DETECTION OF DOM-BASED CROSS-SITE SCRIPTING VULNERABILITIES
    Invention patent application (status: pending, published)

    Publication number: US20130111595A1

    Publication date: 2013-05-02

    Application number: US13447904

    Filing date: 2012-04-16

    IPC classification: G06F21/00

    Abstract: Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.

BLACK-BOX TESTING OF WEB APPLICATIONS WITH CLIENT-SIDE CODE EVALUATION
    Invention patent application (status: granted)

    Publication number: US20130007885A1

    Publication date: 2013-01-03

    Application number: US13170839

    Filing date: 2011-06-28

    IPC classification: G06F21/00

    Abstract: Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions.

INJECTION CONTEXT BASED STATIC ANALYSIS OF COMPUTER SOFTWARE APPLICATIONS
    Invention patent application (status: granted)

    Publication number: US20110321016A1

    Publication date: 2011-12-29

    Application number: US12825293

    Filing date: 2010-06-28

    IPC classification: G06F11/36 G06F9/44

    Abstract: Embodiments of the invention generally relate to injection context based static analysis of computer software applications. Embodiments of the invention may include selecting a sink within a computer software application, tracing a character output stream leading to the sink within the computer software application, determining an injection context of the character output stream at the sink, where the injection context is predefined in association with a state of the character output stream at the sink, identifying any actions that have been predefined in association with the identified injection context, and providing a report of the actions.

AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING

    Publication number: US20130205398A1

    Publication date: 2013-08-08

    Application number: US13367633

    Filing date: 2012-02-07

    IPC classification: G06F21/00

    Abstract: Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.

AUTOMATIC CLASSIFICATION OF SECURITY VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS
    Invention patent application (status: granted)

    Publication number: US20140075560A1

    Publication date: 2014-03-13

    Application number: US13609320

    Filing date: 2012-09-11

    IPC classification: G06F21/00

    CPC classification: G06F21/577

    Abstract: Automatically classifying security vulnerabilities in computer software applications by identifying candidate security vulnerabilities in a learning set including at least a first computer software application, classifying each of the candidate security vulnerabilities using predefined classifications, determining, for each of the candidate security vulnerabilities, values for predefined properties, creating a set of correlations between the property values and the classifications of the candidate security vulnerabilities, identifying a candidate security vulnerability in a second computer software application, determining, for the candidate security vulnerability in the second computer software application, values for the predefined properties, and using the set of correlations to classify the candidate security vulnerability in the second computer software application with a classification from the predefined classifications that best correlates with the property values of the candidate security vulnerability in the second computer software application.

AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING
    Invention patent application (status: granted)

    Publication number: US20130205399A1

    Publication date: 2013-08-08

    Application number: US13563376

    Filing date: 2012-07-31

    IPC classification: G06F21/00

    Abstract: Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.

DETECTION OF SECOND ORDER VULNERABILITIES IN WEB SERVICES
    Invention patent application (status: pending, published)

    Publication number: US20130167239A1

    Publication date: 2013-06-27

    Application number: US13430002

    Filing date: 2012-03-26

    IPC classification: G06F21/00

    Abstract: A method of detecting a vulnerability in a Web service can include determining, using a processor, whether a Web service uses identity of a requester to select one of a plurality of different paths of a branch in program code of the Web service. The method further can include, responsive to determining that the Web service does select one of a plurality of different paths of a branch according to identity of the requester, indicating that the Web service has a potential vulnerability.