Title of invention: SYSTEM AND METHOD FOR AUTOMATICALLY IDENTIFYING BROKEN AUTHENTICATION AND OTHER RELATED VULNERABILITIES IN WEB SERVICES
Abstract: A system for automatically identifying broken authentication and other related vulnerabilities in web services is disclosed. The system includes an emulating module, a first database, a second database, a tampering module and a response analysis module. The emulating module is configured to run a web service with (a) a first credential, and (b) a second credential to obtain first and second parameters. The first database and the second database are configured to store (i) the first session identifying parameters, (ii) the first request, and, (iii) the first response, (iv) the second session identifying parameters, (v) the second request, and (vi) the second response. The tampering module is configured to receive (a) the first and the second request from the first and the second database. The response analysis module is configured to receive (a) the third response from the tampering module.
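Application publication number: US2017063916(A1)  Application publication date: 2017.03.02
Application number: US201514880629  Filing date: 2015.10.12
Applicant: Wegilant Net Solutions Private Limited  Inventors: Sharma Toshendra Kumar; Valluri Bhanu Prakash
Classification number: H04L29/06  Main classification number: H04L29/06
Agency:  Agent: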
Main claim: 1. An automatic vulnerability assessment system to assess vulnerability of a web service, comprising: a memory unit that stores a set of modules and instructions; and a processor which when configured by said instructions executes said set of modules, wherein said set of modules comprises: an emulating module, executed by said processor, that is configured to run said web service with (a) a first credential to obtain a first set of parameters, and (b) a second credential to obtain a second set of parameters, wherein said first set of parameters comprises (i) a first session identifying parameters, (ii) a first request, and, (iii) a first response, wherein said second set of parameters comprises (i) a second session identifying parameters, (ii) a second request, and, (iii) a second response; a first database, stored in said memory, that stores (i) said first session identifying parameters, (ii) said first request, and, (iii) said first response; a second database, stored in said memory, that stores (i) said second session identifying parameters, (ii) said second request, and (iii) said second response; a tampering module, executed by said processor, that is configured to receive (a) said first request from said first database, and (b) said second request from said second database, wherein said tampering module tampers a plurality of parameters of said first request with parameter values of said second request to obtain a third response; and a response analysis module, executed by said processor, that is configured to receive (a) said third response from said tampering module, (b) said first response from said first database, and (c) said second response from said second database, wherein said response analysis module assesses vulnerability of said web service by comparing said third response with said second response.
Address: Gurgaon IN