International Business Machines Corporation

Hcl Technologies Limited

Sagi Kedmi

Roee Hay

Emanuel Bronshtein

Omer Tripp

David N Kaplan

Erez Rokah

Ilan Ben-Bassat

Daniel Dubnikov

One or more communication interfaces of a first application may be scanned. In response to the scanning, it may be determined that at least a first component of the first application is subject to public access from any application. One or more public access features associated with the first component may be removed, wherein the first component is no longer subject to public access from any application. A first module may be added to the first application to control access to data to or from the first component via one or more security rules.

Protecting an application via an intra-application firewall

Various techniques for detecting a persistent cross-site scripting vulnerability are described herein. In one example, a method includes detecting, via the processor, a read operation executed on a resource using an instrumentation mechanism and returning, via the processor, a malicious script in response to the read operation. The method also includes detecting, via the processor, a write operation executed on the resource using the instrumentation mechanism and detecting, via the processor, a script operation executed by the malicious script that results in resource data being sent to an external computing device from a client device. Furthermore, the method includes receiving, via the processor, metadata indicating the execution of the read operation, the write operation, and the script operation.

Persistent cross-site scripting vulnerability detection

A computer-implemented method for detecting malware based on asymmetry includes receiving, via a processor, an application to be tested. The method includes computing, via the processor, a static call graph for the application. The method also includes generating, via the processor, an interprocedural control-flow graph (ICFG) based on the static call graph. The method further includes detecting, via the processor, symbolic path conditions and executable operations along different paths of conditional branches in the ICFG. The method further includes detecting, via the processor, asymmetries based on the symbolic path conditions and the executable operations. The method includes detecting, via the processor, a malicious block based on the detected asymmetries. The method further includes modifying, via the processor, the application based on the detected malicious block.

Detecting malicious code based on conditional branch asymmetry

An example system includes a processor to crawl a plurality of web pages of a web application to be tested. The processor is to also receive an intercepted input to the web application and an output from a web application associated with each crawled web page. The processor is to further detect testable elements in the intercepted input and the output. The processor is also to generate a fingerprint for each web page based on the detected testable elements. The processor is to generate a list of clusters comprising one or more similar web pages based on the fingerprints. The processor is to test a single web page from each cluster.

Testing web applications using clusters

An example system includes a processor to crawl a plurality of web pages of a web application to be tested. The processor is also configured to receive an intercepted input to the web application and an output from a web application associated with each crawled web page. The processor is to further configured to detect testable elements in the intercepted input and the output. The processor is also configured to generate a fingerprint for each web page based on the detected testable elements. The processor is also configured to generate a list of clusters comprising one or more similar web pages based on the fingerprints. The processor is configured to test a single web page from each cluster.

A client application performs certificate pinning as a means of authenticating the identity of a server. A proxy is interposed in the communications path of the client and the hosting server and provides a proxy security certificate to the client. In response to the client extracting a proxy authentication component from the proxy security certificate, operation of the client is paused and a hosting server authentication component is extracted from a hosting server security certificate. The client operation is resumed, providing the extracted hosting server authentication component to the client, in substitution for the proxy authentication component. Based on receiving the extracted hosting server authentication component, the client authenticates the proxy to receive communications directed to the hosting server.

Bypassing certificate pinning

An example computer-implemented method includes receiving, via a processor, an application to be tested, a set of intrusive monitoring capabilities, and a set of external monitoring capabilities. The method includes executing, via the processor, the application in a clean environment to generate unmonitored application behavior. The method includes executing, via the processor, the application with intrusive monitoring based on two randomly generated seeds to generate trigger events and external monitoring to detect changes of application behavior in response to the intrusive monitoring. The method includes computing, via the processor, a correlation measure between the trigger events and the detected changes in the application behavior. The method includes modifying, via the processor, the application in response to detecting the application is evasive based on the correlation measure.

Modifying evasive code using correlation analysis

A given application is instrumented to trace its execution flow. Constraints and/or transformation associated with input identified in the execution flow are mirrored on a set of candidate test payloads. The set of candidate test payloads are modified or pruned based on the execution flow of the instrumented application reaching a security operation with the input satisfying the constraints while the payloads may not. If the set of candidate test payloads is not empty at reaching the security operation, it is determined that the give application has vulnerability and a signal issuing a warning may be generated and transmitted.

Execution of test inputs with applications in computer security assessment

A system and program product are described herein for various techniques for detecting a persistent cross-site scripting vulnerability are described herein. In one example, the techniques include detecting, via the processor, a read operation executed on a resource using an instrumentation mechanism and returning, via the processor, a malicious script in response to the read operation. The techniques also include detecting, via the processor, a write operation executed on the resource using the instrumentation mechanism and detecting, via the processor, a script operation executed by the malicious script that results in resource data being sent to an external computing device from a client device. Furthermore, the techniques include receiving, via the processor, metadata indicating the execution of the read operation, the write operation, and the script operation.

Growing community of inventors

Raanana, Israel

Sagi Kedmi