Abstract: A method includes: identifying, by a runtime instrumentation agent of a web server, a plurality of attack surfaces of a web application executed on the web server; generating, by the runtime instrumentation agent, a plurality of hash values, where each hash value is generated based on one of the plurality of attack surfaces; and transmitting, by the runtime instrumentation agent, the plurality of hash values to an attack server external to the web server, where the attack server is to determine whether to scan each attack surface based on the plurality of hash values.

Abstract: Testing software applications often requires a balancing of thoroughness versus the time and computing resources available to perform such tests. By performing a static analysis on candidate software source code and, from the static analysis, configuring a dynamic analysis component to execute the tests, allows for extraneous tests to be omitted. For example, performing certain vulnerability attacks on a function may be futile if the attack requires a string input but the function only accepts integers. By combining static and dynamic analysis, unnecessary tests may be omitted and the results of each analysis process correlated to identify actual vulnerabilities or falsely indicted vulnerabilities reported by one of the static or dynamic analysis component.

Abstract: Examples relate to detecting vulnerabilities in a web application. One example enables identifying a set of inputs in a web application input form. The set of inputs may be categorized based on a set of predetermined conditions. The set of inputs may be scored based on the categorization. A subset of the set of inputs may be determined to be a set of parameters of interest for the web application based on the scored set of inputs.

Abstract: A method includes: identifying, by a runtime instrumentation agent of a web server, a plurality of attack surfaces of a web application executed on the web server; generating, by the runtime instrumentation agent, a plurality of hash values, where each hash value is generated based on one of the plurality of attack surfaces; and transmitting, by the runtime instrumentation agent, the plurality of hash values to an attack server external to the web server, where the attack server is to determine whether to scan each attack surface based on the plurality of hash values.

Abstract: Examples relate to automated multi-credential assessment in a system. One example enables auditing an application by sending a first request for an action to be performed in the application, the first request based on a first privilege level, where the first privilege level corresponds with a first level of access to the application, and sending a second request for the action to be performed in the application, where the second request based on a second privilege level different from the first privilege level. The second privilege level may corresponds with a second level of access to the application different from the first level of access. The first request and second request may be performed, and the results of the performed first request and second request may be combined. The combined results may be made available.

Abstract: Examples relate to detecting vulnerabilities in a web application. One example enables identifying a set of inputs in a web application input form. The set of inputs may be categorized based on a set of predetermined conditions. The set of inputs may be scored based on the categorization. A subset of the set of inputs may be determined to be a set of parameters of interest for the web application based on the scored set of inputs.

Abstract: Example embodiments disclosed herein relate to unused parameters. A request to a web page of an application under test is made. It is determined whether the web page includes one or more unused parameter fields. Another request to the web page of the application under test is made using one or more parameters corresponding to the unused parameter fields.

Abstract: Example embodiments disclosed herein relate to unused parameters. A request to a web page of an application under test is made. It is determined whether the web page includes one or more unused parameter fields. Another request to the web page of the application under test is made using one or more parameters corresponding to the unused parameter fields.

Abstract: An apparatus and system for scoring and grading websites and method of operation. An apparatus receives one or more Uniform Resource Identifiers (URI), requests and receives a resource such as a webpage, and observes the behaviors of an enhanced browser emulator as controlled by javascript provided by the webpage. The enhanced browser emulator tracks behaviors which when aggregated imply malicious intent.

Abstract: An apparatus and system for scoring and grading websites and method of operation. An apparatus receives one or more Uniform Resource Identifiers (URI), requests and receives a resource such as a webpage, and observes the behaviors of an enhanced browser emulator as controlled by javascript provided by the webpage. The enhanced browser emulator tracks behaviors which when aggregated imply malicious intent.

Abstract: A method provides Dynamic Analysis to identify URL provisioning malicious javascripts comprising tracing frequently used javascript feature used to either inject malicious javascript in html response or redirecting user to the website that is serving malicious contents. An apparatus embodiment operates in the cloud in the middle where it identifies javascript in the response traffic and then requests the other corresponding javascript and can make a determination before delivering the original content to the user.