专利快速检索-快速检索全球专利，免费商用专利数据库-IPRDB

1. 发明授权

US10586049B2 Detection of second order vulnerabilities in web services 有权
公开(公告)号：US10586049B2
公开(公告)日：2020-03-10
申请号：US13335439
申请日：2011-12-22
申请人： Yair Amit , Evgeny Beskrovny , Omer Tripp
发明人： Yair Amit , Evgeny Beskrovny , Omer Tripp
IPC分类号： H04L29/06 , G06F21/57 , H04L29/08 , G06F9/30 , G07B17/00 , H04W12/00
摘要： A system for detecting a vulnerability in a Web service can include a processor configured to initiate executable operations including determining whether a Web service uses identity of a requester to select one of a plurality of different paths of a branch in program code of the Web service and, responsive to determining that the Web service does select one of a plurality of different paths of a branch according to identity of the requester, indicating that the Web service has a potential vulnerability.

2. 发明授权

US08949994B2 Detecting persistent vulnerabilities in web applications 有权
公开(公告)号：US08949994B2
公开(公告)日：2015-02-03
申请号：US13421125
申请日：2012-03-15
申请人： Yair Amit , Omer Tripp
发明人： Yair Amit , Omer Tripp
IPC分类号： G06F21/00 , G06F21/56 , H04L29/06 , G06F21/51 , G06F21/57
CPC分类号： G06F21/563 , G06F21/51 , G06F21/566 , G06F21/577 , H04L63/1433 , H04L63/1466
摘要： A method, including storing a test payload to a persistent state of an application and performing a static analysis to identify a first code location in the application that retrieves the test payload, to identify a first path from an entry point to the first code location, and to identify a second path from the first code location to a second code location that executes a security sensitive operation using the retrieved data. A dynamic analysis is then performed to retrieve the test payload via the first path, and to convey the test payload to the second code location via the second path.

3. 发明授权

US08495135B2 Preventing cross-site request forgery attacks on a server 有权
标题翻译：防止服务器上的跨站点请求伪造攻击
公开(公告)号：US08495135B2
公开(公告)日：2013-07-23
申请号：US12889300
申请日：2010-09-23
申请人： Yair Amit , Guy Podjarny , Adi Sharabani
发明人： Yair Amit , Guy Podjarny , Adi Sharabani
IPC分类号： G06F15/16
CPC分类号： G06F21/51 , G06F21/445 , G06F21/554 , G06F2221/2129 , G06Q20/382 , H04L63/08
摘要： Preventing Cross-Site Request Forgery (CSRF) security attacks on a server in a client-server environment comprises: embedding a nonce and a script in all responses from the server to the client, the script adapted for executing to add the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each request from the client includes the nonce. The script preferably modifies all objects, including dynamically generated objects, in a server response that may generate future requests to the server to add the nonce to the requests. The server verifies the nonce value in a request and optionally confirms the request with the client if the value is not the same as the value previously sent by the server. Server-side aspects might be embodied in the server or a proxy between the server and the client.
摘要翻译：防止跨站点请求在客户端 - 服务器环境中的服务器上的伪造（CSRF）安全攻击包括：将随机数和脚本嵌入到从服务器到客户端的所有响应中，该脚本适用于执行以向每个请求添加随机数从客户端到服务器; 将随机数和脚本的响应发送给客户端; 并验证来自客户端的每个请求都包括该随机数。该脚本优选地在服务器响应中修改包括动态生成的对象的所有对象，该服务器响应可以向服务器生成将请求添加到请求中的未来请求。服务器验证请求中的随机值，并且如果值与以前由服务器发送的值不同，则可选地确认与客户端的请求。服务器端方面可能会体现在服务器或服务器和客户端之间的代理服务器端。

4. 发明申请

US20130174262A1 TARGETED SECURITY TESTING 有权
公开(公告)号：US20130174262A1
公开(公告)日：2013-07-04
申请号：US13431808
申请日：2012-03-27
申请人： Yair Amit , Lotem Guy , Daniel Kalman , Ori Segal , Omri Weisman
发明人： Yair Amit , Lotem Guy , Daniel Kalman , Ori Segal , Omri Weisman
IPC分类号： G06F21/00 , G06F17/00
CPC分类号： G06F21/577 , G06F2221/033
摘要： Source code of a plurality of web pages including script code is statically analyzed. A page including a potential vulnerability is identified based on the static analysis. A page not including a potential vulnerability is identified based on the static analysis. The web page including the potential vulnerability is dynamically analyzed using a set of test payloads. The page not including the potential vulnerability is dynamically analyzed using a subset of the set of test payloads, the subset including fewer test payloads than the set of test payloads.

