CN104995630B - Computing system and method for security testing - Google Patents
Computing system and method for security testing
- Publication number
- CN104995630B (application number CN201280076097.3A)
- Authority
- CN
- China
- Prior art keywords
- module
- weakness
- dynamic taint
- application
- attack
- Prior art date
- Legal status
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/034—Test or assess a computer or a system
Description
Page | Field name | Pre-screened weakness candidates |
---|---|---|
search.jsp | search | Cross-site scripting |
login.jsp | username | SQL injection, LDAP injection |
location.jsp | ATM_location | SQL injection |
Claims (15)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2012/052772 WO2014035386A1 (en) | 2012-08-29 | 2012-08-29 | Security scan based on dynamic taint |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104995630A (zh) | 2015-10-21 |
CN104995630B (zh) | 2018-10-12 |
Family
ID: 50184025
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201280076097.3A Active CN104995630B (zh) | 2012-08-29 | 2012-08-29 | Computing system and method for security testing |
Country Status (7)
Country | Link |
---|---|
US (1) | US9558355B2 (zh) |
EP (1) | EP2891100B1 (zh) |
JP (1) | JP5982575B2 (zh) |
KR (1) | KR20150048778A (zh) |
CN (1) | CN104995630B (zh) |
BR (1) | BR112015004035A2 (zh) |
WO (1) | WO2014035386A1 (zh) |
Families Citing this family (48)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9317693B2 (en) * | 2012-10-22 | 2016-04-19 | Rapid7, Llc | Systems and methods for advanced dynamic analysis scanning |
US10237296B2 (en) * | 2014-01-27 | 2019-03-19 | Cronus Cyber Technologies Ltd | Automated penetration testing device, method and system |
US10515219B2 (en) | 2014-07-18 | 2019-12-24 | Micro Focus Llc | Determining terms for security test |
US9781145B2 (en) * | 2014-11-25 | 2017-10-03 | International Business Machines Corporation | Persistent cross-site scripting vulnerability detection |
US10110622B2 (en) | 2015-02-13 | 2018-10-23 | Microsoft Technology Licensing, Llc | Security scanner |
US9998482B2 (en) * | 2015-09-18 | 2018-06-12 | International Business Machines Corporation | Automated network interface attack response |
US9940479B2 (en) * | 2015-10-20 | 2018-04-10 | International Business Machines Corporation | Identifying and tracking sensitive data |
CN105808981B (zh) * | 2016-03-10 | 2018-06-19 | 西北大学 | Software protection method against taint analysis |
US11449638B2 (en) * | 2016-03-18 | 2022-09-20 | Micro Focus Llc | Assisting a scanning session |
US10417441B2 (en) * | 2016-04-29 | 2019-09-17 | International Business Machines Corporation | Effectively validating dynamic database queries through database activity monitoring |
CN105827644A (zh) * | 2016-05-17 | 2016-08-03 | 努比亚技术有限公司 | Method and terminal for processing password information |
US10122750B2 (en) | 2017-01-30 | 2018-11-06 | XM Cyber Ltd | Setting-up penetration testing campaigns |
US10068095B1 (en) * | 2017-05-15 | 2018-09-04 | XM Cyber Ltd | Systems and methods for selecting a termination rule for a penetration testing campaign |
US10686822B2 (en) | 2017-01-30 | 2020-06-16 | Xm Cyber Ltd. | Systems and methods for selecting a lateral movement strategy for a penetration testing campaign |
US10367846B2 (en) | 2017-11-15 | 2019-07-30 | Xm Cyber Ltd. | Selectively choosing between actual-attack and simulation/evaluation for validating a vulnerability of a network node during execution of a penetration testing campaign |
WO2018138608A2 (en) * | 2017-01-30 | 2018-08-02 | XM Ltd. | Penetration testing of a networked system |
US10257220B2 (en) | 2017-01-30 | 2019-04-09 | Xm Cyber Ltd. | Verifying success of compromising a network node during penetration testing of a networked system |
