Automatic response culling for web application security scan spidering process
First Claim
1. A method of testing a web application, wherein a web application is a program that operates on a server and interacts with clients that access the program over a network, the method comprising:
determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications on a system, each web application being operable to accept parameters that define results generated from the web application;
determining, for each web application of the subset of web applications, if more than a threshold of the URIs are present for the web application;
selecting, for each web application of the subset of web applications, a subset of less than all of the URIs for the web application when the threshold is exceeded for that web application, wherein the subset of URIs is selected in a manner that is partly independent of an order generated; and
using, for each web application of the subset of web applications, a test suite that executes electronic interactions with the web application to perform a security scan on the web application using the selected subset of URIs, the electronic interactions including the test suite sending HTTP client requests to the web application and evaluating a response to identify vulnerabilities in the web application.
Abstract
A method of testing a web application, wherein a web application is a program that operates on a server and interacts with clients that access the program over a network, wherein further the web application accepts parameters that define results generated from the web application, the method comprising determining which web application uniform resource identifiers (URIs) are used to access various web applications on a system, determining if more than a threshold of the URIs are for a common web application, selecting a subset of less than all of the URIs for the common web application when the threshold is exceeded for that common web application, wherein the subset is selected at least in part independently of the order generated and performing a security scan on the selected subset.
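The culling and scanning procedure the abstract describes, as an added worked example that is not the patent's own code: spidered URIs are grouped by the application that serves them (scheme, host, path and the set of parameter names, since parameter values vary per page while names identify the program); each group that exceeds a threshold is culled by keeping the first few URIs in discovery order and filling the remaining slots with a seeded random sample of the rest, so the selection is partly independent of the order the spider generated; the surviving URIs are then scanned by sending a probe request for each parameter and evaluating the response for an unencoded reflection. The function names, threshold values, the `fake_app` stand-in for the target and the `SPIDERED` URI list are all constructed assumptions.

```python
"""Response culling before a web application security scan (added example)."""
import html
import random
from collections import OrderedDict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Marker that a server reflecting its input unencoded will echo verbatim.
PROBE = "zx9cull'\"<>"


def app_key(uri):
    """Identify the web application behind a URI.

    Scheme, host and path name the program; the set of parameter names
    (not values) distinguishes distinct entry points on the same path.
    """
    parts = urlsplit(uri)
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return (parts.scheme, parts.netloc, parts.path, names)


def group_by_app(uris):
    """Group spidered URIs by application, preserving discovery order."""
    groups = OrderedDict()
    for uri in uris:
        groups.setdefault(app_key(uri), []).append(uri)
    return groups


def cull_uris(uris, threshold=5, keep_in_order=2, seed=0):
    """Select the URIs to scan.

    Applications with at most `threshold` URIs are scanned in full. For the
    rest, the first `keep_in_order` URIs are kept in discovery order and the
    remaining slots are filled by a seeded random sample of the others, so
    the selection is partly independent of the spider's output order while
    staying reproducible between runs.
    """
    rng = random.Random(seed)
    selected = []
    for members in group_by_app(uris).values():
        if len(members) <= threshold:
            selected.extend(members)
            continue
        head = members[:keep_in_order]
        tail = rng.sample(members[keep_in_order:], max(threshold - keep_in_order, 0))
        selected.extend(head + tail)
    return selected


def scan(uris, send):
    """Probe every parameter of every selected URI and evaluate the response.

    `send(uri) -> body` performs the HTTP request; a response containing the
    probe unchanged indicates the parameter is reflected without encoding.
    """
    findings = []
    for uri in uris:
        parts = urlsplit(uri)
        params = parse_qsl(parts.query, keep_blank_values=True)
        for i, (name, _) in enumerate(params):
            mutated = list(params)
            mutated[i] = (name, PROBE)
            test_uri = urlunsplit(parts._replace(query=urlencode(mutated)))
            if PROBE in send(test_uri):
                findings.append((uri, name, "unencoded reflection"))
    return findings


def fake_app(uri):
    """Constructed stand-in for the target (assumption, not a real site):
    /search echoes q unencoded, /item escapes id, /about ignores input."""
    parts = urlsplit(uri)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/search":
        return f"<h1>Results for {query.get('q', '')}</h1>"
    if parts.path == "/item":
        return f"<p>Item {html.escape(query.get('id', ''))}</p>"
    return "<p>static page</p>"


# Constructed spider output: one catalogue page with 30 parameter variants,
# two search pages and one static page.
SPIDERED = (
    [f"https://shop.example/item?id={n}" for n in range(1, 31)]
    + ["https://shop.example/search?q=shoes", "https://shop.example/search?q=hats"]
    + ["https://shop.example/about"]
)

if __name__ == "__main__":
    chosen = cull_uris(SPIDERED, threshold=5)
    print(f"{len(SPIDERED)} spidered URIs culled to {len(chosen)}")
    for finding in scan(chosen, fake_app):
        print(*finding)
```

With these inputs the 30 catalogue variants collapse to 5 scan targets while both search pages and the static page are kept in full, and the scan still reports the reflected `q` parameter on both search URIs. Keeping a fixed head in discovery order means the first-found (usually the canonical) page of each application is always tested; the random tail avoids the bias of a purely order-based cut, which would otherwise test only the earliest-linked variants. Real scanners would also track the HTTP status and response headers, throttle requests, and honour scope rules, none of which this example models.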
12 Claims
1. A method of testing a web application, wherein a web application is a program that operates on a server and interacts with clients that access the program over a network, the method comprising:
determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications on a system, each web application being operable to accept parameters that define results generated from the web application;
determining, for each web application of the subset of web applications, if more than a threshold of the URIs are present for the web application;
selecting, for each web application of the subset of web applications, a subset of less than all of the URIs for the web application when the threshold is exceeded for that web application, wherein the subset of URIs is selected in a manner that is partly independent of an order generated; and
using, for each web application of the subset of web applications, a test suite that executes electronic interactions with the web application to perform a security scan on the web application using the selected subset of URIs, the electronic interactions including the test suite sending HTTP client requests to the web application and evaluating a response to identify vulnerabilities in the web application.
Dependent claims 2, 3 and 4 are not reproduced on this page.
5. A computing device for testing a web application, wherein a web application is a program that operates on a server and interacts with clients that access the program over a network, the computing device comprising:
a computer processor configured to read machine-readable instructions from a tangible, non-transitory computer-readable medium, the machine-readable instructions comprising:
(a) program code for determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications on a system, each web application being operable to accept parameters that define results generated from the web application;
(b) program code for determining, for each web application of the subset of web applications, if more than a threshold of the URIs present are for the web application;
(c) program code for selecting, for each web application of the subset of web applications, a subset of less than all of the URIs for the web application when the threshold is exceeded for that web application, wherein the subset of URIs is selected in a manner that is partly independent of an order generated; and
(d) program code for performing, for each web application of the subset of web applications, a security scan on the selected subset of URIs, the security scan including sending HTTP client requests to web applications and evaluating responses to identify vulnerabilities in the web applications.
Dependent claims 6, 7 and 8 are not reproduced on this page.
9. A non-transitory, electronically readable computer-readable medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus, the instructions being configured to test a web application and comprising:
program code for determining which web application uniform resource identifiers (URIs) are used to access each of a subset of web applications on a system, each web application being operable to accept parameters that define results generated from the web application;
program code for determining, for each web application of the subset of web applications, if more than a threshold of the URIs present are for the web application;
program code for selecting, for each web application of the subset of web applications, a subset of less than all of the URIs for the web application when the threshold is exceeded for that web application, wherein the subset of URIs is selected in a manner that is partly independent of an order generated; and
program code for performing, for each web application of the subset of web applications, a security scan on the selected subset of URIs, the security scan including sending HTTP client requests to web applications and evaluating responses to identify vulnerabilities in the web applications.
Dependent claims 10, 11 and 12 are not reproduced on this page.
Specification