Publications
-
The 12 Most Critical Risks for Serverless Applications
Cloud Security Alliance (CSA)
Today, many organizations are exploring serverless architectures, or are just making their first steps in the serverless world. In order to help them become successful in building robust, secure and reliable applications, the Cloud Security Alliance’s Israel Chapter has drafted “The 12 Most Critical Risks for Serverless Applications 2019.” This new paper enumerates what top industry practitioners and security researchers with vast experience in application security, cloud and serverless architectures believe to be the current top risks specific to serverless architectures.
-
Apache OpenWhisk 'Action' Mutability Weakness (CVE-2018-11756, CVE-2018-11757)
PureSec
Apache OpenWhisk is a serverless, open source cloud platform that executes functions in response to events at any scale. OpenWhisk is a cloud-first, distributed, event-based programming service. It provides a programming model to upload event handlers to a cloud service and register the handlers to respond to various events.
PureSec recently discovered that under certain conditions (specified below), a remote attacker may overwrite the source code of the action (serverless function) being executed and influence subsequent executions of the same function in the same container.
An attacker that manages to overwrite or modify the code of the action can then leverage this to perform further attacks such as:
- Leak sensitive action input data during subsequent executions, potentially of different end-users
- Execute rogue logic in parallel to the action’s original logic in subsequent executions, potentially of different end-users
In addition, an attacker may launch similar attacks in parallel, and in turn affect additional containers, turning the attack into a more persistent or widespread threat.
-
Passive Fingerprinting of HTTP/2 Clients
Akamai Technologies
HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred "on the wire" by introducing a full binary protocol, made up of TCP connections, streams and frames, rather than simply being a plain-text protocol. Such a fundamental change between HTTP/1.x and HTTP/2 meant that client-side and server-side implementations had to incorporate completely new code to support the new HTTP/2 features. This introduces nuances in protocol implementations, which in turn might be used to passively fingerprint web clients.
Akamai's Threat Research team recently conducted research on the possibility of passively fingerprinting HTTP/2 clients based on unique implementation features. The paper also proposes a format for passive HTTP/2 fingerprints, as well as a few examples of unique fingerprints belonging to common clients and implementations. The ability to passively fingerprint HTTP/2 client implementations can be leveraged in multiple ways, such as detecting web bots and automated web attack tools, detecting anonymous proxies and VPNs, and more confident detection of the true device and client type.
-
SSHowDowN Proxy: Exploitation of IoT devices for Launching Mass-Scale Attack Campaigns
Akamai
While analyzing malicious mass-scale credential stuffing campaigns against Akamai customers’ web sites, Akamai’s Threat Research team recently reported a trend in which millions of Internet-connected devices such as routers, DVR systems and even satellite antennas are the source of such attack campaigns. Further research into these devices confirmed our suspicion that the devices are being used as proxies to route malicious traffic through them, by leveraging several default configuration weaknesses in their operating systems.
Deeper analysis of the weakness showed that the vulnerable connected devices are being used for:
1. Mounting attacks against any kind of Internet target and against any kind of Internet-facing service, such as HTTP (e.g. web account checking, application layer attacks, etc.), SMTP (e.g. spamming), network scanning and so forth
2. Mounting attacks against the internal networks hosting these connected devices, e.g. malicious users can launch an attack from machines on the Internet against internal corporate servers
-
HQL Statement Tampering (Security Advisory)
Akamai Blog
"When non-sanitized user input is embedded directly into an HQL (Hibernate Query Language) statement, a malicious hacker may trick the HQL parser into splitting a predefined statement into two separate strings, and to ignore the second string, thus manipulating the original HQL statement and subverting application logic. The effect caused by this vulnerability is similar in nature to using SQL comment indicators for commenting out the rest of a query when performing SQL injection attacks, albeit the difference is that HQL does not provide a legitimate comment indicator similar to SQL..."
-
Allowing anonymized cross-domain access for links deemed benign
IBM
Disclosed is a technique to allow anonymized access to automatically identified benign links in web pages across domains, serving as an exception to the cross-domain access containment security measure. The latter security measure is described in detail in the publication titled "Malicious Scripting Protection Through Cross-Domain Access Containment" from July 7th, 2010.
-
Black-Box Automated Detection of Malicious Content in Web Applications
IBM
Disclosed is a technique to automatically identify malicious content being served on or linked off legitimate web pages. The technique includes automatically traversing these websites using a web scanner, passing all the downloaded content through an antivirus or similar tool to identify malicious content, and matching all discovered links against a database of black-listed locations.
