APPLICATION SECURITY TESTING

US 20140082739A1
Filed: 05/31/2011
Published: 03/20/2014
Est. Priority Date: 05/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a server hosting an application under test (AUT);

an observer configured to monitor instructions executed by the AUT; and

a computing device communicatively coupled to the AUT and the observer through a common communication channel, the computing device comprising a processor and a memory device for storing computer-readable instructions configured to direct the processor to;

send an application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT;

receive an application response from the AUT in accordance with the AUT'"'"'s programming;

send a service request to the observer; and

receive a service response from the observer that contains information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides a system that includes a server hosting an application under test (AUT), an observer configured to monitor instructions executed by the AUT, and a computing device communicatively coupled to the AUT and the observer through a common communication channel. The computing device may be configured to send an application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT. The computing device may receive an application response from the AUT in accordance with the AUT'"'"'s programming. The computing device may send a service request to the observer, and receive a service response from the observer that contains information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT.

Citations

15 Claims

1. A system, comprising:
- a server hosting an application under test (AUT);
  
  an observer configured to monitor instructions executed by the AUT; and
  
  a computing device communicatively coupled to the AUT and the observer through a common communication channel, the computing device comprising a processor and a memory device for storing computer-readable instructions configured to direct the processor to;
  
  send an application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT;
  
  receive an application response from the AUT in accordance with the AUT'"'"'s programming;
  
  send a service request to the observer; and
  
  receive a service response from the observer that contains information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the observer is configured to generate a trace identifying the instructions executed by the AUT as a result of the application request, and send the trace to the computing device in the body of the service response.
  - 3. The system of claim 1, wherein the observer is configured to communicate with the computing device, at least in part, by adding a custom header to the application response.
  - 4. The system of claim 1, the memory device comprising computer-readable instructions configured to direct the processor to receive trace information from the observer, the trace information comprising a plurality of vulnerability trace nodes, each vulnerability trace node containing code locations corresponding to a vulnerability detected by the observer.
  - 5. The system of claim 4, the memory device comprising computer-readable instructions configured to direct the processor to group the plurality of vulnerability trace nodes based on the vulnerability trace nodes containing the same code locations.
  - 6. The system of claim 1, wherein the observer is configured to monitor the AUT to identify new uniform resource locators (URLs) that are generated dynamically during runtime of the AUT, and return an update field in a header of the application response, the update field configured to inform the computing device that an attack surface of the AUT has changed.
  - 7. The system of claim 1, wherein the observer is configured to:
    - receive a request from the computing device and analyze a header of the request;
      
      identify the request as the application request or the service request based on the analysis of the header;
      
      pass the application request to the AUT; and
      
      process the service request without passing the service request to the AUT.

8. A method, comprising:
- sending an application request to an application under test (AUT), wherein the application request is configured to expose a potential vulnerability of the AUT;
  
  receiving an application response from the AUT in accordance with the AUT'"'"'s programming;
  
  sending a service request to an observer that monitors instructions executed by the AUT; and
  
  receiving a service response from the observer that contains information corresponding to instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT;
  
  wherein the application request, application response, service request, and service response are communicated over a same network channel.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, comprising receiving a file-not-found header in the application response, the file-not-found header added to the application response by the observer to indicate a file-not-found error generated by the AUT.
  - 10. The method of claim 8, wherein the service request is a trace service request, the method comprising receiving a stack trace in a body of the service response received from the observer.
  - 11. The method of claim 8, comprising receiving a vulnerability trace node in the body of the service response, wherein the vulnerability trace node identifies a vulnerability detected by the observer.
  - 12. The method of claim 8, wherein the service request is an attack surface service request, the method comprising receiving information about the attack surface of the AUT in a body of the service response, the attack surface comprising static URLs and dynamic URLs that are generated by the AUT during runtime.

13. A non-transitory, computer readable medium, comprising code configured to direct a processor to:
- send an application request to an application under test (AUT), wherein the application request is configured to expose a potential vulnerability of the AUT;
  
  receive an application response from the AUT in accordance with the AUT'"'"'s programming;
  
  send a service request to an observer that monitors instructions executed by the AUT; and
  
  receive a service response from the observer that contains information corresponding to instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT;
  
  wherein the application request, application response, service request, and service response are communicated over a same network channel.
- View Dependent Claims (14, 15)
- - 14. The non-transitory, computer readable medium of claim 13, comprising code configured to direct the processor to add a request ID to a header of the application request that uniquely identifies the application request, wherein the service response received from the observer includes the request ID.
  - 15. The non-transitory, computer readable medium of claim 13, wherein the service response includes a database trace node that includes information corresponding to a database query performed by the AUT as a result of the application request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Chess, Brian V., Ragoler, Iftach, Hamer, Philip Edward, Fay, Sean Patrick, Spitler, Russell Andrew, Jagdate, Prajakta Subbash

Granted Patent

US 9,215,247 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 11/0727   in a storage system, e.g. i...

G06F 11/0793   Remedial or corrective acti...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

APPLICATION SECURITY TESTING

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

APPLICATION SECURITY TESTING

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links