
Improving the Coverage of Dynamic Security Scanners by Extracting Rest APIs Requests from Source Code

IP.com Disclosure Number: IPCOM000247465D
Publication Date: 2016-Sep-09
Document File: 1 page(s) / 29K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method to improve the coverage of dynamic security scanners by extracting Representational State Transfer (REST) Application Programming Interface (API) requests from the source code. The method parses the software APIs from the source code and builds requests based on the parameters of the API, which are then run by the dynamic scanning tools to find potential security problems.



As part of the software development cycle, the development team usually runs dynamic scanning tools on web-based software products to find and fix security vulnerabilities before releasing the product. A dynamic scanning tool starts from the client-side request, crawls web pages, extracts new web page links, sends the requests to the server, and then finds security vulnerabilities. The problem is that the crawler of the dynamic scanner usually cannot cover all of the Application Programming Interfaces (APIs) of the software product. Additionally, a dynamic scanner cannot determine how to call a Representational State Transfer (REST) API without starting from the client side, because the scanner has no knowledge of the necessary parameters of a REST API.

A method is needed to significantly improve the coverage of the dynamic scanner.

The novel solution is to improve the coverage of dynamic security scanners by extracting REST API requests from the source code.

The method is to parse the software APIs from the source code and build requests based on the parameters of the API. The method then adds those requests to the list of requests that the dynamic scanning tools are going to run in order to find potential security problems.

Existing tools can parse the source code of a product and find all the REST APIs for the software product. From the...
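The following is an added example of the two steps the disclosure describes (parse the REST APIs out of the source, then build concrete requests from their parameters); it is not code from the disclosure. It assumes JAX-RS-style Java annotations (`@Path`, `@GET`, `@QueryParam`, ...), a constructed sample resource class, a placeholder host, and fixed placeholder values per Java type; the resulting request list is what would be handed to the dynamic scanner as extra seeds.

```python
import re

# Constructed sample source (JAX-RS style), assumed for this example only.
SAMPLE_SOURCE = '''
@Path("/users")
public class UserResource {
    @GET
    @Path("/{id}")
    public Response get(@PathParam("id") String id, @QueryParam("verbose") boolean verbose) { ... }

    @POST
    @Path("/search")
    public Response search(@QueryParam("name") String name, @HeaderParam("X-Tenant") String tenant) { ... }
}
'''

# Placeholder value chosen per Java parameter type (assumption; a real tool would use richer payloads).
PLACEHOLDER = {"String": "test", "int": "1", "long": "1", "boolean": "true"}

ENDPOINT_RE = re.compile(
    r'@(GET|POST|PUT|DELETE)\s*(?:@Path\("([^"]*)"\))?\s*public\s+\w+\s+\w+\((.*?)\)\s*\{', re.S)
PARAM_RE = re.compile(r'@(PathParam|QueryParam|HeaderParam)\("([^"]+)"\)\s+(\w+)')

def extract_endpoints(source):
    """Step 1: return (http_method, full_path, [(kind, name, java_type), ...]) per annotated method."""
    class_path = re.search(r'@Path\("([^"]*)"\)\s*public\s+class', source)
    base = class_path.group(1) if class_path else ""
    endpoints = []
    for m in ENDPOINT_RE.finditer(source):
        method, sub_path, args = m.group(1), m.group(2) or "", m.group(3)
        endpoints.append((method, base + sub_path, PARAM_RE.findall(args)))
    return endpoints

def build_requests(source, host="http://localhost:8080"):
    """Step 2: turn each endpoint into a concrete request the scanner can replay."""
    requests = []
    for method, path, params in extract_endpoints(source):
        query, headers = [], {}
        for kind, name, java_type in params:
            value = PLACEHOLDER.get(java_type, "test")
            if kind == "PathParam":
                path = path.replace("{" + name + "}", value)   # fill path template
            elif kind == "QueryParam":
                query.append(f"{name}={value}")
            else:
                headers[name] = value                          # HeaderParam
        url = host + path + ("?" + "&".join(query) if query else "")
        requests.append({"method": method, "url": url, "headers": headers})
    return requests

if __name__ == "__main__":
    for req in build_requests(SAMPLE_SOURCE):
        print(req["method"], req["url"], req["headers"])
```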