-
Close encounters of the third kind - A look at the prevalence of client-side JavaScript Vulnerabilities in Web Applications
IBM
This whitepaper presents the results of research recently performed by the IBM Rational Application Security group into the prevalence of client-side JavaScript vulnerabilities. For this research, we used a new IBM technology called JavaScript Security Analyzer (JSA), which performs static taint analysis on JavaScript code that was collected from web pages extracted by an automated deep web crawl process. This kind of analysis is superior to and more accurate than regular static taint analysis of JavaScript code, as it includes the entire JavaScript codebase in its natural environment: fully rendered HTML pages and the browser’s Document Object Model (DOM).
The research used a sample group of approximately 675 websites, consisting of all the Fortune 500 companies and another 175 handpicked web sites, including IT, Web application security vendors, and social networking sites.
-
Use of anomaly detection on client side to protect against web attacks
IBM
-
Cross-Environment Hopping
Watchfire
Our research team has identified a web-based attack technique that exploits the growing number of applications that require a web server being run on a local machine. Cross-Environment Hopping (CEH) is a result of this trend combined with the current limitations in browsers’ same-origin policy access restrictions.
The CEH technique enables an attacker to exploit a local XSS vulnerability in order to “hop” to a different environment, such as another locally installed server. Under certain circumstances it may even be possible for an attacker to access remote network services such as network share drives, remote procedure calls, intranet mail, SQL servers, and so on.
-
Apache (Win32) Remote Code Execution (CVE-2002-0061)
Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell meta-characters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.
Patents
-
SECURING APPLICATION BEHAVIOR IN SERVERLESS COMPUTING
Issued US20230362168A1
A method for securing a serverless application including: (a) receiving a list of components which make up the serverless application and one or more intended usage flows of the serverless application; (b) creating and applying a security policy for each component of the serverless application, the security policy denying all access requests except from authorized components, wherein the authorized components are selected based on access requirements dictated by the one or more intended usage flows.
-
DYNAMICALLY SCALABLE APPLICATION FIREWALL DEPLOYMENT FOR CLOUD NATIVE APPLICATIONS
Issued WO2022147436A1
A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.
-
DYNAMIC APPLICATION FIREWALL CONFIGURATION FOR CLOUD NATIVE APPLICATIONS
Issued US20220182360A1
To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection, based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiating a WAF, the WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application will be enabled, while those which are not applicable to the application, and thus will not be used, are disabled. As a result, the security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.
-
SYSTEM AND METHOD FOR APPLICATION TRAFFIC AND RUNTIME BEHAVIOR LEARNING AND ENFORCEMENT
Issued US20220038423A1
Systems and methods for learning behavioral activity correlations. A method includes intercepting a plurality of requests, wherein each of the plurality of requests is directed to a respective destination entity of a plurality of destination entities; creating a request queue by queueing the plurality of requests; inspecting contents of the plurality of requests; separately forwarding each intercepted request to its respective destination entity based on the request queue; monitoring runtime output of each of the plurality of destination entities, wherein the runtime output includes behavioral activities of the plurality of destination entities; and training a machine learning model based on the contents of the plurality of requests and the runtime output of each of the plurality of destination entities, wherein the machine learning model is trained to output request-output correlations between groups of requests and subsequent behavioral activities.
-
ON-THE-FLY CREATION OF TRANSIENT LEAST PRIVILEGED ROLES FOR SERVERLESS FUNCTIONS
Issued 20210329003
The disclosed serverless security access control system leverages static analysis information about application code and runtime information to create and assign on-the-fly transient serverless function roles. A default role can be initially assigned to serverless functions of the application. The default role allows the function to communicate with a security access broker. The access broker accesses least privilege information about an invoked serverless function and then creates and assigns a transient role to the serverless function based on that information. The short life of the role reduces and possibly eliminates the security risk of an over-permissive role. The access broker can update the least privilege information based on updated analysis of the application code and runtime information to allow flexibility and adaptation over executions.
-
SOFTWARE PACKAGE ANALYSIS FOR DETECTION OF MALICIOUS PROPERTIES
Issued 20210319108
A system facilitates detection of malicious properties of software packages. A generic application which comprises known functionality, into which a software package has been included, is analyzed through a static analysis and/or dynamic analysis, which is performed based on executing the generic application in a controlled environment. The static analysis and/or dynamic analysis are performed to determine whether one or more properties associated with the software package comprise deviations from the known behavior of the generic application. Behavior deviations identified based on the static and/or dynamic analysis are associated with a score. An aggregate score is calculated for the software package based on the scores which have been assigned to the identified behavior deviations, and may be adjusted based on a reputation multiplier determined from metadata of the software package. If the aggregate score of the software package exceeds a score threshold, the software package is flagged as malicious.