US10581802B2 (en) | 2017-03-16 | 2020-03-03 | Keysight Technologies Singapore (Sales) Pte. Ltd. | Methods, systems, and computer readable media for advertising network security capabilities |
CN107133180B (zh) * | 2017-06-07 | 2021-03-23 | 腾讯科技(深圳)有限公司 | Test method, test device and storage medium for dynamic pages |
US10534917B2 (en) | 2017-06-20 | 2020-01-14 | Xm Cyber Ltd. | Testing for risk of macro vulnerability |
US10574684B2 (en) | 2017-07-09 | 2020-02-25 | Xm Cyber Ltd. | Locally detecting phishing weakness |
US10783239B2 (en) * | 2017-08-01 | 2020-09-22 | Pc Matic, Inc. | System, method, and apparatus for computer security |
US10412112B2 (en) | 2017-08-31 | 2019-09-10 | Xm Cyber Ltd. | Time-tagged pre-defined scenarios for penetration testing |
US10447721B2 (en) | 2017-09-13 | 2019-10-15 | Xm Cyber Ltd. | Systems and methods for using multiple lateral movement strategies in penetration testing |
JP6928265B2 (ja) * | 2018-04-04 | 2021-09-01 | 日本電信電話株式会社 | Information processing device and information processing method |
US10440044B1 (en) | 2018-04-08 | 2019-10-08 | Xm Cyber Ltd. | Identifying communicating network nodes in the same local network |
US10382473B1 (en) | 2018-09-12 | 2019-08-13 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US10469521B1 (en) | 2018-11-04 | 2019-11-05 | Xm Cyber Ltd. | Using information about exportable data in penetration testing |
US10574687B1 (en) | 2018-12-13 | 2020-02-25 | Xm Cyber Ltd. | Systems and methods for dynamic removal of agents from nodes of penetration testing systems |
US10462177B1 (en) | 2019-02-06 | 2019-10-29 | Xm Cyber Ltd. | Taking privilege escalation into account in penetration testing campaigns |
US11283827B2 (en) | 2019-02-28 | 2022-03-22 | Xm Cyber Ltd. | Lateral movement strategy during penetration testing of a networked system |
US11206281B2 (en) | 2019-05-08 | 2021-12-21 | Xm Cyber Ltd. | Validating the use of user credentials in a penetration testing campaign |
JP6847460B2 (ja) * | 2019-05-27 | 2021-03-24 | 可立可資安股份有限公司 | System for managing information security attack and defense plans |
US11640469B2 (en) | 2019-06-21 | 2023-05-02 | Ventech Solutions, Inc. | Method and system for cloud-based software security vulnerability diagnostic assessment |
US10637883B1 (en) | 2019-07-04 | 2020-04-28 | Xm Cyber Ltd. | Systems and methods for determining optimal remediation recommendations in penetration testing |
US11544385B2 (en) | 2019-07-29 | 2023-01-03 | Ventech Solutions, Inc. | Method and system for dynamic testing with diagnostic assessment of software security vulnerability |
US10880326B1 (en) | 2019-08-01 | 2020-12-29 | Xm Cyber Ltd. | Systems and methods for determining an opportunity for node poisoning in a penetration testing campaign, based on actual network traffic |
US11533329B2 (en) | 2019-09-27 | 2022-12-20 | Keysight Technologies, Inc. | Methods, systems and computer readable media for threat simulation and threat mitigation recommendations |
US11005878B1 (en) | 2019-11-07 | 2021-05-11 | Xm Cyber Ltd. | Cooperation between reconnaissance agents in penetration testing campaigns |
US11575700B2 (en) | 2020-01-27 | 2023-02-07 | Xm Cyber Ltd. | Systems and methods for displaying an attack vector available to an attacker of a networked system |
US11221855B2 (en) * | 2020-03-06 | 2022-01-11 | International Business Machines Corporation | Transformation of an enterprise application into a cloud native application |
US11582256B2 (en) | 2020-04-06 | 2023-02-14 | Xm Cyber Ltd. | Determining multiple ways for compromising a network node in a penetration testing campaign |
CN111859375B (zh) * | 2020-07-20 | 2023-08-29 | 百度在线网络技术(北京)有限公司 | Vulnerability detection method, apparatus, electronic device and storage medium |
CN112199274B (zh) * | 2020-09-18 | 2022-05-03 | 北京大学 | JavaScript dynamic taint tracking method based on the V8 engine, and electronic device |
