Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
The IDS filed 5/8/2020 has been considered and entered.

Drawings
The drawings filed 5/8/2020 are accepted.
Specification
The specification filed 5/8/2020 is accepted.



EXAMINER'S AMENDMENT

An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given in an interview with Ken Sheets on 6-4-2021.

The application has been amended as follows: 


1. A method of verifying a regex group in an application testing process, the method comprising: 
creating, through a processor, a flow id, for the regex group when source reaches the sink, 
wherein the flow id is used for tracking the flow of the regex group,
wherein the regex group comprises a plurality of tasks including at least one regex sanitizer and at least one regex validator;

wherein the flow id comprises a hash of the combination of:
information from each of the plurality of tasks, 

a vulnerability type corresponding to the at least one regex sanitizer and the at least one regex validator and further corresponding to a type of web site injection attack selected from an SQL injection or Cross-site scripting, which the at least one regex sanitizer and the at least one regex validator are configured to mitigate, and

a regex comprising data input containing tainted characters that may damage the website rendering the website corrupted or gain internal information not intended to be accessed;

checking, through the processor, in case the flow id is a previously tested flow id; 

passing, through the regex group, each of the plurality of tasks in a queue, wherein the passing is performed when the flow id is not the previously tested flow id; 
wherein the passing comprises:
passing the regex as a corresponding input into a first of the at least one regex sanitizer,
wherein the first replaces at least one of the tainted characters with a benign character to create a corresponding output, 

for each of the remaining of the at least one regex sanitizer, 
receiving the corresponding output from a previous regex sanitizer as a corresponding input, and replacing at least another one of the tainted characters with a benign character to create a corresponding output;

wherein the processor checks for each of the at least one regex sanitizer that the corresponding output is different than the corresponding input;

passing the corresponding output from the last of the at least one regex sanitizer to each of the at least one regex validator;

for each of the at least one regex validator,
performing a validation on the corresponding output;

wherein if each of the at least one regex validator validates the corresponding output, the regex group is determined to be a valid regex group;

wherein if any of the at least one regex validator invalidates the corresponding output, the regex group is determined to be an invalid regex group; and

wherein for any of the at least one regex sanitizer, if the corresponding input matches the corresponding output, the regex group is determined to be an invalid regex group;

wherein when the website receives input data corresponding to an injection attack, the regex group is used to mitigate the injection attack if the regex group was determined to be a valid regex group.
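The method recited in claim 1 is a concrete procedure, so a worked implementation is added here to make its steps visible. This is example code written for this page; it is not the applicant's disclosed implementation and not part of the office action. The class names (`Sanitizer`, `Validator`), the function names (`flow_id`, `verify_regex_group`, `demo`), the choice of SHA-256 for the hash, the vulnerability-type labels, and all sample inputs are this example's own assumptions. It follows the claim's structure: the flow id is a hash over the task information, the vulnerability type and the tainted input; a previously tested flow id is not re-run; sanitizers are passed in a queue, each receiving the previous one's output; a sanitizer whose output equals its input makes the group invalid; the last sanitizer's output goes to every validator, and all must accept for the group to be valid.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Union

# Vulnerability types recited in the claim (these labels are this example's own).
SQLI = "sql_injection"
XSS = "cross_site_scripting"


@dataclass(frozen=True)
class Sanitizer:
    """Regex sanitizer task: replaces every tainted character matching
    `pattern` with the benign `replacement`."""
    name: str
    pattern: str
    replacement: str

    def run(self, data: str) -> str:
        return re.sub(self.pattern, self.replacement, data)

    def info(self) -> str:
        # The "information from each task" that feeds the flow id hash.
        return f"sanitizer:{self.name}:{self.pattern}:{self.replacement}"


@dataclass(frozen=True)
class Validator:
    """Regex validator task: accepts the sanitized output only if the whole
    string matches the allow-list pattern `allowed`."""
    name: str
    allowed: str

    def run(self, data: str) -> bool:
        return re.fullmatch(self.allowed, data) is not None

    def info(self) -> str:
        return f"validator:{self.name}:{self.allowed}"


Task = Union[Sanitizer, Validator]


def flow_id(tasks: Sequence[Task], vuln_type: str, tainted_input: str) -> str:
    """Flow id as the claim describes it: a hash over the information from
    every task, the vulnerability type, and the tainted input (SHA-256 is
    an assumption; the claim only says 'a hash')."""
    h = hashlib.sha256()
    for task in tasks:
        h.update(task.info().encode())
        h.update(b"\x00")  # field separator so concatenation is unambiguous
    h.update(vuln_type.encode())
    h.update(b"\x00")
    h.update(tainted_input.encode())
    return h.hexdigest()


def verify_regex_group(sanitizers: List[Sanitizer], validators: List[Validator],
                       vuln_type: str, tainted_input: str,
                       tested: Dict[str, str]) -> dict:
    """Run the claimed verification once per flow id.

    `tested` maps previously tested flow ids to their verdict; a repeated
    flow id is not re-run, which is the "previously tested flow id" check.
    """
    fid = flow_id([*sanitizers, *validators], vuln_type, tainted_input)
    if fid in tested:
        return {"flow_id": fid, "verdict": tested[fid], "tested_now": False}

    verdict = "valid"
    data = tainted_input
    # Sanitizers run as a queue: each receives the previous one's output.
    for sanitizer in sanitizers:
        out = sanitizer.run(data)
        if out == data:
            # Output matches input: this sanitizer never fired on the tainted
            # input, so the group is invalid as configured.
            verdict = "invalid"
            break
        data = out
    if verdict == "valid":
        # The last sanitizer's output goes to every validator; all must accept.
        for validator in validators:
            if not validator.run(data):
                verdict = "invalid"
                break
    tested[fid] = verdict
    return {"flow_id": fid, "verdict": verdict, "tested_now": True, "sanitized": data}


def demo() -> dict:
    """Four constructed runs: a valid SQLi group, the same flow id repeated,
    a group whose second sanitizer never fires, and an XSS group whose
    validator rejects the sanitized output. All inputs are constructed."""
    tested: Dict[str, str] = {}
    sqli_group = ([Sanitizer("quote", r"'", "_"), Sanitizer("semicolon", r";", "_")],
                  [Validator("alnum_only", r"[A-Za-z0-9_ ]*")])
    xss_group = ([Sanitizer("lt", r"<", "_")],
                 [Validator("no_markup", r"[^<>&]*")])
    return {
        "first": verify_regex_group(*sqli_group, SQLI, "name'; extra", tested),
        "repeat": verify_regex_group(*sqli_group, SQLI, "name'; extra", tested),
        "noop_sanitizer": verify_regex_group(*sqli_group, SQLI, "name' only", tested),
        "rejected": verify_regex_group(*xss_group, XSS, "a<b>c", tested),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["verdict"], result["flow_id"][:12])
```

The "noop_sanitizer" run shows the claim's strictest condition: the second sanitizer's output equals its input because the tainted input contains no semicolon, so the group is reported invalid even though nothing harmful survived. That is the intended reading of the claim (every sanitizer must demonstrably act on the tainted input), and it is why the tainted input used for verification must exercise every task in the group.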


11. A system of verifying a regex group in an application testing process, the system comprising: a processor; and a memory coupled to the processor, wherein the memory stores a set of instructions to be executed by the processor, wherein the processor is configured to:
create, through a processor, a flow id, for the regex group when source reaches the sink, 
wherein the flow id is used for tracking the flow of the regex group,
wherein the regex group comprises a plurality of tasks including at least one regex sanitizer and at least one regex validator;

wherein the flow id comprises a hash of the combination of:
information from each of the plurality of tasks, 

a vulnerability type corresponding to the at least one regex sanitizer and the at least one regex validator and further corresponding to a type of web site injection attack selected from an SQL injection or Cross-site scripting, which the at least one regex sanitizer and the at least one regex validator are configured to mitigate, and

a regex comprising data input containing tainted characters that may damage the website rendering the website corrupted or gain internal information not intended to be accessed;

check, through the processor, in case the flow id is a previously tested flow id; 

pass, through the regex group, 
wherein the passing comprises:
passing the regex as a corresponding input into a first of the at least one regex sanitizer,
wherein the first replaces at least one of the tainted characters with a benign character to create a corresponding output, 

for each of the remaining of the at least one regex sanitizer, 
receiving the corresponding output from a previous regex sanitizer as a corresponding input, and replacing at least another one of the tainted characters with a benign character to create a corresponding output;

wherein the processor checks for each of the at least one regex sanitizer that the corresponding output is different than the corresponding input;

passing the corresponding output from the last of the at least one regex sanitizer to each of the at least one regex validator;

for each of the at least one regex validator,
perform a validation on the corresponding output;

wherein if each of the at least one regex validator validates the corresponding output, the regex group is determined to be a valid regex group;

wherein if any of the at least one regex validator invalidates the corresponding output, the regex group is determined to be an invalid regex group; and

wherein for any of the at least one regex sanitizer, if the corresponding input matches the corresponding output, the regex group is determined to be an invalid regex group;

wherein when the website receives input data corresponding to an injection attack, the regex group is used to mitigate the injection attack if the regex group was determined to be a valid regex group.


Allowable Subject Matter
Claims 1-20 are allowed.

The following is an examiner's statement of reasons for allowance:
NPL Intrusion Protection against SQL Injection Attacks Using a Reverse Proxy discloses in Fig 2 a flow chart wherein a sanitizer is used to process an incoming client request and subsequently a validator checks the request for maliciousness.

NPL Preventing Input Validation Vulnerabilities in Web Application through Automated Type Analysis discloses on page 2 a solution whereby input validation is an effective alternative to output sanitization for preventing XSS and SQL injection vulnerabilities.

Chan et al. (US 10,693,901) discloses in C4 11-14 that applications perform both Input Validation and Output Encoding to address XSS and SQL injection.

The prior art of record does not explicitly disclose, in light of the other features recited in the independent claims,
wherein the flow id comprises a hash of the combination of:
information from each of the plurality of tasks, 

a vulnerability type corresponding to the at least one regex sanitizer and the at least one regex validator and further corresponding to a type of web site injection attack selected from an SQL injection or Cross-site scripting, which the at least one regex sanitizer and the at least one regex validator are configured to mitigate, and

a regex comprising data input containing tainted characters that may damage the website rendering the website corrupted or gain internal information not intended to be accessed;

wherein the passing is performed when the flow id is not the previously tested flow id; 

wherein when the website receives input data corresponding to an injection attack, the regex group is used to mitigate the injection attack if the regex group was determined to be a valid regex group.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD A MCCOY whose telephone number is (313)446-6520. The examiner can normally be reached on M - F 10 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Lynn Feild, can be reached on 571 272 2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RICHARD A MCCOY/Examiner, Art Unit 2431