WebApp Sec: RE: Web Application Penetration Testing Methodology Patent

From: Mark Curphey <mark_at_curphey.com>
Date: Fri, 16 Jan 2004 10:54:12 -0500 (EST)

Actually this has everything to do with this list and the people that subscribe.

If the interpretation of the patent is true (IANAL), then using much of the discussion that has taken place on this list for services and many of the tools that are used to prove those concepts (like SPIKE, PAROS etc.) over the past few years looks like they are in violation.

More so, many people who follow this list make a living from pen testing web applications. I think as a matter of public disclosure it's important that people understand the implications of the patent, hence the reason why I let it through. If this list does nothing else then it educates people of the current issues (technical or otherwise).

NB: It's pretty easy to reply with a hushmail address (rewrites mail headers so is anon) to the original poster if you are a conspiracy theorist!

---- "Levenglick, Jeff" <JLevenglick_at_fhlbatl.com> wrote:
> "If you know of something that has been made public (e.g.,
> article, posting, product, etc.) that contains all of the above elements
> post your findings to the list. A critical aspect is that it must contain
> all 4 elements from above. Anything less will not suffice. "
>
> Yea, sure pal. If I was doing anything illegal, I'll tell you so you can sue me.
> I'm assuming that you're close to being out of money and are looking for a cheap
> way to find and sue people?
>
> Listmaster:
>
> That had nothing to do with the list. Is your list now becoming a spam list?
> (ie: this should be on some legal list)
>
> Jeffrey
>
> -----Original Message-----
> From: webtester_at_hushmail.com [mailto:webtester_at_hushmail.com]
> Sent: Friday, January 16, 2004 09:38 AM
> To: webappsec_at_securityfocus.com; pen-test_at_securityfocus.com
> Subject: Web Application Penetration Testing Methodology Patent
>
>
> ===========================
>
> As many of you know, Sanctum, Inc. has been granted a patent (United
> States Patent No. 6,584,569) describing a process for automatically detecting
> potential application-level vulnerabilities or security flaws in a web
> application. What you may not know is that this patent is a "method"
> patent which means that it describes the way something works rather than
> a "product" patent which describes an actual product. A method patent
> is the broadest form of a patent which covers not just products but also
> the process or way people work.
>
> The Sanctum patent is very broad and virtually everyone who is involved
> with web application security is in violation of this patent. This is
> because the patent basically describes the process of penetration testing.
> The patent can be broken down into four elements. They are:
>
> 1. The process to traverse a web application in order to discover and
> actuate the links therein. This is also called a web crawler. Something
> that explores the entire code for a website and discovers all the links,
> or URLs, contained on the website. The process then actuates each link
> found on the website to generate HTTP requests for transmission to the
> web server (i.e., exercises the links). If the discovered link requires
> user input, such as when the discovered link includes a form, the process
> also provides fictitious values as input based on the field or data type.
>
> 2. The process to analyze messages that flow or would flow between an
> authorized client and a web server in order to discover elements of the
> web application's interface with external clients and attributes of these
> elements (e.g., links, forms, fixed fields, hidden fields, menu options,
> etc.). Here, the process sends the HTTP requests generated above for
> each of the discovered links and receives the associated responses from
> the web server. The responses are then analyzed, in the same manner
> in which the original website was analyzed, to discover all of the links
> contained therein. The responses are also scanned for other application
> interface elements, such as data parameters, and their attributes (such
> as links, fill-in forms, fixed fields, hidden fields, menu options, etc.).
> Up to this point, the process essentially explores and exercises all
> of the links on a website by sending authorized requests, then analyzes
> the responses for more links and interface elements (explores multiple
> layers of the web application).
>
> 3. The process then generates unauthorized client requests in which these
> elements are mutated, sends the mutated client requests to the web server,
> receives server responses to the unauthorized client requests. The
> process creates and sends unauthorized or mutated requests (also called
> "exploits") to the server. The process creates a mutated request for
> each interface element discovered above. The mutated request created
> by the process depends on the type of interface element at issue. For
> example, if the interface element is a numeric field, the scanner will
> create a mutated request that contains text as input, or if the interface
> element is a link, the scanner will create a mutated request that appends
> ".bak" to the link's path.
>
> 4. The process evaluates the results of the mutated requests. Finally,
> the process evaluates the response to the mutated request to ensure
> that the web server did not accept the unauthorized input value. One
> example of such an evaluation would be to look for responses containing
> keywords, such as "error," "sorry" or "not found." If such words are
> not returned, the process would conclude that the mutated request was
> accepted and that the web application is vulnerable to attack (i.e.,
> that the website contains a security flaw).
>
> As you can see, this patent is very broad and covers everything from
> security products to penetration testing. Unless someone can develop
> a way to perform web application security without violating one of the
> four points mentioned above everyone is in violation of this patent.
> Obviously, such a patent gives Sanctum an unfair competitive advantage
> within our market. However, there is a way to challenge this patent.
> First and foremost is to find something that addresses all the above
> points 1 year prior to when Sanctum submitted the patent. Sanctum submitted
> for the patent on March 3, 2000 so the material must be dated on or before
> March 2, 1999. If you know of something that has been made public (e.g.,
> article, posting, product, etc.) that contains all of the above elements
> post your findings to the list. A critical aspect is that it must contain
> all 4 elements from above. Anything less will not suffice.
Received on Jan 16 2004
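To make concrete what the four claimed elements amount to in practice, here is an added illustration that is not from this thread and is not Sanctum's or any product's code: it runs the crawl, interface discovery, mutation and keyword evaluation steps against a constructed in-memory model of a web application. Nothing touches the network; the routes, field names and the two simulated flaws (an echoed numeric parameter and a stale `.bak` copy of a page) are all invented for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed in-memory model of a small web application; nothing touches the network.
# Each entry maps a path to a handler taking parsed query parameters and returning a body.
SITE = {
    "/": lambda p: '<a href="/login">Login</a> <a href="/report?id=7">Report</a>',
    "/login": lambda p: '<form action="/auth"><input name="user" type="text">'
                        '<input name="age" type="number"></form>',
    # echoes any id value back without a type check (simulated flaw)
    "/report": lambda p: "Report %s" % p.get("id", ["1"])[0],
    # validates its numeric field and rejects anything else
    "/auth": lambda p: "Welcome" if p.get("age", [""])[0].isdigit() else "Sorry, age must be numeric",
    # stale copy of a page left on the server (simulated flaw)
    "/login.bak": lambda p: "<form action=...> (old copy of the login page)",
}

def serve(url):
    """Toy web server: dispatch on path, or answer with a 'not found' page."""
    parts = urlsplit(url)
    handler = SITE.get(parts.path)
    return handler(parse_qs(parts.query)) if handler else "Error: not found"
ERROR_WORDS = ("error", "sorry", "not found")
def crawl(start="/"):
    """Elements 1 and 2: actuate every link and harvest interface elements from the responses."""
    seen, queue, links, fields = set(), [start], [], []
    while queue:
        url = queue.pop()
        if url in seen:
            continue
        seen.add(url)
        body = serve(url)
        for href in re.findall(r'href="([^"]+)"', body):
            links.append(href)
            queue.append(href)
        for action, inner in re.findall(r'<form action="([^"]+)">(.*?)</form>', body):
            fields += [(action, n, t) for n, t in re.findall(r'<input name="(\w+)" type="(\w+)">', inner)]
    return links, fields
def mutate(links, fields):
    """Element 3: one mutated request per interface element, chosen by the element's type."""
    reqs = [urlsplit(l).path + ".bak" for l in links]                     # link: append ".bak" to its path
    reqs += ["%s?%s=abc" % (a, n) for a, n, t in fields if t == "number"]   # numeric form field: send text
    for l in links:                                                        # numeric query parameter: send text
        parts = urlsplit(l)
        reqs += ["%s?%s=abc" % (parts.path, n) for n, v in parse_qs(parts.query).items() if v[0].isdigit()]
    return reqs

def evaluate(reqs):
    """Element 4: flag a mutated request whose response carries none of the error keywords."""
    return [r for r in reqs if not any(w in serve(r).lower() for w in ERROR_WORDS)]
```

Running `evaluate(mutate(*crawl()))` flags `/login.bak` and `/report?id=abc` and clears the validated `/auth` field, which also shows the weakness of element 4: a rejection page that happens not to contain one of the listed words would be reported as an accepted mutation.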