CN112256580B (zh) * | 2020-10-23 | 2024-02-13 | 济南浪潮数据技术有限公司 | Code scanning method, apparatus, device and storage medium |
CN113220525A (zh) * | 2021-04-28 | 2021-08-06 | 杭州孝道科技有限公司 | Cross-application dynamic taint tracking method |
US11874932B2 (en) | 2021-06-30 | 2024-01-16 | International Business Machines Corporation | Managing application security vulnerabilities |
CN113886842B (zh) * | 2021-12-02 | 2022-03-08 | 北京华云安信息技术有限公司 | Test-based dynamic intelligent scheduling method and apparatus |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101616151A (zh) * | 2009-07-31 | 2009-12-30 | 中国科学院软件研究所 | Automated network attack signature generation method |
CN102104601A (zh) * | 2011-01-14 | 2011-06-22 | 无锡市同威科技有限公司 | Web vulnerability scanning method and vulnerability scanner based on penetration techniques |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8091117B2 (en) | 2003-02-14 | 2012-01-03 | Preventsys, Inc. | System and method for interfacing with heterogeneous network data gathering tools |
US20040193918A1 (en) | 2003-03-28 | 2004-09-30 | Kenneth Green | Apparatus and method for network vulnerability detection and compliance assessment |
US20050273859A1 (en) | 2004-06-04 | 2005-12-08 | Brian Chess | Apparatus and method for testing secure software |
US20070240225A1 (en) * | 2006-04-10 | 2007-10-11 | Shrader Theodore J L | Architecture for automatic HTTPS boundary identification |
US8656495B2 (en) | 2006-11-17 | 2014-02-18 | Hewlett-Packard Development Company, L.P. | Web application assessment based on intelligent generation of attack strings |
US20080184208A1 (en) * | 2007-01-30 | 2008-07-31 | Sreedhar Vugranam C | Method and apparatus for detecting vulnerabilities and bugs in software applications |
US8613080B2 (en) | 2007-02-16 | 2013-12-17 | Veracode, Inc. | Assessment and analysis of software security flaws in virtual machines |
US9069967B2 (en) | 2007-02-16 | 2015-06-30 | Veracode, Inc. | Assessment and analysis of software security flaws |
US8321840B2 (en) | 2007-12-27 | 2012-11-27 | Intel Corporation | Software flow tracking using multiple threads |
US8650651B2 (en) * | 2008-02-08 | 2014-02-11 | International Business Machines Corporation | Method and apparatus for security assessment of a computing platform |
US20090282480A1 (en) | 2008-05-08 | 2009-11-12 | Edward Lee | Apparatus and Method for Monitoring Program Invariants to Identify Security Anomalies |
US8713687B2 (en) | 2008-12-17 | 2014-04-29 | Symantec Corporation | Methods and systems for enabling community-tested security features for legacy applications |
US8141158B2 (en) * | 2008-12-31 | 2012-03-20 | International Business Machines Corporation | Measuring coverage of application inputs for advanced web application security testing |
US8365290B2 (en) * | 2009-05-15 | 2013-01-29 | Frederick Young | Web application vulnerability scanner |
US8584246B2 (en) * | 2009-10-13 | 2013-11-12 | International Business Machines Corporation | Eliminating false reports of security vulnerabilities when testing computer software |
CN102081719B (zh) | 2009-12-01 | 2015-05-20 | 南京翰海源信息技术有限公司 | Software security testing system and method based on dynamic taint propagation |
US8615804B2 (en) * | 2010-02-18 | 2013-12-24 | Polytechnic Institute Of New York University | Complementary character encoding for preventing input injection in web applications |
US9747187B2 (en) * | 2010-10-27 | 2017-08-29 | International Business Machines Corporation | Simulating black box test results using information from white box testing |
CA2777434C (en) * | 2012-05-18 | 2019-09-10 | Ibm Canada Limited - Ibm Canada Limitee | Verifying application security vulnerabilities |
2012
- 2012-08-29 JP JP2015529767A patent/JP5982575B2/ja active Active
- 2012-08-29 US US14/424,401 patent/US9558355B2/en active Active
- 2012-08-29 CN CN201280076097.3A patent/CN104995630B/zh active Active
