Technique for determining web services vulnerabilities and compliance

US 7,849,448 B2
Filed: 05/23/2006
Issued: 12/07/2010
Est. Priority Date: 06/01/2005
Status: Active Grant

First Claim

Patent Images

1. A method for detecting vulnerabilities of an application, the method comprising:

identifying interfaces associated with the application from a Web Services Description Language (WSDL) description of the interfaces;

generating a mutant request based on the identified interfaces wherein the request contains one or more mutations driven by the WSDL description;

attacking the application by forwarding the mutant request to the application; and

detecting a vulnerability in the application as a result of the attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique for testing applications for vulnerabilities that may be as a result of loosely defined criteria and restrictions associated with interfacing to the applications. Interfaces associated with an application to be tested are identified. The interfaces may include the names of services provided by the application as well as parameters that are passed to the services. One or more mutant requests containing one or more mutations are then generated based on the identified interfaces. The application is then attacked by forwarding the mutant requests to the application. Vulnerabilities of the application that were exposed as a result of the attack are then detected.

48 Citations

View as Search Results

29 Claims

1. A method for detecting vulnerabilities of an application, the method comprising:
- identifying interfaces associated with the application from a Web Services Description Language (WSDL) description of the interfaces;
  
  generating a mutant request based on the identified interfaces wherein the request contains one or more mutations driven by the WSDL description;
  
  attacking the application by forwarding the mutant request to the application; and
  
  detecting a vulnerability in the application as a result of the attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method as defined in claim 1 further comprising:
    - loading a description of the interfaces; and
      
      determining interfaces associated with the application from the loaded description.
  - 3. A method as defined in claim 2 wherein the description of the interfaces is contained in a file.
  - 4. A method as defined in claim 1 wherein generating a mutant request includes, for each data structure defined by the WSDL, modifying the data type and value of each element of the data structure.
  - 5. A method as defined in claim 1 wherein a mutation contained in the request is generated from a schema definition mutator.
  - 6. A method as defined in claim 1 wherein a mutation contained in the request is generated from a profile mutator.
  - 7. A method as defined in claim 1 wherein a mutation contained in the request is generated from a custom mutator.
  - 8. A method as defined in claim 1 further comprising:
    - capturing a response from the application; and
      
      evaluating the results to determine a result of the attack.
  - 9. A method as defined in claim 8 further comprising:
    - analyzing the response; and
      
      assigning a severity level to the response.

10. A method for detecting vulnerabilities in an application, the method comprising:
- identifying interfaces associated with the application from one or more requests for services provided by the application;
  
  generating a Web Services Description Language (WSDL) description from the identified interfaces;
  
  generating a mutant request based on the identified interfaces wherein the request contains one or more mutations driven by the WSDL description;
  
  attacking the application by forwarding the mutant request to the application; and
  
  determining results of the attack.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. A method as defined in claim 10 further comprising:
    - loading a description of the interfaces; and
      
      determining interfaces associated with the application from the loaded description.
  - 12. A method as defined in claim 11 wherein the description of the interfaces is contained in a file.
  - 13. A method as defined in claim 10 wherein generating a mutant request includes, for each data structure defined by the WSDL, modifying the data type and value of each element of the data structure.
  - 14. A method as defined in claim 10 wherein a mutation contained in the request is generated from a schema definition mutator.
  - 15. A method as defined in claim 10 wherein a mutation contained in the request is generated from a profile mutator.
  - 16. A method as defined in claim 10 wherein a mutation contained in the request is generated from a custom mutator.
  - 17. A method as defined in claim 10 further comprising:
    - capturing a response from the application; and
      
      evaluating the results to determine a result of the attack.
  - 18. A method as defined in claim 17 further comprising:
    - analyzing the response; and
      
      assigning a severity level to the response.

19. An apparatus for detecting vulnerabilities in an application, the apparatus comprising:
- a memory; and
  
  a processor coupled to the memory, the processor configured to;
  
  (a) identify interfaces associated with the application from a Web Services Description Language (WSDL) description of the interfaces,(b) generate a mutant request based on the identified interfaces wherein the request contains one or more mutations driven by the WSDL description,(c) attack the application by forwarding the mutant request to the application, and(d) detect a vulnerability in the application as a result of the attack.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. An apparatus as defined in claim 19 wherein the processor is further configured to:
    - load a description of the interfaces, anddetermine interfaces associated with the application from the loaded description.
  - 21. An apparatus as defined in claim 20 wherein the description of the interfaces is contained in a file.
  - 22. An apparatus as defined in claim 19 wherein the processor is configured to generate the mutant request by, for each data structure defined by the WSDL, modifying the data type and value of each element of the data structure.
  - 23. An apparatus as defined in claim 19 wherein a mutation contained in the request is generated from a schema definition mutator.
  - 24. An apparatus as defined in claim 19 wherein a mutation contained in the request is generated from a profile mutator.
  - 25. An apparatus as defined in claim 19 wherein a mutation contained in the request is generated from a custom mutator.
  - 26. An apparatus as defined in claim 19 wherein the processor is further configured to:
    - capture a response from the application; and
      
      evaluate the results to determine a result of the attack.
  - 27. An apparatus as defined in claim 26 wherein the processor is further configured to:
    - analyze the response; and
      
      assign a severity level to the response.

28. An apparatus for detecting vulnerabilities in an application, the apparatus comprising:
- a memory; and
  
  a processor coupled to the memory, the processor configured to;
  
  (a) identify interfaces associated with the application from one or more requests for services provided by the application,(b) generate a Web Services Description Language (WSDL) description from the identified interfaces;
  
  (c) generate a mutant request based on the identified interfaces wherein the request contains one or more mutations driven by the WSDL description,(d) attack the application by forwarding the mutant request to the application, and(e) determine results of the attack.

29. A method for detecting vulnerabilities of an application, the method comprising:
- identifying interfaces associated with the application from a Web Services Description Language (WSDL) description of the interfaces;
  
  generating a mutant request based on the identified interfaces wherein the request contains one or more mutations driven by the WSDL description;
  
  attacking the application by forwarding the mutant request to the application;
  
  capturing a response from the application;
  
  analyzing the response; and
  
  assigning a severity level to the response.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crosscheck Networks
Original Assignee
Crosscheck Networks
Inventors
Yunus, Mamoon, Mallal, Rizwan
Primary Examiner(s)
Dam; Tuan Q
Assistant Examiner(s)
TECKLU, ISAAC TUKU

Application Number

US11/438,961
Publication Number

US 20060277606A1
Time in Patent Office

1,659 Days
Field of Search

None
US Class Current

717/126
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1433   Vulnerability analysis

Technique for determining web services vulnerabilities and compliance

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

Technique for determining web services vulnerabilities and compliance

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others