Application security testing

US 9,501,650 B2
Filed: 09/04/2015
Issued: 11/22/2016
Est. Priority Date: 05/31/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a server hosting an application under test (AUT);

an observer to i) monitor instructions executed by the AUT, and ii) communicate with a computing device, at least in part, by adding a custom header to an application response; and

the computing device communicatively coupled to the AUT and the observer through a common communication channel, the computing device comprising a processor and a memory device for storing computer-readable instructions configured to direct the processor to;

send an application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT;

receive the application response from the AUT in accordance with the AUT'"'"'s programming;

send a service request to the observer; and

receive a service response from the observer, the service response containing information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure provides a system that includes a server hosting an application under test (AUT), an observer configured to monitor instructions executed by the AUT, and a computing device communicatively coupled to the AUT and the observer through a common communication channel. The computing device may be configured to send an application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT. The computing device may receive an application response from the AUT in accordance with the AUT'"'"'s programming. The computing device may send a service request to the observer, and receive a service response from the observer that contains information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT.

38 Citations

View as Search Results

20 Claims

1. A system, comprising:
- a server hosting an application under test (AUT);
  
  an observer to i) monitor instructions executed by the AUT, and ii) communicate with a computing device, at least in part, by adding a custom header to an application response; and
  
  the computing device communicatively coupled to the AUT and the observer through a common communication channel, the computing device comprising a processor and a memory device for storing computer-readable instructions configured to direct the processor to;
  
  send an application request to the AUT, wherein the application request is configured to expose a potential vulnerability of the AUT;
  
  receive the application response from the AUT in accordance with the AUT'"'"'s programming;
  
  send a service request to the observer; and
  
  receive a service response from the observer, the service response containing information corresponding to the instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The system of claim 1, the memory device comprising computer-readable instructions configured to direct the processor to receive trace information from the observer, the trace information comprising a plurality of vulnerability trace nodes, each vulnerability trace node containing code locations corresponding to a vulnerability detected by the observer.
  - 3. The system of claim 2, the memory device comprising computer-readable instructions configured to direct the processor to group the plurality of vulnerability trace nodes based on the vulnerability trace nodes containing the same code locations.
  - 4. The system of claim 1, wherein the observer is configured to monitor the AUT to identify new uniform resource locators (URLs) that are generated dynamically during runtime of the AUT, and return an update field in a header of the application response, the update field configured to inform the computing device that an attack surface of the AUT has changed.
  - 5. The system of claim 1, wherein the observer is configured to:
    - receive a request from the computing device and analyze a header of the request;
      
      identify the request as the application request or the service request based on the analysis of the header;
      
      pass the application request to the AUT; and
      
      process the service request without passing the service request to the AUT.

6. A method, comprising:
- sending an application request to an application under test (AUT), wherein the application request is configured to expose a potential vulnerability of the AUT;
  
  receiving an application response from the AUT in accordance with the AUT'"'"'s programming, the application response including a custom header that was added by an observer that monitors instructions executed by the AUT;
  
  sending a service request to the observer; and
  
  receiving a service response from the observer, the service response containing information corresponding to instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT;
  
  wherein the application request, application response, service request, and service response are communicated over a same network channel.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14)
- - 7. The method of claim 6, comprising receiving a file-not-found header in the application response, the file-not-found header added to the application response by the observer to indicate a file-not-found error generated by the AUT.
  - 8. The method of claim 6, wherein the service request is a trace service request, the method comprising receiving a stack trace in a body of the service response received from the observer.
  - 9. The method of claim 6, comprising receiving a vulnerability trace node in the body of the service response, wherein the vulnerability trace node identifies a vulnerability detected by the observer.
  - 10. The method of claim 6, wherein the service request is an attack surface service request, the method comprising receiving information about the attack surface of the AUT in a body of the service response, the attack surface comprising static URLs and dynamic URLs that are generated by the AUT during runtime.
  - 11. The method of claim 6, further comprising:
    - receiving, by the observer, a request and analyzes a header of the request;
      
      identifying, by the observer, the request as the application request or the service request based on the analysis of the header;
      
      passing, by the observer, the application request to the AUT; and
      
      processing, by the observer, the service request without passing the service request to the AUT.
  - 12. The method of claim 6, wherein the trace includes trace information comprising a plurality of vulnerability trace nodes, each vulnerability trace node containing code locations corresponding to a vulnerability detected by the observer.
  - 13. The method of claim 6, further comprising:
    - receiving trace information from the observer, the trace information comprising a plurality of vulnerability trace nodes, each vulnerability trace node containing code locations corresponding to a vulnerability detected by the observer.
  - 14. The method of claim 13, further comprising:
    - grouping the plurality of vulnerability trace nodes based on the vulnerability trace nodes containing the same code locations.

15. A non-transitory, computer readable medium, comprising code configured to direct a processor to:
- send an application request to an application under test (AUT), wherein the application request is configured to expose a potential vulnerability of the AUT;
  
  receive an application response from the AUT in accordance with the AUT'"'"'s programming, the application response including a custom header that was added by an observer that monitors instructions executed by the AUT;
  
  send a service request to the observer; and
  
  receive a service response from the observer, the service response containing information corresponding to instructions executed by the AUT due to the application request, information about the AUT, or information about a server hosting the AUT;
  
  wherein the application request, application response, service request, and service response are communicated over a same network channel.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory, computer readable medium of claim 15, comprising code configured to direct the processor to add a request ID to a header of the application request that uniquely identifies the application request, wherein the service response received from the observer includes the request ID.
  - 17. The non-transitory, computer readable medium of claim 15, wherein the service response includes a database trace node that includes information corresponding to a database query performed by the AUT as a result of the application request.
  - 18. The non-transitory, computer readable medium of claim 15, wherein the observer:
    - receives a request and analyzes a header of the request;
      
      identifies the request as the application request or the service request based on the analysis of the header;
      
      passes the application request to the AUT; and
      
      processes the service request without passing the service request to the AUT.
  - 19. The non-transitory, computer readable medium of claim 15, wherein:
    - the service request is an attack surface service request, andinformation about the attack surface of the AUT is included in the body of the service response, and the attack surface comprises static URLs and dynamic URLs that are generated by the AUT during runtime.
  - 20. The non-transitory, computer readable medium of claim 15, comprising code configured to direct the processor to receive trace information from the observer, the trace information comprising a plurality of vulnerability trace nodes, each vulnerability trace node containing code locations corresponding to a vulnerability detected by the observer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus LLC (Open Text Corporation)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Chess, Brian V., Ragoler, Iftach, Hamer, Philip Edward, Spitler, Russell Andrew, Fay, Sean Patrick, Jagdale, Prajakta Subbash
Primary Examiner(s)
BAYOU, YONAS A

Application Number

US14/846,462
Publication Number

US 20150379273A1
Time in Patent Office

445 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

Application security testing

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Application security testing

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links