Application security testing

US 9,215,247 B2
Filed: 05/31/2011
Issued: 12/15/2015
Est. Priority Date: 05/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a server hosting an application under test (AUT);

an observer configured to i) monitor instructions executed by the AUT, ii) generate a trace identifying instructions executed by the AUT as a result of an application request, and iii) send the trace to a requesting computing device in a body of a service response; and

a computing device communicatively coupled to the AUT and the observer through a common communication channel, the computing device comprising a processor and a memory device for storing computer-readable instructions configured to direct the processor to;

send the application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT;

receive an application response from the AUT in accordance with the AUT'"'"'s programming;

send a service request to the observer; and

receive the service response from the observer, the service response containing information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides a system that includes a server hosting an application under test (AUT), an observer configured to monitor instructions executed by the AUT, and a computing device communicatively coupled to the AUT and the observer through a common communication channel. The computing device may be configured to send an application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT. The computing device may receive an application response from the AUT in accordance with the AUT'"'"'s programming. The computing device may send a service request to the observer, and receive a service response from the observer that contains information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT.

33 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a server hosting an application under test (AUT);
  
  an observer configured to i) monitor instructions executed by the AUT, ii) generate a trace identifying instructions executed by the AUT as a result of an application request, and iii) send the trace to a requesting computing device in a body of a service response; and
  
  a computing device communicatively coupled to the AUT and the observer through a common communication channel, the computing device comprising a processor and a memory device for storing computer-readable instructions configured to direct the processor to;
  
  send the application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT;
  
  receive an application response from the AUT in accordance with the AUT'"'"'s programming;
  
  send a service request to the observer; and
  
  receive the service response from the observer, the service response containing information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the observer is configured to communicate with the computing device, at least in part, by adding a custom header to the application response.
  - 3. The system of claim 1, the memory device comprising computer-readable instructions configured to direct the processor to receive trace information from the observer, the trace information comprising a plurality of vulnerability trace nodes, each vulnerability trace node containing code locations corresponding to a vulnerability detected by the observer.
  - 4. The system of claim 3, the memory device comprising computer-readable instructions configured to direct the processor to group the plurality of vulnerability trace nodes based on the vulnerability trace nodes containing the same code locations.
  - 5. The system of claim 1, wherein the observer is configured to monitor the AUT to identify new uniform resource locators (URLs) that are generated dynamically during runtime of the ALT, and return an update field in a header of the application response, the update field configured to inform the computing device that an attack surface of the AUT has changed.
  - 6. The system of claim 1, wherein the observer is configured to:
    - receive a request from the computing device and analyze a header of the request;
      
      identify the request as the application request or the service request based on the analysis of the header;
      
      pass the application request to the AUT; and
      
      process the service request without passing the service request to the AUT.

7. A method, comprising:
- sending an application request to an application under test (AUT), wherein the application request is configured to expose a potential vulnerability of the AUT;
  
  receiving an application response from the AUT in accordance with the AUT'"'"'s programming;
  
  sending a service request to an observer that i) monitors instructions executed by the AUT, ii) generates a trace identifying instructions executed by the AUT as a result of the application request, and iii) sends the trace in a body of a service response; and
  
  receiving the service response from the observer, the service response containing information corresponding to instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT;
  
  wherein the application request, application response, service request, and service response are communicated over a same network channel.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The method of claim 7, comprising receiving a file-not-found header in the application response, the file-not-found header added to the application response by the observer to indicate a file-not-found error generated by the AUT.
  - 9. The method of claim 7, wherein the service request is a trace service request, the method comprising receiving a stack trace in a body of the service response received from the observer,
  - 10. The method of claim 7, comprising receiving a vulnerability trace node in the body of the service response, wherein the vulnerability trace node identifies a vulnerability detected by the observer.
  - 11. The method of claim 7, wherein the service request is an attack surface service request, the method comprising receiving information about the attack surface of the AUT in a body of the service response, the attack surface comprising static URLs and dynamic URLs that are generated by the AUT during runtime.
  - 12. The method of claim 7, further comprising:
    - communicating, by the observer, by adding a custom header to the application response.
  - 13. The method of claim 7, further comprising:
    - receiving, by the observer, a request and analyzes a header of the request;
      
      identifying, by the observer, the request as the application request or the service request based on the analysis of the header;
      
      passing, by the observer, the application request to the AUT; and
      
      processing, by the observer, the service request without passing the service request to the AUT.
  - 14. The method of claim 7, wherein the trace includes trace information comprising a plurality of vulnerability trace nodes, each vulnerability trace node containing code locations corresponding to a vulnerability detected by the observer.

15. A non-transitory, compute le medium, comprising code configured to direct a processor to:
- send an application request to an application under test (AUT), wherein the application request is configured to expose a potential vulnerability of the AUT;
  
  receive an application response from the AUT in accordance with the ALT'"'"'s programming;
  
  send a service request to an observer that i) monitors instructions executed by the AUT, ii) generates a trace identifying instructions executed by the AUT as a result of the application request, and iii) sends the trace in a body of a service response; and
  
  receive the service response from the observer, the service response containing information corresponding to instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT;
  
  wherein the application request, application response, service request, and service response are communicated over a same network channel.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory, computer readable medium of claim 15, comprising code configured to direct the processor to add a request ID to a header of the application request that uniquely identifies the application request, wherein the service response received from the observer includes the request ID.
  - 17. The non-transitory, computer readable medium of claim 15, wherein the service response includes a database trace node that includes information corresponding to a database query performed by the AUT as a result of the application request.
  - 18. The non-transitory, computer readable medium of claim 15, wherein the observer communicates, at least in part, by adding a custom header to the application response.
  - 19. The non-transitory, computer readable medium of claim 15, wherein the observer:
    - receives a request and analyzes a header of the request;
      
      identifies the request as the application request or the service request based on the analysis of the header;
      
      passes the application request to the AUT; and
      
      processes the service request without passing the service request to the AUT.
  - 20. The non-transitory, computer readable medium of claim 15, wherein:
    - the service request is an attack surface service request, andinformation about the attack surface of the AUT is included in the body of the service response, and the attack surface comprises static URLs and dynamic URLs that are generated by the AUT during runtime.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Chess, Brian V., Ragoler, Iftach, Hamer, Philip Edward, Spitler, Russell Andrew, Fay, Sean Patrick, Jagdate, Prajakta Subbash
Primary Examiner(s)
Bayou, Yonas

Application Number

US14/116,000
Publication Number

US 20140082739A1
Time in Patent Office

1,659 Days
Field of Search

726/25
US Class Current

1/1
CPC Class Codes

G06F 11/0727   in a storage system, e.g. i...

G06F 11/0793   Remedial or corrective acti...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/1433   Vulnerability analysis

Application security testing

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Application security testing

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links