The patent's inventors are Pennington, William (
This patent was filed on
From the background information supplied by the inventors, news correspondents obtained the following quote: "There are a number of different configurations of network client-server interfaces available today, but the most common network in use is the Internet, a global internetwork of networks and networks that use Internet protocols and/or interfaces, such as extranets, intranets, local services, and other variations. In the general case, to which inventions described herein apply, clients connect to servers over the network and clients are not always trusted computers. As a result, the designers of the servers need to ensure that untrusted clients cannot perform malicious acts or access unauthorized portions of the server through the network.
"One approach to ensure that servers cannot be accessed in an unauthorized manner is to only provide access to secured and trusted clients. However, in many situations, that is not possible. For example, if a merchant was running an on-line store, the merchant would want to allow most anyone who has a computer to access the servers providing the on-line store functionality, but do so in a way that still prevents unauthorized interactions with the servers.
"Server security is more than just requiring a username and password from each client before responding to client requests, since even a logged in user might try for unauthorized access and a typical service provided by a server might include content and functionality for use by unauthenticated and unlogged-in clients. One approach to server security is to review all of the code that runs on the server and verify that it does not include statements that allow for unauthorized activity and review all the files present on the server and their respective permissions, side-effects, etc. While this might be practical for a small installation, say an FTP server that serves up predefined files to all corners, it is often not practical with complex, interactive applications that have many response modes.
"One common use of servers in this environment, but not an exclusive use, is that of a web application. As used herein, 'web' refers to a collection of documents/files, some of which have references, or links, to other documents/files in the collection. One example of a web is the World Wide Web ('WWW'), a collection of files served up by WWW servers (also called 'web servers') using HTTP protocols or something similar. The 'WWW' gets its name from the fact that most of these documents/files can be almost anywhere in the world and can be accessed anywhere in the world where there is Internet connectivity.
"A web application is an application that runs on one or more server and provides some functionality or service in response to client requests received over a network using web protocols (i.e., HTTP, HTTPS, or something similar). An example of a web application is a database interface, wherein a database runs on a database system and clients can access data in that database system by sending a request for service over the network to a web application server. The web application server receives the request for service and decides, according to how it is programmed, what to do with the request. It can ignore the request, send an error message back to the client, or trigger an operation with the database system and respond to the client's request by sending the client the results of the database operation.
"In a highly specific example, suppose a client computer system is operated by a customer seeking to configure and purchase a laptop computer. The customer would direct the client computer system to access a web application server operated by a vendor of laptop computers. The client computer system might send a request to the web application server via the network requesting a home page of the vendor. The web application server might respond with a home page that includes features allowing the client to interact with content on the home page (such as by selecting from available model names, features, etc.), send a subsequent request to the server, etc.
"All the while, the web application server is making decisions about what is appropriate to send and what is not appropriate to send, based on its programming. For example, if the client computer sends a request for an updated page with updated pricing for new options selected by the customer, the web application server might perform some calculations, perform some database look-ups, generate a new dynamic web page and return that web page to the client computer in response to the request. However, if the client computer sends a request to see data about what someone else ordered, or internal data from the database server, the web application should properly refuse to respond to the request.
"Because web applications are so complex, securing a web application and testing for security vulnerabilities, often involves an automated testing of the web application. Client-side web application testing refers to tests that are run from a client's point of view. For example, a client-side test suite might have logic for logging in to a web application, applying valid and invalid requests to the web application, noting the web application's responses and evaluating those responses. For example, if the test suite sends a request to the web application for ordering products where the prices have been altered and the response is 'invalid order', the test suite might note that the web application is secure in that regard, but if the response is 'thank you for your order', the test suite might note that the web application is not secure.
"While it is a simple matter for test personnel to look at the response that a web application sends to a request and determine whether the response was appropriate or indicates a security vulnerability, it is more difficult to program a system to automatically programmatically assess a response and determine whether it is a security vulnerability.
"In view of the above, the inventions described herein provide improvements over existing approaches."
Supplementing the background information on this patent, VerticalNews reporters also obtained the inventors' summary information for this patent: "Embodiments of the present invention provide for gathering human insights as to potential security vulnerabilities and structure data storage to contain data supporting recordations of those insights in such a way that later security scans can use that data to trigger an analysis by computer or human when conditions are met that represent the human insight.
"In specific embodiments, apparatus and methods of managing vulnerability testing of a web application are provided for running a set of one or more scripted tests against a web application, recording results of the one or more scripted tests, providing an interface for a human evaluator to review the recorded results, and accepting from the human evaluator custom test parameters based on observations of the recorded results, wherein custom test parameters include at least one context usable by a future tester in deciding whether to run the custom test, and also includes at least one instruction for automatically running custom test steps of the custom test.
"In a specific example, a test suite provides a tester with an interface to enter in details of a custom test of an application. Thus, when a tester is executing manual tests on a web application to test for potential security vulnerabilities and the tester notices some indicators of a potential weakness, the tester might perform additional tests, but might also enter a custom test record into the data storage for custom tests. A custom test record would be a recordation of elements of human insight. For example, if the tester noticed that a particular file is present in a web application at a particular URI and the tester assessed that the existence of the file and/or similarly named files may be of a security concern, the tester can create a custom test record that specifies a regular expression, for example, that matches the file's name and the names of the similarly named files, add comments as to the name of the custom test, human-readable comments about when the test should be run, why it should be run, what to look for, prior experience, etc. Then, when a later automated scan is being done, the regular expressions of the custom test records are compared to the requests the scanner is making and if there is a match, the scanner might alert the later tester and present the tester with the custom test record information so that the later tester can be prompted to decide to run that custom test.
"The following detailed description together with the accompanying drawings will provide a better understanding of the nature and advantages of the present invention."
For the URL and additional information on this patent, see: Pennington, William; Grossman, Jeremiah; Stone, Robert; Pazirandeh, Siamak. Pattern Tracking and Capturing Human Insight in a Web Application Security Scanner. U.S. Patent Number 8789187, filed
Keywords for this news article include:
Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC
Most Popular Stories
- PBS Series Examines America's Demographic Shift
- California's Ban on Plastic Bags: What Now?
- Petri Likely Broke House Ethics Rules
- Americans Bet Big on Gambling Industry
- Exxon Gives Nod to Fracking Risks
- Morgan: 'Can't Believe' Wal-Mart Blaming Him
- Texas Sees Gains in Hispanic College Enrollment
- Wealth Gap Widens as Rich Spend More on Kids' Education
- Can You Be Fired for Using Medical Marijuana?
- Lack of Sea Ice Brings 35,000 Walruses Ashore