OWASP's VulnXML Database

Ingo Struck writes "The Open Web Application Security Project released the VulnXML db for early access to the public. VulnXML is a description of static known vulnerabilities. It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response whether the attack had success. Besides it provides some human readable classification of the described vulnerability. A tool to execute VulnXML records is currently being developed and will help developers to check their web applications against a suite of well-known vulnerabilities described in a portable format."

fp

fp

Cool

[ShieldW0lf]

I've wanted an army of Zombies ever since playing a Necromancer in junior high.

Thank you, thank you, thank you... you've given me the tools to make my dreams come true.

Re:Cool

this is only web tests. Check out OSVBD (http://www.osvdb.org/) for a project that is creating a database of all vulns.

Slashdot Troll Supply Store�

New! Slashdot Troll Supply Store

Get your latest goatse, penisbird, lemonparty, and tubgirl gear!

http://nero-online.org/store.php

michael is an asshat and a domain theif

Check out my Michael T-Shirt

New! Slashdot Troll Supply Store

Get your latest goatse, penisbird, lemonparty, and tubgirl gear!

http://nero-online.org/store.php

Re:michael is an asshat and a domain theif

that is one funny fucking shirt.

this should be the winner of the slashdot t-shirt contest.

Re:michael is an asshat and a domain theif

Either that or the lemonparty shirt.

Is that the editors in that pic?

I CLAIM THIS FP FOR THE CLIT!!!!!

[News+For+Turds]

I AM THE CLIT COMMANDER!

20 results found for "linux"

1 It will soon be illegal because of SCO and DMCA
2 GPL is anti-capitalist (use bsd instead)
3 Its hard to use (Gnome for example hide all the features that make it useable in its secret gconf database)
4 Its unstable (2.2 is the exception, but unless you apply about 1000 patches and backports its too old to be useful)
5 The software sucks (Openoffice, *puke* at the bloat)
6 The UI is inconsistent (read : gnome file dialog)
7 You have to type commands (None in windows since 95)
8 It doesn't run Windows programs (wine dosen't count)
9 You cannot buy a computer with Linux (Lindows at walmart dosen't count)
10 Linux companies are going out of bussiness (Mandrake for example)
11 RMS is a communist arsehole (note the arse)
12 High total cost of ownership
13 Too many distros
14 Un-american (American software sucks anyway)
15 Its not from microsoft (Therefore it does not have a monopoly in order to succeed)
16 Poor security track record (look at the kernel change logs)
17 Anyone and their 14 year old brother can add (buggy) code (and yes, it DOES sneak through CVS)
18 Even BeOS was better (try it and you will see te light)
19 Eugenia doesn't like it (she dosen't like anything actually)
20 It SUCKS!!!!!!!!!!!!! (-1, flamebait dosen't change this)

Double-edged Sword?

[melete]

As always, it sounds like this is a double egded sword -- won't this give script-kiddies a new engine for quickly scanning for possibly vulnerable targets?

Not that I'm saying this is a bad thing -- it's just one more tools that security professionals will have to use to stay ahead of the competition.

Re:Double-edged Sword?

[PaulK]

This doesn't seem as bad as that...

Scanning scripts exist everywhere, but this isn't one of them. This is a repository for known vulnerabilities, which will serve admins far more than kiddies.

I can quickly check the db for issues on any proposed software, etc....

This is not another virlab.

Re:Double-edged Sword?

[PaulK]

Hmmmm.....

I suppose I'll have to throw myself on my own sword.

After digging through the "whisper" entries, it looks as if that is ALL it is... a repository for scripts.

My apologies. I did read the overview, but it doesn't coincide with the actual database.

This is disturbing.

Re:Double-edged Sword?

[TrekkieGod]

You're right, this will help script-kiddies attack computers of the non-security conscious more easily, I suppose.

However, if you care at all about security, it's also going to make it really easy for you to fix any possible problems. Consider the situation as it is now: You protect yourself against all vulnerabilities you know about, and suffer the chances of a cracker finding out that you have a vulnerability in something that you weren't informed of.

