DETECTING PERSISTENT VULNERABILITIES IN WEB APPLICATIONS

US 20120311713A1
Filed: 03/15/2012
Published: 12/06/2012
Est. Priority Date: 05/31/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

storing a test payload to a persistent state of an application;

performing a static analysis to identify a first code location in the application that retrieves the test payload, to identify a first path from an entry point to the first code location, and to identify a second path from the first code location to a second code location that executes a security sensitive operation using the retrieved data; and

performing a dynamic analysis to retrieve the test payload via the first path, and to convey the test payload to the second code location via the second path.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, including storing a test payload to a persistent state of an application and performing a static analysis to identify a first code location in the application that retrieves the test payload, to identify a first path from an entry point to the first code location, and to identify a second path from the first code location to a second code location that executes a security sensitive operation using the retrieved data. A dynamic analysis is then performed to retrieve the test payload via the first path, and to convey the test payload to the second code location via the second path.

51 Citations

View as Search Results

7 Claims

1. A method, comprising:
- storing a test payload to a persistent state of an application;
  
  performing a static analysis to identify a first code location in the application that retrieves the test payload, to identify a first path from an entry point to the first code location, and to identify a second path from the first code location to a second code location that executes a security sensitive operation using the retrieved data; and
  
  performing a dynamic analysis to retrieve the test payload via the first path, and to convey the test payload to the second code location via the second path.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein storing the test payload comprises performing an initial dynamic analysis.
  - 3. The method according to claim 2, and comprising, prior to performing the initial dynamic analysis, executing an instrumentation application configured to monitor the persistent state of the application.
  - 4. The method according to claim 3, wherein the static analysis is initiated upon the instrumentation application detecting the stored test payload.
  - 5. The method according to claim 1, wherein the entry point comprises a Uniform Resource Locator (URL) of the application.
  - 6. The method according to claim 1, wherein the test payload comprises a malware application configured to perform a persistent cross-site scripting (XSS) attack.
  - 7. The method according to claim 6, wherein the dynamic analysis performs and verifies the persistent XSS attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Amit, Yair, Tripp, Omer

Granted Patent

US 8,949,994 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/563   by source code analysis

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

DETECTING PERSISTENT VULNERABILITIES IN WEB APPLICATIONS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

DETECTING PERSISTENT VULNERABILITIES IN WEB APPLICATIONS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links