereby the target application is hosted by a second network computer;

d. navigating through hypertext links within the target application to obtain a listing of web pages associated with the target application, each web page being characterized by associated HTML traffic; and

e. sequentially, for each respective web page within said listing;

(i) downloading the respective web page from the second network computer;

(ii) parsing the respective web page'"'"'s HTML traffic to extract traffic data which matches any of said search items; and

(iii) storing said traffic data within a sensitive data storage location, thereby to identify a compilation of said design characteristics.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method, a computer-readable medium and a computerized test system are provided for analyzing target web-based applications, for example, to identify design characteristics of the application which render it susceptible to exploit. Hypertext links within the application are navigated to obtain a listing of associated web pages. Each web page may then be parsed to extract associated traffic data which matches any search items pertaining to sensitive data categories of interest. The extracted traffic data is stored within a storage location to identify a compilation of potentially exploitable design characteristics.

Citations

23 Claims

1. A computerized method for analyzing a target web-based application to identify design characteristics which render the target application susceptible to exploit, said computerized method comprising:
- a. establishing a set of search items pertaining to sensitive data categories of interest;
  
  b. launching a web browser application on a first network computer;
  
  c. accessing the target application via said web browser application, whereby the target application is hosted by a second network computer;
  
  d. navigating through hypertext links within the target application to obtain a listing of web pages associated with the target application, each web page being characterized by associated HTML traffic; and
  
  e. sequentially, for each respective web page within said listing;
  
  (i) downloading the respective web page from the second network computer;
  
  (ii) parsing the respective web page'"'"'s HTML traffic to extract traffic data which matches any of said search items; and
  
  (iii) storing said traffic data within a sensitive data storage location, thereby to identify a compilation of said design characteristics.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A computerized method according to claim 1 whereby the sensitive data categories of interest are selected from a group of data categories consisting of:
    - usernames, passwords, user IDs, social security numbers, credit card numbers, phone numbers, names and addresses.
  - 3. A computerized method according to claim 2 whereby said search items include a plurality of keywords each corresponding to a respective one of said sensitive data categories.
  - 4. A computerized method according to claim 1 whereby said search items include a plurality of keywords.
  - 5. A computerized method according to claim 4 whereby said HTML traffic includes an associated HTML header and associated HTML code, and whereby each associated HTML code is parsed to ascertain an existence of any of said keywords therein.
  - 6. A computerized method according to claim 5 comprising parsing each associated HTML header to extract cookie data corresponding to each cookie present therein.
  - 7. A computerized method according to claim 1 comprising parsing said HTML traffic to extract any session data therein that is used to maintain state.
  - 8. A computerized method according to claim 1 whereby said HTML traffic includes an associated HTML header and associated HTML code, and whereby parsing of the HTML traffic is accomplished by sequentially analyzing each line within both the HTML header and the HTML code to ascertain presence of any of the search items therein.
  - 9. A computerized method according to claim 1 comprising extracting image data corresponding to each image file that is present within said HTML traffic and storing said image data within an image data storage location.
  - 10. A computerized method according to claim 1 comprising extracting cookie data corresponding to each cookie that is present within said HTML traffic and storing said cookie data within a cookie data storage location.
  - 11. A computerized method according to claim 1 comprising automatically navigating to all hypertext links associated with the target application and storing URL data corresponding to each hypertext link within a URL storage location.
  - 12. A computerized method according to claim 1 comprising manually navigating through hypertext links within the target application.
  - 13. A computerized method according to claim 1 comprising storing navigation of the hypertext links as a navigation sequence whereby to create a mapping of the target application.

14. A computerized method for analyzing a target web-based application for potentially exploitable design characteristics, said computerized method comprising:
- a. examining HTML traffic that is respectively associated with each of a plurality of navigable web pages of the target application;
  
  b. extracting from said HTML traffic any matching traffic data which satisfies pre-established search criteria; and
  
  c. storing said matching traffic data within a common data storage location thereby to identify the potentially exploitable design characteristics.
- View Dependent Claims (15, 16)
- - 15. A computerized method according to claim 14 whereby satisfaction of the pre-established search criteria occurs if any of a plurality of keywords is present in the HTML traffic.
  - 16. A computerized method according to claim 15 whereby each of said keywords pertains to a sensitive data category that is selected from a group of data categories consisting of:
    - usernames, passwords, user IDs, social security numbers, credit card numbers, phone numbers, names and addresses.

17. A computerized method according to claim whereby said HTML traffic includes an associated HTML header and associated HTML code, and whereby examination of the HTML traffic is accomplished by sequentially analyzing each line within both the HTML header and the HTML code to assess satisfaction of the pre-established search criteria.

18. A computer-readable medium having executable instructions for performing a method comprising:
- a. launching a web browser application on a first network computer;
  
  b. accessing a target application hosted by a second network computer via said web browser application;
  
  c. navigating through hypertext links within the target application to obtain a listing of web pages associated with the target application, each web page being characterized by associated HTML traffic; and
  
  d. sequentially, for each respective web page within said listing;
  
  (i) downloading the respective web page from the second network computer;
  
  (ii) parsing the respective web page'"'"'s HTML traffic to extract traffic data which matches any of a plurality of pre-established search items; and
  
  (iii) storing said traffic data within a data storage location, thereby to identify a compilation of said design characteristics.
- View Dependent Claims (19, 20, 21, 22)
- - 19. A computer-readable medium according to claim 18 wherein said method comprises parsing said HTML traffic to extract cookie data corresponding to each cookie present therein.
  - 20. A computer-readable medium according to claim 18 wherein said method comprises parsing said HTML traffic to extract any session data therein that is used to maintain state.
  - 21. A computer-readable medium according to claim 18 wherein said HTML traffic includes an associated HTML header and associated HTML code, and whereby parsing of the HTML traffic is accomplished by sequentially analyzing each line within both the HTML header and the HTML code to ascertain presence of any of the search items therein.
  - 22. A computer-readable medium according to claim 18 wherein said method comprises automatically navigating to all hypertext links associated with the target application, and storing a navigation sequence whereby to create a mapping of the target application.

23. A computerized test system for analyzing a target web-based application, comprising:
- a. a storage device;
  
  b. a processor programmed to;
  
  i. launch a web browser application on a first network computer;
  
  ii. access a target application hosted by a second network via said web browser application;
  
  iii. navigate through hypertext links within the target application to obtain a listing of web pages associated with the target application, each web page being characterized by associated HTML traffic; and
  
  iv. sequentially, for each respective web page within said listing;
  
  (a) download the respective web page from the second network computer;
  
  (b) parse the respective web page'"'"'s HTML traffic to extract traffic data which matches any of a plurality of keyword search items; and
  
  (c) store said traffic data within a sensitive data storage location, thereby to identify a compilation of said design characteristics; and
  
  c. an output device for displaying said compilation of design characteristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sytex, Inc. (Leidos Holdings, Inc.)
Original Assignee
Sytex, Inc. (Leidos Holdings, Inc.)
Inventors
Cole, Eric B., Conley, James W.

Application Number

US10/955,009
Publication Number

US 20060069671A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/9566 URL specific, e.g. using al...

Methodology, system and computer readable medium for analyzing target web-based applications

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Methodology, system and computer readable medium for analyzing target web-based applications

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links