Now consider having a central database with all known vulnerabilities, and a tool that uses that database to verify that you are secure against everything in the database. If the admin uses that tool, he's secure against every known vulnerability, and yes, those who don't have a higher chance of getting screwed. However, if you are serious about securing your systems, the only way you get in trouble is by an attack using an unknown vulnerability. The moment someone discovers that, that person will either a)include it in the database or b)use it, and then in the process make said vulnerability known.

And yeah, that was a really convulated way of explaining my thoughts...it's unfortunate that my thinking process is so damn warped.

Re:Double-edged Sword?

[Alpha_Nerd]

You'd rather have security through obscurity??

Re:Double-edged Sword?

Markus Ranem (sp?), creator of the Guantlet firewall and generally considered father of the firewall, agrees with you, and so do I.

Time to stop giving kids all the ammo they need and push for better vendor response.

Re:Double-edged Sword?

[dimmu]

There is no real cure to make tools only available to system administrators and not to script-kiddies. One way that would work is making it very difficult to use, but there will be obviously a nicer frontend for such a tool within weeks (if not days).

I must confess that one of the advantages of closed source is that a vendor could integrate a security measure that would bind a certain serialcode or flexlm key to a certain pool of machines that may be checked by such a tool. This would also slow down script kiddies in getting such a tool to work, but would never be foolproof.

The best way to retain script kiddies from such tools, is educating youngsters before they become 'script-kiddies'. I know of a couple of projects that are trying to do this (for example the Mostly Harmless team in the Netherlands).

Re:Double-edged Sword?

[jo42]

Oh, yeah, the terrorists could use this, couldn't they? Call out the Patriot Act!

Re:Double-edged Sword?

[istr]

Sorry for that...
:o|
The db is beta. That means, all entries found there are only for demonstration purposes. Most are imported from some very outdated Whisker set.
Currently the objective of that db is to evaluate the viability of the entry editor and the data format, not to provide some up-to-date real checks.
I updated the welcome text appropriately.
Thanks for the hint.

Re:Double-edged Sword?

[PaulK]

Thanks for the supplemental info. It's good to know that my initial perception was closer to the mark.

I'm also grateful that you saw my comment as constructive criticism rather than a flame.

Neither was intended, it was meant merely as an observation; even so, kudos for separating the wheat from the chaff.

michael, I have a hundred working open proxies

modbomb me at will! I cannot be stopped, you domain hijacking terrorist

New! Slashdot Troll Supply Store

Get your latest goatse, penisbird, lemonparty, and tubgirl gear!

http://nero-online.org/store.php

All right!

[Fly+Ricky+-+The+Wine]

Just in time for July 6th!

Wow

[Saint+Aardvark]

A tool to execute VulnXML records is currently being developed

Now that's security by obscurity! <rimshot />

Thank you, ladies and germs, I'll be here all week.

Re:Wow

[istr]

Well, not quite... Development takes place publicly at Sourceforge. Check out our CVS repository. :o)

well...

[LittleBigLui]

It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response whether the attack had success.

so we've just replaced script kiddies with a (very small) shell script?

Re:well...

Why not, we've already replaced advanced virus delivery systems with stupid users who would even be willing to open sexy-fun-i-am-not-a-virus-honest.exe

Re:well...

[PaulK]

Apparantly so.

As a matter of fact, I found no data about fixes/patches whatsoever, or even what the vulnerabilities are. Just a damn script for exploit.

The site is junk; stuff broken everywhere, and pointed to the wrong pages.

Instead of modding down, try fixing it!

Straight from the modded down setion of OSnews, the TRUTH about linux. Eugina can suck my cock while it BLEEDS! (Text in brackets pre-empt kneejerk responses)

1 It will soon be illegal because of SCO and DMCA
2 GPL is anti-capitalist (use bsd instead)
3 Its hard to use (Gnome for example hide all the features that make it useable in its secret gconf database)
4 Its unstable (2.2 is the exception, but unless you apply about 1000 patches and backports its too old to be useful)
5 The software sucks (Openoffice, *puke* at the bloat)
6 The UI is inconsistent (read : gnome file dialog)
7 You have to type commands (None in windows since 95)
8 It doesn't run Windows programs (wine dosen't count)
9 You cannot buy a computer with Linux (Lindows at walmart dosen't count)
10 Linux companies are going out of bussiness (Mandrake for example)
11 RMS is a communist arsehole (note the arse)
12 High total cost of ownership
13 Too many distros
14 Un-american (American software sucks anyway)
15 Its not from microsoft (Therefore it does not have a monopoly in order to succeed)
16 Poor security track record (look at the kernel change logs)
17 Anyone and their 14 year old brother can add (buggy) code (and yes, it DOES sneak through CVS)
18 Even BeOS was better (try it and you will see te light)
19 Eugenia doesn't like it (she dosen't like anything actually)
20 It SUCKS!!!!!!!!!!!!! (-1, flamebait dosen't change this)

Re:Instead of modding down, try fixing it!

