Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 15, 2011 at 12:00 AM
We have finally hit the midway mark for the Month of Prior Art, and in return we are treated to a new legal doc that showed up on the NTO site. This doc adds facts to their defense that the patent is unenforceable due to Cenzic's "inequitable and deceptive conduct" during the patent filing. Wow!
The main claim of Cenzic's "inequitable and deceptive conduct" pits Greg Hoglund against himself. In 2000 Greg Hoglund wrote a chapter of "Hackproofing Your Network", which I have mentioned in a couple of examples of prior art, but what NTO points out is that according to Amazon (and others) it is listed as published on January 15, 2000. This puts it as prior art to even the most extreme possible look-back date of Feb 28, 2000!
Chapter 8, about buffer overflow attacks, was written by Greg Hoglund, as can be seen in the Contributors section, which specifies all the authors and which chapters each of them wrote.
NTO points out the following:
- "Named Inventors Greg Hoglund and Riley Dennis Eller were authors of Chapter 8 of Hack Proofing and cannot credibly contend that they were unaware of it."
- "Hack Proofing was not listed on an IDS, despite clear Patent Office requirements."
- "A copy of Hack Proofing was never provided to the Patent Examiner again, despite clear Patent Office requirements."
The Prior Art Examples
From the NTO filing we can go back to the start of the claim:
1a: From the patent. “A method of testing a target in a network by fault injection, the method comprising:”
1b: From Hack Proofing (p. 204). “One of the more advanced attack techniques is the buffer overflow attack. Enough of these have been seen now, that most people can spot the signs of a potentially exploitable buffer overflow, and piece together a working exploit from previous samples. We’ll teach you how to find them and use them.”
2a: From the patent. “defining a transaction baseline;”
2b: From Hack Proofing (p. 253). “The first step in discovering a new buffer overflow is to insert invalid data into an application. To begin, you must locate every point where data is accepted into a program.”
3a: From the patent. “using the transaction baseline in order to create a supplement transaction; modifying at least one of an order and a structure of the supplement transaction to obtain a modified transaction with malformed grammar; and transmitting the modified transaction to a target; wherein the modifying step comprises: parsing out a delimiter to obtain an intermediate representation of the transaction, where a value in the transaction is replaced by a buffer function.”
3b: From Hack Proofing (p. 254). “In order to do this, you must know the format of data that is expected. Oftentimes, the data is divided into ‘fields.’ Once you know which fields are expected, you can begin the long and arduous task of testing them for buffer overflow conditions.”
Continuing on from Hack Proofing, p. 254: “For your convenience, I have attached some code I threw together for this purpose. The code takes complex HTTP queries, or any TCP-based query, and automagically splits out the ‘fields’—then it tries to overflow each field individually.” [snip] “The code can easily be modified to test for other types of problems as well, including improper escape character filtering. Happy Hunting!” It then continues for a couple of pages with the source code for the program that actually does this!
So not only is the method described, but there is an actual program to perform the functionality! And it even makes clear that the concept and code could be modified for “other types of problems”.
Go Go NTO!
Last Updated ( Apr 15, 2011 at 03:50 AM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 14, 2011 at 12:00 AM
Moving on to modification #7 from the claim chart.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 7) providing an alternative encoding to encode a transaction field with a character that is equal in nature and different in representation,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
1. GET /%63%67%69%2d%62%69%6e/phf HTTP/1.0
The string above is an example of an alternative character encoding that encodes a transaction field with a character that is equal in nature and different in representation. This string can be found in “Hackproofing Your Network” (a book published in 2000, of which Greg Hoglund is one of the co-authors), Chapter 7, page 186.
Last Updated ( Apr 15, 2011 at 03:47 AM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 13, 2011 at 12:00 AM
Moving on to modification #6 from the claim chart.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 6) replacing a delimiter with random ranges that cover the value of the delimiter,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
1. “Increment parameter value, Decrement parameter value, Multiply parameter value by -1”.
Watchfire Patent No. 6,584,569 (now held by IBM), page 16, Fig. 11.
Last Updated ( Apr 15, 2011 at 02:53 AM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 12, 2011 at 12:00 AM
Continuing with modification #5 from the claim chart.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 5) providing an unbalanced pair in the transaction baseline,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
4. “boguspassword' OR NOT Password='otherboguspassword”
The string above is an example of an unbalanced pair. This string can be found in “Hackproofing Your Network” (a book published in 2000, of which Greg Hoglund is one of the co-authors); Chapter 7 discusses this at length and includes the unbalanced pair example.
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 11, 2011 at 12:00 AM
Continuing with modification #5 from the claim chart.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 5) providing an unbalanced pair in the transaction baseline,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
3. blah blah' MORE SQL COMMANDS...
The string above contains an unbalanced pair. This string can be found at the following URL:
http://www.wiretrip.net/rfp/txt/rfp2k01.txt
The Feb 2000 RFP2K01 article, “How I hacked PacketStorm”, documents several options for the use of unbalanced pairs to accomplish SQL injection attacks.
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 10, 2011 at 12:00 AM
Continuing with modification #5 from the claim chart.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 5) providing an unbalanced pair in the transaction baseline,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
2. “Mutated parameter: price1=1”
Watchfire Patent No. 6,584,569 (now held by IBM), page 11, Fig. 7.
Last Updated ( Apr 13, 2011 at 10:19 PM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 08, 2011 at 12:00 AM
Moving on to modification #5 from the claim chart.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 5) providing an unbalanced pair in the transaction baseline,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
1. select 'lil'' string | 6+7 | with number'
The string above contains an unbalanced pair. This string can be found at the following URL:
http://www.wiretrip.net/rfp/txt/rfp9901.txt
This information has been available at the above URL since at least as early as 1999. The examples of this method are described in the Cenzic ‘232 patent in column 6, Table 7.
Last Updated ( Apr 13, 2011 at 10:16 PM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 08, 2011 at 12:00 AM
Continuing with modification #3 from the claim chart, and two for today.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 3) providing all delimiters in the transaction baseline, providing no values in the transaction baseline,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
2. Examples of this element can be found at the following URL and have been available since at least as early as September 2001, and probably earlier:
http://www.netkungfu.org/downloads/WhitepaperSQLInjection.pdf
The examples of this method are described in the Cenzic ‘232 patent in column 5, Table 4.
3. “Change parameter value to NULL” and “Increase string length beyond maxlength attribute”
On page 16, Table 1 of Patent No. 6,584,569, granted to Watchfire, now held by IBM.
Last Updated ( Apr 09, 2011 at 03:18 AM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 07, 2011 at 12:00 AM
Time to move on to modification #3 from the claim chart.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 3) providing all delimiters in the transaction baseline, providing no values in the transaction baseline,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
1. Quote: “Try to intentionally cause an error. Either leave a parameter blank, or insert as many “bad” characters as you can”
The quote above describes this methodology. It can be found in “Hackproofing Your Network” (a book published in 2000, of which Greg Hoglund is one of the co-authors), Chapter 7.
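As an added example, not code from the page or from either party, here is a defender-side check over the query-string fields of a request line for the field-level mutations the #3 and #5 posts cite: a delimiter with no value behind it, a quote that breaks out of the pair an application wraps around a value (or leaves it unbalanced), the doubled `''` delimiter, and over-long values. The request lines are constructed around the strings quoted on the page; the 256-character ceiling and the single-quote delimiter are assumptions.

```python
"""Inspect the query-string fields of an HTTP request line for the field-level
mutations in the '232 claim chart: a delimiter with no value behind it, a quote
that breaks out of (or leaves unbalanced) the pair an application wraps around
the value, the doubled '' delimiter, and over-long values.

Added example for this page; not code from the page, NTO or Cenzic. The
length ceiling and the SQL single-quote delimiter are assumptions."""
from urllib.parse import parse_qsl

MAX_FIELD_LEN = 256  # assumed per-field ceiling; set it from the form's maxlength

# Constructed request lines built around the strings quoted on the page.
SAMPLE_REQUESTS = [
    "GET /login.cgi?user=bob&pass=boguspassword%27+OR+NOT+Password%3D%27otherboguspassword HTTP/1.0",
    "GET /search.cgi?q=blah+blah%27+MORE+SQL+COMMANDS... HTTP/1.0",
    "GET /search.cgi?q=select+%27lil%27%27+string+%7C+6%2B7+%7C+with+number%27 HTTP/1.0",
    "GET /login.cgi?user=&pass= HTTP/1.0",
    "GET /item.cgi?price1=" + "A" * 300 + " HTTP/1.0",
    "GET /login.cgi?user=O%27%27Brien&pass=secret HTTP/1.0",
]


def quote_profile(value, delim="'"):
    """Count raw and doubled delimiters in a decoded field value.

    A doubled delimiter ('') is the SQL escape for a literal quote. A raw
    delimiter would terminate the literal the application opened around the
    value, so any raw delimiter is a break-out; an odd count also leaves the
    whole statement unterminated (the classic syntax-error response)."""
    raw = doubled = 0
    i = 0
    while i < len(value):
        if value[i] == delim:
            if value[i + 1 : i + 2] == delim:
                doubled += 1
                i += 2
                continue
            raw += 1
        i += 1
    return {"raw": raw, "doubled": doubled, "breaks_out": raw > 0, "odd": raw % 2 == 1}


def inspect_field(name, value):
    """Classify one name=value field; returns the quote profile plus a list of flags."""
    flags = []
    if value == "":
        flags.append("blank-value")
    prof = quote_profile(value)
    if prof["breaks_out"]:
        flags.append("unbalanced-pair" if prof["odd"] else "quote-break-out")
    if prof["doubled"]:
        flags.append("double-delimiter")
    if len(value) > MAX_FIELD_LEN:
        flags.append("over-long")
    return {"field": name, "length": len(value), **prof, "flags": flags}


def inspect_request_line(line):
    """Split the request line, decode its query string and inspect every field.
    parse_qsl decodes %27 and '+' so the check sees the value the application sees."""
    _method, target, _version = line.split(" ", 2)
    _path, _, query = target.partition("?")
    return [inspect_field(n, v) for n, v in parse_qsl(query, keep_blank_values=True)]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for f in inspect_request_line(req):
            print(f"{f['field']:8} len={f['length']:<4} raw={f['raw']} "
                  f"doubled={f['doubled']} flags={f['flags']}")
```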
Last Updated ( Apr 09, 2011 at 03:04 AM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 06, 2011 at 12:00 AM
Continuing on modification #2 from the claim chart. Today we will have two examples.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 2) creating a double delimiter in the transaction baseline,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
3. "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+"
The string above is an example of a “double delimiter”. This string can be found at the following URL:
http://web.archive.org/web/20020705141233/downloads.securityfocus.com/vulnerabilities/exploits/iisex.c
The information concerning the string above and alternative encoding using the IIS CGI File Decode Bug exploit was posted at least as early as May 5, 2001.
4. "*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*"
From 2001 or before, the string above is included in documentation on how to avoid these common attack methodologies, and can be found at URL
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/input.html
Last Updated ( Apr 09, 2011 at 03:05 AM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 05, 2011 at 12:00 AM
Continuing on modification #2 from the claim chart.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 2) creating a double delimiter in the transaction baseline,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
2. select 'lil'' string | 6+7 | with number'
The string above contains a double delimiter. This string can be found at the following URL:
http://www.wiretrip.net/rfp/txt/rfp9901.txt
This information has been available since at least as early as 1999. The examples of this method are described in the Cenzic ‘232 patent in column 5, Table 3.
Last Updated ( Apr 09, 2011 at 03:04 AM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 04, 2011 at 12:00 AM
Today we move on to modification #2 from the claim chart.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 2) creating a double delimiter in the transaction baseline,
This item is not specified in the original Provisional Patent filing, which sets its date to at least February 28th 2002.
Relevant Prior Art:
1. http://www.host.com///////////////////////////////////////////////////////...
From May 31, 2000, this string can be found at URL
http://www.securityfocus.com/bid/1284/discuss
Included in the above vulnerability report is a small program that implements the entire Claim 10 of “Defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value”. The program is found at URL
http://www.securityfocus.com/data/vulnerabilities/exploits/http-offset.pl
This small program starts by making a request to establish a baseline and then modifies the URL input field with increasingly repeated characters until it results in a modified transaction with a new result value.
Last Updated ( Apr 09, 2011 at 03:05 AM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 03, 2011 at 12:00 AM
We continue to stick to the claim chart, possible modification #1.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 1) providing alternative character encoding for a character in the transaction baseline,
Relevant Prior Art:
2. "/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+"
The string above is an example of “alternative encoding to encode a transaction field with a character that is equal in nature and different in representation”. This string can be found at the following URL:
http://web.archive.org/web/20020705141233/downloads.securityfocus.com/vulnerabilities/exploits/iisex.c
The information concerning the string above and alternative encoding using the IIS CGI File Decode Bug exploit was posted at least as early as May 5, 2001.
3. From Feb 2, 2000: “CERT Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests” can be found at the URLs
http://www.cert.org/advisories/CA-2000-02.html
http://www.cert.org/tech_tips/malicious_code_mitigation.html
The advisory above discusses this common variation on attack payloads. From the article:
“Use of Less-Common Character Sets May Present Additional Risk: Browsers interpret the information they receive according to the character set chosen by the user if no character set is specified in the page returned by the web server. However, many web sites fail to explicitly specify the character set (even if they encode or filter characters with special meaning in the ISO-8859-1), leaving users of alternate character sets at risk.”
Last Updated ( Apr 09, 2011 at 03:05 AM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 02, 2011 at 12:00 AM
I am not sure there will be a set pattern for the days, but for now I will continue down the claim chart and move into #1 of the possible modifications.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following: 1) providing alternative character encoding for a character in the transaction baseline,
Relevant Prior Art:
1. filename="=oiso8859- 1oBoLi5cLi5cLi5cLi5cLi5cV2LuZG9
The string above is an example of “alternative encoding to encode a transaction field with a character that is equal in nature and different in representation.” This string can be found at the following URL:
http://securityvulns.com/Bdocument129.html
The information concerning the string above and alternative encoding using the Bat directory traversal was posted at least as early as January 4, 2001. This exact prior art string appears to have been copied by the inventors for use as the example of the alternative character encoding method claimed in the Cenzic ‘232 patent. The example is listed in column 7, Table 10 of the Cenzic ‘232 patent, but its source is not mentioned in any of the patent references.
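As an added example, not code from the page, from Hack Proofing or from either party, here is a defender-side canonicaliser for the path of a request line that decodes and normalises it and flags the path-level mutations cited in the #1, #2 and #7 posts: percent-encoding of characters that never need it (`%63%67%69%2d%62%69%6e` spelling `cgi-bin`), nested encoding (`%252e`), repeated slashes and dot-dot segments. The request lines are constructed around the strings quoted on the page; the bound on decode rounds is an assumption.

```python
"""Canonicalise the path of an HTTP request line and flag the path-level
mutations listed in the '232 claim chart: alternative percent-encoding of
characters that never need encoding, nested (double) percent-encoding,
repeated delimiters and dot-dot segments.

Added example for this page; not code from the page, from Hack Proofing,
NTO or Cenzic. The decode-round bound is an assumption."""
import posixpath
import re
import string
from urllib.parse import unquote

# RFC 3986 "unreserved" characters: encoding one of these as %XX changes only
# the representation, never the meaning (the claim's "equal in nature").
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
PCT = re.compile(r"%([0-9A-Fa-f]{2})")
MAX_DECODE_ROUNDS = 5  # assumed bound; stops a pathological %2525...25 chain

# Constructed request lines built around the prior-art strings quoted on the page.
SAMPLE_REQUESTS = [
    "GET /%63%67%69%2d%62%69%6e/phf HTTP/1.0",
    "GET /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+ HTTP/1.0",
    "GET //////////////////////////index.html HTTP/1.0",
    "GET /index.html HTTP/1.0",
]


def percent_decode(path, limit=MAX_DECODE_ROUNDS):
    """Percent-decode until the string stops changing.

    Returns (decoded, rounds, unreserved_hit). `rounds` is the number of passes
    that changed the string (2 or more means nested encoding such as %252e).
    `unreserved_hit` is True if any %XX seen in any pass stood for an
    unreserved character, i.e. an alternative spelling of a plain character."""
    decoded, rounds, unreserved_hit = path, 0, False
    while rounds < limit:
        if any(chr(int(h, 16)) in UNRESERVED for h in PCT.findall(decoded)):
            unreserved_hit = True
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded, rounds = nxt, rounds + 1
    return decoded, rounds, unreserved_hit


def canonical_path(decoded):
    """Collapse runs of '/' and resolve '.' and '..' segments. normpath on an
    absolute path drops '..' segments that would climb above the root."""
    return posixpath.normpath(re.sub(r"/+", "/", decoded))


def analyze_request_line(line):
    """Return the canonical path plus the mutation flags raised for one request line.
    Assumes the usual three-part request line: METHOD SP TARGET SP VERSION."""
    method, target, _version = line.split(" ", 2)
    path, _, _query = target.partition("?")
    decoded, rounds, unreserved_hit = percent_decode(path)
    flags = []
    if unreserved_hit:
        flags.append("alternative-encoding")
    if rounds >= 2:
        flags.append("double-encoding")
    if "//" in decoded:
        flags.append("double-delimiter")
    if ".." in decoded.split("/"):
        flags.append("dot-dot-segment")
    return {
        "method": method,
        "raw_path": path,
        "canonical_path": canonical_path(decoded),
        "decode_rounds": rounds,
        "flags": flags,
    }


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        r = analyze_request_line(req)
        print(f"{r['raw_path'][:40]:40} -> {r['canonical_path']:28} "
              f"rounds={r['decode_rounds']} flags={r['flags']}")
```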
Last Updated ( Apr 09, 2011 at 03:05 AM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Apr 01, 2011 at 12:00 AM
To start off the Month of Prior Art (MoPA) we will use the broad read of patent 232. I have words to be spoken later about limits on the scope, but until I have more to present about that we will stick with the broad read from the Claim Chart.
Today we will start on the basic concept itself.
Cenzic 232 Patent Claim 10: A method of testing a target on a network by fault injection, the method comprising: defining a transaction baseline; and modifying an input field in the transaction baseline to obtain a modified transaction with malformed value, wherein modifying the input field comprises at least one of the following:
A few of the many Prior Art Examples:
- The concept of fault injection goes far back in history. Over the last 100 years it has been the common model for testing: apply something outside the normal range to find the limits. Applying this concept to software is a newer development, but not even that new, and it is something that common QA tools have been doing for a long time. Take nearly any QA tool from the 90's and it would easily apply as prior art to this point.
- The wording is slightly different but the meaning and result are identical. Watchfire Patent No. 6,584,569, now held by IBM. From the abstract: "A method for detecting security vulnerabilities in a web application includes analyzing the client requests and server responses resulting therefrom in order to discover pre-defined elements of the application's interface with external clients and the attributes of these elements. The client requests are then mutated based on a pre-defined set of mutation rules to thereby generate exploits unique to the application. The web application is attacked using the exploits and the results of the attack are evaluated for anomalous application activity."
- The entire topic of the 1998 book "Software Fault Injection: Inoculating Programs Against Errors" by Jeff Voas and Gary McGraw discusses this topic in depth, and it is not the first publication by Jeff Voas about the topic either. I will post more as the month goes on.
- Software programs like nmap were doing these kinds of activities, even for HTTP server fingerprinting, going back into the 90's as well. This example from a few weeks ago is another simple example of how easy it is to .
Last Updated ( Apr 07, 2011 at 06:14 PM )
Patents - News
Written by Enrique A. Sanchez Montellano
Mar 07, 2011 at 12:00 AM
The support continues to roll in.
HP Acquires Firm Hostile Towards Free Software, a Microsoft Ally
From the article: "Can you patent the obvious? Apparently when it comes to software security, maybe you can. [...] On to patent land. Apparently the security testing firm Cenzic believes that they deserve a patent for software fault injection. In February 2007 (a decade after our book was published) Cenzic was awarded patent number 7185232 for “fault injection methods and apparatus.” The basic claims in the patent involve injecting some faulty input into a web program (thing one) and watching for error responses (thing two). Very nice. Or maybe not. A grass roots effort to collect prior art and dispute the patent is being spearheaded on the net by Enrique A. Sanchez Montellano."
Last Updated ( Apr 15, 2011 at 03:47 AM )
Patents - News
Written by Enrique A. Sanchez Montellano
Mar 10, 2011 at 11:56 AM
In case you still think this is just about one vendor fighting another, check out this document from Cenzic that turned up on the OWASP mailing list. The so-called "Claims Chart" tells us the things Cenzic is asserting that NTO is infringing on. View the file here.
As said in the email, Claim 10 is a "method patent", which Cenzic could argue means the method does not have to be performed by an "apparatus" or software program. If so, a human consultant doing these tests manually would infringe all the same, not to mention the companies that hired them.
This document shows clearly that Cenzic seems to think that they own the ability to test for Cross-Site Scripting, SQL Injection, CMD Injection, and even HTTP Response Splitting!
That is ludicrous! This effectively means Cenzic has a patent covering anyone that requires PCI compliance, as PCI requires web scanning!
Last Updated ( Apr 08, 2011 at 02:17 AM )
Patents - News
Written by Enrique A. Sanchez Montellano
Mar 05, 2011 at 11:03 AM
This RSA I visited with expectations. Why would I have any expectations of a "trade show"? Well, I knew Cenzic was going to be there and I also heard that NTObjectives was going to be there, so I could get a first-hand chat and views on this matter.
I first visited the entire expo. I did not find an NTObjectives stand, which defeated one of the purposes, but I knew they were there so I tried to get in touch with them by any means, asking around. After a couple of hours of moving around I gave up on them and slowly walked to the Cenzic stand.
A friend walking with me was jokingly saying he was going to take pictures of me at the stands to record the event. As soon as we reached the stand I got closer and wondered how to start the conversation; this is not an over-the-counter conversation and I didn't want to make a big fuss about it. There were a couple of guys asking for information and I thought it would be in bad taste to go and ask directly, so I waited until someone was pretty much alone before going in there and asking directly about it.
The conversation was completely off the record, so I cannot write or quote about it. I heard their views; they were really nice and knew about the site. They thanked me for going in there and introducing myself and said they are probably going to be lawyer-gagged for a while. As I'm a fan of always having both stories so people can make their own decision, I reiterated that if they wanted to say something this site would have some space for it; they kindly declined and said they would ask their lawyers.
Last Updated ( Apr 07, 2011 at 06:15 PM )
Patents - News
Written by Enrique A. Sanchez Montellano
Mar 02, 2011 at 01:56 AM
The support continues to roll in. It's only Tuesday and already we have popped up on the OWASP wiki and the oldest/original security blog.
- Software [In]security: Software Patents and Fault Injection
Gary McGraw and Jeff Voas wrote a book on Software Fault Injection that was published in 1997, which covers a great deal of the type of activities that Cenzic/Greg Hoglund decided to file a patent for in 2002. From the article: "Apparently the security testing firm Cenzic believes that they deserve a patent for software fault injection. In February 2007 (a decade after our book was published) Cenzic was awarded patent number 7185232 for "fault injection methods and apparatus." The basic claims in the patent involve injecting some faulty input into a web program (thing one) and watching for error responses (thing two). Very nice. Or maybe not. A grass roots effort to collect prior art and dispute the patent is being spearheaded on the net by Enrique A. Sanchez Montellano."
- Hacker News Network Cast
We made this week's Hacker News Network Cast! On this week's episode (HNNCast.2011.02.25), at 5:46 into the episode, Space Rogue discusses the Cenzic patent and quite clearly expresses the dangers it poses to the community if not stopped. I was cracking up at the sound effects and seeing our site banner on the video. Sweet.
- Jeff Williams Statement
The president of OWASP has posted a statement about the Cenzic 232 patent on the OWASP Leadership Mailing list. From the statement: "I'm much more concerned about the effect of the patent on the application security industry than on OWASP." <snip> "Regardless of the pending litigation, this patent seems to touch on a technique that is fundamental to our industry, and we are certainly entitled to discuss, analyze, and even take support one side or the other."
I am regularly reading the OWASP Leadership Mailing list and know the topic is active. I think Jeff's comments are good and reasonable at this stage of what is happening. So here are my two cents for OWASP members to consider:
OWASP is all about pushing forward WebAppSec. If a company, even a member company, is employing business practices which could stifle the progress of WebAppSec, doesn't this fall into conflict with OWASP's goals? Cenzic has sued once before, and I think it is clear that this is now a behavior pattern which we all need to be concerned about.
I do agree that we all need more details, and this site is dedicated to the pursuit and disclosure of information and details about this patent. One problem is that a patent can sometimes mean whatever the patent holder wants to assert it means, until someone challenges those claims at great financial cost (like NTO is doing). I cannot know what OWASP's role should be, or what it could even do, but it is a centerpiece of the community and does carry a great deal of influence. Maybe it's worth taking David Hoyt up on his offer to help, at least to discuss OWASP projects that might be considered to infringe.
- OWASP WikiPage for Cenzic 232 Patent
The group at OWASP has no "official" position about this matter, as discussed above. Some members have set up a page on the OWASP Wiki to keep track of activity and information. This site will be sharing data to the OWASP wiki as activities progress.
- InfoSec Place Podcast Discussion
Dan Kuykendall, the co-CEO of NTO, discusses the topic on the podcast he co-hosts. The discussion starts 41 minutes into the episode. Interesting to hear first-hand discussion.
Last Updated ( Apr 07, 2011 at 06:16 PM )
Patents - News
Written by Enrique A. Sanchez Montellano
Feb 24, 2011 at 03:49 PM
This week has started to show that the community is responding to our call.
There are 3 stories from this week:
- OWASP - Has it Reached a Tipping Point?: The founder of OWASP, Mark Curphey, posted something of a rant about the current state of OWASP, and part of the discussion about ethics is centered around the Cenzic 232 patent issue.
From the article: "This is a firm that was founded by the same people that founded HB Gary. Yes the same firm that has been exposed to have been plotting a campaign to discredit wiki-leaks. Cenzic also have a patent for web fuzzing. Now I am not a lawyer but this patent appears that it could be applied against OWASP projects like WebScarab at any time. This is the same firm that used to claim in their marketing that they scan for the OWASP Top Ten. That's right using HTTP they scanned for insecure crypto! These are my personal opinion but this is not a firm with good ethics yet is actively involved in OWASP."
- The Curious Case Of Patent 232: Alan Shimel has written this article for Network World this week, where he referenced this site and discussed the story of Cenzic going after NTO and the wider implications.
From the article: "But let's be clear this patent goes well beyond NT Objectives and even web application scanners. Many think this patent can apply to any vulnerability type scanner like those used by Qualys, Rapid 7, Metasploit, etc. This could have a major impact on the industry."
- Security Firm Strikes Back At Cenzic Patent Lawsuit Threat: This article was posted minutes ago on DarkReading and details a lot of the problems with the broad nature of the patent.
From the article: "According to a penetration tester familiar with the case who requested anonymity, the way the patent is written it could even apply to SQL injection and cross-site scripting attacks or pen-tests. It could apply to any products that execute these techniques for bypassing normal security routines. "Even when I do this manually -- it would apply. So as a pen-tester, I couldn't do that" according to the lawsuit, the source says."
There has also been a discussion going on in the OWASP mailing list about this, and I think Rogan Dawes' quote was great.
Last Updated ( Apr 07, 2011 at 06:39 PM )
Patents - Month of Prior Art
Written by Enrique A. Sanchez Montellano
Feb 14, 2011 at 03:43 AM
Example with Baselining (May 2000):
I will be collecting prior art over the next several months and plan to post at least one example a week. Your contributions will aid in the effort!
The first example is from May 31, 2000 (almost 9 months BEFORE the patent was filed) on Security Focus, as part of the details for a security issue found in Apache. The article has an example script written by HD Moore.
For the sake of flow I will also paste it below...
Last Updated ( Apr 07, 2011 at 06:14 PM )
Patents - Cenzic
Written by Enrique A. Sanchez Montellano
Feb 12, 2011 at 03:38 AM
The short of it is: creating a program that sends a malformed request with intentionally bad content in order to generate a "malformed" or error response.
The long of it can be read from the patent. The first claim is basically a method in which they vary patterns: altering a character encoding, adding a double delimiter (aka // and multiple / or \ or other delimiters), providing no values for the expression, adding single quotes and double quotes, changing the value to a "buffer function" (aka a long line of characters; sounds like buffer overflows, right?), and using all that to form an expression with which to attack a system and detect failures.
The full claim is as follows...
Last Updated ( Apr 07, 2011 at 06:15 PM )