-
Publication (Announcement) No.: GB2494738B
Publication (Announcement) Date: 2013-08-14
Application No.: GB201209473
Filing Date: 2012-05-29
Applicant: IBM
Inventor: AMIT YAIR, LANDA ALEXANDER, TRIPP OMER
Abstract: A system for detecting security vulnerabilities in web applications, the system including a black-box tester configured to provide a payload to a web application during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, and an execution engine configured to detect the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and to determine, responsive to detecting the identifier within the payload, whether the payload instruction underwent a security check prior to execution of the payload instruction.
-
Publication (Announcement) No.: GB2494738A
Publication (Announcement) Date: 2013-03-20
Application No.: GB201209473
Filing Date: 2012-05-29
Applicant: IBM
Inventor: AMIT YAIR, LANDA ALEXANDER, TRIPP OMER
Abstract: A system for detecting security vulnerabilities in web applications, the system including a black-box tester 100 configured to provide a payload 110 to a web application 102 during a first interaction with the web application at a computer server, where the payload includes a payload instruction and an identifier, and an execution engine 114 configured to detect the identifier within the payload received during an interaction with the web application subsequent to the first interaction, and to determine, responsive to detecting the identifier within the payload 110, whether the payload instruction underwent a security check, such as a validator or a sanitizer, prior to execution of the payload instruction. The interaction-initiating instruction is preferably an AJAX request, and the invention is preferably used to detect vulnerability to stored cross-site scripting (XSS) attacks.
-