-
SYSTEM AND METHOD FOR SECURING APPLICATION BEHAVIOR IN SERVERLESS COMPUTING
Filed US 20200267155
A method for securing a serverless application including: (a) receiving a list of components which make up the serverless application and one or more intended usage flows of the serverless application; (b) creating and applying a security policy for each component of the serverless application, the security policy denying all access requests except from authorized components, wherein the authorized components are selected based on access requirements dictated by the one or more intended usage flows.
-
BOT DETECTION IN AN EDGE NETWORK USING TRANSPORT LAYER SECURITY (TLS) FINGERPRINT
Issued WO2019126165A1
This disclosure describes a technique to fingerprint TLS connection information to facilitate bot detection. The notion is referred to herein as "TLS fingerprinting." Preferably, TLS fingerprinting herein comprises combining different parameters from the initial "Hello" packet sent by the client. In one embodiment, the different parameters from the Hello packet that are used to create the fingerprint (the "TLS signature") are: record layer version, client version, ordered TLS extensions, ordered cipher list, ordered elliptic curve list, and ordered signature algorithms list. Preferably, the edge server persists the TLS signature for the duration of a session.
-
BOT DETECTION IN AN EDGE NETWORK USING TRANSPORT LAYER SECURITY (TLS) FINGERPRINT
Filed US 20190190950
This disclosure describes a technique to fingerprint TLS connection information to facilitate bot detection. The notion is referred to herein as “TLS fingerprinting.” Preferably, TLS fingerprinting herein comprises combining different parameters from the initial “Hello” packet sent by the client. In one embodiment, the different parameters from the Hello packet that are used to create the fingerprint (the “TLS signature”) are: record layer version, client version, ordered TLS extensions, ordered cipher list, ordered elliptic curve list, and ordered signature algorithms list. Preferably, the edge server persists the TLS signature for the duration of a session.
-
SYSTEM AND METHOD FOR PROTECTING SERVERLESS APPLICATIONS
Filed US US20190312899A1
A system and methods for protecting a serverless application, the system including: (a) a serverless application firewall configured to inspect input of the serverless function so as to ascertain whether the input contains malicious, suspicious or abnormal data; and (b) a behavioral protection engine configured to monitor behaviors and actions of the serverless functions during execution thereof.
-
METHODS FOR SECURING SERVERLESS FUNCTIONS
Filed US 20190007458A1
A system and methods for protecting a serverless function including analyzing the serverless function to identify vulnerabilities or insecure configurations and a strict set of security permissions required by the serverless function in order to interact with a computing environment as intended.
-
DETECTION AND CLASSIFICATION OF MALICIOUS CLIENTS BASED ON MESSAGE ALPHABET ANALYSIS
Issued US US20150358343 A1
Described herein are systems, methods and apparatus for detecting and classifying malicious agents on a computer network. Many attacks require that the malicious message or messages employ certain characters. Such sets of characters can be indicative of an attack and referred to as a “malicious alphabet.” All clients on a network are likely to use characters from malicious alphabets in legitimate and valid network messages. However, malicious clients are likely to use characters from malicious alphabets in different ways than legitimate clients. According to the teachings hereof, a particular client's use of a malicious alphabet can be tracked and used to identify it as a potential attacker. Such tracking may take place across the applications and/or websites to which the traffic is directed. Based on the nature and extent of the client's use of the malicious alphabet, a reputation score for the client can be developed.
-
SECURE TRANSPORT OF WEB FORM SUBMISSIONS
Issued US WO2014049467 A1
Methods and systems for secure web form submission may implement one or more operations including: receiving web content including at least one web form from a web server at a client; determining a value of at least one web form submission security attribute of the at least one web form; and transmitting submission data associated with the at least one web form from the client to the web server according to the value of the web form submission security attribute.
-
INDICATING COVERAGE OF WEB APPLICATION TESTING
Issued US US20140129878 A1
Testing a system under test includes intercepting, within a proxy system, a request from a client system sent to the system under test. The request is analyzed within the proxy system and sent to the system under test. Within the proxy system, a response from the system under test sent to the client system is intercepted. The response is instrumented creating a modified response indicating test coverage according to the request. The modified response is sent to the client system.
-
COLLABORATIVE APPLICATION TESTING
Issued US US20140129915 A1
A method, computer program product, and computer system for performing, at a computing device, an analysis of a web application. A response is annotated by the web application with coverage data based upon, at least in part, the analysis, wherein the coverage data indicates which actions have been performed on the web application and which actions have not been performed on the web application according to results of the analysis. The response that includes the coverage data is shared with one or more users.
