公开(公告)号：US09910992B2

公开(公告)日：2018-03-06

申请号：US14763172

申请日：2013-02-25

Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.

Inventor： Shawn Morgan Simpson ,  Kirill Mendelev ,  Philip Edward Hamer

IPC: G06F21/57

CPC classification number: G06F21/577 ,  G06F2221/033

Abstract: Example embodiments disclosed herein relate to present part of a web application with one or more user interface elements of the part highlighted based on updated rules. A web application is loaded in a browser layout engine. User actions are simulated on user interface elements of the web application to update the rules. The part of the web application is presented with one or more user interface elements highlighted.

公开(公告)号：US10699017B2

公开(公告)日：2020-06-30

申请号：US14764280

申请日：2013-02-28

Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.

Inventor： Kirill Mendelev ,  Lu Zhao ,  David John Babcock ,  Ronald Joseph Sechman

IPC: G06F21/00 ,  G06F21/57 ,  G06F21/56 ,  G06F11/36 ,  H04L29/06

Abstract: Example embodiments relate to assessing dynamic security scans using runtime analysis and static code analysis. In example embodiments, a system performs static code analysis of a web application to identify reachable code and/or data entry points, where the data entry points are used to determine an attack surface size for the web application. At this stage, the system may initiate runtime monitoring for a dynamic security scan of the web application, where the runtime monitoring detects invocation of a statement at one of the data entry points. The invocation is logged as an invocation entry that comprises invocation parameters and/or code units that were executed in response to the invocation. The system may then determine an attack surface coverage of the dynamic security scan using the invocation entry and the attack surface size and/or a reachable code coverage using the invocation entry and the reachable code.

公开(公告)号：US09438617B2

公开(公告)日：2016-09-06

申请号：US14431996

申请日：2012-09-28

Applicant: Hewlett-Packard Development Company, L.P.

Inventor： Kirill Mendelev ,  Matias Madou ,  Sam Ng Ming Sum

IPC: H04L29/06 ,  G06F11/36 ,  G06F21/52 ,  G06F21/56

CPC classification number: H04L63/1433 ,  G06F11/3672 ,  G06F21/52 ,  G06F21/566 ,  H04L63/20

Abstract: Example embodiments disclosed herein relate to real-time modification of an application under test (AUT). A security rest is performed on the AUT. A real-time modifier determines that a portion of a function to be executed by the AUT is unsafe. The real-time modifier modifies execution of the AUT to not execute the portion.

Abstract translation: 本文公开的示例实施例涉及对被测试应用（AUT）的实时修改。 在AUT上执行安全休息。 实时修饰符确定由AUT执行的功能的一部分是不安全的。 实时修改器修改AUT的执行以不执行该部分。

公开(公告)号：US20150371047A1

公开(公告)日：2015-12-24

申请号：US14764280

申请日：2013-02-28

Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY. L.P.

Inventor： Kirill Mendelev ,  Lu Zhao ,  David John Babcock ,  Ronald Joseph Sechman

IPC: G06F21/57 ,  G06F21/56 ,  H04L29/06

CPC classification number: G06F21/577 ,  G06F11/3668 ,  G06F21/563 ,  G06F21/564 ,  G06F21/566 ,  G06F2221/033 ,  G06F2221/2101 ,  H04L63/1416 ,  H04L63/1433 ,  H04L63/168

Abstract: Example embodiments relate to assessing dynamic security scans using runtime analysis and static code analysis. In example embodiments, a system performs static code analysis of a web application to identify reachable code and/or data entry points, where the data entry points are used to determine an attack surface size for the web application. At this stage, the system may initiate runtime monitoring for a dynamic security scan of the web application, where the runtime monitoring detects invocation of a statement at one of the data entry points. The invocation is logged as an invocation entry that comprises invocation parameters and/or code units that were executed in response to the invocation. The system may then determine an attack surface coverage of the dynamic security scan using the invocation entry and the attack surface size and/or a reachable code coverage using the invocation entry and the reachable code.

Abstract translation: 示例实施例涉及使用运行时分析和静态代码分析来评估动态安全扫描。 在示例实施例中，系统执行web应用程序的静态代码分析以识别可达代码和/或数据入口点，其中数据输入点用于确定web应用程序的攻击面大小。 在这个阶段，系统可以启动对web应用程序的动态安全扫描的运行时监视，其中运行时监视检测到在数据入口点之一处的语句的调用。 该调用被记录为一个调用条目，其中包含响应于该调用执行的调用参数和/或代码单元。 系统然后可以使用调用条目和攻击面大小和/或使用调用条目和可达代码的可达代码覆盖来确定动态安全扫描的攻击面覆盖。

公开(公告)号：US20160078146A1

公开(公告)日：2016-03-17

申请号：US14762939

申请日：2013-01-29

Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.

Inventor： Shawn Morgan Simpson ,  Kirill Mendelev ,  David Scott Tillery

IPC: G06F17/30 ,  G06F17/22

CPC classification number: G06F17/30896 ,  G06F8/38 ,  G06F9/455 ,  G06F17/2247 ,  G06F21/51 ,  G06F2221/033 ,  G06F2221/2119

Abstract: Example embodiments disclosed herein relate to analyzing a web application. A web application is loaded. User actions are simulated on user interface elements of the web application. A structure of the web application is traversed based on rules to determine a set of actionable tokens. The respective actionable tokens include a portion of the web application that can change a user interface presented based on the web application.

Abstract translation: 本文公开的示例实施例涉及分析web应用。 加载了Web应用程序。 在Web应用程序的用户界面元素上模拟用户操作。 基于规则来遍历web应用的结构以确定一组可操作的令牌。 相应的可操作令牌包括可以改变基于web应用呈现的用户界面的Web应用程序的一部分。

公开(公告)号：US20150356302A1

公开(公告)日：2015-12-10

申请号：US14763172

申请日：2013-02-25

Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.

Inventor： Shawn Morgan Simpson ,  Kirill Mendelev ,  Philip Edward Hamer

IPC: G06F21/57

CPC classification number: G06F21/577 ,  G06F2221/033

Abstract: Example embodiments disclosed herein relate to present part of a web application with one or more user interface elements of the part highlighted based on updated rules. A web application is loaded in a browser layout engine. User actions are simulated on user interface elements of the web application to update the rules. The part of the web application is presented with one or more user interface elements highlighted.

Abstract translation: 本文公开的示例性实施例涉及基于更新的规则突出显示部分的一个或多个用户界面元素的web应用的一部分。 Web应用程序加载到浏览器布局引擎中。 在Web应用程序的用户界面元素上模拟用户操作，以更新规则。 web应用程序的一部分被呈现出突出显示的一个或多个用户界面元素。

公开(公告)号：US20150264074A1

公开(公告)日：2015-09-17

申请号：US14431996

申请日：2012-09-28

Applicant: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.

Inventor： Kirill Mendelev ,  Matias Madou ,  Sam Ng Ming Sum

IPC: H04L29/06

CPC classification number: H04L63/1433 ,  G06F11/3672 ,  G06F21/52 ,  G06F21/566 ,  H04L63/20

Abstract: Example embodiments disclosed herein relate to real-time modification of an application under test (AUT). A security rest is performed on the AUT. A real-time modifier determines that a portion of a function to be executed by the AUT is unsafe. The real-time modifier modifies execution of the AUT to not execute the portion.

Abstract translation: 本文公开的示例性实施例涉及对被测试应用（AUT）的实时修改。 在AUT上执行安全休息。 实时修饰符确定由AUT执行的功能的一部分是不安全的。 实时修改器修改AUT的执行以不执行该部分。