Automated security threat testing of web pages

US 7,975,296 B2
Filed: 02/06/2003
Issued: 07/05/2011
Est. Priority Date: 02/07/2002
Status: Active Grant

First Claim

Patent Images

1. A method of security testing a web application comprising:

identifying a web application to be tested;

generating one or more functional test scripts that are configured to access the web application and to simulate user interaction with the web application;

executing the one or more functional test scripts on the web application and storing responses from the web application;

identifying potential security vulnerabilities of the web application based at least in part on the stored responses, wherein said potential security vulnerabilities include session management vulnerability, and authentication/access control vulnerability;

generating at least one security test script based at least in part from the functional test scripts, where the security test script tests said potential vulnerabilities;

executing said security test script on said web application;

logging session identifiers obtained during the execution of the security test script and determining whether the session identifiers are secure;

analyzing results of said executing said security test script; and

using the results of said executing said security test script to modify and provide increased security of said web application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of security testing a web application is presented. The method identifies a web application to be tested, determines potential security vulnerabilities of the web application, generates one or more security tests for testing the potential vulnerabilities, and executes the security test on the web application. The results of the security testing are then used to make the web application less vulnerable to security attacks.

60 Citations

View as Search Results

20 Claims

1. A method of security testing a web application comprising:
- identifying a web application to be tested;
  
  generating one or more functional test scripts that are configured to access the web application and to simulate user interaction with the web application;
  
  executing the one or more functional test scripts on the web application and storing responses from the web application;
  
  identifying potential security vulnerabilities of the web application based at least in part on the stored responses, wherein said potential security vulnerabilities include session management vulnerability, and authentication/access control vulnerability;
  
  generating at least one security test script based at least in part from the functional test scripts, where the security test script tests said potential vulnerabilities;
  
  executing said security test script on said web application;
  
  logging session identifiers obtained during the execution of the security test script and determining whether the session identifiers are secure;
  
  analyzing results of said executing said security test script; and
  
  using the results of said executing said security test script to modify and provide increased security of said web application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein said identifying potential security vulnerabilities includes analyzing a path through the web application.
  - 3. The method of claim 1 wherein said web application comprises one or more web pages.
  - 4. The method of claim 1 wherein said potential security vulnerabilities further comprises cookie manipulation.
  - 5. The method of claim 1 wherein said potential security vulnerabilities further comprises default accounts/passwords.
  - 6. The method of claim 1 wherein said potential security vulnerabilities further comprises input validation vulnerability that includes determining buffer overflow.
  - 7. The method of claim 1 wherein said potential security vulnerabilities further comprises parameter tampering vulnerability that includes reordering parameters, deleting parameters and adding parameters.
  - 8. The method of claim 1 wherein said potential security vulnerabilities further comprises hidden parameter manipulation vulnerability that includes changing parameters manipulating parameters, and manipulating script parameters.
  - 9. The method of claim 1 wherein said potential security vulnerabilities further comprises script corruption.
  - 10. The method of claim 1 wherein said potential security vulnerabilities further comprises file/application enumeration vulnerability further which comprises directory indexing and backup files.

11. A non-transitory computer-readable medium storing computer executable instructions, comprising:
- instructions for identifying a web application to be tested;
  
  instructions for generating one or more functional test scripts that are configured to access the web application and to simulate user interaction with the web application;
  
  instructions for executing the one or more functional test scripts on the web application and storing responses from the web application;
  
  instructions for identifying potential security vulnerabilities of the web application based at least in part on the stored responses, wherein said potential security vulnerabilities include session management vulnerability, and authentication/access control vulnerabilityinstructions for generating at least one security test script based at least in part from the functional test scripts, where the security test script tests said potential vulnerabilities;
  
  instructions for executing said security test script on said web application;
  
  instructions for logging session identifiers obtained during the execution of the security test script and determining whether the session identifiers are secure;
  
  instructions for analyzing results of said executing said security test script; and
  
  instructions for using the results of said executing said security test script to provide increased security of said web application.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer-readable medium of claim 11 wherein said instructions for identifying potential security vulnerabilities includes instructions for analyzing a path through the web application.
  - 13. The non-transitory computer-readable medium of claim 11 wherein said web application comprises one or more web pages.
  - 14. The non-transitory computer-readable medium of claim 11 wherein said potential security vulnerabilities further comprises cookie manipulation.
  - 15. The non-transitory computer-readable medium of claim 11 wherein said potential security vulnerabilities further comprises default accounts/passwords.
  - 16. The non-transitory computer-readable medium of claim 11 wherein said potential security vulnerabilities includes input validation vulnerability which includes determining buffer overflow.
  - 17. The non-transitory computer-readable medium of claim 11 wherein said potential security vulnerabilities further comprises parameter tampering vulnerability that includes reordering parameters, deleting parameters and adding parameters.
  - 18. The non-transitory computer-readable medium of claim 11 wherein said potential security vulnerabilities further comprises hidden parameter manipulation vulnerability that includes changing parameters, manipulating parameters, and manipulating script parameters.
  - 19. The non-transitory computer-readable medium of claim 11 wherein said potential security vulnerabilities further comprises script corruption.
  - 20. The non-transitory computer-readable medium of claim 11 wherein said potential security vulnerabilities further comprises file/application enumeration vulnerability which comprises directory indexing and backup files.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Friedman, George, Mayberry, Thomas, Apfelbaum, Larry, Houh, Henry
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Powers; William S

Application Number

US10/360,572
Publication Number

US 20030159063A1
Time in Patent Office

3,071 Days
Field of Search

726/22, 726/25
US Class Current

726/22
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/14   for detecting or protecting...

H04L 67/02   based on web technology, e....

Automated security threat testing of web pages

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated security threat testing of web pages

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links