You forgot to preempt the () these are parentheses, not brackets response. Sorry, you are teh failure.

this story is fucked up and boring

I don't give a shit about this pseudo techno gobble gook.

Shove it.

Why not Nessus?

Why didn't these guys just add this as a plugin to Nessus? Would have made more sense.

Sysadmins?

[SHEENmaster]

This could also be used to create a "Super" Nessus. Remember that script kiddies and system administrators both use such tools. I think that in the long run, it will help the latter more.

Slashcode-bug: b i /b /i

Re:Slashcode-bug: b i /b /i

That's not a bug, it's a misfeature.

Warning from goatse.cx

IMPORTANT NOTE: There are many merchandising attempts for goatse.cx around the web-- none of them are real, none of them are official. Do not buy this gimmick merchandise. The official goatse.cx merchandise is coming soon!

So trolls, don't buy from the Slashdot troll store

Theres 20 other reasons not to buy from trollstore

1 It will soon be illegal because of SCO
2 GPL is anti-capitalist
3 Its hard to buy
4 Its unstutible
5 The fabric sucks
6 The designs are inconsistent
7 You have to dry clean it.
8 You can't buy it from windows
9 You cannot buy it.
10 Troll store is going out of business
11 Nero is a communist arsehole
12 High total cost of ownership
13 Too many items
14 Un-american
15 Its not from microsoft
16 Poor feedback track record
17 Anyone and their 14 year old brother can mae their own store.
18 Even goatsemerch was better
19 Eugenia doesn't like it
20 It SUCKS!!!!!!!!!!!!!

Crack

It's how Michael is able to post continuously without sleeping.

Hi, Billy Maze here, for CrackMasters!
Ever want to stay away and troll for hours on end?
Ever think the slashdot editors were a little sub-human with their persistant news posts? Now you too can be an asshole like one of the Trolls and Editors! CrackMasters will keep you awake for upto two fortnights! Let's goto CrackMasters' top customer, Michael, and ask how he does it. Michael?

Michael: Hello Biwwy. I've posted continously without sleeping, all thanks to CrackMasters.
BMaze: Yes, that's what I've been telling all your troll moderators in the audience. We want to know how well CrackMasters has improved your lifestyle. Care to comment?
Michael: Yeah, Biwwy. I've always had this malevolent attraction to CmdrTaco, but he was never quite receptive. So, I used CrackMasters' product for about 1 month, went to the FBI and created an artificial entity named "Kate Fent", and immediatly CmdrTaco was allured by my gay-appeal in a matter of days. CmdrTaco thinks Kate Fent isn't me, but I'll be the one to confess what happens in the beadroom.
BMaze: That sound great. Have you ever solicited our product to anyone and helped sell this great American name: CrackMasters?
Michael: Yep. You see, CmdrTaco and me (Kate Fent) can't have children. So, we goto the orphanage to buy one. We can never make out a decision on which livestock^H^H^H^H^H^H^H little boy we want to take home. I don't bring candy much, so the orphans started asking about the kittle bag of CrackMasters I carried around. CrackMasters was an instant hit with the kids. They love the taste and I've since donated five Pentium 200 computers to the orphanage with Linux and Quake3 insalled. Those kids are up all night fragging and trading porn. They will remember the name, CrackMasters, come 20 years. I'm sure they'll pass on such a quality name to their grandkids.
BMaze: That sounds terrific! Have you tried starting a slashdot poll, pitting ol' caffeine to CrackMasters?
Michael: I'm working on CowboyNeal, but he isn't receptive to my sexual advances on him. It'll take a big boost, perhaps CrackMasters plus, to allure CowboyNeal's urges to me and have him submit to my dairy-wand.
BMaze: I thought you'ld never ask! CrackMasters Plus is the new product that not even the most fat and ugliest of mother fucking geeks can resist. Slip some CrackMasters Plus in their drinks and voila! Instant a'whorin' crack whore! This is Billy Maze, for CrackMasters!

xml =

[legcramp]

xml = souped up ini files. kidding...