- 2012-08-29 WO PCT/US2012/052772 patent/WO2014035386A1/en active Application Filing
- 2012-08-29 BR BR112015004035A patent/BR112015004035A2/pt not_active IP Right Cessation
- 2012-08-29 EP EP12883502.2A patent/EP2891100B1/en active Active
- 2012-08-29 KR KR1020157006785A patent/KR20150048778A/ko not_active Application Discontinuation
Non-Patent Citations (1)
Title |
---|
"Through the Looking-Glass", AppSecInsider, IBM Rational Application Security Insider, 2011-11-17, pp. 1-4 * |
Also Published As
Publication number | Publication date |
---|---|
CN104995630A (zh) | 2015-10-21 |
EP2891100A1 (en) | 2015-07-08 |
KR20150048778A (ko) | 2015-05-07 |
JP2015534155A (ja) | 2015-11-26 |
BR112015004035A2 (pt) | 2017-07-04 |
US20150248559A1 (en) | 2015-09-03 |
JP5982575B2 (ja) | 2016-08-31 |
EP2891100B1 (en) | 2017-05-24 |
WO2014035386A1 (en) | 2014-03-06 |
US9558355B2 (en) | 2017-01-31 |
EP2891100A4 (en) | 2016-03-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104995630B (zh) | Computing system and method for security testing | |
US9736177B2 (en) | Automated security testing | |
CN101788982B (zh) | Method and system for protecting cross-domain interactions of web applications on unmodified browsers | |
US8800042B2 (en) | Secure web application development and execution environment | |
US6996845B1 (en) | Internet security analysis system and process | |
US9152795B2 (en) | Security vulnerability correction | |
US8640233B2 (en) | Environmental imaging | |
CN110221977A (zh) | AI-based website penetration testing method | |
CN107688743A (zh) | Malicious program detection and analysis method and system | |
CN113342639B (zh) | Mini-program security risk assessment method and electronic device | |
Nagpal et al. | SECSIX: security engine for CSRF, SQL injection and XSS attacks | |
Roy et al. | Generating phishing attacks using chatgpt | |
Li et al. | The application of fuzzing in web software security vulnerabilities test | |
CN113190839A (zh) | Web attack protection method and system based on SQL injection | |
CN110851838A (zh) | Internet-based cloud testing system and security testing method | |
CN113190838A (zh) | Expression-based web attack behaviour detection method and system | |
Noseevich et al. | Detecting insufficient access control in web applications | |
Long et al. | An efficient algorithm and tool for detecting dangerous website vulnerabilities | |
Dharam et al. | Runtime monitoring technique to handle tautology based SQL injection attacks | |
CN112287349A (zh) | Security vulnerability detection method and server | |
CN115857912A (zh) | NASL plugin generation method and system | |
Erturk et al. | Web Vulnerability Scanners: A Case Study | |
Sharma | A Study of Vulnerability Scanners for Detecting SQL Injection and XSS Attack in Websites | |
tul Hassan | Analysis of vulnerabilities in system by penetration testing | |
Dmytro et al. | MODERN CLOUD NATIVE INFRASTRUCTURE PROTECTION TOOLS |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C41 | Transfer of patent application or patent right or utility model | |
TA01 | Transfer of patent application right | Effective date of registration: 20161230; Address after: American Texas; Applicant after: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP; Address before: American Texas; Applicant before: Hewlett-Packard Development Company, L.P. |
TA01 | Transfer of patent application right | Effective date of registration: 20180613; Address after: American California; Applicant after: Antite Software Co., Ltd.; Address before: American Texas; Applicant before: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP |
GR01 | Patent grant | |
CP03 | Change of name, title or address | Address after: Utah, USA; Patentee after: Weifosi Co., Ltd; Address before: California, USA; Patentee before: Antiy Software Co.,Ltd. |