Using fuzzy classification models to perform matching operations in a web application security scanner
    1.
    Granted patent (in force)

    Publication No.: US08621639B1

    Publication date: 2013-12-31

    Application No.: US13307382

    Filing date: 2011-11-30

    IPC class: G06F21/00

    CPC class: G06F11/3692

    Abstract: A system provides for fuzzy classification in comparisons of scanner responses. A web application test suite performs tests against a web application by sending client requests from a testing computer to the server running the web application and checking how the web application responds. A thorough web application security scan might involve thousands of checks and responses. As a result, some sort of programmatic analysis is needed. One such evaluation involves comparing one response against another. Response matching that compares two HTTP responses might use fuzzy classification processes.

    Pattern tracking and capturing human insight in a web application security scanner
    2.
    Granted patent (in force)

    Publication No.: US08789187B1

    Publication date: 2014-07-22

    Application No.: US11864787

    Filing date: 2007-09-28

    Abstract: An apparatus and method of managing vulnerability testing of a web application is provided for running a set of one or more scripted tests against a web application, recording results of the one or more scripted tests, providing an interface for a human evaluator to review the recorded results, and accepting from the human evaluator custom test parameters based on observations of the recorded results, wherein the custom test parameters include at least one context usable by a future tester in deciding whether to run the custom test, and also include at least one instruction for automatically running the custom test steps of the custom test.

    Automated login session extender for use in security analysis systems
    3.
    Granted patent (in force)

    Publication No.: US08341711B1

    Publication date: 2012-12-25

    Application No.: US12267235

    Filing date: 2008-11-07

    IPC class: H04L29/06

    Abstract: A web application security scanner (WASS) includes a login manager configured to perform an automated login to a web site. The automated login may be performed when the login manager detects that a login session has ended. The login manager is configured to determine credentials for the web site to allow the WASS to access the web site. The WASS may then use the credentials to continue scanning the web site. Thus, previously unscannable web pages in the web site may be accessed because of the automated login process.

    Method and apparatus for managing security vulnerability lifecycles
    4.
    Granted patent (in force)

    Publication No.: US09239745B1

    Publication date: 2016-01-19

    Application No.: US11864712

    Filing date: 2007-09-28

    IPC class: G06F11/00

    Abstract: Vulnerability testing of a web application can be done using external testing, wherein an external test system runs with the permissions of a user of the web application and interacts with the web application over a network. The external test system might obtain a schedule for a vulnerability test, execute the schedule, log at least portions of the web application's responses to the test system's interactions, and compare portions of those responses to expected possible responses associated with particular possible vulnerabilities of the web application, thereby detecting possible vulnerabilities. For at least one detected possible vulnerability, it generates a retest script that comprises at least instructions to place the web application in a state at least similar to the state in which that vulnerability was detected during execution of the schedule, and instructions to interact with the web application in an attempt to recreate the detection without requiring re-execution of the schedule.
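
The retest-script idea in this abstract is the part worth seeing in code: a full scheduled scan logs responses and matches them against an expected indicator, and each finding is turned into a minimal replay that contains only the state-establishing steps plus the triggering request, so the finding can be re-checked (and later closed) without re-running the schedule. The following is an added example written for this page, not code from the patent or its assignee. FakeApp, the login credentials, the reflected parameter q and the XSS probe string are constructed for the demo; the explicit "state" flag on schedule steps stands in for whatever inference a real scanner uses to decide which steps change server-side state.

```python
import html
import json


class FakeApp:
    """Constructed target (not a real service): a login step establishes a
    session, and /search reflects the q parameter. escape_output=True stands
    in for the developer's fix."""

    def __init__(self, escape_output=False):
        self.escape_output = escape_output
        self.sessions = set()

    def handle(self, request, cookies):
        path = request["path"]
        params = request.get("params", {})
        if path == "/login":
            if params.get("user") == "tester" and params.get("pass") == "pw":
                cookies["SID"] = "s1"
                self.sessions.add("s1")
                return 200, "welcome"
            return 403, "denied"
        if cookies.get("SID") not in self.sessions:
            return 401, "login required"
        if path == "/search":
            q = params.get("q", "")
            shown = html.escape(q) if self.escape_output else q
            return 200, "<p>Results for " + shown + "</p>"
        return 200, "home"


# Marker whose unescaped reflection is the "expected possible response" for a
# reflected-XSS finding. Chosen for the example.
PROBE = "<svg onload=alert(1)>"

# The schedule. The 'state' flag marks steps that change server-side state and
# so must be replayed before the trigger; a scanner would infer this (e.g. from
# Set-Cookie or form submissions), here it is given explicitly (assumption).
SCHEDULE = [
    {"path": "/login", "params": {"user": "tester", "pass": "pw"}, "state": True},
    {"path": "/", "state": False},
    {"path": "/search", "params": {"q": PROBE}, "state": False},
]


def indicates_vulnerability(body):
    return PROBE in body


def make_retest_script(schedule, detected_at):
    """Minimal replay: only state-changing steps before the trigger, then the
    trigger itself, plus the indicator to look for."""
    setup = [s for s in schedule[:detected_at] if s.get("state")]
    return json.dumps({"setup": setup, "trigger": schedule[detected_at],
                       "indicator": PROBE})


def run_schedule(app, schedule):
    """Full scheduled scan: log every response, emit a retest script per finding."""
    cookies, log, retests = {}, [], []
    for i, step in enumerate(schedule):
        status, body = app.handle(step, cookies)
        log.append({"step": i, "path": step["path"], "status": status, "body": body[:200]})
        if indicates_vulnerability(body):
            retests.append(make_retest_script(schedule, i))
    return log, retests


def run_retest(app, script_json):
    """Reproduce one finding without re-running the whole schedule."""
    script = json.loads(script_json)
    cookies = {}
    for step in script["setup"]:
        app.handle(step, cookies)
    _, body = app.handle(script["trigger"], cookies)
    return script["indicator"] in body


if __name__ == "__main__":
    log, retests = run_schedule(FakeApp(), SCHEDULE)
    print(len(retests), "finding(s)")
    print("still open:", run_retest(FakeApp(), retests[0]))
    print("after fix :", run_retest(FakeApp(escape_output=True), retests[0]))
```

The retest script is a plain JSON document, so it can be stored with the finding and handed to a developer or a CI job; running it against the fixed application returns False, which is the signal to move the vulnerability to "closed" in its lifecycle. Note that the reconnaissance step ("/") is dropped from the replay because it changes no state.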

    Automatic response culling for web application security scan spidering process
    5.
    Granted patent (in force)

    Publication No.: US08370929B1

    Publication date: 2013-02-05

    Application No.: US11864749

    Filing date: 2007-09-28

    IPC class: G06F11/00

    Abstract: A method of testing a web application, wherein a web application is a program that operates on a server and interacts with clients that access the program over a network, and wherein the web application accepts parameters that define the results it generates. The method comprises determining which web application uniform resource identifiers (URIs) are used to access various web applications on a system, determining whether more than a threshold number of the URIs are for a common web application, selecting a subset of fewer than all of the URIs for that common web application when the threshold is exceeded, wherein the subset is selected at least in part independently of the order in which the URIs were generated, and performing a security scan on the selected subset.
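
The culling step described above has two parts a practitioner should be able to reproduce: deciding that many crawled URIs are really one web application (same host and path, same parameter names, different values) and, once a group exceeds the threshold, picking a subset in a way that does not depend on crawl order. The code below is an added example for this page, not the patent's or any product's implementation. The grouping rule, the threshold and keep counts, the digest-based ranking and the shop.example URIs are all assumptions made for the demo.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl


def app_signature(uri):
    """URIs that differ only in parameter *values* are treated as entry points
    to the same web application: same host, same path, same parameter names."""
    parts = urlsplit(uri)
    names = tuple(sorted(name for name, _ in parse_qsl(parts.query, keep_blank_values=True)))
    return parts.netloc, parts.path, names


def cull(uris, threshold=5, keep=3):
    """Group crawled URIs by application; where a group exceeds `threshold`,
    scan only `keep` of them, chosen by digest rank rather than crawl order so
    that the choice does not depend on which links the spider saw first."""
    groups = {}
    for uri in uris:
        groups.setdefault(app_signature(uri), []).append(uri)

    selected = []
    for members in groups.values():
        unique = sorted(set(members))
        if len(unique) > threshold:
            ranked = sorted(unique, key=lambda u: hashlib.sha256(u.encode()).hexdigest())
            selected.extend(ranked[:keep])
        else:
            selected.extend(unique)
    return sorted(selected)


# Constructed crawl output (no real site): one catalogue page reached through
# twelve parameter values, plus two unrelated pages.
CRAWLED = (
    [f"https://shop.example/product?id={i}&lang=en" for i in range(1, 13)]
    + ["https://shop.example/cart", "https://shop.example/login?next=%2Fcart"]
)

if __name__ == "__main__":
    for uri in cull(CRAWLED):
        print(uri)
```

Ranking by a digest of the URI gives a selection that is reproducible between scans and indifferent to link order, which matters because crawl order is biased toward whatever the first pages link to. The caveat is the one the abstract implies: culling trades coverage for time, and the parameter value that triggers a bug (an admin record id, a value that hits a different code path) may be among the URIs dropped, so the threshold should be chosen per application rather than globally.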

    Using fuzzy classification models to perform matching operations in a web application security scanner
    6.
    Granted patent (in force)

    Publication No.: US08087088B1

    Publication date: 2011-12-27

    Application No.: US11864736

    Filing date: 2007-09-28

    CPC class: G06F11/3692

    Abstract: A system provides for fuzzy classification in comparisons of scanner responses. A web application test suite performs tests against a web application by sending client requests from a testing computer to the server running the web application and checking how the web application responds. A thorough web application security scan might involve thousands of checks and responses. As a result, some sort of programmatic analysis is needed. One such evaluation involves comparing one response against another. Response matching that compares two HTTP responses might use fuzzy classification processes.
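
Entries 1 and 6 share this abstract, and the point of both is that two HTTP responses from the same page are rarely byte-identical (dates, request ids, counters and session tokens change), so a scanner cannot decide "same page" or "different behaviour" with a plain string comparison. The example below is added for this page and is not the patented method or any product's code: it normalizes volatile content, scores status line, stable headers and body separately, and gives a three-way verdict (same, different, uncertain) rather than a boolean. The volatile patterns, the weights, the thresholds and the sample responses are all assumptions constructed for the demo.

```python
import re
from difflib import SequenceMatcher

# Content that legitimately varies between two otherwise identical responses.
# These patterns are an assumption for the example; a scanner would learn or
# tune them per target. Order matters: timestamps and long hex tokens are
# replaced before bare digits.
VOLATILE_BODY = [
    (re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}"), "<TS>"),
    (re.compile(r"\b[0-9a-fA-F]{16,}\b"), "<HEX>"),
    (re.compile(r"\b\d+\b"), "<N>"),
    (re.compile(r"\s+"), " "),
]
VOLATILE_HEADERS = {"date", "set-cookie", "etag", "expires", "last-modified",
                    "x-request-id", "content-length"}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def normalize_body(body):
    for pattern, placeholder in VOLATILE_BODY:
        body = pattern.sub(placeholder, body)
    return body.strip()


def response_similarity(raw_a, raw_b):
    """Weighted score in [0, 1]: status line, stable headers, normalized body.
    A status mismatch alone caps the score at 0.6 (weights are assumptions)."""
    status_a, headers_a, body_a = parse_response(raw_a)
    status_b, headers_b, body_b = parse_response(raw_b)
    status_score = 1.0 if status_a == status_b else 0.0
    stable_a = {k: v for k, v in headers_a.items() if k not in VOLATILE_HEADERS}
    stable_b = {k: v for k, v in headers_b.items() if k not in VOLATILE_HEADERS}
    keys = set(stable_a) | set(stable_b)
    header_score = (sum(stable_a.get(k) == stable_b.get(k) for k in keys) / len(keys)
                    if keys else 1.0)
    body_score = SequenceMatcher(None, normalize_body(body_a), normalize_body(body_b)).ratio()
    return 0.4 * status_score + 0.1 * header_score + 0.5 * body_score


def classify(raw_a, raw_b, same_at=0.9, different_at=0.6):
    """Three-way fuzzy verdict instead of a byte-exact comparison."""
    score = response_similarity(raw_a, raw_b)
    if score >= same_at:
        return "same", score
    if score <= different_at:
        return "different", score
    return "uncertain", score


# Constructed sample responses (not captured from any real site).
BASELINE = ("HTTP/1.1 200 OK\r\nDate: Tue, 01 Jan 2013 10:00:00 GMT\r\n"
            "Content-Type: text/html\r\nX-Request-Id: 9f8e7d6c5b4a3f2e\r\n\r\n"
            "<html><body><h1>Account</h1><p>Balance: 1520</p>"
            "<p>Generated 2013-01-01 10:00:00</p></body></html>")
REPEAT = ("HTTP/1.1 200 OK\r\nDate: Wed, 02 Jan 2013 08:15:42 GMT\r\n"
          "Content-Type: text/html\r\nX-Request-Id: 0011223344556677\r\n\r\n"
          "<html><body><h1>Account</h1><p>Balance: 1521</p>"
          "<p>Generated 2013-01-02 08:15:42</p></body></html>")
ERROR = ("HTTP/1.1 500 Internal Server Error\r\nDate: Wed, 02 Jan 2013 08:15:43 GMT\r\n"
         "Content-Type: text/html\r\n\r\n"
         "<html><body><h1>Error</h1><p>You have an error in your SQL syntax</p></body></html>")

if __name__ == "__main__":
    print(classify(BASELINE, REPEAT))   # same page, only volatile parts changed
    print(classify(BASELINE, ERROR))    # injected request produced a different response
```

The "uncertain" band is deliberate: a scanner that only has same/different will either flood the report with false positives from dynamic pages or miss subtle differences such as a boolean-based blind injection, and the uncertain cases are exactly the ones worth a second request or a human look.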

    Automated login session extender for use in security analysis systems
    7.
    Patent application (in force)

    Publication No.: US20060048214A1

    Publication date: 2006-03-02

    Application No.: US11210351

    Filing date: 2005-08-23

    IPC class: H04L9/32

    Abstract: A web application security scanner (WASS) includes a login manager configured to perform an automated login to a web site. The automated login may be performed when the login manager detects that a login session has ended. The login manager is configured to determine credentials for the web site to allow the WASS to access the web site. The WASS may then use the credentials to continue scanning the web site. Thus, previously unscannable web pages in the web site may be accessed because of the automated login process.
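
Entries 3 and 7 describe the same login manager. The two mechanics a practitioner needs are the detection of a session that has ended (the server redirecting to the login page, or serving the login form instead of the requested content) and a bounded re-login so the scan continues with a fresh session. The following is an added example written for this page, not the patented login manager or any scanner's code. FakeSite, the SID cookie, the credentials, the session expiry rule and the /login path are constructed assumptions for the demo.

```python
import re


class FakeSite:
    """Constructed target (not a real server): POST /login issues a cookie
    session that expires after `session_ttl` requests; unauthenticated or
    expired requests are redirected to /login."""

    def __init__(self, session_ttl=3):
        self.session_ttl = session_ttl
        self.remaining = {}      # session id -> requests left before expiry
        self.issued = 0

    def request(self, method, path, cookies=None, data=None):
        if method == "POST" and path == "/login":
            if data == {"user": "scanner", "pass": "s3cret"}:
                self.issued += 1
                sid = f"sid{self.issued}"
                self.remaining[sid] = self.session_ttl
                return 302, {"Location": "/account", "Set-Cookie": f"SID={sid}; Path=/; HttpOnly"}, ""
            return 200, {}, "<form action=\"/login\" method=\"post\">bad credentials</form>"
        sid = (cookies or {}).get("SID")
        if self.remaining.get(sid, 0) <= 0:
            return 302, {"Location": "/login"}, ""
        self.remaining[sid] -= 1
        return 200, {}, f"<html>{path} as {sid}</html>"


class LoginManager:
    """Detects that the session ended and re-authenticates transparently."""

    def __init__(self, site, credentials, login_path="/login"):
        self.site = site
        self.credentials = credentials
        self.login_path = login_path
        self.cookies = None
        self.logins = 0

    def session_ended(self, status, headers, body):
        # Two common signals: a redirect to the login page, or a login form
        # served in place of the requested content.
        location = headers.get("Location", "")
        if status in (301, 302, 303, 307, 308) and location.split("?")[0].rstrip("/") == self.login_path:
            return True
        form = r"<form[^>]+action=[\"']?" + re.escape(self.login_path)
        return re.search(form, body, re.IGNORECASE) is not None

    def login(self):
        status, headers, body = self.site.request("POST", self.login_path, data=self.credentials)
        match = re.match(r"SID=([^;]+)", headers.get("Set-Cookie", ""))
        if status != 302 or not match:
            raise RuntimeError("login failed; check credentials or login flow")
        self.cookies = {"SID": match.group(1)}
        self.logins += 1

    def fetch(self, path, max_relogins=1):
        # Bounded retry: a page that always bounces to /login (or a logout
        # link) must not become an endless login loop.
        for _ in range(max_relogins + 1):
            if self.cookies is None:
                self.login()
            status, headers, body = self.site.request("GET", path, cookies=self.cookies)
            if not self.session_ended(status, headers, body):
                return status, body
            self.cookies = None
        raise RuntimeError(f"session could not be re-established for {path}")


def scan(site, paths):
    """Crawl every path through the login manager; report statuses and logins."""
    manager = LoginManager(site, {"user": "scanner", "pass": "s3cret"})
    statuses = [manager.fetch(p)[0] for p in paths]
    return statuses, manager.logins


if __name__ == "__main__":
    print(scan(FakeSite(session_ttl=3), [f"/page{i}" for i in range(8)]))
```

With a three-request session the eight-page scan logs in three times and every page still comes back 200. Two operational cautions follow from the design: the spider must be told not to follow the site's logout link (otherwise every crawl of that link ends the session and forces a re-login), and the credentials should belong to a dedicated test account, since a re-login loop against a misconfigured target can lock a real user out.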

    System for detecting vulnerabilities in web applications using client-side application interfaces
    8.
    Patent application (in force)

    Publication No.: US20060195588A1

    Publication date: 2006-08-31

    Application No.: US11339373

    Filing date: 2006-01-24

    IPC class: G06F15/16

    Abstract: An improved method and apparatus for client-side web application analysis is provided. Client-side web application analysis involves determining and testing, using client-side application interfaces and the like, data input points, and analyzing client requests and server responses. In one embodiment, a security vulnerability analyzer is employed to analyze web page content for client-side application files, such as Flash files and Java applets, extract web addresses and data parameters embedded in the client-side application file, and modify the data parameters according to user-defined test criteria. The modified data parameters are transmitted as part of a request to the respective web server used to service the client-side application files. The security vulnerability analyzer analyzes the response from the server to ascertain whether there are any security vulnerabilities associated with the interface between the client-side application file and the web server.

    SYSTEM FOR DETECTING VULNERABILITIES IN WEB APPLICATIONS USING CLIENT-SIDE APPLICATION INTERFACES
    9.
    Patent application (in force)

    Publication No.: US20130055403A1

    Publication date: 2013-02-28

    Application No.: US13595829

    Filing date: 2012-08-27

    IPC class: G06F21/00

    Abstract: An improved method and apparatus for client-side web application analysis is provided. Client-side web application analysis involves determining and testing, using client-side application interfaces and the like, data input points, and analyzing client requests and server responses. In one embodiment, a security vulnerability analyzer is employed to analyze web page content for client-side application files, such as Flash files and Java applets, extract web addresses and data parameters embedded in the client-side application file, and modify the data parameters according to user-defined test criteria. The modified data parameters are transmitted as part of a request to the respective web server used to service the client-side application files. The security vulnerability analyzer analyzes the response from the server to ascertain whether there are any security vulnerabilities associated with the interface between the client-side application file and the web server.

    System for detecting vulnerabilities in applications using client-side application interfaces
    10.
    Granted patent (in force)

    Publication No.: US08893282B2

    Publication date: 2014-11-18

    Application No.: US13595829

    Filing date: 2012-08-27

    IPC classes: G06F12/16, H04L29/06, G06F21/53

    Abstract: An improved method and apparatus for client-side application analysis is provided. Client-side application analysis involves determining and testing, using client-side application interfaces and the like, data input points, and analyzing client requests and server responses. A security vulnerability analyzer can be employed to analyze content for client-side application files, such as Flash files and Java applets, extract addresses and data parameters embedded in the client-side application file, and modify the data parameters according to user-defined test criteria. The modified data parameters are transmitted as part of a request to the respective server used to service requests from the client-side application files. The security vulnerability analyzer analyzes the response from the server to ascertain whether there are any security vulnerabilities associated with the interface between the client-side application file and the server.
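
Entries 8, 9 and 10 share this abstract. The reason the technique matters is that a compiled client-side file (a Flash movie, an applet, today a bundled JavaScript or mobile binary) calls server endpoints a link-following spider never sees, so the scanner has to pull the URLs and their parameters out of the file itself and then mutate them. The code below is an added example for this page, not the patented analyzer or any product's code: it extracts embedded URLs from an opaque byte blob, splits out the query parameters, and builds one test request per parameter and payload. SAMPLE_BLOB, the api.example.com endpoints and the payload set are constructed assumptions; a real SWF or class file would be parsed into its string constants first, which is out of scope here. The response side of the analysis is what the fuzzy matcher on this page is for.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Absolute URLs embedded as string constants in a compiled client-side file.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Constructed stand-in for a client-side application file (not a real SWF or
# applet): opaque bytes with NUL-terminated string constants, which is how
# such files carry the endpoints they call.
SAMPLE_BLOB = (
    b"FWS\x0a\x00\x00\x00\x00" + b"\x00" * 12
    + b"https://api.example.com/v1/quote?symbol=ACME&currency=USD\x00"
    + b"\x01\x02\x03"
    + b"http://api.example.com/v1/export?fmt=csv&id=1337\x00"
    + b"\xff\xfe"
    + b"https://api.example.com/v1/status\x00"
)

# User-defined test criteria: one payload per vulnerability class (assumed).
PAYLOADS = {
    "sqli": "' OR '1'='1",
    "xss": "<svg onload=alert(1)>",
    "traversal": "../../../../etc/passwd",
}


def extract_endpoints(blob):
    """Return [(url, [(name, value), ...])] for every URL found in the blob."""
    endpoints = []
    for match in URL_RE.finditer(blob):
        url = match.group(0).decode("ascii", "ignore")
        parts = urlsplit(url)
        params = parse_qsl(parts.query, keep_blank_values=True)
        endpoints.append((url, params))
    return endpoints


def mutate(url, params, payloads=PAYLOADS):
    """One request per (parameter, payload); a single value changes at a time
    so a response difference can be attributed to that parameter."""
    parts = urlsplit(url)
    for index, (name, _) in enumerate(params):
        for label, payload in payloads.items():
            mutated = list(params)
            mutated[index] = (name, payload)
            yield {"param": name, "test": label,
                   "url": urlunsplit(parts._replace(query=urlencode(mutated)))}


def plan_tests(blob):
    """Test plan for every parameterised endpoint the client-side file talks to."""
    return [req for url, params in extract_endpoints(blob) for req in mutate(url, params)]


if __name__ == "__main__":
    for req in plan_tests(SAMPLE_BLOB):
        print(req["param"], req["test"], req["url"])
```

Two of the three recovered endpoints carry parameters, so the plan has twelve requests; the parameterless /v1/status endpoint is still worth recording as an input point even though this pass mutates nothing on it. Because the payloads are URL-encoded by urlencode, the server sees the intended characters rather than a broken query string, which is the usual reason hand-built mutation requests silently fail.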