Slashdot Mirror


OWASP's VulnXML Database

Ingo Struck writes "The Open Web Application Security Project released the VulnXML db for early access to the public. VulnXML is a description of static known vulnerabilities. It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response to determine whether the attack succeeded. Besides, it provides some human readable classification of the described vulnerability. A tool to execute VulnXML records is currently being developed and will help developers to check their web applications against a suite of well-known vulnerabilities described in a portable format."

5 of 68 comments

  1. Re:Double-edged Sword? by PaulK · Score: 4, Informative

    Hmmmm.....

    I suppose I'll have to throw myself on my own sword.

    After digging through the "whisper" entries, it looks as if that is ALL it is... a repository for scripts.

    My apologies. I did read the overview, but it doesn't coincide with the actual database.

    This is disturbing.

  2. I think most people are missing this by Michael Crutcher · Score: 3, Informative

    From the site:
    This database is intended to enable the maintenance of a peer group based set of XML descriptions for web application attacks.

    Most people here are comparing this to vulnerability scanners like Nessus, but according to the description provided by the website this appears to be something entirely different. It doesn't check for known vulnerabilities versus services, but rather tries various attacks on web applications. I'm sure that something out there has been created along these same lines before, but I've never heard of it. This sounds like a good idea, and an easy way for inexperienced web application designers to ensure that they're not vulnerable to a large database of known attacks.

    Sounds pretty cool to me.

  3. Just in time for tomorrow! by bc90021 · Score: 2, Informative

    ...since tomorrow is apparently Defacement Day.

  4. A GPL VulnXML engine by daveaitel · Score: 2, Informative

    Immunity's SPIKE Proxy (http://www.immunitysec.com/spike.html) offers a python, GPL, VulnXML engine, and has for some time. VulnXML is superior to Nessus-style scripting in many ways for purely web-based assessments. Similar to how Nessus says "for all ports that have a web server on them, run these tests" VulnXML allows a fully interoperable and "self-descriptive" way to say "For all files on the web server, check for file.bak, but ignore custom 404 pages that return 200 OK, etc".
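
The engine behaviour daveaitel describes above (apply a record such as "check for file.bak" across the known paths, but discount custom 404 pages that answer 200 OK), as an added Python example that is not SPIKE Proxy's or OWASP's code: the `<check>` element layout, `parse_check`, `run_check` and `fake_site` are constructed stand-ins for illustration, not the real VulnXML schema or a real site.

```python
import difflib, random, string
import xml.etree.ElementTree as ET
from typing import Callable, List, Tuple

# A response is (status, body); the caller supplies the fetcher (a real HTTP
# client in practice, the fake site at the bottom here).
Fetcher = Callable[[str], Tuple[int, str]]

def parse_check(xml_text: str) -> dict:
    """Read one record. Element names are a constructed stand-in, not VulnXML's."""
    root = ET.fromstring(xml_text)
    return {"name": root.get("name"), "suffix": root.findtext("suffix"),
            "status": int(root.findtext("status")),
            "severity": root.findtext("severity")}

def _normalise(body: str, path: str) -> str:
    # Custom error pages usually echo the requested path; strip it first.
    return body.replace(path, "")

def fingerprint_not_found(fetch: Fetcher, seed: int = 0) -> Tuple[int, str]:
    """Request a path that cannot exist to learn the site's 'not found' reply."""
    rng = random.Random(seed)
    path = "/" + "".join(rng.choice(string.ascii_lowercase) for _ in range(24))
    status, body = fetch(path)
    return status, _normalise(body, path)

def run_check(fetch: Fetcher, check: dict, known_paths: List[str]) -> List[str]:
    """Return targets whose status matches the record AND whose body is not
    the site's own 'not found' page (the custom-404 caveat from the comment)."""
    nf_status, nf_body = fingerprint_not_found(fetch)
    hits = []
    for path in known_paths:
        target = path + check["suffix"]
        status, body = fetch(target)
        if status != check["status"]:
            continue
        looks_like_404 = status == nf_status and difflib.SequenceMatcher(
            None, _normalise(body, target), nf_body).ratio() > 0.9
        if not looks_like_404:
            hits.append(target)
    return hits

# Constructed sample: hypothetical record plus a fake site whose error page
# answers 200 OK; only /index.php.bak actually exists.
SAMPLE_RECORD = """<check name="backup-file"><suffix>.bak</suffix>
<status>200</status><severity>high</severity></check>"""

def fake_site(path: str) -> Tuple[int, str]:
    if path == "/index.php.bak":
        return 200, "<?php $db_pass = 'sample-only';"
    return 200, f"<html><body>Sorry, {path} was not found.</body></html>"
```

Against `fake_site`, only `/index.php.bak` is reported; `/login.php.bak` also returns 200 but is recognised as the custom error page and dropped.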

  5. Re:Double-edged Sword? by istr · Score: 2, Informative

    Sorry for that...
    :o|
    The db is beta. That means all entries found there are only for demonstration purposes. Most are imported from some very outdated Whisker set.
    Currently the objective of that db is to evaluate the viability of the entry editor and the data format, not to provide some up-to-date real checks.
    I updated the welcome text appropriately.
    Thanks for the hint.