Payload Generation
    1. Invention patent

    Publication number: GB2521640A

    Publication date: 2015-07-01

    Application number: GB201322993

    Filing date: 2013-12-24

    Applicant: IBM

    Abstract: A method of generating test payloads for a target system comprises the steps of: receiving a plurality of reference programs S2.1, each one modeling at least one aspect of the target system; building a specification for each received reference program defining illegal states S2.2; analyzing each specification to determine one or more entry constraints that would generate an illegal state from a specific input S2.3; and synthesizing one or more payloads from the determined entry constraints S2.4. The broad idea is to obtain a representative list of programs modeling relevant business logic, apply static analysis to these programs to detect classes of payloads that would be effective in testing them, and then use these seeding payloads as the basis for producing new payloads. One of the many applications of this may particularly include security testing of web services, for example, detecting cross-site scripting (XSS) vulnerabilities in a website that may be coded in PHP, to protect against XSS attacks.

    Security testing of web applications with specialised payloads

    Publication number: GB2519159A

    Publication date: 2015-04-15

    Application number: GB201318119

    Filing date: 2013-10-14

    Applicant: IBM

    Abstract: A method and system for security testing of web applications comprises submitting 304 a test to a web application, wherein the test has a payload with a (possibly empty) set of constraints or variables. It further comprises receiving 305 a response from the web application, deriving 308 at least one constraint from the response, and using these to update the previous set of constraints and synthesize 310 a new payload. The test is then repeated 304 by submitting the new payload, and this method is iterated until a security vulnerability is discovered 307 or no new payload can be constructed that satisfies all determined constraints and, optionally, the grammar of the computer language used. This method may be used to check for input or script that is not sanitised by the web application and thus could be used in a cross-site scripting (XSS) attack. The constraints may be regarded as tokens, and tokens may be replaced with new tokens when generating the new payload.

    Finding services in a service registry system of a service-oriented architecture

    Publication number: GB2503696A

    Publication date: 2014-01-08

    Application number: GB201211872

    Filing date: 2012-07-04

    Applicant: IBM

    Abstract: A method (400) of searching a service registry system (200) comprising a plurality of services (120) identified by respective service names is disclosed in which at least some of said service names are associated with a set of client identifiers. The method at least comprises receiving (410) a search request (250) at said service registry system, said request including a service name (121) and a further set of client identifiers (251); searching (420) the service registry system for a match between the requested service name and a service name of one of said services in the service registry system; and in the absence of such a match, searching (250) the service registry system for services that have an association with at least some of the client identifiers in said further set; and returning a search result (260).

    Web service black box testing
    4. Invention patent

    Publication number: GB2511329A

    Publication date: 2014-09-03

    Application number: GB201303562

    Filing date: 2013-02-28

    Applicant: IBM

    Abstract: Synthesizing tests from a web service document comprises: using a function call identifier to locate at least one parameter of at least one client-to-server function call in the web service document; discovering client validation constraints 302 for the at least one parameter; discovering server validation constraints 303 for the at least one parameter in the web service document; calculating the difference 304 between the constraints and discovering at least one range for the at least one parameter that will be accepted by the server and not accepted by the client; and building tests 305 using values in the identified range. These values are used as inputs for black box testing so that the input payload reaches the web service business logic and the web service is driven into an illegal state, thereby returning an error message because the values are incompatible with the client-side constraints, the error message being useful for black box validation.

    Invoking web services that are determined at the time of execution

    Publication number: GB2509723A

    Publication date: 2014-07-16

    Application number: GB201300415

    Filing date: 2013-01-10

    Applicant: IBM

    Abstract: A method of invoking a web service in a software application comprises providing a software application comprising a machine-readable description of a functionality 105 to be supported by a web service to be invoked and a machine-readable description of an execution instruction 110 for the web service to be invoked, and determining a web service 115 that supports the function to be supported and the execution instruction. Determining a web service may comprise analyzing the description of a functionality to be supported so as to determine search parameters, and using these in conjunction with a web service search application (Figure 2). If several web services are identified as suitable, one may be selected in accordance with predetermined selection criteria such as age, version, cost, domain, processing requirements or historical use. The method provides for dynamic run-time resolution of a required web service, which reduces coupling to a specific web service during program development.

