CN104995630A - 基于动态污点的安全性扫描 - Google Patents
基于动态污点的安全性扫描 Download PDFInfo
- Publication number
- CN104995630A CN104995630A CN201280076097.3A CN201280076097A CN104995630A CN 104995630 A CN104995630 A CN 104995630A CN 201280076097 A CN201280076097 A CN 201280076097A CN 104995630 A CN104995630 A CN 104995630A
- Authority
- CN
- China
- Prior art keywords
- module
- weakness
- attack
- dynamic stain
- application
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Debugging And Monitoring (AREA)
- For Increasing The Reliability Of Semiconductor Memories (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
页面 | 字段名称 | 预先筛选的弱点候选 |
搜索.jsp | 搜索 | 跨站点脚本 |
登陆.jsp | 用户名 | SQL注入、LDAP注入 |
位置.jsp | ATM_位置 | SQL注入 |
Claims (15)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2012/052772 WO2014035386A1 (en) | 2012-08-29 | 2012-08-29 | Security scan based on dynamic taint |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104995630A true CN104995630A (zh) | 2015-10-21 |
CN104995630B CN104995630B (zh) | 2018-10-12 |
Family
ID=50184025
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201280076097.3A Active CN104995630B (zh) | 2012-08-29 | 2012-08-29 | 用于安全性测试的计算系统和方法 |
Country Status (7)
Country | Link |
---|---|
US (1) | US9558355B2 (zh) |
EP (1) | EP2891100B1 (zh) |
JP (1) | JP5982575B2 (zh) |
KR (1) | KR20150048778A (zh) |
CN (1) | CN104995630B (zh) |
BR (1) | BR112015004035A2 (zh) |
WO (1) | WO2014035386A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112256580A (zh) * | 2020-10-23 | 2021-01-22 | 济南浪潮数据技术有限公司 | 一种代码扫描方法、装置、设备及存储介质 |
CN113220525A (zh) * | 2021-04-28 | 2021-08-06 | 杭州孝道科技有限公司 | 一种跨应用的动态污点跟踪方法 |
Families Citing this family (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9317693B2 (en) * | 2012-10-22 | 2016-04-19 | Rapid7, Llc | Systems and methods for advanced dynamic analysis scanning |
EP3100192B1 (en) * | 2014-01-27 | 2018-10-31 | Cronus Cyber Technologies Ltd. | Automated penetration testing device, method and system |
US10515219B2 (en) | 2014-07-18 | 2019-12-24 | Micro Focus Llc | Determining terms for security test |
US9781145B2 (en) | 2014-11-25 | 2017-10-03 | International Business Machines Corporation | Persistent cross-site scripting vulnerability detection |
US10110622B2 (en) | 2015-02-13 | 2018-10-23 | Microsoft Technology Licensing, Llc | Security scanner |
US9998482B2 (en) * | 2015-09-18 | 2018-06-12 | International Business Machines Corporation | Automated network interface attack response |
US9940479B2 (en) * | 2015-10-20 | 2018-04-10 | International Business Machines Corporation | Identifying and tracking sensitive data |
CN105808981B (zh) * | 2016-03-10 | 2018-06-19 | 西北大学 | 反污点分析软件保护方法 |
WO2017160309A1 (en) * | 2016-03-18 | 2017-09-21 | Entit Software Llc | Assisting a scanning session |
US10417441B2 (en) | 2016-04-29 | 2019-09-17 | International Business Machines Corporation | Effectively validating dynamic database queries through database activity monitoring |
CN105827644A (zh) * | 2016-05-17 | 2016-08-03 | 努比亚技术有限公司 | 一种实现密码信息处理的方法及终端 |
US10257220B2 (en) | 2017-01-30 | 2019-04-09 | Xm Cyber Ltd. | Verifying success of compromising a network node during penetration testing of a networked system |
US10068095B1 (en) * | 2017-05-15 | 2018-09-04 | XM Cyber Ltd | Systems and methods for selecting a termination rule for a penetration testing campaign |
US10686822B2 (en) | 2017-01-30 | 2020-06-16 | Xm Cyber Ltd. | Systems and methods for selecting a lateral movement strategy for a penetration testing campaign |
US10122750B2 (en) | 2017-01-30 | 2018-11-06 | XM Cyber Ltd | Setting-up penetration testing campaigns |
EP3560170A4 (en) | 2017-01-30 | 2020-07-29 | XM Cyber Ltd. | NETWORKED SYSTEM PENETRATION TEST |
US10581802B2 (en) | 2017-03-16 | 2020-03-03 | Keysight Technologies Singapore (Sales) Pte. Ltd. | Methods, systems, and computer readable media for advertising network security capabilities |
CN107133180B (zh) * | 2017-06-07 | 2021-03-23 | 腾讯科技(深圳)有限公司 | 动态页面的测试方法、测试装置及存储介质 |
US10534917B2 (en) | 2017-06-20 | 2020-01-14 | Xm Cyber Ltd. | Testing for risk of macro vulnerability |
