WebApp Sec: RE: Web Application Penetration Testing Methodology Patent

From: <sullo_at_cirt.net>
Date: Fri, 16 Jan 2004 13:50:06 -0500

Well, this is not really *new* (filed in 2001), and it was raised on this list
or bugtraq once before--however, it should be of great concern to all of us, and
every product that tests a web server for security issues. I have not heard of
any place Sanctum has tried to enforce this... anyone?

I just don't see how this could be valid...but I am not an expert, nor do I claim
to have a good understanding of patents.

There are many commercial and open source products that are doing this, have
been doing it for a while, and some that were probably doing it before Sanctum
was even founded...

I would love for OWASP--as an established force in webappsec and with a
budget (?)--to take the lead and get some legal advice, or request advice from EFF,
on how this patent *actually* affects "the industry".

-Sullo

-- 
http://www.cirt.net/
> >>-----Original Message-----
> >>From: webtester_at_hushmail.com [mailto:webtester_at_hushmail.com] 
> >>Sent: Friday, January 16, 2004 9:38 AM
> >>To: webappsec_at_securityfocus.com; pen-test_at_securityfocus.com
> >>Subject: Web Application Penetration Testing Methodology Patent
> >>
> >>
> >>===========================
> >>
> >>As many of you know, Sanctum, Inc. has been granted a 
> >>patent (United States Patent No. 6,584,569) describing a 
> >>process for automatically detecting potential 
> >>application-level vulnerabilities or security flaws in a web 
> >>application.  What you may not know is that this patent is a 
> >>"method" patent which means that it describes the way 
> >>something works rather than a "product" patent which 
> >>describes an actual product.  A method patent is the broadest 
> >>form of a patent which covers not just products but also the 
> >>process or way people work.  
> >>
> >>The Sanctum patent is very broad and virtually everyone who 
> >>is involved with web application security is in violation of 
> >>this patent.  This is because the patent basically describes 
> >>the process of penetration testing.  The patent can be broken 
> >>down into four elements.  They are:
> >>
> >>1. The process to traverse a web application in order to 
> >>discover and actuate the links therein.  This is also called 
> >>a web crawler.  Something that explores the entire code for a 
> >>website and discovers all the links,  or URLs, contained on 
> >>the website.  The process then actuates each link found on 
> >>the website to generate HTTP requests for transmission to the 
> >>web server (i.e., exercises the links).  If the discovered 
> >>link requires user input, such as when the discovered link 
> >>includes a form, the process also provides fictitious values 
> >>as input based on the field or data type.
> >>
> >>2. The process to analyze messages that flow or would flow 
> >>between an authorized client and a web server in order to 
> >>discover elements of the web application's interface with 
> >>external clients and attributes of these elements (e.g., 
> >>links, forms, fixed fields, hidden fields, menu options,  
> >>etc.).  Here, the process sends the HTTP requests generated 
> >>above for each of the discovered links and receives the 
> >>associated responses from the web server.  The responses are 
> >>then analyzed, in the same manner in which the original 
> >>website was analyzed, to discover all of the links contained 
> >>therein.  The responses are also scanned for other 
> >>application interface elements, such as data parameters, and 
> >>their attributes (such as links, fill-in forms, fixed fields, 
> >>hidden fields, menu options, etc.).  Up to this point, the 
> >>process essentially explores and exercises all of the links 
> >>on a website by sending authorized requests, then analyzes 
> >>the responses for more links and interface elements (explores 
> >>multiple layers of the web application).
> >>
> >>3. The process then generates unauthorized client requests in 
> >>which these elements are mutated, sends the mutated client 
> >>requests to the web server, and receives server responses to the 
> >>unauthorized client requests.  The process creates and sends 
> >>unauthorized or mutated requests (also called
> >>"exploits") to the server.  The process creates a mutated 
> >>request for each interface element discovered above.  The 
> >>mutated request created by the process depends on the type of 
> >>interface element at issue.  For example, if the interface 
> >>element is a numeric field, the scanner will create a mutated 
> >>request that contains text as input, or if the interface 
> >>element is a link, the scanner will create a mutated request 
> >>that appends ".bak" to the link's path.
> >>
> >>4. The process evaluates the results of the mutated requests. 
> >> Finally,  the process evaluates the response to the mutated 
> >>request to ensure that the web server did not accept the 
> >>unauthorized input value.  One example of such an evaluation 
> >>would be to look for responses containing keywords, such as 
> >>"error," "sorry" or "not found."  If such words are not 
> >>returned, the process would conclude that the mutated request 
> >>was accepted and that the web application is vulnerable to 
> >>attack (i.e., that the website contains a security flaw).
> >>
> >>As you can see, this patent is very broad and covers 
> >>everything from security products to penetration testing.  
> >>Unless someone can develop a way to perform web application 
> >>security without violating one of the four points mentioned 
> >>above everyone is in violation of this patent.  Obviously, 
> >>such a patent gives Sanctum an unfair competitive advantage 
> >>within our market.  However, there is a way to challenge this 
> >>patent.  First and foremost is to find something that 
> >>addresses all the above points 1 year prior to when Sanctum 
> >>submitted the patent.  Sanctum submitted for the patent on 
> >>March 3, 2000 so the material must be dated on or before 
> >>March 2, 1999.  If you know of something that has been made 
> >>public (e.g.,  article, posting, product, etc.) that contains 
> >>all of the above elements post your findings to the list.  A 
> >>critical aspect is that it must contain all 4 elements from 
> >>above.  Anything less will not suffice.  
> >>
Received on Jan 16 2004
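The four elements the quoted post lays out (crawl, analyse responses, mutate interface elements, evaluate with keywords) as a toy, offline illustration. This is added example code, not Sanctum's patent implementation or any list member's code; the regexes, the constructed page, the canned responses and the "not-a-number" mutation value are all assumptions, and no requests leave the process. It also shows why element 4's keyword heuristic over-reports: a 200 with no rejection keyword is flagged even when the server silently sanitised the input.

```python
import re
from urllib.parse import urljoin

# Element 1: a toy crawler step (constructed regexes, not a real HTML parser).
LINK_RE = re.compile(r'href="([^"]+)"', re.I)
FORM_RE = re.compile(r'<form[^>]*action="([^"]+)"[^>]*>(.*?)</form>', re.I | re.S)
INPUT_RE = re.compile(r'<input[^>]*name="([^"]+)"[^>]*type="([^"]+)"', re.I)

def discover(base, html):
    """Elements 1-2: return ('link', url) and ('form', action, {field: type})."""
    elems = [("link", urljoin(base, h)) for h in LINK_RE.findall(html)]
    for action, body in FORM_RE.findall(html):
        elems.append(("form", urljoin(base, action), dict(INPUT_RE.findall(body))))
    return elems

def mutate(elem):
    """Element 3: one mutated request per element, typed as the post describes."""
    if elem[0] == "link":
        return [("GET", elem[1] + ".bak", None)]      # ".bak" appended to the path
    action, fields = elem[1], elem[2]
    mutants = []
    for name, ftype in fields.items():
        if ftype == "number":                          # text where a number is expected
            data = {n: ("1" if t == "number" else "x") for n, t in fields.items()}
            data[name] = "not-a-number"
            mutants.append(("POST", action, data))
    return mutants

REJECT_WORDS = ("error", "sorry", "not found")

def evaluate(status, body):
    """Element 4: absence of a rejection keyword (or error status) is read as acceptance."""
    rejected = status >= 400 or any(w in body.lower() for w in REJECT_WORDS)
    return "rejected" if rejected else "accepted (flagged)"

# Constructed page and canned responses standing in for the web server.
BASE = "http://example.test"
PAGE = ('<a href="/orders?id=7">orders</a>'
        '<form action="/pay"><input name="amt" type="number">'
        '<input name="note" type="text"></form>')
CANNED = {"GET /orders?id=7.bak": (404, "Not Found"),
          "POST /pay": (200, "Thanks, your payment was processed")}

def scan(base=BASE, html=PAGE, responses=CANNED):
    findings = []
    for elem in discover(base, html):
        for method, url, _data in mutate(elem):
            status, body = responses.get(f"{method} {url[len(base):]}", (200, ""))
            findings.append((method, url, evaluate(status, body)))
    return findings
```

The second finding is a false positive by construction: the canned `/pay` handler accepted the request politely, and the keyword heuristic has no way to tell sanitised input from accepted input.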