Automatic response culling for web application security scan spidering process

US 8,370,929 B1
Filed: 09/28/2007
Issued: 02/05/2013
Est. Priority Date: 09/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method of testing a web application, wherein a web application is a program that operates on a server and interacts with clients that access the program over a network, the method comprising:

determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications on a system, each web application being operable to accept parameters that define results generated from the web application;

determining, for each web application of the subset of web applications, if more than a threshold of the URIs are present for the web application;

selecting, for each web application of the subset of web applications, a subset of less than all of the URIs for the web application when the threshold is exceeded for that web application, wherein the subset of URIs is selected in a manner that is partly independent of an order generated; and

using, for each web application of the subset of web applications, a test suite that executes electronic interactions with the web application to perform a security scan on the web application using the selected subset of URIs, the electronic interactions including the web application sending HTTP client requests to the web application and evaluating a response to identify vulnerabilities in the web application.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of testing a web application, wherein a web application is a program that operates on a server and interacts with clients that access the program over a network, wherein further the web application accepts parameters that define results generated from the web application, the method comprising determining which web application uniform resource identifiers (URIs) are used to access various web applications on a system, determining if more than a threshold of the URIs are for a common web application, selecting a subset of less than all of the URIs for the common web application when the threshold is exceeded for that common web application, wherein the subset is selected at least in part independently of the order generated and performing a security scan on the selected subset.

Citations

12 Claims

1. A method of testing a web application, wherein a web application is a program that operates on a server and interacts with clients that access the program over a network, the method comprising:
- determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications on a system, each web application being operable to accept parameters that define results generated from the web application;
  
  determining, for each web application of the subset of web applications, if more than a threshold of the URIs are present for the web application;
  
  selecting, for each web application of the subset of web applications, a subset of less than all of the URIs for the web application when the threshold is exceeded for that web application, wherein the subset of URIs is selected in a manner that is partly independent of an order generated; and
  
  using, for each web application of the subset of web applications, a test suite that executes electronic interactions with the web application to perform a security scan on the web application using the selected subset of URIs, the electronic interactions including the web application sending HTTP client requests to the web application and evaluating a response to identify vulnerabilities in the web application.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the subset of URIs is selected in a manner that is partly random.
  - 3. The method of claim 2, wherein determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications comprises using a spidering process.
  - 4. The method of claim 3, wherein the subset of URIs is selected using an exponential decay function.

5. A computing device for testing a web application, wherein a web application is a program that operates on a server and interacts with clients that access the program over a network, the computing device comprising:
- a computer processor configured to read machine-readable instructions from a tangible, non-transitory computer-readable medium;
  
  the machine-readable instructions comprising;
  
  (a) program code for determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications on a system, each web application being operable to accept parameters that define results generated from the web application;
  
  (b) program code for determining, for each web application of the subset of web applications, if more than a threshold of the URIs present are for the web application;
  
  (c) program code for selecting, for each web application of the subset of web applications, a subset of less than all of the URIs for the web application when the threshold is exceeded for that web application, wherein the subset of URIs is selected in a manner that is partly independent of an order generated; and
  
  (d) program code for performing, for each web application of the subset of web applications, a security scan on the selected subset of URIs, the security scan including sending HTTP client requests to web applications and evaluating responses to identify vulnerabilities in the web applications.
- View Dependent Claims (6, 7, 8)
- - 6. The computing device of claim 5, wherein the subset of URIs is selected in a manner that is partly random.
  - 7. The computing device of claim 6, wherein determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications comprises using a spidering process.
  - 8. The computing device of claim 7, wherein the subset of URIs is selected using an exponential decay function.

9. A non-transitory computer-readable medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus having stored thereon instructions configured to test a web application, the computer-readable medium being electronically readable, comprising:
- program code for determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications on a system, each web application being operable to accept parameters that define results generated from the web application;
  
  program code for determining, for each web application of the subset of web applications, if more than a threshold of the URIs present are for the web application;
  
  program code for selecting, for each web application of the subset of web applications, a subset of less than all of the URIs for the web application when the threshold is exceeded for that web application, wherein the subset of URIs is selected in a manner that is partly independent of an order generated; and
  
  program code for performing, for each web application of the subset of web applications, a security scan on the selected subset of URIs, the security scan including sending HTTP client requests to web applications and evaluating responses to identify vulnerabilities in the web applications.
- View Dependent Claims (10, 11, 12)
- - 10. The computer-readable medium of claim 9, wherein the subset of URIs is selected in a manner that is partly random.
  - 11. The computer-readable medium of claim 10, wherein determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications comprises using a spidering process.
  - 12. The computer-readable medium of claim 11, wherein the subset of URIs is selected using an exponential decay function.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Black Duck Software, Inc. (Synopsys Incorporated)
Original Assignee
Whitehat Security Incorporated (Synopsys Incorporated)
Inventors
Pennington, William, Grossman, Jeremiah, Stone, Robert, Pazirandeh, Siamak
Primary Examiner(s)
Gelagay, Shewaye

Application Number

US11/864,749
Time in Patent Office

1,957 Days
Field of Search

726/22
US Class Current

726/22
CPC Class Codes

G06F 11/3672   Test management

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

Automatic response culling for web application security scan spidering process

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic response culling for web application security scan spidering process

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links