System for determining web application vulnerabilities
Abstract
A method for detecting security vulnerabilities in a web application includes analyzing the client requests and server responses resulting therefrom in order to discover pre-defined elements of the application's interface with external clients and the attributes of these elements. The client requests are then mutated based on a pre-defined set of mutation rules to thereby generate exploits unique to the application. The web application is attacked using the exploits and the results of the attack are evaluated for anomalous application activity.
72 Claims
1. A method for detecting security vulnerabilities in a web application executing on a web server or web application server, the method comprising:
actuating the application in order to discover pre-defined elements of the application's interface with external clients;
generating client requests having unauthorized values for said elements in order to generate exploits unique to the application;
attacking the application using the exploits; and
evaluating the results of the attack.
sending an authorized client request in order to receive a server response;
parsing the response in order to discover links encapsulated therein; and
actuating discovered links in accordance with authorized client functionality in order to generate additional authorized client requests.
5. The method according to claim 4, including comparing discovered links to a filter and not generating authorized client requests for links matching the filter.
6. The method according to claim 4, including logging the client requests.
7. The method according to claim 4, wherein said application interface elements are discovered by parsing at least one of the authorized client requests and server responses resulting therefrom.
8. The method according to claim 7, including analyzing the server responses in order to extract attributes of said application interface elements.
9. The method according to claim 8, wherein the discovery of said application interface elements is based on a pre-defined set of detection rules.
10. The method according to claim 9, wherein the generation of the unauthorized client requests is based on a pre-defined set of mutation rules.
11. The method according to claim 10, wherein the evaluation of the attack results is based on recognition of a keyword in the results of the attack indicating an error in the application activity.
12. The method according to claim 11, including assigning each mutation rule a probability of success and scoring the results of said attack based on the probability of the corresponding mutation rule.
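The pipeline of claims 1 through 12 (discover interface elements by detection rules, mutate them by mutation rules, evaluate responses by error keyword, score by each rule's probability), as an added offline illustration that is not the patent's code. The HTML, the link filter, the mutation rules, the keyword list and the probabilities are all constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed server response: two links and one form with two parameters.
SAMPLE_HTML = """<html><body>
<a href="/account">Account</a> <a href="/logout">Log out</a>
<form action="/search" method="get">
 <input type="text" name="q" maxlength="20">
 <input type="hidden" name="page" value="1">
</form></body></html>"""

LINK_FILTER = re.compile(r"/logout")            # claim 5: links not to actuate
ERROR_KEYWORDS = ("exception", "stack trace", "syntax error")  # claim 11
# Mutation rules (claim 10), each with an assumed probability of success (claim 12).
MUTATION_RULES = {
    "empty": (lambda v: "", 0.2),
    "overlong": (lambda v: "A" * 512, 0.5),
    "negative_number": (lambda v: "-1", 0.4),
}

class Discoverer(HTMLParser):
    """Detection rules (claims 7-9): collect links and form input attributes."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href") and not LINK_FILTER.search(a["href"]):
            self.links.append(a["href"])
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms and a.get("name"):
            self.forms[-1]["inputs"].append(a)   # keeps name, type, maxlength, value

def discover(html):
    p = Discoverer(); p.feed(html)
    return p.links, p.forms

def mutate(form):
    """Claim 10: one unauthorized request per (input, rule) pair."""
    base = {i["name"]: i.get("value") or "" for i in form["inputs"]}
    out = []
    for i in form["inputs"]:
        for rule, (fn, _) in MUTATION_RULES.items():
            params = dict(base); params[i["name"]] = fn(params[i["name"]])
            out.append({"action": form["action"], "rule": rule, "params": params})
    return out

def evaluate(request, response_body):
    """Claims 11-12: a keyword hit is a finding scored by the rule's probability."""
    body = response_body.lower()
    hit = any(k in body for k in ERROR_KEYWORDS)
    return MUTATION_RULES[request["rule"]][1] if hit else 0.0
```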
13. A method for detecting security vulnerabilities in a hypertext-based web application installed on a web server or web application server, the method comprising:
traversing the application in order to discover and actuate links therein;
analyzing messages that flow or would flow between an authorized client and the web server in order to discover elements of the application's interface with external clients and attributes of said elements;
generating unauthorized client requests in which said elements are mutated;
sending the mutated client requests to the server; and
receiving server responses to the unauthorized client requests and evaluating the results thereof.
sending an authorized client request in order to receive a server response;
parsing the response in order to discover links encapsulated therein; and
actuating discovered links in accordance with authorized client functionality in order to receive authorized server responses from which additional authorized client requests can be generated.
18. The method according to claim 17, including comparing discovered links to a filter and not generating authorized client requests for links matching the filter.
19. The method according to claim 17, wherein, in the event the authorized client request requires user-interactive parameters, supplying pre-configured values therefor.
20. The method according to claim 17, wherein, in the event the authorized client request requires user-interactive selection of an option within a set of options, enumerating over all the options in order to generate a separate client request in respect of each option.
21. The method according to claim 17, including logging the authorized client requests.
22. The method according to claim 21, including logging the authorized server responses.
23. The method according to claim 17, wherein said application interface elements are discovered by parsing at least one of the authorized client requests and server responses resulting therefrom.
24. The method according to claim 23, including analyzing the server responses in order to extract attributes of said application interface elements.
25. The method according to claim 24, wherein the discovery of said application interface elements is based on a pre-defined set of detection rules.
26. The method according to claim 25, wherein the generation of the mutated client requests is based on a pre-defined set of mutation rules.
27. The method according to claim 26, wherein the evaluation of the server response in reply to the mutated requests is based on recognition of a keyword in the results of the attack indicating an error in the application activity.
28. The method according to claim 27, including assigning each mutation rule a probability of success and scoring the results of the server response based on the probability of the corresponding mutation rule.
29. The method according to claim 13, including parsing the messages sent by the server for any suspicious code based on the recognition of pre-defined keywords and reporting the suspicious code.
30. A scanner system, provided on a computer, for detecting security vulnerabilities in a HTML-based web application installed on a web server or web application server, the scanner system comprising:
a crawling engine for traversing the application in order to discover and actuate links therein;
an analysis engine for analyzing messages that flow or would flow between an authorized client and the web server in order to discover elements of the application's interface with external clients and attributes of said elements and for generating unauthorized client requests in which said elements are mutated; and
an attack engine for sending the mutated client requests to the server;
receiving server responses to the unauthorized client requests and evaluating the results thereof.
sends an authorized client request in order to receive a server response;
invokes the parsing engine to parse the response in order to discover links encapsulated therein; and
actuates discovered links in accordance with authorized client functionality in order to receive authorized server responses from which additional authorized client requests can be generated.
32. The scanner system according to claim 31, wherein the crawling engine compares discovered links to a filter and does not generate authorized client requests for filtered links.
33. The scanner system according to claim 31, wherein, in the event the authorized client request requires user-interactive parameters, the crawling engine supplies pre-configured values therefor.
34. The scanner system according to claim 31, wherein, in the event the authorized client request requires user-interactive selection of an option within a set of options, the crawling engine enumerates over all the options in order to generate a separate client request in respect of each option.
35. The scanner system according to claim 31, wherein the crawling engine logs authorized client requests and authorized server responses.
36. The scanner system according to claim 30, wherein the discovery of said application interface elements is based on a pre-defined set of detection rules.
37. The scanner system according to claim 36, wherein the generation of the mutated client requests is based on a pre-defined set of mutation rules.
38. The scanner system according to claim 30, wherein the evaluation of the server response in reply to the mutated requests is based on recognition of a keyword in the results of the attack indicating an error in the application activity.
39. The scanner system according to claim 38, wherein each mutation rule is assigned a probability of success and the attack engine scores the results of the server response based on the probability of the corresponding mutation rule.
40. The scanner system according to claim 30, wherein the attack engine parses the messages sent by the server for any suspicious code based on the recognition of pre-defined keywords and reports the suspicious code.
41. A crawling engine, provided on a computer, for automatically traversing a hypertext-based web site, comprising:
means for sending a client request in order to receive a server response;
means for parsing the response in order to discover links encapsulated therein;
means for actuating one or more discovered links in accordance with authorized client functionality in order to receive one or more server responses from which one or more additional client requests are generated; and
means for automatically supplying values to user-interactive parameters in the additional client requests, if required.
44. A computer program product comprising a computer readable medium having computer readable code embodied therein, the computer readable code, when executed, causing a computer to implement a method for detecting security vulnerabilities in a web application executing on a web server or web application server, the method comprising:
actuating the application in order to discover pre-defined elements of the application's interface with external clients;
generating client requests having unauthorized values for said elements in order to generate exploits unique to the application;
attacking the application using the exploits; and
evaluating the results of the attack.
sending an authorized client request in order to receive a server response;
parsing the response in order to discover links encapsulated therein; and
actuating discovered links in accordance with authorized client functionality in order to generate additional authorized client requests.
48. The computer program product according to claim 47, wherein the implemented method includes comparing discovered links to a filter and not generating authorized client requests for links matching the filter.
49. The computer program product according to claim 47, wherein the implemented method includes logging the client requests.
50. The computer program product according to claim 47, wherein, in the implemented method, said application interface elements are discovered by parsing at least one of the authorized client requests and server responses resulting therefrom.
51. The computer program product according to claim 50, wherein the implemented method includes analyzing the server responses in order to extract attributes of said application interface elements.
52. The computer program product according to claim 51, wherein, in the implemented method, the discovery of said application interface elements is based on a pre-defined set of detection rules.
53. The computer program product according to claim 52, wherein, in the implemented method, the generation of the unauthorized client requests is based on a pre-defined set of mutation rules.
54. The computer program product according to claim 53, wherein, in the implemented method, the evaluation of the attack results is based on recognition of a keyword in the results of the attack indicating an error in the application activity.
55. The computer program product according to claim 54, wherein the implemented method includes assigning each mutation rule a probability of success and scoring the results of said attack based on the probability of the corresponding mutation rule.
56. A computer program product comprising a computer readable medium having computer readable code embodied therein, the computer readable code, when executed, causing a computer to implement a method for detecting security vulnerabilities in a hypertext-based web application installed on a web server or web application server, the method comprising:
traversing the application in order to discover and actuate links therein;
analyzing messages that flow or would flow between an authorized client and the web server in order to discover elements of the application's interface with external clients and attributes of said elements;
generating unauthorized client requests in which said elements are mutated;
sending the mutated client requests to the server; and
receiving server responses to the unauthorized client requests and evaluating the results thereof.
sending an authorized client request in order to receive a server response;
parsing the response in order to discover links encapsulated therein; and
actuating discovered links in accordance with authorized client functionality in order to receive authorized server responses from which additional authorized client requests can be generated.
61. The computer program product according to claim 60, wherein the implemented method includes comparing discovered links to a filter and not generating authorized client requests for links matching the filter.
62. The computer program product according to claim 60, wherein, in the implemented method, in the event the authorized client request requires user-interactive parameters, supplying pre-configured values therefor.
63. The computer program product according to claim 60, wherein, in the implemented method, in the event the authorized client request requires user-interactive selection of an option within a set of options, enumerating over all the options in order to generate a separate client request in respect of each option.
64. The computer program product according to claim 60, wherein the implemented method includes logging the authorized client requests.
65. The computer program product according to claim 64, wherein the implemented method includes logging the authorized server responses.
66. The computer program product according to claim 60, wherein, in the implemented method, said application interface elements are discovered by parsing at least one of the authorized client requests and server responses resulting therefrom.
67. The computer program product according to claim 66, wherein the implemented method includes analyzing the server responses in order to extract attributes of said application interface elements.
68. The computer program product according to claim 67, wherein, in the implemented method, the discovery of said application interface elements is based on a pre-defined set of detection rules.
69. The computer program product according to claim 68, wherein, in the implemented method, the generation of the mutated client requests is based on a pre-defined set of mutation rules.
70. The computer program product according to claim 69, wherein, in the implemented method, the evaluation of the server response in reply to the mutated requests is based on recognition of a keyword in the results of the attack indicating an error in the application activity.
71. The computer program product according to claim 70, wherein the implemented method includes assigning each mutation rule a probability of success and scoring the results of the server response based on the probability of the corresponding mutation rule.
72. The computer program product according to claim 56, wherein the implemented method includes parsing the messages sent by the server for any suspicious code based on the recognition of pre-defined keywords and reporting the suspicious code.
Specification