APPLICATION SECURITY TESTING

US 20130160130A1
Filed: 12/20/2011
Published: 06/20/2013
Est. Priority Date: 12/20/2011
Status: Abandoned Application

First Claim

Patent Images

1. A processor-readable medium storing code representing instructions that when executed at a processor cause the processor to:

identify an interface mapping of an application hosted at an application server;

generate an interface description of the application based on the interface mapping; and

provide the interface description to a scanner.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one implementation, an attack surface identification system defines an interface description of an application during execution of the application. The interface description is then provided to a scanner.

286 Citations

20 Claims

1. A processor-readable medium storing code representing instructions that when executed at a processor cause the processor to:
- identify an interface mapping of an application hosted at an application server;
  
  generate an interface description of the application based on the interface mapping; and
  
  provide the interface description to a scanner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The processor-readable medium of claim 1, wherein the interface mapping is a RESTful interface mapping identified based on reflection at the application.
  - 3. The processor-readable medium of claim 1, wherein the interface mapping is a RESTful interface mapping identified based on metadata associated with the application.
  - 4. The processor-readable medium of claim 1, wherein the interface mapping is a RESTful interface mapping identified during runtime of the application.
  - 5. The processor-readable medium of claim 1, wherein the interface description is provided to the scanner via a communications channel between the application and the scanner.
  - 6. The processor-readable medium of claim 1, wherein the application is in a bytecode representation.
  - 7. The processor-readable medium of claim 1, wherein the interface mapping is a Java API for RESTful Web Services annotation.
  - 8. The processor-readable medium of claim 1, further comprising code representing instructions that when executed at a processor cause the processorreceive a request for the interface description within a Hypertext Transfer Protocol request header provided to the application by the scanner.
  - 9. The processor-readable medium of claim 1, further comprising code representing instructions that when executed at a processor cause the processor to:
    - recognize a framework of the application, identifying the interface mapping of the application based on the framework of the application.
  - 10. The processor-readable medium of claim 1, further comprising code representing instructions that when executed at a processor cause the processor to:
    - identify at runtime of the application a context path of the application and a plurality of resources of the application, each resource from the plurality of resources having a filesystem path; and
      
      define a plurality of uniform resource identifiers, each uniform resource identifier based on the context path of the application and the filesystem path of a resource from the plurality of resources.

11. A processor-readable medium storing code representing instructions that when executed at a processor cause the processor to:
- determine a context path of the application;
  
  identify a plurality of resources of the application, each resource from the plurality of resources having a filesystem path;
  
  define an interface description for the application including a plurality of uniform resource identifiers, each uniform resource identifier based on the context path and the filesystem path of a resource from the plurality of resources; and
  
  provide the interface description to a scanner via a communications channel between the scanner and the application.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The processor-readable medium of claim 11, further comprising code representing instructions that when executed at a processor cause the processor to:
    - intercept execution of an application, the context path of the application is determined in response to intercepting execution of the application.
  - 13. The processor-readable medium of claim 11, further comprising code representing instructions that when executed at a processor cause the processor to:
    - receive a request for the interface description within a Hypertext Transfer Protocol request header provided to the application by a scanner in communication with the application,the interlace description is provided to the scanner in response to the request.
  - 14. The processor-readable medium of claim 11, wherein:
    - the context path of the application is determined at runtime; and
      
      the plurality of resources of the application are identified by traversing a filesystem path of the application at runtime of the application.
  - 15. The processor-readable medium of claim 11, further comprising code representing instructions that when executed at a processor cause the processor to:
    - identify RESTful interface mappings of the application,the interface description for the application is based on the RESTful interface mappings.

16. An attack surface identification system, comprising:
- a recognition module to identify a first framework of a first application hosted at an application server and a second framework of a second application hosted at the application server, the second framework different from the first framework;
  
  a first identification module to identify RESTful interfaces at the first application;
  
  a second identification module to identify RESTful interfaces at the second application; and
  
  a description module to define a first interface description for the first application and a second interface description for the second interface description.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, further comprising:
    - a delivery module to provide the first interface description to a first scanner in communication with the first application and the second interface description to a second scanner in communication with the second application.
  - 18. The system of claim 16, wherein:
    - the first identification module identifies the RESTful interfaces at the first application based on RESTful interface mappings of the first application; and
      
      the second identification module identifies the RESTful interfaces at the second application based on RESTful interface mappings of the second application.
  - 19. The system of claim 16, wherein:
    - the first identification module identifies the RESTful interfaces at the first application during execution of the first application and based on RESTful interface mappings of the first application; and
      
      the second identification module identifies the RESTful interfaces at the second application during execution of the first application and based on RESTful interface mappings of the second application.
  - 20. The system of claim 16, further comprising:
    - a path module to determine a context path of the first application and a plurality of resources of the first application, each resource from the plurality of resources having a filesystem path,the description module operable to define a plurality of uniform resource identifiers for the first application, each uniform resource identifier based on the context path and the filesystem path of a resource from the plurality of resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Micro Focus LLC (Open Text Corporation)
Inventors
Chess, Brian V., Mendelev, Kirill, Ragoler, Iftach, Firestone, Spencer James, Kfir, Yaron

Application Number

US13/331,777
Publication Number

US 20130160130A1
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/56 Computer malware detection ...

APPLICATION SECURITY TESTING

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

286 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

APPLICATION SECURITY TESTING

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

286 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links