公开(公告)号：US20130139267A1

公开(公告)日：2013-05-30

申请号：US13440416

申请日：2012-04-05

申请人： Yair Amit ,  Daniel Kalman ,  Omer Tripp

发明人： Yair Amit ,  Daniel Kalman ,  Omer Tripp

IPC分类号： G06F21/00

CPC分类号： H04L63/1433 ,  H04L63/145 ,  H04L67/02 ,  H04W12/12

摘要： A method, computer program product, and system for detecting vulnerabilities in web applications is described. A method may comprise determining one or more values associated with a web application that flow to response data associated with the web application. The one or more values may be modifiable by unreliable input. The method may further comprise generating a representation of the response data associated with the web application. The method may additionally comprise determining one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, and the representation of the response data associated with the web application.

摘要翻译： 描述了一种用于检测Web应用程序中的漏洞的方法，计算机程序产品和系统。 方法可以包括确定与web应用程序相关联的一个或多个值，其流向与web应用相关联的响应数据。 一个或多个值可能由不可靠的输入修改。 该方法还可以包括生成与web应用相关联的响应数据的表示。 该方法可以另外包括至少部分地基于流向与web应用相关联的响应数据的不可靠输入可修改的一个或多个值来确定响应数据的一个或多个潜在易受攻击的部分，以及 与Web应用程序相关联的响应数据。

公开(公告)号：US09223977B2

公开(公告)日：2015-12-29

申请号：US13447904

申请日：2012-04-16

申请人： Yair Amit ,  Yinnon A. Haviv ,  Daniel Kalman ,  Omer Tripp ,  Omri Weisman

发明人： Yair Amit ,  Yinnon A. Haviv ,  Daniel Kalman ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F21/55 ,  G06F21/56 ,  G06F21/52 ,  G06F21/57

CPC分类号： G06F21/566 ,  G06F21/52 ,  G06F21/577

摘要： Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.

摘要翻译： 测试基于Web的应用程序的安全漏洞。 包括具有唯一标识符的有效载荷的至少一个客户端请求可以被传送到基于Web的应用。 可以从基于Web的应用程序接收响应HTML和关联的文档对象模型（DOM）对象。 可以通过唯一标识符在DOM对象中识别与有效载荷相对应的内容。 包括有效载荷的DOM对象的一部分可以被识别为不可信。

公开(公告)号：US09124624B2

公开(公告)日：2015-09-01

申请号：US13440416

申请日：2012-04-05

申请人： Yair Amit ,  Daniel Kalman ,  Omer Tripp

发明人： Yair Amit ,  Daniel Kalman ,  Omer Tripp

IPC分类号： H04L29/06 ,  H04W12/12 ,  H04L29/08

CPC分类号： H04L63/1433 ,  H04L63/145 ,  H04L67/02 ,  H04W12/12

摘要： A method, computer program product, and system for detecting vulnerabilities in web applications is described. A method may comprise determining one or more values associated with a web application that flow to response data associated with the web application. The one or more values may be modifiable by unreliable input. The method may further comprise generating a representation of the response data associated with the web application. The method may additionally comprise determining one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, and the representation of the response data associated with the web application.

摘要翻译： 描述了一种用于检测Web应用程序中的漏洞的方法，计算机程序产品和系统。 方法可以包括确定与web应用程序相关联的一个或多个值，其流向与web应用相关联的响应数据。 一个或多个值可能由不可靠的输入修改。 该方法还可以包括生成与web应用相关联的响应数据的表示。 该方法可以另外包括至少部分地基于流向与web应用相关联的响应数据的不可靠输入可修改的一个或多个值来确定响应数据的一个或多个潜在易受攻击的部分，以及 与Web应用程序相关联的响应数据。

公开(公告)号：US20130139266A1

公开(公告)日：2013-05-30

申请号：US13307780

申请日：2011-11-30

申请人： Yair Amit ,  Daniel Kalman ,  Omer Tripp

发明人： Yair Amit ,  Daniel Kalman ,  Omer Tripp

IPC分类号： G06F11/00

CPC分类号： H04L63/1433 ,  H04L63/145 ,  H04L67/02 ,  H04W12/12

摘要： A method, computer program product, and system for detecting vulnerabilities in web applications is described. A method may comprise determining one or more values associated with a web application that flow to response data associated with the web application. The one or more values may be modifiable by unreliable input. The method may further comprise generating a representation of the response data associated with the web application. The method may additionally comprise determining one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, and the representation of the response data associated with the web application.

公开(公告)号：US09032529B2

公开(公告)日：2015-05-12

申请号：US13307780

申请日：2011-11-30

申请人： Yair Amit ,  Daniel Kalman ,  Omer Tripp

发明人： Yair Amit ,  Daniel Kalman ,  Omer Tripp

IPC分类号： H04L29/06 ,  H04L29/08 ,  H04W12/12

CPC分类号： H04L63/1433 ,  H04L63/145 ,  H04L67/02 ,  H04W12/12

摘要： A method, computer program product, and system for detecting vulnerabilities in web applications is described. A method may comprise determining one or more values associated with a web application that flow to response data associated with the web application. The one or more values may be modifiable by unreliable input. The method may further comprise generating a representation of the response data associated with the web application. The method may additionally comprise determining one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, and the representation of the response data associated with the web application.