-
COMPUTER SOFTWARE APPLICATION SELF-TESTING
Issued US US20140068563 A1
Testing a computer software application by detecting an arrival of input data provided as input to a computer software application from a source external to the computer software application, modifying the detected input data to include test data configured to test the computer software application in accordance with a predefined test, thereby creating a modified version of the detected input data, and processing the modified version of the detected input data, thereby performing the predefined test on the computer software application using the test data.
-
AUTOMATIC SYNTHESIS OF UNIT TESTS FOR SECURITY TESTING
Issued US US 13/563,376
Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured…
Performing security analysis on a computer program under test (CPUT). The CPUT can be analyzed to identify data pertinent to potential security vulnerabilities of the CPUT. At least a first unit test configured to test a particular unit of program code within the CPUT can be automatically synthesized. The first unit test can be configured to initialize at least one parameter used by the particular unit of program code within the CPUT, and can be provided at least a first test payload configured to exploit at least one potential security vulnerability of the CPUT. The first unit test can be dynamically processed to communicate the first test payload to the particular unit of program code within the CPUT. Whether the first test payload exploits an actual security vulnerability of the CPUT can be determined, and a security analysis report can be output.
INJECTION CONTEXT BASED STATIC ANALYSIS OF COMPUTER SOFTWARE APPLICATIONS
Issued US 8,528,095
In one aspect of the invention a system is provided for injection context based static analysis of computer software applications, the system including a sink selector configured to select a sink within a computer software application, an output stream tracer configured to trace a character output stream leading to the sink within the computer software application, and determine an injection context of the character output stream at the sink, where the injection context is predefined in association with a state of the character output stream at the sink, and a context action identifier configured to identify any actions that have been predefined in association with the identified injection context, and provide a report of the actions, where the sink selector, output stream tracer, and context action identifier are implemented in at least one of a) computer hardware, and b) computer software embodied in a physically-tangible computer-readable storage medium.
In another aspect of the invention a method is provided for injection context based static analysis of computer software applications, the method including selecting a sink within a computer software application, tracing a character output stream leading to the sink within the computer software application, determining an injection context of the character output stream at the sink, where the injection context is predefined in association with a state of the character output stream at the sink, identifying any actions that have been predefined in association with the identified injection context, and providing a report of the actions. A computer program product embodying the invention is also provided.
METHOD AND APPARATUS FOR SECURITY ASSESSMENT OF A COMPUTING PLATFORM
Issued US 8650651 B2
A system and method for automated security testing are disclosed. The disclosure provides for automated discovery of security vulnerabilities through the monitoring of activities that occur throughout the separate components of a computing platform during a testing session through a communications interface.
DYNAMICALLY SCANNING A WEB APPLICATION THROUGH USE OF WEB TRAFFIC INFORMATION
Filed US 20130191920 A1
Collecting log file data from at least one log file. From the collected log file data, at least one HTTP request can be generated to exercise a web application to perform a security analysis of the web application. The HTTP request can be communicated to the web application. At least one HTTP response to the HTTP request can be received. The HTTP response can be analyzed to perform validation of the web application. Results of the validation can be output.
IDENTIFYING REQUESTS THAT INVALIDATE USER SESSIONS
Filed US 13/711,970
An illustrative embodiment of a computer-implemented process for identifying a request invalidating a session excludes all marked logout requests of a Web application, crawls an identified next portion of the Web application and responsive to a determination, in one instance, that the state of the crawl is out of session, logs in to the Web application. The computer-implemented process further selects all crawl requests sent since a last time the crawl was in-session, excluding all marked logout requests and responsive to a determination that requests remain, crawls a selected next unprocessed request. Responsive to a determination, in the next instance, that state of the crawl is out of session and the selected request meets logout request criteria, the computer-implemented process marks the selected request as a logout request.
SIMULATING BLACK BOX TEST RESULTS USING INFORMATION FROM WHITE BOX TESTING
Filed US 2012/0110551 A1
Systems, methods and program products for simulating black box test results using information obtained from white box testing, including analyzing computer software (e.g., an application) to identify a potential vulnerability within the computer software application and a plurality of milestones associated with the potential vulnerability, where each of the milestones indicates a location within the computer software application, tracing a path from a first one of the milestones to an entry point into the computer software application, identifying an input to the entry point that would result in a control flow from the entry point and through each of the milestones, describing the potential vulnerability in a description indicating the entry point and the input, and presenting the description via a computer-controlled output medium.