5. 发明申请

US20120311713A1 DETECTING PERSISTENT VULNERABILITIES IN WEB APPLICATIONS 审中-公开
公开(公告)号：US20120311713A1
公开(公告)日：2012-12-06
申请号：US13421125
申请日：2012-03-15
申请人： Yair Amit , Omer Tripp
发明人： Yair Amit , Omer Tripp
IPC分类号： G06F21/00
CPC分类号： G06F21/563 , G06F21/51 , G06F21/566 , G06F21/577 , H04L63/1433 , H04L63/1466
摘要： A method, including storing a test payload to a persistent state of an application and performing a static analysis to identify a first code location in the application that retrieves the test payload, to identify a first path from an entry point to the first code location, and to identify a second path from the first code location to a second code location that executes a security sensitive operation using the retrieved data. A dynamic analysis is then performed to retrieve the test payload via the first path, and to convey the test payload to the second code location via the second path.

6. 发明申请

US20120266248A1 PINPOINTING SECURITY VULNERABILITIES IN COMPUTER SOFTWARE APPLICATIONS 有权
标题翻译：在计算机软件应用程序中确定安全漏洞
公开(公告)号：US20120266248A1
公开(公告)日：2012-10-18
申请号：US13411083
申请日：2012-03-02
申请人： Yair Amit , Roee Hay , Roi Saltzman , Adi Sharabani
发明人： Yair Amit , Roee Hay , Roi Saltzman , Adi Sharabani
IPC分类号： G06F21/00
CPC分类号： G06F21/52 , G06F21/55 , G06F2221/033
摘要： A build process management system can acquire data pertaining to a software build process that is currently being executed by an automated software build system. The software build process can include executable process steps, metadata, and/or environmental parameter values. An executable process step can utilize a build artifact, representing an electronic document that supports the software build process. The acquired data can then be synthesized into an immutable baseline build process and associated baseline artifact library. The baseline artifact library can store copies of the build artifacts. The immutable baseline build process can include baseline objects that represent data values and dependencies indicated in the software build process. In response to a user-specified command, an operation can be performed upon the baseline build process and associated baseline artifact library.
摘要翻译：构建过程管理系统可以获取与当前由自动化软件构建系统执行的软件构建过程有关的数据。软件构建过程可以包括可执行过程步骤，元数据和/或环境参数值。可执行过程步骤可以利用构建工件，代表支持软件构建过程的电子文档。然后，获取的数据可以被合成为不可变的基线构建过程和相关联的基线工件库。基线工件库可以存储构建工件的副本。不可变的基线构建过程可以包括表示软件构建过程中指示的数据值和依赖性的基线对象。响应于用户指定的命令，可以在基线构建过程和相关联的基线工件库上执行操作。

7. 发明申请

US20120180128A1 Preventing Cross-Site Request Forgery Attacks on a Server 有权
标题翻译：防止跨站点请求服务器上的伪造攻击
公开(公告)号：US20120180128A1
公开(公告)日：2012-07-12
申请号：US13411608
申请日：2012-03-04
申请人： Yair Amit , Guy Podjarny , Adi Sharabani
发明人： Yair Amit , Guy Podjarny , Adi Sharabani
IPC分类号： G06F21/00
CPC分类号： G06F21/51 , G06F21/445 , G06F21/554 , G06F2221/2129 , G06Q20/382 , H04L63/08
摘要： Preventing Cross-Site Request Forgery security attacks on a server in a client-server environment. In one aspect, this comprises embedding a nonce and a script in all responses from the server to the client wherein, when executed, the script adds the nonce to each request from the client to the server; sending the response with the nonce and the script to the client; and verifying that each request from the client includes the nonce sent by the server to the client. The script preferably modifies all objects, including dynamically generated objects, in a server response that may generate future requests to the server to add the nonce to the requests. The server verifies the nonce value in a request and optionally confirms the request with the client if the value differs from the value previously sent. Server-side aspects might be embodied in the server or a proxy.
摘要翻译：防止跨站点请求在客户端 - 服务器环境中对服务器进行伪造安全攻击。在一个方面，这包括在从服务器到客户端的所有响应中嵌入随机数和脚本，其中当执行时，脚本将随机数添加到从客户端到服务器的每个请求; 将随机数和脚本的响应发送给客户端; 并验证来自客户端的每个请求都包括服务器发送给客户端的随机数。该脚本优选地在服务器响应中修改包括动态生成的对象的所有对象，该服务器响应可以向服务器生成将请求添加到请求中的未来请求。服务器验证请求中的随机值，并且如果值与先前发送的值不同，则可选地确认该请求与客户端。服务器端方面可能会体现在服务器或代理中。