公开(公告)号：US08683596B2

公开(公告)日：2014-03-25

申请号：US13283989

申请日：2011-10-28

申请人： Yair Amit ,  Yinnon A. Haviv ,  Daniel Kalman ,  Omer Tripp ,  Omri Weisman

发明人： Yair Amit ,  Yinnon A. Haviv ,  Daniel Kalman ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F21/00

CPC分类号： G06F21/566 ,  G06F21/52 ,  G06F21/577

摘要： Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.

摘要翻译： 测试基于Web的应用程序的安全漏洞。 包括具有唯一标识符的有效载荷的至少一个客户端请求可以被传送到基于Web的应用。 可以从基于Web的应用程序接收响应HTML和关联的文档对象模型（DOM）对象。 可以通过唯一标识符在DOM对象中识别与有效载荷相对应的内容。 包括有效载荷的DOM对象的一部分可以被识别为不可信。

公开(公告)号：US08819644B2

公开(公告)日：2014-08-26

申请号：US13411771

申请日：2012-03-05

申请人： Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

发明人： Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F21/52 ,  G06F8/51 ,  G06F8/75 ,  G06F11/3604

摘要： Performing data flow analysis of a computer software application, including, for a data flow analysis type, identifying within a computer software application code base a plurality of seeds relating to the data flow analysis type, for each of the plurality of seeds, defining a portion of the computer software application code base to a predefined depth of calls backward from the seed and to a predefined depth of calls forward from the seed, thereby resulting in a plurality of bounded portions of the computer software application code base, detecting a change in the computer software application code base, and performing, on any of the bounded portions affected by the change, a data flow analysis relating to the data flow analysis type.

公开(公告)号：US20120054724A1

公开(公告)日：2012-03-01

申请号：US12873219

申请日：2010-08-31

申请人： Daniel Kalman ,  Marco Pistoia ,  Guy Podjarny ,  Omer Tripp ,  Omri Weisman

发明人： Daniel Kalman ,  Marco Pistoia ,  Guy Podjarny ,  Omer Tripp ,  Omri Weisman

IPC分类号： G06F9/44

CPC分类号： G06F8/75 ,  G06F11/3604 ,  G06F21/577

摘要： A system, method and computer program product for incremental static analysis, including a change impact analyzer for identifying a changed portion of a computer software (e.g., an application), where the changed portion was changed subsequent to performing a static analysis on the application, a static analysis result invalidator for invalidating any static analysis result that is dependent on the changed portion, and an incremental static analyzer for performing a first incremental static analysis on at least the changed portion, presenting the results of the first incremental static analysis, receiving a request to provide additional information regarding a selected result of the first incremental static analysis, performing, responsive to receiving the request, a second incremental static analysis on any portion of the application to gather the additional information, and presenting results of the second incremental static analysis, thereby providing the additional information regarding the selected result of the first incremental static analysis.

摘要翻译： 一种用于增量静态分析的系统，方法和计算机程序产品，包括用于识别计算机软件（例如，应用程序）的改变部分的变化影响分析器，其中在对应用执行静态分析之后改变部分被改变， 静态分析结果无效器，用于使依赖于改变的部分的任何静态分析结果无效;以及增量静态分析器，用于至少对所述改变的部分执行第一增量静态分析，呈现第一增量静态分析的结果， 请求提供关于第一增量静态分析的选定结果的附加信息，响应于接收到请求执行，对应用的任何部分进行第二增量静态分析以收集附加信息，以及呈现第二增量静态分析的结果 ，从而提供附加信息rega 选择第一个增量静态分析的结果。

公开(公告)号：US08925094B2

公开(公告)日：2014-12-30

申请号：US13563376

申请日：2012-07-31

申请人： Daniel Kalman ,  Ory Segal ,  Omer Tripp ,  Omri Weisman

发明人： Daniel Kalman ,  Ory Segal ,  Omer Tripp ,  Omri Weisman

IPC分类号： H04L29/06 ,  G06F21/00 ,  G06F21/57 ,  G06F21/10

CPC分类号： G06F21/577 ,  G06F21/10 ,  G06F2221/034 ,  H04L63/1433

摘要： Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.

公开(公告)号：US08910291B2

公开(公告)日：2014-12-09

申请号：US13430013

申请日：2012-03-26

申请人： Yinnon A. Haviv ,  Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

发明人： Yinnon A. Haviv ,  Daniel Kalman ,  Dmitri Pikus ,  Omer Tripp ,  Omri Weisman

IPC分类号： H04L29/06 ,  G06F21/57

CPC分类号： G06F21/577 ,  H04L63/1433 ,  H04L63/1441

摘要： Detecting security vulnerabilities in web applications by interacting with a web application at a computer server during its execution at the computer server, identifying client-side instructions provided by the web application responsive to an interaction with the web application, where the client-side instructions are configured to be implemented by a client computer that receives the client-side instructions from the computer server, evaluating the identified client-side instructions, and identifying a security vulnerability associated with the client-side instructions.

摘要翻译： 通过在计算机服务器执行期间与计算机服务器上的Web应用程序交互来检测Web应用程序中的安全漏洞，识别由Web应用程序提供的客户端指令，响应于与Web应用程序的交互，其中客户端指令是 被配置为由从计算机服务器接收客户端指令的客户端计算机实现，评估所识别的客户端指令，以及识别与客户端指令相关联的安全漏洞。