[OWASP-LEADERS] Sanctums Patent

Mark Curphey mark at curphey.com
Sun Nov 30 21:00:11 EST 2003


I have been hearing rumors that Sanctum are starting to issue writs for
patent infringement. Whilst I personally think it's farcical that anyone can
get such a patent, the facts are it's been issued and they are pursuing
people. The question for us is how is WebScarab's future affected by this
patent? There are also a lot of questions about OASIS WAS that we need to
deal with but that's a separate issue. What do we do?

United States Patent No. 6,584,569 to Reshef et al. and assigned to Sanctum
Ltd. ("The Sanctum Patent") discloses a scanner for automatically detecting
potential application-level vulnerabilities or security flaws in a web
application. The independent claims of the Sanctum patent generally relate
to a scanner that (1) traverses a web application in order to discover and
actuate the links therein, (2) analyzes messages that flow or would flow
between an authorized client and a web server in order to discover elements
of the web application's interface with external clients and attributes of
these elements (such as links, fill-in forms, fields, fixed fields, hidden
fields, menu options, etc.), (3) generates unauthorized client requests in
which these elements are mutated, sends the mutated client requests to the
web server, receives server responses to the unauthorized client requests,
and (4) evaluates the results thereof.
