
Simulating black box test results using information from white box testing

  • US 9,747,187 B2
  • Filed: 10/27/2010
  • Issued: 08/29/2017
  • Est. Priority Date: 10/27/2010
  • Status: Active Grant
First Claim

1. A system, comprising:

  • a white box tester that statically analyzes computer software to identify a plurality of milestones, including a first milestone, associated with a potential vulnerability within the computer software, wherein each of the milestones indicates a location of a method call of a source code statement within the computer software at which a data item can be accessed and modified and wherein the first milestone indicates a first source code location within the computer software at which the data item can be accessed and modified without validation, resulting in the potential vulnerability;

  • an entry point tracer that identifies one or more entry points into the computer software associated with the potential vulnerability by tracing paths from the source code statement of the first milestone, wherein each entry point provides a method location where an interface of the computer software is exposed to receive input external to the computer software;

  • an input analyzer that identifies one or more HTTP request parameter inputs to at least a first one of the one or more entry points that results in a control flow from the first entry point to the first milestone; and

  • a black box simulator that:

      • automatically identifies, from a consultation of an Extensible Markup Language (XML) configuration file for a web server executing the computer software, a uniform resource locator (URL) of a class representing the computer software having the potential vulnerability based on the first entry point and the one or more identified HTTP request parameter inputs; and

      • presents a simulated black box test result for the computer software by generating a description of the potential vulnerability indicating the identified URL exposing the potential vulnerability, and one or more of the identified HTTP request parameter inputs that have not been validated.
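The claim's last element, the black box simulator, is the step that turns static-analysis findings into something a scanner operator recognizes: it resolves the entry point's class to a URL through the web server's XML configuration and reports the unvalidated request parameters against that URL. The following Python is an added illustration of that step and is not code from the patent or its assignee. It assumes the configuration file is a Java servlet web.xml (servlet, servlet-mapping and url-pattern elements), and the class name, URL, milestones and parameter names are constructed for the example. The sample descriptor deliberately declares a default XML namespace, because real deployment descriptors usually do and a lookup that ignores the namespace silently finds no servlets.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample deployment descriptor (hypothetical class and URL, not
# taken from the patent). The default namespace is included on purpose: real
# web.xml files usually carry one, and a naive root.findall("servlet") would
# then return nothing.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>account</servlet-name>
    <servlet-class>com.example.AccountServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>account</servlet-name>
    <url-pattern>/account/update</url-pattern>
  </servlet-mapping>
</web-app>"""


@dataclass
class Milestone:
    """A source location where a data item is accessed or modified."""
    source_class: str
    method: str
    line: int
    data_item: str
    validated: bool


@dataclass
class EntryPoint:
    """An exposed method plus the HTTP request parameters it reads."""
    source_class: str
    method: str
    request_params: list


def _local(tag):
    # Strip a namespace prefix such as "{http://...}servlet" down to "servlet".
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    # Text of the first direct child whose local name matches, or None.
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def servlet_urls(web_xml_text):
    """Map each servlet class to the URL patterns web.xml binds it to."""
    root = ET.fromstring(web_xml_text)
    name_to_class = {}
    class_to_urls = {}
    for elem in root:
        if _local(elem.tag) == "servlet":
            name_to_class[_text(elem, "servlet-name")] = _text(elem, "servlet-class")
    for elem in root:
        if _local(elem.tag) == "servlet-mapping":
            cls = name_to_class.get(_text(elem, "servlet-name"))
            if cls:
                class_to_urls.setdefault(cls, []).append(_text(elem, "url-pattern"))
    return class_to_urls


def simulate_black_box_result(web_xml_text, entry_point, milestones, flow_params):
    """Build the finding a black box scanner would have reported.

    flow_params are the request parameters the input analyzer found to carry
    data from the entry point to a milestone; only those the entry point
    actually reads, and only when an unvalidated milestone exists, are reported.
    Returns None when nothing reportable is found.
    """
    urls = servlet_urls(web_xml_text).get(entry_point.source_class, [])
    unvalidated = [m for m in milestones if not m.validated]
    params = [p for p in flow_params if p in entry_point.request_params]
    if not urls or not unvalidated or not params:
        return None
    sink = unvalidated[0]  # the claim's "first milestone"
    return {
        "url": urls[0],
        "entry_point": f"{entry_point.source_class}.{entry_point.method}",
        "unvalidated_parameters": params,
        "sink": f"{sink.source_class}.{sink.method}:{sink.line}",
        "description": (
            f"{urls[0]} accepts parameter(s) {', '.join(params)} that reach "
            f"{sink.data_item} at {sink.source_class}.{sink.method} line {sink.line} "
            "without validation"
        ),
    }


# Constructed analysis output, standing in for what the white box tester,
# entry point tracer and input analyzer of the claim would produce.
ENTRY = EntryPoint("com.example.AccountServlet", "doPost", ["id", "email", "csrf"])
MILESTONES = [
    Milestone("com.example.AccountServlet", "doPost", 42, "email", validated=False),
    Milestone("com.example.AccountDao", "update", 88, "email", validated=False),
]
FLOW_PARAMS = ["email"]

if __name__ == "__main__":
    print(simulate_black_box_result(WEB_XML, ENTRY, MILESTONES, FLOW_PARAMS))
```

The result names the URL, the parameter and the source location, which is what a triager needs to confirm the finding against a live instance; when the mapping lookup fails (the class is not a servlet, or the descriptor uses annotations instead of XML) the function returns None rather than a finding with an empty URL, so the caller can fall back to another resolution strategy.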

  • 2 Assignments