Abstract:
A system and method provide application penetration testing. The system contains logic configured to find at least one vulnerability in the application so as to gain access to data associated with the application, logic configured to confirm the vulnerability and determine if the application can be compromised, and logic configured to compromise and analyze the application by extracting or manipulating data from a database associated with the application. In addition, the method provides for penetration testing of a target by: receiving at least one confirmed vulnerability of the target; receiving a method for compromising the confirmed vulnerability of the target; installing a network agent on the target in accordance with the method, wherein the network agent allows a penetration tester to execute arbitrary operating system commands on the target; and executing the arbitrary operating system commands on the target to analyze risk to which the target may be exposed.
Abstract:
Method, system, and computer code for implementing security and privacy policy in a web application having an execution environment in which a representation of each object handled by the execution environment accommodates data and an associated tag. An inbound tagging rule is established for tagging inbound objects according to a respective source of each of the inbound objects. A tag is assigned to an object being operated on by the execution environment based on the inbound tagging rule. A security/privacy rule is established for performing security/privacy actions on outbound objects according to a respective tag of each of the outbound objects. A security/privacy action is performed on the object being operated on by the execution environment based on the security/privacy rule.
Abstract:
Method, system, and computer code for implementing privacy protection in a web application, wherein the web application is executed in a web application language execution environment within a web server, the method containing the steps of: establishing at least one inbound tagging rule for tagging objects entering the web application language execution environment, referred to as inbound objects, according to a respective source of each of the inbound objects; assigning a tag to at least one of the inbound objects being operated on by the web application language execution environment based on the at least one inbound tagging rule; establishing at least one privacy rule for performing privacy actions on at least one object that is outbound from the web application language execution environment, referred to as outbound objects, according to a respective tag of each of the outbound objects; and performing a privacy action on the at least one outbound object being operated on by the web application language execution environment based on the at least one privacy rule.
Abstract:
A method for protecting software is provided, where source code for the software has a first directive marking an encryption beginning point and a second directive marking an encryption end point. The method contains the steps of: processing the source code to identify a block of code between the first and second directives; compiling the source code to produce a binary file; generating a valid key and a random string; encrypting the random string with the key to obtain a first encrypted value; encrypting a portion of the binary file corresponding to the block of code with the valid key to obtain a second encrypted value; and replacing the portion of the binary file corresponding to the block of code with the second encrypted value and code that can decrypt the second encrypted value during execution of the software.
Abstract:
A system for providing automated computer security compromise as a service contains a web server having a web front end running on the web server. The web server has stored therein pentest definitions. A command and control component processes the pentest definitions, builds pentest task tickets and reporting task tickets, and monitors at least one penetration tester component and/or at least one report generator component. The command and control component interacts with a cloud computing environment to scale up or down the number of penetration tester components and the number of report generator components, and assigns task tickets to the penetration tester and report generator components. At least one penetration tester component runs penetration testing modules available inside the penetration testing framework as instructed by the pentest task tickets. At least one report generator component generates reports based on the reporting task tickets generated by the command and control service.