-
Publication No.: US09715592B2
Publication date: 2017-07-25
Application No.: US14885001
Application date: 2015-10-16
Applicant: SAP SE
Inventor: Luca Compagna, Avinash Sudhodanan, Roberto Carbone, Alessandro Armando
CPC classification number: G06F21/577, G06F11/00, G06F2221/033, H04L63/14, H04L63/1408, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1441, H04L63/145
Abstract: A security testing framework leverages attack patterns to generate test cases for evaluating the security of Multi-Party Web Applications (MPWAs). Attack patterns are structured artifacts capturing the key information needed to execute general-purpose attacker strategies. The patterns capture commonalities between attacks, e.g., abuse of security-critical parameter(s), and the attacker's strategy in relation to the protocol patterns associated with those parameters. A testing environment is configured to collect several varieties of HTTP traffic. User interaction with the MPWA while running security protocols is recorded. An inference module executes the recorded symbolic sessions, tagging elements in the HTTP traffic with labels. This labeled HTTP traffic is referenced to determine which attack patterns are to be applied, and which corresponding specific attack test cases are to be executed against the MPWA. Attacks are reported back to the tester for evaluation. Embodiments may be implemented with penetration testing tools in order to automate the execution of complex attacker strategies.
-
Publication No.: US20170109534A1
Publication date: 2017-04-20
Application No.: US14885001
Application date: 2015-10-16
Applicant: SAP SE
Inventor: Luca Compagna, Avinash Sudhodanan, Roberto Carbone, Alessandro Armando
CPC classification number: G06F21/577, G06F11/00, G06F2221/033, H04L63/14, H04L63/1408, H04L63/1416, H04L63/1425, H04L63/1433, H04L63/1441, H04L63/145
Abstract: A security testing framework leverages attack patterns to generate test cases for evaluating the security of Multi-Party Web Applications (MPWAs). Attack patterns are structured artifacts capturing the key information needed to execute general-purpose attacker strategies. The patterns capture commonalities between attacks, e.g., abuse of security-critical parameter(s), and the attacker's strategy in relation to the protocol patterns associated with those parameters. A testing environment is configured to collect several varieties of HTTP traffic. User interaction with the MPWA while running security protocols is recorded. An inference module executes the recorded symbolic sessions, tagging elements in the HTTP traffic with labels. This labeled HTTP traffic is referenced to determine which attack patterns are to be applied, and which corresponding specific attack test cases are to be executed against the MPWA. Attacks are reported back to the tester for evaluation. Embodiments may be implemented with penetration testing tools in order to automate the execution of complex attacker strategies.
-