US10574684B2 (en) | 2017-07-09 | 2020-02-25 | Xm Cyber Ltd. | Locally detecting phishing weakness |
US10783239B2 (en) * | 2017-08-01 | 2020-09-22 | Pc Matic, Inc. | System, method, and apparatus for computer security |
US10412112B2 (en) | 2017-08-31 | 2019-09-10 | Xm Cyber Ltd. | Time-tagged pre-defined scenarios for penetration testing |
US10447721B2 (en) | 2017-09-13 | 2019-10-15 | Xm Cyber Ltd. | Systems and methods for using multiple lateral movement strategies in penetration testing |
WO2019097382A1 (en) | 2017-11-15 | 2019-05-23 | Xm Cyber Ltd. | Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign |
JP6928265B2 (ja) * | 2018-04-04 | 2021-09-01 | 日本電信電話株式会社 | 情報処理装置及び情報処理方法 |
US10440044B1 (en) | 2018-04-08 | 2019-10-08 | Xm Cyber Ltd. | Identifying communicating network nodes in the same local network |
US10382473B1 (en) | 2018-09-12 | 2019-08-13 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US10469521B1 (en) | 2018-11-04 | 2019-11-05 | Xm Cyber Ltd. | Using information about exportable data in penetration testing |
US10574687B1 (en) | 2018-12-13 | 2020-02-25 | Xm Cyber Ltd. | Systems and methods for dynamic removal of agents from nodes of penetration testing systems |
WO2020161532A1 (en) | 2019-02-06 | 2020-08-13 | Xm Cyber Ltd. | Taking privilege escalation into account in penetration testing campaigns |
US11283827B2 (en) | 2019-02-28 | 2022-03-22 | Xm Cyber Ltd. | Lateral movement strategy during penetration testing of a networked system |
US11206281B2 (en) | 2019-05-08 | 2021-12-21 | Xm Cyber Ltd. | Validating the use of user credentials in a penetration testing campaign |
JP6847460B2 (ja) * | 2019-05-27 | 2021-03-24 | 可立可資安股▲分▼有限公司 | 情報セキュリティ攻撃および防御計画を管理するシステム |
US11640469B2 (en) | 2019-06-21 | 2023-05-02 | Ventech Solutions, Inc. | Method and system for cloud-based software security vulnerability diagnostic assessment |
US10637883B1 (en) | 2019-07-04 | 2020-04-28 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US11544385B2 (en) * | 2019-07-29 | 2023-01-03 | Ventech Solutions, Inc. | Method and system for dynamic testing with diagnostic assessment of software security vulnerability |
US10880326B1 (en) | 2019-08-01 | 2020-12-29 | Xm Cyber Ltd. | Systems and methods for determining an opportunity for node poisoning in a penetration testing campaign, based on actual network traffic |
US11533329B2 (en) | 2019-09-27 | 2022-12-20 | Keysight Technologies, Inc. | Methods, systems and computer readable media for threat simulation and threat mitigation recommendations |
US11005878B1 (en) | 2019-11-07 | 2021-05-11 | Xm Cyber Ltd. | Cooperation between reconnaissance agents in penetration testing campaigns |
US11575700B2 (en) | 2020-01-27 | 2023-02-07 | Xm Cyber Ltd. | Systems and methods for displaying an attack vector available to an attacker of a networked system |
US11221855B2 (en) * | 2020-03-06 | 2022-01-11 | International Business Machines Corporation | Transformation of an enterprise application into a cloud native application |
US11582256B2 (en) | 2020-04-06 | 2023-02-14 | Xm Cyber Ltd. | Determining multiple ways for compromising a network node in a penetration testing campaign |
CN111859375B (zh) * | 2020-07-20 | 2023-08-29 | 百度在线网络技术(北京)有限公司 | 漏洞检测方法、装置、电子设备及存储介质 |
CN112199274B (zh) * | 2020-09-18 | 2022-05-03 | 北京大学 | 基于V8引擎的JavaScript动态污点跟踪方法及电子装置 |
CN112580060B (zh) * | 2021-01-21 | 2024-06-21 | 国网新疆电力有限公司信息通信公司 | 应用系统数据接口漏洞隐患排查系统 |
US11874932B2 (en) | 2021-06-30 | 2024-01-16 | International Business Machines Corporation | Managing application security vulnerabilities |
CN113886842B (zh) * | 2021-12-02 | 2022-03-08 | 北京华云安信息技术有限公司 | 基于测试的动态智能调度方法及装置 |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050273859A1 (en) * | 2004-06-04 | 2005-12-08 | Brian Chess | Apparatus and method for testing secure software |
US20070240225A1 (en) * | 2006-04-10 | 2007-10-11 | Shrader Theodore J L | Architecture for automatic HTTPS boundary identification |
