System for detecting vulnerabilities in web applications using client-side application interfaces
First Claim
1. A method for analyzing security vulnerabilities in web-based applications, the method comprising:
executing one or more client-side applications in a monitored environment at a client, wherein at least one of the client-side applications is written such that not all entry points to the web-based applications being analyzed for security vulnerabilities are determinable from a scan of application code of the at least one client side application provided to the client, wherein the monitored environment isolates at least a part of the at least one of the client-side applications from the web-based applications;
extracting path parameters and data parameters, using tools of the monitored environment, from the one or more client-side applications wherein the path parameters and data parameters refer to web servers servicing the one or more client-side applications;
modifying the path parameters or data parameters with user-defined data to generate test data;
transmitting the test data to the web servers; and
determining if any responses received in response to the test data are indicative of security vulnerabilities in the web-based applications being analyzed for security vulnerabilities.
Abstract
An improved method and apparatus for client-side web application analysis is provided. Client-side web application analysis involves identifying and testing data input points, using client-side application interfaces and the like, and analyzing the resulting client requests and server responses. A security vulnerability analyzer can scan web page content for client-side application files, such as Flash files and Java applets, extract the web addresses and data parameters embedded in each file, and modify the data parameters according to user-defined test criteria. The modified data parameters are transmitted as part of a request to the web server that services the client-side application file. The analyzer then examines the server's response to determine whether the interface between the client-side application file and the web server exposes any security vulnerabilities.
24 Claims
1. Independent claim 1 (reproduced in full under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of detecting security vulnerabilities in web-based applications, the method comprising:
executing one or more client-side applications in a monitored environment at a client, wherein at least one of the client-side applications is written such that not all entry points to the web-based applications being analyzed for security vulnerabilities are determinable from a scan of application code of the at least one client side application provided to the client, wherein the monitored environment isolates at least a part of the at least one of the client-side applications from the web-based applications;
extracting data from the one or more client-side applications, using tools of the monitored environment, to locate data entry points to web servers used to service the one or more client-side applications; and
applying user-defined test criteria to the data entry points, wherein the user-defined testing data is configured to cause a web server to respond with one or more predetermined responses configured to expose security vulnerabilities in client-server interfaces associated with the data entry points.
Dependent claims: 9, 10, 11, 12.
13. A computer-implemented security analyzer for detecting security vulnerabilities in client-server interfaces, the security analyzer comprising:
a program code monitor that is at least partially implemented in the form of control logic in hardware and is configured to initiate execution of one or more client-side applications and monitor its execution in a monitored environment, wherein at least one of the client-side applications is written such that not all entry points to the client-server interfaces being analyzed for security vulnerabilities are determinable from a scan of application code of the at least one client-side application provided to the client, wherein the monitored environment isolates at least a part of the at least one of the client-side applications from the client-side interfaces;
a security analyzer engine that is at least partially implemented in the form of control logic in hardware and is configured to extract client-server interface data from the monitoring of execution of the one or more client-side applications, and to generate user-defined testing data from the client-server interface data, wherein the user-defined testing data is configured to cause a web server to respond with one or more predetermined responses that are used to expose security vulnerabilities in client-server interfaces associated with the one or more client-side applications.
Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.
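To make the pipeline described in the abstract and in claims 1, 8 and 13 concrete, the following is an added example written for this page; it is not the patent's implementation or any product of the assignee. It runs offline: the SWF-like byte blob, the client-side application that assembles one of its endpoints at run time, the fake web server and the payload list are all constructed for the demonstration, and only data parameters (not path parameters) are mutated. The byte scan recovers the two URLs stored as plain strings, the monitored run (a recording network layer that never reaches a real server, which is the isolation the claims describe) recovers the third endpoint that no scan of the file could find, and the response classifier flags the reflecting and error-leaking interfaces while leaving the validating one clean.

```python
# Added example (not the patent's implementation). Everything below is
# constructed: CLIENT_FILE stands in for a Flash/Java applet binary,
# simulated_client_app for an app run in the monitored environment,
# fake_server for the web server and PAYLOADS for the user-defined test data.
import html
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# --- 1. Static extraction: URLs embedded as plain strings in the file ---
CLIENT_FILE = (                                   # constructed SWF-like blob
    b"FWS\x08\x00\x01\x00\x00"
    b"\x00http://shop.example/api/search?q=shoes&page=1\x00"
    b"\x00\x00/api/account?uid=42\x00garbage\xff\xfe"
)
URL_RE = re.compile(rb"(?:https?://[\w.\-]+)?/[\w./\-]+\?[\w=&.\-%]+")

def extract_static_endpoints(blob: bytes) -> list[str]:
    """Path and data parameters recoverable from a byte scan of the file."""
    return [m.decode("ascii", "ignore") for m in URL_RE.findall(blob)]

# --- 2. Monitored environment: run the app against a recording network ---
class RecordingNetwork:
    """Records every request the app makes; never contacts a real server."""
    def __init__(self) -> None:
        self.requests: list[str] = []

    def get(self, url: str) -> bytes:
        self.requests.append(url)
        return b""                     # isolated: the app sees an empty reply

def simulated_client_app(net: RecordingNetwork) -> None:
    """Constructed app: its endpoint is built at run time, so a byte scan misses it."""
    path = "".join(["/ap", "i/rep", "ort"])
    net.get(f"http://shop.example{path}?id={40 + 2}&fmt=pdf")

def extract_dynamic_endpoints(app) -> list[str]:
    """Entry points observed only by executing the app under the monitor."""
    net = RecordingNetwork()
    app(net)
    return net.requests

# --- 3. Test generation: replace each data parameter with user-defined data ---
PAYLOADS = ["'", "<script>alert(1)</script>", "../../etc/passwd"]

def generate_tests(url: str, payloads=PAYLOADS):
    """Yield (param, payload, test_url); other parameters keep their values."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, _) in enumerate(params):
        for payload in payloads:
            mutated = list(params)
            mutated[i] = (name, payload)
            yield name, payload, urlunsplit(parts._replace(query=urlencode(mutated)))

# --- 4. Constructed server: one reflecting, one error-leaking, one safe interface ---
def fake_server(url: str) -> tuple[int, str]:
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query))
    if parts.path == "/api/search":            # reflects q without escaping
        return 200, f"<h1>Results for {q.get('q', '')}</h1>"
    if parts.path == "/api/account":           # leaks a database error
        uid = q.get("uid", "")
        if not uid.isdigit():
            return 500, "SQLSTATE[42000]: Syntax error in query"
        return 200, f"account {uid}"
    if parts.path == "/api/report":            # validates and escapes
        fmt = q.get("fmt", "")
        if fmt not in ("pdf", "csv"):
            return 400, "unknown format"
        return 200, f"report {html.escape(q.get('id', ''))} as {fmt}"
    return 404, "not found"

# --- 5. Response analysis: the predetermined responses that expose a flaw ---
ERROR_SIGNATURES = ("sqlstate", "syntax error", "ora-", "traceback")

def classify(payload: str, status: int, body: str) -> set[str]:
    findings = set()
    if any(sig in body.lower() for sig in ERROR_SIGNATURES):
        findings.add("server error disclosure")
    if "<" in payload and payload in body:
        findings.add("unescaped reflection (possible XSS)")
    if status >= 500:
        findings.add("5xx on mutated input")
    return findings

def analyze(blob: bytes, app, send=fake_server):
    """Extract (static + dynamic), mutate, send, classify -> (endpoints, report)."""
    endpoints = extract_static_endpoints(blob) + extract_dynamic_endpoints(app)
    report: dict[tuple[str, str], set[str]] = {}
    for url in endpoints:
        for name, payload, test_url in generate_tests(url):
            findings = classify(payload, *send(test_url))
            if findings:
                report.setdefault((urlsplit(test_url).path, name), set()).update(findings)
    return endpoints, report

if __name__ == "__main__":
    for key, findings in sorted(analyze(CLIENT_FILE, simulated_client_app)[1].items()):
        print(key, sorted(findings))
```

In a real analyzer the recording network layer would be the sandbox's hook on the Flash or Java runtime's URL-loading calls, and the signature list and payloads would be the user's test criteria; the point the example makes is that the `/api/report` entry point, and therefore any flaw behind it, is only reachable by the tester if the application is executed rather than scanned.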