System and Method for Streamlining Black Box Testing by Detecting and Overcoming Server Crashes Using Server-Side Runtime Monitoring
Publication Date: 2012-Jun-19
The IP.com Prior Art Database
We present a server-side agent that aids black-box scanning in the scenario where specific tests "succeed" in crashing the server (denial-of-service attacks). The agent reports the server's current status to the black-box scanner, tells it which test caused the crash, and revives the crashed server so the scan can continue.
When performing a black-box security scan of a web application, it is common for the server being scanned to crash or stop responding during the scan, as the result of a successful denial-of-service test. This is caused by invasive tests sent by the scanner, which deliberately attempt to disrupt the server's normal service. When this happens, the scanner may detect that the server has stopped responding, stop the scan and notify the user. However, the scanner cannot easily tell which one of many tests caused the server to stop responding: from the scanner's side the triggering request may have completed normally, with the failure only becoming visible on a later request. Additionally, there is no automatic way to restart the server and continue the scan, so the user must restart the server manually and only then continue. This may happen several times during a scan, since the scanner makes many attempts to crash the server. The result is a significant inconvenience for the user, and it prevents the scan from being run unsupervised.
We present a system in which an agent runs on the server side (the side being scanned) and monitors the health of the server during the scan. The agent communicates with the scanner and is aware of which tests are being sent and at what time. When the agent detects that the server's normal operation has been disrupted (for example by examining the state of the server process, its memory and CPU usage, or the state of the database process), it attributes the disruption to the test that was in flight at that moment, so it knows exactly which test "succeeded" in crashing the server. This attribution is unambiguous as long as the scanner sends one test at a time, or tags each test so the agent can match it against the time at which the disruption was observed. The information is communicated back to the scanner, so that the scanner can accurately report which test was "successful" (a positive). At this stage the scanner pauses the scan (stops sending further tests) while the server-side agent restores normal operation (by restarting the server process, for example). Once the agent determines that the server has returned to its normal operating state, it notifies the scanner and the scan resumes automatically.
This solves both problems:
1. The scanner knows exactly which test "succeeded" in crashing the server, so that an accurate report can be made to the user
2. The scan can resume in an unsupervised way, even if the server crashes one or more times during the scan
Using our invention, users will be able to run a full scan without supervision, which also decreases the total run time, since no time is lost waiting for a manual restart after each crash.
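The following simulation shows the scanner/agent coordination described above end to end: the agent is told which test is in flight, detects the disruption from the server's process state, attributes it to the in-flight test, revives the server and lets the scan resume. It is an added example, not code from this disclosure. `FakeServer`, `Agent`, the `scan_*` functions, the test list and `CRASH_PAYLOAD` are all constructed for illustration; the "server" is an in-memory object whose web process flips to `crashed` when it receives the constructed payload, so nothing real is scanned and the code runs offline.

```python
"""Simulation of a black-box scanner coordinating with a server-side agent.

Added example, not code from the IP.com disclosure. All names and the sample
tests are assumptions made for illustration; no real scanner or web server is
involved.
"""
from dataclasses import dataclass

# Constructed test list: (test id, payload). T3 is the one that "succeeds".
CRASH_PAYLOAD = "A" * 65536
TESTS = [("T1", "q=1"), ("T2", "q=1' OR '1'='1"), ("T3", CRASH_PAYLOAD),
         ("T4", "q=<b>1</b>"), ("T5", "q=../../x")]


@dataclass
class FakeServer:
    """Stand-in for the scanned web server and its database process."""
    web_state: str = "running"
    db_state: str = "running"
    restarts: int = 0

    def handle(self, payload: str) -> str:
        if self.web_state != "running":
            raise ConnectionError("connection refused")
        if payload == CRASH_PAYLOAD:
            # Constructed failure mode: the response is sent, then the worker
            # dies. From the scanner's side this request looks successful and
            # only the *next* request fails, so a scanner alone misattributes.
            self.web_state = "crashed"
        return "200 OK"

    def restart(self) -> None:
        self.restarts += 1
        self.web_state = "running"


class Agent:
    """Server-side runtime monitor that knows which test is in flight."""

    def __init__(self, server: FakeServer):
        self.server = server
        self.in_flight = None  # test id announced by the scanner, one at a time

    def test_started(self, test_id: str) -> None:
        # Attribution is only unambiguous when the scanner serialises tests.
        if self.in_flight is not None:
            raise RuntimeError("agent assumes one test in flight at a time")
        self.in_flight = test_id

    def healthy(self) -> bool:
        # The real design would sample process state, CPU, memory and the DB
        # process; here those collapse to two state fields of FakeServer.
        s = self.server
        return s.web_state == "running" and s.db_state == "running"

    def test_finished(self) -> dict:
        """Health check after each test. Returns the status message sent back
        to the scanner and revives the server if it was disrupted."""
        test_id, self.in_flight = self.in_flight, None
        if self.healthy():
            return {"status": "ok", "test": test_id}
        # The test in flight when the disruption was detected is the positive.
        self.server.restart()
        return {"status": "crashed", "test": test_id, "recovered": self.healthy()}


def scan_without_agent(tests=TESTS) -> dict:
    """Baseline behaviour: stop at the first failure and report that test."""
    server = FakeServer()
    completed = 0
    for test_id, payload in tests:
        try:
            server.handle(payload)
        except ConnectionError:
            return {"stopped_at": test_id, "completed": completed}
        completed += 1
    return {"stopped_at": None, "completed": completed}


def scan_with_agent(tests=TESTS) -> dict:
    """Agent-assisted scan: accurate attribution, automatic pause and resume."""
    server = FakeServer()
    agent = Agent(server)
    report = {"positives": [], "completed": 0}
    for test_id, payload in tests:
        agent.test_started(test_id)
        try:
            server.handle(payload)
        except ConnectionError:
            pass  # the agent, not the failed connection, decides attribution
        status = agent.test_finished()
        if status["status"] == "crashed":
            report["positives"].append(status["test"])
            if not status["recovered"]:
                # Scanner stays paused; unsupervised resumption is impossible.
                raise RuntimeError(f"server did not recover after {status['test']}")
        report["completed"] += 1
    report["restarts"] = server.restarts
    return report


if __name__ == "__main__":
    print("without agent:", scan_without_agent())
    print("with agent:   ", scan_with_agent())
```

Run stand-alone, the baseline scan stops at T4 after three completed tests and blames the wrong test, while the agent-assisted scan reports T3 as the positive, restarts the server once and completes all five tests. The `RuntimeError` paths mark the two places where the scheme's assumptions break: more than one test in flight (attribution becomes ambiguous) and a restart that does not bring the server back (the scan cannot resume unsupervised).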
We introduce a server-side runtime monitoring agent. This...