US20080184208A1 (en) * | 2007-01-30 | 2008-07-31 | Sreedhar Vugranam C | Method and apparatus for detecting vulnerabilities and bugs in software applications |
US20090205047A1 (en) * | 2008-02-08 | 2009-08-13 | Guy Podjarny | Method and Apparatus for Security Assessment of a Computing Platform |
CN101616151A (zh) * | 2009-07-31 | 2009-12-30 | 中国科学院软件研究所 | 一种自动化的网络攻击特征生成方法 |
US20100169974A1 (en) * | 2008-12-31 | 2010-07-01 | International Business Machines Corporation | Measuring Coverage of Application Inputs for Advanced Web Application Security Testing |
US20110087892A1 (en) * | 2009-10-13 | 2011-04-14 | International Business Machines Corporation | Eliminating False Reports of Security Vulnerabilities when Testing Computer Software |
CN102104601A (zh) * | 2011-01-14 | 2011-06-22 | 无锡市同威科技有限公司 | 一种基于渗透技术的web漏洞扫描方法和漏洞扫描器 |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7624422B2 (en) * | 2003-02-14 | 2009-11-24 | Preventsys, Inc. | System and method for security information normalization |
US20040193918A1 (en) * | 2003-03-28 | 2004-09-30 | Kenneth Green | Apparatus and method for network vulnerability detection and compliance assessment |
US8656495B2 (en) * | 2006-11-17 | 2014-02-18 | Hewlett-Packard Development Company, L.P. | Web application assessment based on intelligent generation of attack strings |
US8613080B2 (en) | 2007-02-16 | 2013-12-17 | Veracode, Inc. | Assessment and analysis of software security flaws in virtual machines |
US9069967B2 (en) | 2007-02-16 | 2015-06-30 | Veracode, Inc. | Assessment and analysis of software security flaws |
US8321840B2 (en) | 2007-12-27 | 2012-11-27 | Intel Corporation | Software flow tracking using multiple threads |
US20090282480A1 (en) | 2008-05-08 | 2009-11-12 | Edward Lee | Apparatus and Method for Monitoring Program Invariants to Identify Security Anomalies |
US8713687B2 (en) * | 2008-12-17 | 2014-04-29 | Symantec Corporation | Methods and systems for enabling community-tested security features for legacy applications |
US8365290B2 (en) * | 2009-05-15 | 2013-01-29 | Frederick Young | Web application vulnerability scanner |
CN102081719B (zh) | 2009-12-01 | 2015-05-20 | 南京翰海源信息技术有限公司 | 基于动态污染传播的软件安全测试系统及方法 |
US8615804B2 (en) * | 2010-02-18 | 2013-12-24 | Polytechnic Institute Of New York University | Complementary character encoding for preventing input injection in web applications |
US9747187B2 (en) * | 2010-10-27 | 2017-08-29 | International Business Machines Corporation | Simulating black box test results using information from white box testing |
CA2777434C (en) * | 2012-05-18 | 2019-09-10 | Ibm Canada Limited - Ibm Canada Limitee | Verifying application security vulnerabilities |
-
2012
- 2012-08-29 EP EP12883502.2A patent/EP2891100B1/en active Active
- 2012-08-29 CN CN201280076097.3A patent/CN104995630B/zh active Active
- 2012-08-29 BR BR112015004035A patent/BR112015004035A2/pt not_active IP Right Cessation
- 2012-08-29 US US14/424,401 patent/US9558355B2/en active Active
- 2012-08-29 KR KR1020157006785A patent/KR20150048778A/ko not_active Application Discontinuation
- 2012-08-29 JP JP2015529767A patent/JP5982575B2/ja active Active
- 2012-08-29 WO PCT/US2012/052772 patent/WO2014035386A1/en active Application Filing
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050273859A1 (en) * | 2004-06-04 | 2005-12-08 | Brian Chess | Apparatus and method for testing secure software |
US20070240225A1 (en) * | 2006-04-10 | 2007-10-11 | Shrader Theodore J L | Architecture for automatic HTTPS boundary identification |
US20080184208A1 (en) * | 2007-01-30 | 2008-07-31 | Sreedhar Vugranam C | Method and apparatus for detecting vulnerabilities and bugs in software applications |
US20090205047A1 (en) * | 2008-02-08 | 2009-08-13 | Guy Podjarny | Method and Apparatus for Security Assessment of a Computing Platform |
US20100169974A1 (en) * | 2008-12-31 | 2010-07-01 | International Business Machines Corporation | Measuring Coverage of Application Inputs for Advanced Web Application Security Testing |
CN101616151A (zh) * | 2009-07-31 | 2009-12-30 | 中国科学院软件研究所 | 一种自动化的网络攻击特征生成方法 |