SYSTEM AND METHOD FOR IDENTIFYING SESSION IDENTIFICATION INFORMATION
Filed US 20120278480 A1
A computer-implemented process, computer program product, and apparatus for identifying session identification information. A recording is initiated and an operation sequence of interest is performed while recording and the recording ceases. Responsive to a determination that the operation sequence of interest was successful, information from the operation sequence of interest is saved as recorded information and responsive to a determination that a same operation sequence of interest was recorded, the recorded information from each operation sequence of interest is compared. Differences in the recorded information are identified to form identified differences and a session identifier is constructed using the identified differences.
TARGETED SECURITY TESTING
Filed US 13/341,426
Source code of a plurality of web pages including script code is statically analyzed. A page including a potential vulnerability is identified based on the static analysis. A page not including a potential vulnerability is identified based on the static analysis. The web page including the potential vulnerability is dynamically analyzed using a set of test payloads. The page not including the potential vulnerability is dynamically analyzed using a subset of the set of test payloads, the subset including fewer test payloads than the set of test payloads.
DETECTING SECURITY VULNERABILITIES IN WEB APPLICATIONS
Filed US 20130007886 A1
Method to detect security vulnerabilities includes: interacting with a web application during its execution to identify a web page exposed by the web application; statically analyzing the web page to identify a parameter within the web page that is constrained by a client-side validation measure and that is to be sent to the web application; determining a server-side validation measure to be applied to the parameter in view of the constraint placed upon the parameter by the client-side validation measure; statically analyzing the web application to identify a location within the web application where the parameter is input into the web application; determining whether the parameter is constrained by the server-side validation measure prior to the parameter being used in a security-sensitive operation; and identifying the parameter as a security vulnerability.
DETERMINING THE VULNERABILITY OF COMPUTER SOFTWARE APPLICATIONS TO PRIVILEGE-ESCALATION ATTACKS
Filed US 20120198557
Determining the vulnerability of computer software applications to privilege-escalation attacks, such as where an instruction classifier is configured to be used for identifying a candidate access-restricted area of the instructions of a computer software application, and a static analyzer is configured to statically analyze the candidate access-restricted area to determine if there is a conditional instruction that controls execution flow into the candidate access-restricted area, perform static analysis to determine if the conditional instruction is dependent on a data source within the computer software application, and designate the candidate access-restricted area as vulnerable to privilege-escalation attacks absent either of the conditional instruction and the data source.
APPLICATION STATE DETECTOR AND INDUCER
US 20090320043
A method for controlling a computer-implemented application, the method including determining a current state of a computer-implemented application, inducing the application into a predefined state associated with a target action of the application if the current state does not match the predefined state in accordance with predefined match criteria, and causing the target action to be performed.
BLACK BOX TESTING OPTIMIZATION USING INFORMATION FROM WHITE BOX TESTING
US 20110055813
Testing a computer software application by identifying a sink in the computer software application, identifying a source associated with the sink in the application, identifying an entry point associated with the source in the application, where the source is configured to receive input provided externally to the application via the entry point, determining a sink type represented by the sink, and providing to a testing application information identifying the entry point and in association with the sink type.
CRAWLING OF OBJECT MODEL USING TRANSFORMATION GRAPH
US 20100088668
A transformation tree for an object model (OM) is defined. The transformation tree has nodes interconnected by edges, where each node is connected to at most one other tree node. Each node corresponds to a state of the OM; each edge corresponds to an event causing the OM to transition from the state of one node to the state of another node. A transformation graph for the OM is constructed by simulating the transformation tree. The transformation graph has nodes interconnected by edges, and is a directed graph in which each node is connected to one or more other nodes. Each node corresponds to a state of the OM; each edge corresponds to an event causing the OM to transition from the state of one node to the state of another node. Crawling-oriented actions are performed in relation to the OM by being performed in relation to the transformation graph.
CROSS-DOMAIN ACCESS PREVENTION
US 20100088761
A method, system, and computer program product for cross-domain access prevention are provided. The method includes detecting a request from a first domain to access a second domain, and applying cross-domain access heuristics to determine whether to allow the request. The cross-domain access heuristics define common ownership characteristics between the first domain and the second domain. The method further includes performing the requested access in response to determining that the request complies with at least one of the cross-domain access heuristics, and blocking the requested access in response to determining that the request fails to comply with the cross-domain access heuristics.
LOGIN SEQUENCE PROFILING METHODS AND SYSTEMS
CA 2680609
This invention encompasses several heuristics used in profiling and understanding the login mechanism used by a web application in an automated fashion.
Languages
- Hebrew
- English
Organizations
- Cloud Security Alliance (CSA): Israel Chapter Board Member (Present)
- Web Application Security Consortium (WASC): Officer (Present)
- OWASP: OWASP Israel Board Member
- W3C Web Application Security Working Group: Participant