Automated security testing

US 9,276,952 B2
Filed: 05/31/2011
Issued: 03/01/2016
Est. Priority Date: 05/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system for automated security testing, comprising:

a processor that is adapted to execute stored instructions; and

a memory device that stores instructions, the memory device comprising processor-executable code, that when executed by the processor, is adapted to;

record a macro;

play the recorded macro while intercepting traffic from a web browser;

intercept a web request while playing the macro;

attack the web request;

send the web request to a web server;

receive a response from the web server based on the web request; and

process the response of the web server to determine any vulnerabilities.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of automated security testing includes recording a macro. The recorded macro is played and a web request is intercepted while playing the macro. The web request may be attacked and sent to a web server. A response from the web server based on the web request is received, and the response of the web server is processed to determine any vulnerabilities.

Citations

15 Claims

1. A system for automated security testing, comprising:
- a processor that is adapted to execute stored instructions; and
  
  a memory device that stores instructions, the memory device comprising processor-executable code, that when executed by the processor, is adapted to;
  
  record a macro;
  
  play the recorded macro while intercepting traffic from a web browser;
  
  intercept a web request while playing the macro;
  
  attack the web request;
  
  send the web request to a web server;
  
  receive a response from the web server based on the web request; and
  
  process the response of the web server to determine any vulnerabilities.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system recited in claim 1, wherein the memory device comprises computer-executable code, that when executed by the processor, is adapted to process the response of the web server to determine any vulnerabilities by:
    - executing scripts in the response with the web browser;
      
      hooking a document object model method to application code executed during the script execution; and
      
      determining vulnerabilities based on the document object model method called during script execution as noted by the execution of the application code.
  - 3. The system recited in claim 1, wherein the memory device comprises computer-executable code that, when executed by the processor, is adapted to record a macro by recording a user'"'"'s interactions with the web browser.
  - 4. The system recited in claim 1, wherein the memory device comprises computer-executable code, that when executed by the processor, is adapted to attack the web request during playback of the macro.
  - 5. The system recited in claim 1, wherein the memory device comprises computer-executable code, that when executed by the processor, is adapted to record a macro by:
    - including an element of a document object model in the macro; and
      
      finding the element in the document object model after the document object model has been changed based on the element'"'"'s location relative to the other elements in the document object model, a tag name, an element ID, an element name, or any combinations thereof.

6. A method for automated security testing, comprising:
- recording a macro;
  
  playing the recorded macro while a proxy server intercepts traffic from a web browser;
  
  intercepting a web request while playing the macro;
  
  attacking the web request;
  
  sending the web request to a web server;
  
  receiving a response from the web server based on the web request; and
  
  processing the response of the web server to determine any vulnerabilities.
- View Dependent Claims (7, 8, 9, 10, 11, 12)
- - 7. The method recited in claim 6, wherein processing the response of the web server to determine any vulnerabilities comprises:
    - executing scripts in the response with the web browser;
      
      hooking a document object model method to application code; and
      
      determining vulnerabilities based on the document object model method called during script execution as noted by the execution of the application code.
  - 8. The method recited in claim 6, wherein attacking the web request comprises injecting malicious code into the web request.
  - 9. The method recited in claim 6, wherein recording a macro comprises defining an element for recording, the element being indicative of a logged out state, a logged in state, or a set of questions and answers.
  - 10. The method recited in claim 6, wherein recording a macro comprises recording an element of a web page using an event handler.
  - 11. The method recited in claim 6, wherein the web request is sent to the web server that is an original destination of the of the web request before it is intercepted.
  - 12. The method recited in claim 6, wherein attacking the web request includes a corresponding rule as to what constitutes a vulnerability.

13. A non-transitory, computer-readable medium, comprising code configured to direct a processor to:
- record a macro;
  
  play the recorded macro while intercepting traffic from a web browser;
  
  intercept a web request while playing the macro;
  
  attack the web request;
  
  send the web request to a web server;
  
  receive a response from the web server based on the web request; and
  
  process the response of the web server to determine any vulnerabilities.
- View Dependent Claims (14, 15)
- - 14. The non-transitory, computer-readable medium recited in claim 13, comprising code configured to direct a processor to process the response of the Web server to determine any vulnerabilities by:
    - executing scripts in the response with the web browser;
      
      hooking a document object model method to application code executed during the script execution; and
      
      determining vulnerabilities based on the document object model method called during script execution as noted by the execution of the application code.
  - 15. The non-transitory, computer-readable medium recited in claim 13, comprising code configured to direct a processor to attack a web request by injecting malicious code into the web request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Simpson, Shawn Morgan, Hamer, Philip Edward
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US14/115,648
Publication Number

US 20140075563A1
Time in Patent Office

1,736 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04B 17/102   Power radiated at antenna

H04B 17/17   Detection of non-compliance...

H04B 17/318   Received signal strength

H04L 63/1433   Vulnerability analysis

H04L 63/1466   Active attacks involving in...

H04W 24/04   Arrangements for maintainin...

H04W 88/08   Access point devices

Automated security testing

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Automated security testing

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links