    Generating coverage metrics for black-box testing

    Publication number: GB2529842A

    Publication date: 2016-03-09

    Application number: GB201415578

    Filing date: 2014-09-03

    Applicant: IBM

    Abstract: Method and system are provided for generating coverage metrics for black-box testing. The method includes performing static analysis of a program code 110 to be tested, wherein the static analysis includes identifying variables whose value depends on inputs of the program code, and inserting code blocks into the program code to be tested, wherein the code blocks insert vulnerabilities 111-114 into the code at locations where the variables are modified and wherein the code blocks violate one or more properties to be tested. A testing scan 120 is then applied to the program code and the number of vulnerabilities 113,114 located by the test is determined. A coverage metric is output based on the ratio of the located vulnerabilities to the total number of inserted vulnerabilities in the program code.

    Runtime protection of web services

    Publication number: GB2527323A

    Publication date: 2015-12-23

    Application number: GB201410822

    Filing date: 2014-06-18

    Applicant: IBM

    Abstract: Protecting a runtime web service application by instrumenting the application to log its operation so that its execution trace can be recreated. The method comprises: identifying trace point vulnerabilities using one or more data payloads; identifying candidate trace point operations associated with the trace point vulnerabilities; computing supplementary candidate operations based on the existing trace point operations and the one or more data payloads; and further instrumenting the web service application with the one or more supplementary candidate operations. This ensures that vulnerabilities arising from transitions of data from trusted to untrusted can be identified and defenses to limit injection actions implemented. The trust boundaries are therefore analysed and can be corrected where security checks do not provide protection. A candidate trace point may be the operation for which a payload value has been rejected by a validator or sanitized.

    Measuring robustness of web services to denial of service attacks

    Publication number: GB2515778A

    Publication date: 2015-01-07

    Application number: GB201311909

    Filing date: 2013-07-03

    Applicant: IBM

    Abstract: The method includes: selecting a web service method for testing; selecting a request pattern for a test as the request pattern with the slowest response using the method from a series of request patterns including irregular requests having a payload aimed at destabilizing the web service; applying a test to the method, wherein the test uses the selected request pattern applied at an increasing frequency to the method; monitoring the response time of the request pattern by the method; determining the frequency of the applied request pattern when a threshold maximum time for response of the method to the request pattern is reached or when the method fails; and determining a metric for the method based on the frequency of the applied request pattern required to reach the threshold.

    Comparison between two different descriptions of a web service

    Publication number: GB2514800A

    Publication date: 2014-12-10

    Application number: GB201309942

    Filing date: 2013-06-04

    Applicant: IBM

    Abstract: A process, system and computer program for comparing two different descriptions of a web service is described, where each description comprises a set of methods (m1-4 and m1-4), each method comprising one or more parameters. Using the process of the invention, it is possible to identify which methods in a later version of the description of the web service most likely correspond to which methods in the earlier version of the description of the web service. The process comprises the steps of computing a distance between each type used as a parameter in the first description and each type used as a parameter in the second description, calculating a distance between each method in the first description and each method in the second description by comparing the parameters of the compared methods using the computed distances between types, adding to each calculated distance a measure of the distance between the names of the compared methods, adding to each calculated distance a measure of the distance between the returned types of the compared methods, and outputting, for each method in the first description, at least the method in the second description with the lowest calculated distance.

    Web service testing
    10. Invention patent

    Publication number: GB2514796A

    Publication date: 2014-12-10

    Application number: GB201309938

    Filing date: 2013-06-04

    Applicant: IBM

    Abstract: A computer-implemented method of inferring a web service infrastructure from a web service hosted on a web server, comprising downloading a web service description language (WSDL) file describing the web service from a location on said web server identified by a uniform resource locator (URL); identifying at least one of a web service design technology and a web service design technology provider from character strings indicative of said technology and implementation respectively in at least one of said URL and WSDL file; and inferring the web service infrastructure from the identified web service design technology and web service design technology provider. The inferred web service infrastructure is then preferably used to design a security test for the web service.
