System for detecting vulnerabilities in web applications using client-side application interfaces
    11.
    Granted patent
    System for detecting vulnerabilities in web applications using client-side application interfaces (in force)

    Publication number: US08281401B2

    Publication date: 2012-10-02

    Application number: US11339373

    Filing date: 2006-01-24

    IPC class: G06F12/14

    Abstract: An improved method and apparatus for client-side web application analysis is provided. Client-side web application analysis involves determining and testing data input points, using client-side application interfaces and the like, and analyzing client requests and server responses. A security vulnerability analyzer can analyze web page content for client-side application files, such as Flash files and Java applets, extract the web addresses and data parameters embedded in each client-side application file, and modify the data parameters according to user-defined test criteria. The modified data parameters are transmitted as part of a request to the web server that services the client-side application file. The security vulnerability analyzer then analyzes the server's response to ascertain whether any security vulnerabilities are associated with the interface between the client-side application file and the web server.
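    The analysis loop the abstract describes, written out as an added example (this is not code from the patent or its assignee). It assumes a constructed sample page, constructed byte blobs standing in for the SWF and JAR files (real ones carry URL constants in their string pools in the same way), a constructed `fake_server` that services those files, and the hypothetical names `PAYLOADS`, `ERROR_RE`, `find_client_files`, `extract_urls`, `mutate`, `classify` and `analyze`. It goes slightly beyond the abstract by including both of the response checks a practitioner would start with: error disclosure and unencoded reflection.

```python
"""Added example: client-side application interface analysis, end to end.
Page -> embedded client files -> URLs and parameters -> mutated requests ->
classified server responses. Sample data below is constructed."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample page that embeds a Flash movie and a Java applet.
SAMPLE_HTML = """<html><body>
<object data="/media/player.swf" type="application/x-shockwave-flash"></object>
<applet code="Viewer.class" archive="/applets/viewer.jar"></applet>
</body></html>"""

# Constructed stand-ins for the binary client-side files. Real SWF and JAR
# files carry URL constants like these inside their string pools.
CLIENT_FILES = {
    "/media/player.swf": (b"FWS\x08\x10\x00\x00\x00\x01\x02"
                          b"http://media.example.test/api/track?item=42&user=guest\x00\x7f"),
    "/applets/viewer.jar": (b"PK\x03\x04\x14\x00\x08\x00"
                            b"http://media.example.test/cgi-bin/view?doc=report.pdf\x00"),
}

# User-defined test criteria (assumed): what to inject and what a hit looks like.
PAYLOADS = {
    "quote": "'",        # probe for error / stack-trace disclosure
    "marker": "<zq9>",   # probe for unencoded reflection of input
}
ERROR_RE = re.compile(r"Exception|Traceback|SQL syntax|ORA-\d{5}")

CLIENT_FILE_RE = re.compile(
    r'<(?:object|embed|applet)\b[^>]*?\b(?:data|src|archive)="([^"]+)"', re.I)
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")   # printable run; stops at NUL


def find_client_files(html):
    """Client-side application files (Flash, Java) referenced by the page."""
    return [ref for ref in CLIENT_FILE_RE.findall(html)
            if ref.lower().endswith((".swf", ".jar", ".class"))]


def extract_urls(blob):
    """Web addresses, with their data parameters, embedded in a client file."""
    return [m.decode("ascii") for m in URL_RE.findall(blob)]


def mutate(url, param, value):
    """Return url with one data parameter replaced by the test value."""
    parts = urlsplit(url)
    pairs = [(k, value if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def classify(payload_name, status, body):
    """Interpret the server response against the test criteria."""
    kinds = []
    if status >= 500 or ERROR_RE.search(body):
        kinds.append("error_disclosure")
    if payload_name == "marker" and PAYLOADS["marker"] in body:
        kinds.append("reflected_unencoded")
    return kinds


def fake_server(url):
    """Constructed stand-in for the server that services the client files:
    /api/track chokes on a non-numeric item, /cgi-bin/view echoes doc raw."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/api/track":
        if not params.get("item", "").isdigit():
            return 500, "java.lang.NumberFormatException: invalid item"
        return 200, "ok"
    if parts.path == "/cgi-bin/view":
        return 200, "<h1>Viewing %s</h1>" % params.get("doc", "")
    return 404, "not found"


def analyze(html, fetch_file, send):
    """Findings as (path, parameter, kind) triples for every embedded
    interface, parameter and payload combination."""
    findings = set()
    for ref in find_client_files(html):
        for url in extract_urls(fetch_file(ref)):
            parts = urlsplit(url)
            for param, _ in parse_qsl(parts.query, keep_blank_values=True):
                for name, payload in PAYLOADS.items():
                    status, body = send(mutate(url, param, payload))
                    for kind in classify(name, status, body):
                        findings.add((parts.path, param, kind))
    return findings


def run_demo():
    return analyze(SAMPLE_HTML, CLIENT_FILES.__getitem__, fake_server)


if __name__ == "__main__":
    for finding in sorted(run_demo()):
        print(*finding)
```

    Against the constructed data this reports the `item` parameter of `/api/track` for error disclosure and the `doc` parameter of `/cgi-bin/view` for unencoded reflection, while `user` produces nothing. In a real run the string-pool extraction would be replaced by a proper SWF tag or class-file constant-pool walk, and `send` by an HTTP client with rate limiting.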


    In-line website securing system with HTML processor and link verification
    13.
    Patent application
    In-line website securing system with HTML processor and link verification (pending, published)

    Publication number: US20060288220A1

    Publication date: 2006-12-21

    Application number: US11415794

    Filing date: 2006-05-01

    IPC class: H04L9/00

    CPC class: H04L63/02

    Abstract: A web application firewall (WAF) used to secure websites against many known and unknown vulnerabilities is described. In one embodiment, the WAF is installed between a server that is serving web content and the network over which clients access the website hosted on that server. The WAF is configured to provide security against external attacks by ensuring that the website receives only data it originally sent out, and that this data was not altered by a client. The WAF encodes outbound HTTP response data such that, when a client or interloper follows one of the links or other constructs in the response data, the WAF can determine the validity of the next client request. In one embodiment, each uniform resource locator (URL) link is encrypted and checked for validity when it is returned to the server via the WAF.
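    The encode-on-the-way-out, verify-on-the-way-back scheme the abstract describes, as an added example (not the patent's or any vendor's code). It assumes an HMAC tag appended to each link rather than the encryption the abstract mentions (the property shown, that only unaltered links the WAF itself emitted are admitted, is the same), a per-session binding so a token issued to one client cannot be replayed by another, and an assumed allowlist of entry pages (`ENTRY_POINTS`) that a client may request cold. `TOKEN_PARAM`, `LinkVerifyingWAF` and its methods are hypothetical names.

```python
"""Added example: a link-verifying WAF. Outbound HTML gets every same-site
href/action rewritten to carry a token; an inbound request is admitted only
if its token verifies for this session and exactly this path and query."""
import hashlib
import hmac
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TOKEN_PARAM = "_wt"        # assumed name of the token query parameter
ENTRY_POINTS = {"/"}       # assumed: pages a client may request without a token


class LinkVerifyingWAF:
    def __init__(self, key):
        self.key = key     # secret known only to the WAF

    def _tag(self, session_id, path, pairs):
        """Tag over session, path and the sorted query minus the token itself,
        so a token is valid only for the exact link handed to this session."""
        items = sorted((k, v) for k, v in pairs if k != TOKEN_PARAM)
        msg = "\x00".join([session_id, path, urlencode(items)]).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def sign_link(self, session_id, url):
        parts = urlsplit(url)
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        tag = self._tag(session_id, parts.path, pairs)
        return urlunsplit(parts._replace(
            query=urlencode(pairs + [(TOKEN_PARAM, tag)])))

    def encode_response(self, session_id, html):
        """Outbound: rewrite same-site href/action attributes. Absolute and
        protocol-relative (//host) links are off-site and left alone."""
        def repl(m):
            attr, url = m.group(1), m.group(2)
            if url.startswith("/") and not url.startswith("//"):
                url = self.sign_link(session_id, url)
            return '%s="%s"' % (attr, url)
        return re.sub(r'\b(href|action)="([^"]*)"', repl, html)

    def check_request(self, session_id, url):
        """Inbound: admit entry pages, or links whose single token verifies."""
        parts = urlsplit(url)
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        presented = [v for k, v in pairs if k == TOKEN_PARAM]
        if not presented:
            return parts.path in ENTRY_POINTS
        if len(presented) != 1:          # duplicated token parameter: reject
            return False
        expected = self._tag(session_id, parts.path, pairs)
        return hmac.compare_digest(presented[0], expected)


if __name__ == "__main__":
    waf = LinkVerifyingWAF(b"replace-with-a-random-32-byte-key")
    page = '<a href="/account?id=7">me</a> <form action="/transfer?to=9"></form>'
    out = waf.encode_response("sess-A", page)
    print(out)
    link = waf.sign_link("sess-A", "/account?id=7")
    print("genuine:", waf.check_request("sess-A", link))
    print("tampered:", waf.check_request("sess-A", link.replace("id=7", "id=8")))
    print("other session:", waf.check_request("sess-B", link))
```

    Two consequences worth noting when deploying this pattern: every legitimate way to reach the site that is not a link the WAF emitted (bookmarks, search engines, e-mailed URLs) has to be on the entry allowlist or it will be blocked, and POST bodies and client-side-generated URLs (JavaScript) need the same treatment as the href/action attributes rewritten here.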