8. 发明授权

US09460291B2 Detecting stored cross-site scripting vulnerabilities in web applications 有权
标题翻译：检测Web应用程序中存储的跨站点脚本漏洞
公开(公告)号：US09460291B2
公开(公告)日：2016-10-04
申请号：US13429993
申请日：2012-03-26
申请人： Yair Amit , Alexander Landa , Omer Tripp
发明人： Yair Amit , Alexander Landa , Omer Tripp
IPC分类号： G06F21/57 , H04L29/06
CPC分类号： H04L63/1433 , G06F21/577 , G06F2221/033 , H04L63/1441 , H04L63/1483
摘要： A method for detecting security vulnerabilities in web applications can include providing a payload to a web application during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, detecting the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and determining, responsive to detecting the identifier within the payload, whether the payload instruction underwent a security check prior to execution of the payload instruction.
摘要翻译：用于检测web应用程序中的安全漏洞的方法可以包括在计算机服务器与网络应用程序的第一次交互期间向web应用程序提供有效载荷，其中有效载荷包括有效负载指令和标识符，检测在在所述第一交互之后与所述web应用的交互，以及响应于在所述有效载荷内检测到所述标识符，确定所述有效载荷指令是否在执行所述有效载荷指令之前进行了安全检查。

9. 发明授权

US09223977B2 Detection of DOM-based cross-site scripting vulnerabilities 有权
标题翻译：检测基于DOM的跨站点脚本漏洞
公开(公告)号：US09223977B2
公开(公告)日：2015-12-29
申请号：US13447904
申请日：2012-04-16
申请人： Yair Amit , Yinnon A. Haviv , Daniel Kalman , Omer Tripp , Omri Weisman
发明人： Yair Amit , Yinnon A. Haviv , Daniel Kalman , Omer Tripp , Omri Weisman
IPC分类号： G06F21/55 , G06F21/56 , G06F21/52 , G06F21/57
CPC分类号： G06F21/566 , G06F21/52 , G06F21/577
摘要： Testing a Web-based application for security vulnerabilities. At least one client request including a payload having a unique identifier can be communicated to the Web-based application. Response HTML and an associated Document Object Model (DOM) object can be received from the Web-based application. Content corresponding to the payload can be identified in the DOM object via the unique identifier. A section of the DOM object including the payload can be identified as un-trusted.
摘要翻译：测试基于Web的应用程序的安全漏洞。包括具有唯一标识符的有效载荷的至少一个客户端请求可以被传送到基于Web的应用。可以从基于Web的应用程序接收响应HTML和关联的文档对象模型（DOM）对象。可以通过唯一标识符在DOM对象中识别与有效载荷相对应的内容。包括有效载荷的DOM对象的一部分可以被识别为不可信。

10. 发明授权

US09124624B2 Detecting vulnerabilities in web applications 有权
标题翻译：检测Web应用程序中的漏洞
公开(公告)号：US09124624B2
公开(公告)日：2015-09-01
申请号：US13440416
申请日：2012-04-05
申请人： Yair Amit , Daniel Kalman , Omer Tripp
发明人： Yair Amit , Daniel Kalman , Omer Tripp
IPC分类号： H04L29/06 , H04W12/12 , H04L29/08
CPC分类号： H04L63/1433 , H04L63/145 , H04L67/02 , H04W12/12
摘要： A method, computer program product, and system for detecting vulnerabilities in web applications is described. A method may comprise determining one or more values associated with a web application that flow to response data associated with the web application. The one or more values may be modifiable by unreliable input. The method may further comprise generating a representation of the response data associated with the web application. The method may additionally comprise determining one or more potentially vulnerable portions of the response data based upon, at least in part, the one or more values modifiable by the unreliable input that flow to the response data associated with the web application, and the representation of the response data associated with the web application.
摘要翻译：描述了一种用于检测Web应用程序中的漏洞的方法，计算机程序产品和系统。方法可以包括确定与web应用程序相关联的一个或多个值，其流向与web应用相关联的响应数据。一个或多个值可能由不可靠的输入修改。该方法还可以包括生成与web应用相关联的响应数据的表示。该方法可以另外包括至少部分地基于流向与web应用相关联的响应数据的不可靠输入可修改的一个或多个值来确定响应数据的一个或多个潜在易受攻击的部分，以及与Web应用程序相关联的响应数据。

你已经成功收藏专利！

检索式保存成功!

IPRDB

热门服务

关于我们

友情链接

联系方式