OWASP's VulnXML Database 68
Ingo Struck writes "The
Open Web Application Security Project released the VulnXML db for early access to the public. VulnXML is a description of static known vulnerabilities. It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response whether the attack had success. Besides it provides some human readable classification of the
described vulnerability. A tool to execute VulnXML records is currently being developed and will help developers to check their web applications against a suite of well-known vulnerabilities described in a portable format."
Double-edged Sword? (Score:4, Interesting)
Not that I'm saying this is a bad thing -- it's just one more tools that security professionals will have to use to stay ahead of the competition.
Sysadmins? (Score:5, Interesting)
Re:Sysadmins? (Super Nessus?) (Score:1)
The only thing to fear (potentially) is that all those signatures are getting written now! And I'll agree with SHEENm
Re:Double-edged Sword? (Score:3, Insightful)
Scanning scripts exist everywhere, but this isn't one of them. This is a repository for known vulnerabilities, which will serve admins far more than kiddies.
I can quickly check the db for issues on any proposed software, etc....
This is not another virlab [kklotz.de].
Re:Double-edged Sword? (Score:5, Informative)
I suppose I'll have to throw myself on my own sword.
After digging through the "whisper" entries, it looks as if that is ALL it is... a repository for scripts. [owasp.org]
My apologies. I did read the overview, but it doesn't coincide with the actual database.
This is disturbing.
Re:Double-edged Sword? (Score:2, Informative)
The db is beta. That means, all entries found there are only for demonstration purposes. Most are imported from some very outdated Whisker set.
Currently the objective of that db is to evaluate the viability of the entry editor and the data format, not to provide some up-to-date real checks.
I updated the welcome text appropriately.
Thanks for the hint.
Re:Double-edged Sword? (Score:2)
I'm also grateful that you saw my comment as constructive criticism rather than a flame.
Neither was intended, it was meant merely as an observation; even so, kudos for separating the wheat from the chaff.
Re:Double-edged Sword? (Score:3, Interesting)
However, if you care at all about security, it's also going to make it really easy for you to fix any possible problems. Consider the situation as it is now: You protect yourself against all vulnerabilities you know about, and suffer the chances of a cracker finding out that you have a vulnerability in something that you weren't informed of.
Now consider having a central database with all k
Re:Double-edged Sword? (Score:3, Insightful)
Re:Double-edged Sword? (Score:2, Insightful)
I must confess that one of the advantages of closed source is that a vendor could integrate a security measure that would bind a certain serialcode or flexlm key to a certain pool of machines that may be checked by such a tool. This would also slow down script
Re:Double-edged Sword? (Score:2)
All right! (Score:5, Funny)
Wow (Score:4, Funny)
Now that's security by obscurity! <rimshot />
Thank you, ladies and germs, I'll be here all week.
Re:Wow (Score:1)
well... (Score:5, Insightful)
so we've just replaced script kiddies with a (very small) shell script?
Re:well... (Score:3, Funny)
Re:well... (Score:2)
As a matter of fact, I found no data about fixes/patches whatsoever, or even what the vulnerabilities are. Just a damn script for exploit.
The site is junk; stuff broken everywhere, and pointed to the wrong pages.
Binary XML (Score:1, Offtopic)
Re:Binary XML (Score:1)
Why not just ZIP, RAR, or otherwise compress the file? Does there need to be a separate standard?
Re:Binary XML (Score:2)
Because processing reams of text-delimited markups and arrays of text-encoded numbers or blobs is sloooooow. It's not about compression, but you can GZIP/whatever either text or binary.
For scientific data in XML, the process is to take an array of numbers, convert the numbers to text (expensive), compress the numbers (which is slow, especially because of the bulk of the numbers), transport, uncompress, and r
VulnXML (Score:2)
Nessus (Score:1)
By the by, turn off stuff you don't need and you'll find most vulnerabilities disappear like magic.
Also, remember to scan your machines from private and public access just in case.
Yet another.. why? (Score:4, Insightful)
I mean what more could you ask for... a client/server based vuln. scanner that will give you reports in xml, csv, txt, html, doc... Since the site and database has been created, maybe you should just write a program that exports the exploit tests as Nessus nasl scripts [nessus.org] so we can do the tests and Snort rules [snort.org] so we can detect testing.
Cool (Score:2)
It's a very simple idea, but I've never seen anything like it in an open website. Is this new only because it's not a black hat operation?
I think most people are missing this (Score:3, Informative)
From the site:
This database is intended to enable the maintenance of a peer group based set of XML descriptions for web application attacks.
Most people here are comparing this to vulnerability scanners like nessus, but acording to the description provided by the website this appears to be something entirely different. It doesn't check for known vulnerabilities versus services, but rather tries various attacks on web applications. I'm sure that something out there has been created along these same lines before, but I've never heard of it. This sounds like a good idea, and an easy way for inexperienced web application designers to insure that they're not vulnerable to a large database of known attacks.
Sounds pretty cool to me.
Just in time for tomorrow! (Score:3, Informative)
MITRE's OVAL and OpenSec (Score:2, Interesting)
For those interested in open standards for vulnerability assessment, you should check out the Open Vulnerability Assessment Language (OVAL - http://oval.mitre.org/ [mitre.org]). OVAL provides assessments that DO NOT PERFORM THE ACTUAL EXPLOIT but rather specify logical conditions on the values of system characteristics and configuration attributes to characterize which systems are susceptible to a given vulnerability.
The assessments use SQL syntax but there is an XML version coming soon.
The Open Security Project
Re:MITRE's OVAL and OpenSec (Score:1)
BTW, all the software described below either is or will be free.
Now, OVAL is in SQL right now, but we're working on an XML translation mechanism. The SQL is nice because it's intensely readable and writable by humans and also because it can be used to query a database of system attributes. That database leads to a technology called QNA, formerly
XML oversold IMO (Score:1)
I know, some of you don't feel that highly about relational and prefer the older "navigational" formats, but I think relational offers more consistent and logical organization rules and has a better "algebra" to go with it. It is harder to make cross-reference, normalization, and referential integrity rules with structures like XML (except under rare circumsta
Re:XML oversold IMO (Score:2)
Re:XML oversold IMO (Score:2, Interesting)
In fact XML is just a serialization format. Alas a format with lots of unnecessary overhead.
The decision for using XML maybe was based upon it's "popularity" - I don't remember...
Fortunately the serialization format can be switched within seconds to something less overheaded (since we use the OCL [owasp.org] with a generic serialization mechanism). So it is very easy to provide the good ol' properties format instantaneously.
IMO For VulnXML's duty some relational format is clearly ove
Interesting... (Score:1)
A GPL VulnXML engine (Score:2, Informative)
Re:A GPL VulnXML engine (Score:1)
It would be better to post your inadequate insults off-list and face-to-face or not at all.
Automated testing tool, a suggestion (Score:2)
2. convert to OpenSTA script
3. run OpenSTA
Re:Automated testing tool, a suggestion (Score:1)
headscratching (Score:1)