US20110087892A1 (en) * | 2009-10-13 | 2011-04-14 | International Business Machines Corporation | Eliminating False Reports of Security Vulnerabilities when Testing Computer Software |
CN102104601A (zh) * | 2011-01-14 | 2011-06-22 | 无锡市同威科技有限公司 | 一种基于渗透技术的web漏洞扫描方法和漏洞扫描器 |
Non-Patent Citations (1)
Title |
---|
APPSECINSIDER: ""Through the Looking-Glass"", 《IBM RATIONAL APPLICATION SECURITY INSIDER》 * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112256580A (zh) * | 2020-10-23 | 2021-01-22 | 济南浪潮数据技术有限公司 | 一种代码扫描方法、装置、设备及存储介质 |
CN112256580B (zh) * | 2020-10-23 | 2024-02-13 | 济南浪潮数据技术有限公司 | 一种代码扫描方法、装置、设备及存储介质 |
CN113220525A (zh) * | 2021-04-28 | 2021-08-06 | 杭州孝道科技有限公司 | 一种跨应用的动态污点跟踪方法 |
Also Published As
Publication number | Publication date |
---|---|
CN104995630B (zh) | 2018-10-12 |
EP2891100A1 (en) | 2015-07-08 |
US9558355B2 (en) | 2017-01-31 |
WO2014035386A1 (en) | 2014-03-06 |
EP2891100A4 (en) | 2016-03-16 |
JP2015534155A (ja) | 2015-11-26 |
KR20150048778A (ko) | 2015-05-07 |
US20150248559A1 (en) | 2015-09-03 |
EP2891100B1 (en) | 2017-05-24 |
JP5982575B2 (ja) | 2016-08-31 |
BR112015004035A2 (pt) | 2017-07-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104995630A (zh) | 基于动态污点的安全性扫描 | |
Iqbal et al. | Adgraph: A graph-based approach to ad and tracker blocking | |
US10503910B2 (en) | Security testing framework including virtualized server-side platform | |
US10243679B2 (en) | Vulnerability detection | |
US10505966B2 (en) | Cross-site request forgery (CSRF) vulnerability detection | |
TWI575397B (zh) | 利用運行期代理器及動態安全分析之應用程式逐點保護技術 | |
Felmetsger et al. | Toward automated detection of logic vulnerabilities in web applications | |
US9152795B2 (en) | Security vulnerability correction | |
US10043012B2 (en) | Method of correlating static and dynamic application security testing results for a web application | |
US10043004B2 (en) | Method of correlating static and dynamic application security testing results for a web and mobile application | |
CN105391729A (zh) | 基于模糊测试的web漏洞自动挖掘方法 | |
Li et al. | LogicScope: Automatic discovery of logic vulnerabilities within web applications | |
CN112688966A (zh) | webshell检测方法、装置、介质和设备 | |
Zhao et al. | Dynamic taint tracking of web application based on static code analysis | |
Aarya et al. | Web scanning: existing techniques and future | |
Muralee et al. | {ARGUS}: A Framework for Staged Static Taint Analysis of {GitHub} Workflows and Actions | |
Kumar | Reverse Engineering and Vulnerability Analysis in Cyber Security. | |
Erturk et al. | Web Vulnerability Scanners: A Case Study | |
George et al. | A proposed architecture for query anomaly detection and prevention against SQL injection attacks | |
Vernotte | A pattern-driven and model-based vulnerability testing for web applications | |
Zhou et al. | DAppHunter: Identifying Inconsistent Behaviors of Blockchain-based Decentralized Applications | |
Kilaru | Improving techniques for SQL injection defenses | |
Mutai | Hybrid Multi-Agents System Vulnerability Scanner For Detecting SQL Injection Attacks In Web Applications | |
Avancini et al. | Security oracle based on tree kernel methods | |
CN118036009A (zh) | 处理安全漏洞的方法、装置及电子设备 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C41 | Transfer of patent application or patent right or utility model | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20161230 Address after: American Texas Applicant after: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP Address before: American Texas Applicant before: Hewlett-Packard Development Company, L.P. |
|
TA01 | Transfer of patent application right | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20180613 Address after: American California Applicant after: Antite Software Co., Ltd. Address before: American Texas Applicant before: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP |
|
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | ||
CP03 | Change of name, title or address |
Address after: Utah, USA Patentee after: Weifosi Co., Ltd Address before: California, USA Patentee before: Antiy Software Co.,Ltd. |