News Column

"Identifying Stored Security Vulnerabilities in Computer Software Applications" in Patent Application Approval Process

August 7, 2014



By a News Reporter-Staff News Editor at Computer Weekly News -- A patent application by the inventors TRIPP, OMER (HAR-ADAR, IL); WEISMAN, OMRI (TEL-AVIV, IL), filed on January 17, 2013, was made available online on July 24, 2014, according to news reporting originating from Washington, D.C., by VerticalNews correspondents.

This patent application is assigned to International Business Machines Corporation.

The following quote was obtained by the news editors from the background information supplied by the inventors: "Computer software applications, and particularly web applications, are often the target of malicious attacks. In one type of malicious attack known as stored cross-site scripting ('stored XSS'), an attacker provides a malicious payload as input to a web application which then stores the malicious payload, where a subsequent interaction with the web application results in the malicious payload causing unwanted or unauthorized actions to be performed. For example, a malicious payload may be in the form of JavaScript™ instructions included in a message that is provided by an attacker's computer as input to a web-based message board application, where the application then stores the message for later retrieval. The stored XSS attack succeeds when a client computer subsequently interacts with the application and receives the stored JavaScript™ instructions from the application, whereupon the JavaScript™ instructions are executed at the client computer, causing unwanted or unauthorized actions to be performed at or by the client computer.

"Computer software applications are often tested during their development to determine whether they are vulnerable to such malicious attacks or otherwise show signs of security vulnerabilities. One such type of testing, known as 'black-box' testing, involves executing an application, interacting with the application's interfaces, such as by using known forms of malicious attacks, and then searching for evidence that an interaction exposed a known type of vulnerability. Unfortunately, black-box testing tools have had only limited success determining whether applications are vulnerable to stored attacks."

In addition to the background information obtained for this patent application, VerticalNews journalists also obtained the inventors' summary information for this patent application: "In one aspect of the invention a method is provided for identifying stored security vulnerabilities in computer software applications, the method including providing via a first interface of a computer software application during execution of the computer software application and using a processor, test data having a characteristic of a malicious payload, where an interaction performed with the first interface results in data written to a location within a persistent data store, and where an interaction performed with a second interface of the computer software application results in data read from the location within the persistent data store, and identifying a stored security vulnerability associated with the computer software application if the test data are written to the persistent data store at the location.

"In another aspect of the invention a method is provided for identifying stored security vulnerabilities in computer software applications, the method including detecting, responsive to an interaction performed with a first interface of a computer software application during execution of the computer software application and using a processor, an interaction with a persistent data store at a location within the persistent data store, detecting, responsive to an interaction performed with a second interface of the computer software application during execution of the computer software application, an interaction with the persistent data store at the location within the persistent data store, recording an association between the first interface and the second interface, where during one of the interactions with the persistent data store data are written to the persistent data store at the location, and where during the other of the interactions with the persistent data store the data are read from the location within the persistent data store, providing to the computer software application during execution of the computer software application, via any of the interfaces indicated by the association, test data having a characteristic of a malicious payload, and identifying a stored security vulnerability associated with the computer software application if the test data are written to the persistent data store at the location.

"Systems and computer program products embodying the invention are also provided.

BRIEF DESCRIPTION OF THE DRAWINGS

"The invention will be understood and appreciated more fully from the following detailed description taken in conjunction with the appended drawings in which:

"FIG. 1 is a simplified conceptual illustration of a system for identifying stored security vulnerabilities in computer software applications, constructed and operative in accordance with an embodiment of the invention;

"FIG. 2 is a simplified flowchart illustration of an exemplary method of operation of the system of FIG. 1, operative in accordance with an embodiment of the invention; and

"FIG. 3 is a simplified block diagram illustration of an exemplary hardware implementation of a computing system, constructed and operative in accordance with an embodiment of the invention."
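The two-phase method the quoted summary describes (record which interface writes and which interface reads each persistent-store location, then resend test data with the characteristic of a malicious payload through the writing interface and flag a stored vulnerability if it lands at that location) is sketched below in Python as an added illustration; it is not code from the patent or from IBM. The message-board application, the instrumented store wrapper and the probe string are all constructed for this example.

```python
import html


class InstrumentedStore:
    """Dict-backed persistent store that records which interface wrote and read each location."""

    def __init__(self):
        self.data, self.writes, self.reads, self.current_interface = {}, {}, {}, None

    def write(self, location, value):
        self.data[location] = value
        self.writes[location] = self.current_interface  # writing interface for this location

    def read(self, location):
        self.reads.setdefault(location, set()).add(self.current_interface)  # reading interfaces
        return self.data.get(location, "")


class MessageBoard:
    """Constructed toy web app: one interface stores a message, another returns it."""

    def __init__(self, store, sanitize=False):
        self.store, self.sanitize = store, sanitize

    def post_message(self, text):  # first interface: writes to the store
        self.store.current_interface = "post_message"
        self.store.write("messages/latest", html.escape(text) if self.sanitize else text)

    def view_messages(self):  # second interface: reads from the same location
        self.store.current_interface = "view_messages"
        return self.store.read("messages/latest")


# Constructed test data with the characteristic of a script payload; the unique token makes it findable.
PROBE = "<script>probe_12345</script>"


def find_stored_vulns(app, store):
    """Phase 1: exercise the interfaces with benign input and record write/read associations.
    Phase 2: resend the test data through each writing interface whose location is also read
    by another interface, and report a stored vulnerability if it is stored verbatim."""
    app.post_message("hello")
    app.view_messages()
    findings = []
    for location, writer in list(store.writes.items()):
        readers = store.reads.get(location, set()) - {writer}
        if not readers:
            continue  # written but never read back through a different interface
        getattr(app, writer)(PROBE)
        if store.data.get(location) == PROBE:
            findings.append((writer, sorted(readers), location))
    return findings
```

With `sanitize=True` the application escapes on write, so the probe never reaches the store verbatim and no finding is reported.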

For the URL and more information on this patent application, see: TRIPP, OMER; WEISMAN, OMRI. Identifying Stored Security Vulnerabilities in Computer Software Applications. Filed January 17, 2013 and posted July 24, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=38&p=1&f=G&l=50&d=PG01&S1=20140717.PD.&OS=PD/20140717&RS=PD/20140717

Keywords for this news article include: Software, JavaScript, International Business Machines Corporation.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC





Source: Computer Weekly News

