System for detecting vulnerabilities in web applications using client-side application interfaces

US 8,281,401 B2
Filed: 01/24/2006
Issued: 10/02/2012
Est. Priority Date: 01/25/2005
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing security vulnerabilities in web-based applications, the method comprising:

executing one or more client-side applications in a monitored environment at a client, wherein at least one of the client-side applications is written such that not all entry points to the web-based applications being analyzed for security vulnerabilities are determinable from a scan of application code of the at least one client side application provided to the client, wherein the monitored environment isolates at least a part of the at least one of the client-side applications from the web-based applications;

extracting path parameters and data parameters, using tools of the monitored environment, from the one or more client-side applications wherein the path parameters and data parameters refer to web servers servicing the one or more client-side applications;

modifying the path parameters or data parameters with user-defined data to generate test data;

transmitting the test data to the web servers; and

determining if any responses received in response to the test data are indicative of security vulnerabilities in the web-based applications being analyzed for security vulnerabilities.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An improved method and apparatus for client-side web application analysis is provided. Client-side web application analysis involves determining and testing, using client-side application interfaces and the like, data input points and analyzing client requests and server responses. A security vulnerability analyzer can analyze web page content for client-side application files, such as Flash files and Java applets, extract web addresses and data parameters embedded in the client-side application file, and modify the data parameters according to user-defined test criteria. The modified data parameters are transmitted as part of a request to a respective web server used to service the client-side application files. The security vulnerability analyzer analyzes the response from the server to ascertain if there are any security vulnerabilities associated with the interface between the client-side application file and the web server.

Citations

24 Claims

1. A method for analyzing security vulnerabilities in web-based applications, the method comprising:
- executing one or more client-side applications in a monitored environment at a client, wherein at least one of the client-side applications is written such that not all entry points to the web-based applications being analyzed for security vulnerabilities are determinable from a scan of application code of the at least one client side application provided to the client, wherein the monitored environment isolates at least a part of the at least one of the client-side applications from the web-based applications;
  
  extracting path parameters and data parameters, using tools of the monitored environment, from the one or more client-side applications wherein the path parameters and data parameters refer to web servers servicing the one or more client-side applications;
  
  modifying the path parameters or data parameters with user-defined data to generate test data;
  
  transmitting the test data to the web servers; and
  
  determining if any responses received in response to the test data are indicative of security vulnerabilities in the web-based applications being analyzed for security vulnerabilities.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising parsing web page content to determine locations to client-side applications.
  - 3. The method of claim 1, wherein extracting comprises searching for one or more web application URLs contained within a compiled client-side software application or file associated with the client-side software application.
  - 4. The method of claim 1, wherein transmitting the test data comprises generating HTTP requests for transmission to at least some of the web servers.
  - 5. The method of claim 1, wherein extracting the web addresses comprises simulating the execution process of a client-side application and capturing remote connection attempts to one or more of the web servers.
  - 6. The method of claim 1, wherein determining comprises transmitting an HTTP request derived from at least some of the path parameters and receiving responses from the servers in response to the HTTP request.
  - 7. The method of claim 1, wherein determining comprises searching a database of web server messages and associated security vulnerabilities.

8. A method of detecting security vulnerabilities in web-based applications, the method comprising:
- executing one or more client-side applications in a monitored environment at a client, wherein at least one of the client-side applications is written such that not all entry points to the web-based applications being analyzed for security vulnerabilities are determinable from a scan of application code of the at least one client side application provided to the client, wherein the monitored environment isolates at least a part of the at least one of the client-side applications from the web-based applications;
  
  extracting data from the one or more client-side applications, using tools of the monitored environment, to locate data entry points to web servers used to service the one or more client-side applications; and
  
  applying user-defined test criteria to the data entry points, wherein the user-defined testing data is configured to cause a web server to respond with one or more predetermined responses configured to expose security vulnerabilities in client-server interfaces associated with the data entry points.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method of claim 8, further comprising parsing webpage content to locate the data entry points.
  - 10. The method of claim 8, wherein extracting data comprises parsing a client-side application file to extract the data.
  - 11. The method of claim 8, wherein extracting data comprises operating the client-side application and monitoring the communication between the client-side application and a web server used to service the client-side application.
  - 12. The method of claim 8, wherein extracting data comprises monitoring changes in data parameter byte positions with respect to a plurality of URLs.

13. A computer-implemented security analyzer for detecting security vulnerabilities in client-server interfaces, the security analyzer comprising:
- a program code monitor that is at least partially implemented in the form of control logic in hardware and is configured to initiate execution of one or more client-side applications and monitor its execution in a monitored environment, wherein at least one of the client-side applications is written such that not all entry points to the client-server interfaces being analyzed for security vulnerabilities are determinable from a scan of application code of the at least one client-side application provided to the client, wherein the monitored environment isolates at least a part of the at least one of the client-side applications from the client-side interfaces;
  
  a security analyzer engine that is at least partially implemented in the form of control logic in hardware and is configured to extract client-server interface data from the monitoring of execution of the one or more client-side applications, and to generate user-defined testing data from the client-server interface data, wherein the user-defined testing data is configured to cause a web server to respond with one or more predetermined responses that are used to expose security vulnerabilities in client-server interfaces associated with the one or more client-side applications.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 14. The security analyzer of claim 13, wherein the security analyzer engine is configured to extract the location of the client-side application from webpage content.
  - 15. The security analyzer of claim 13, wherein the security analyzer engine analyzes the one or more client-side applications to determine one or more addresses of web-servers used to service the one or more client-side applications.
  - 16. The security analyzer of claim 13, wherein the security analyzer engine is configured to parse the one or more client-side applications for path parameters or data parameters.
  - 17. The security analyzer of claim 16, wherein the path parameters comprise URLs.
  - 18. The security analyzer of claim 13, wherein the security analyzer engine is configured to monitor changes in data parameter byte positions with respect to a plurality of URLs.
  - 19. The security analyzer of claim 13, wherein the security analyzer engine is configured to monitor client-server communication of at least one client-side application.
  - 20. The security analyzer of claim 13, wherein the user-defined testing data comprises user-defined transformation criteria specifically named or selected by a user.
  - 21. The security analyzer of claim 13, wherein the security analyzer engine replaces extracted path parameters or data parameters with user-defined testing criteria configured to invoke a response from a web server indicative of one or more security vulnerabilities.
  - 22. The security analyzer of claim 21, wherein the user-defined testing criteria comprises a string of alphanumeric characters, or an algorithm, or symbol.
  - 23. The security analyzer of claim 21, wherein the user-defined testing criteria comprises transformation criteria that produces unexpected results recognized by the user as one or more potential security vulnerabilities.
  - 24. The security analyzer of claim 13, wherein the interface data comprises forms, or fixed fields, or hidden fields, or menu options.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Black Duck Software, Inc. (Synopsys Incorporated)
Original Assignee
Whitehat Security Incorporated (Synopsys Incorporated)
Inventors
Pennington, Bill, Grossman, Jeremiah, Stone, Robert, Pazirandeh, Siamak
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
SHOLEMAN, ABU S

Application Number

US11/339,373
Publication Number

US 20060195588A1
Time in Patent Office

2,443 Days
Field of Search

726/22, 726/24, 726/25, 726/26, 709/227, 709/229, 713/168, 713/189, 713/194
US Class Current

726/25
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/1433   Vulnerability analysis

System for detecting vulnerabilities in web applications using client-side application interfaces

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System for detecting vulnerabilities in web applications using client-side application interfaces

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links