Unbelievable

[sixdotoh]

This story has been posted for 43 minutes, and only 20 or so comments? man, where is everybody?

Re:Unbelievable

Half are recovering from yesterday, half are preparing for tomorrow...

Binary XML

[csbruce]

Check out BXML for a binary encoding of XML to efficiently carry scientific/array-type data. Feedback appreciated.

Re:Binary XML

[WarpForge]

Check out BXML for a binary encoding of XML to efficiently carry scientific/array-type data. Feedback appreciated.

Why not just ZIP, RAR, or otherwise compress the file? Does there need to be a separate standard?

Re:Binary XML

[csbruce]

Why not just ZIP, RAR, or otherwise compress the file? Does there need to be a separate standard?

Because processing reams of text-delimited markups and arrays of text-encoded numbers or blobs is sloooooow. It's not about compression, but you can GZIP/whatever either text or binary.

For scientific data in XML, the process is to take an array of numbers, convert the numbers to text (expensive), compress the numbers (which is slow, especially because of the bulk of the numbers), transport, uncompress, and re-parse the numbers (expensive) back into binary. It's much more sensible to take the binary numbers, dump them out in a raw write(), compress (faster, because of less input plus extra speedup with GZIP anyway because of data properties), fetch with a raw read(), and sometimes do endian swap. No encode/decode, and the GZIP compressed data anyway is actually smaller (less redundant junk in the stream to begin with).

FROM THE DESK OF COMMANDER SHITHEAD

Help me! I'm being attacked in the rear by GAY NIGGERS FROM OUTER SPACE!

VulnXML

[Faust7]

I know security is the first thing that leaps to my mind when I read that name. ;)

Perl is the problem

I don't like Perl because it sucks. Why does it suck? It sucks because Larry Wall is not a computer scientist so he designed an ugly mish-mash of a language that is write-only. It is almost impossible to decipher a Perl script 6 months after it has been written.

What is even more ironic is that Larry fancies himself some sort of "linguist" or "English" major. He went to college and read a couple books on Shakespeare so now he thinks he is some kind of language expert. Well it doesn't work that way.

Take a look at Perl. Does it look like it was designed by anyone who knew anything about the English language? No, it doesn't. It honest-to-God looks like it was designed by someone who was an Egyptian hieroglyphics major who spent all his free time watching Star Trek -- in other words, someone completely disconnected with reality.

So you can see why Perl sucks. Not to worry; there are other better languages to use. Try Python or Ruby, or gosh darn it -- Korn Shell. Any of these is better than Perl which should be relegated to set decoration for Raiders of the Lost Ark.

Nessus

[Synithium]

I've used Nessus to scan mine own boxen for months now. Very useful and powerful. Having this shouldn't raise any warning flags, being that a similar tool for this has been around for a long time now.

By the by, turn off stuff you don't need and you'll find most vulnerabilities disappear like magic.

Also, remember to scan your machines from private and public access just in case.

Yet another.. why?

[Knightmare]

I honestly don't see the purpose in this site or the tool being developed to use it. I use Nessus on a daily basis and it seems to work just fine for this task.

I mean what more could you ask for... a client/server based vuln. scanner that will give you reports in xml, csv, txt, html, doc... Since the site and database has been created, maybe you should just write a program that exports the exploit tests as Nessus nasl scripts so we can do the tests and Snort rules so we can detect testing.

Re:Yet another.. why?

What more could you ask for from Nessus?

see sussen.sourceforge.net,
it looks WAY better than the default Nessus client.

Cool

[poptones]

So this could become an open XML database of all known attacks and vulnerabilities? I think that's fantastic - not because I like to break into systems, but because it could be a real stick in the eye of all those expensive, proprietary security tools... and I love opportunities to poke sticks in the eyes of the establishment.

It's a very simple idea, but I've never seen anything like it in an open website. Is this new only because it's not a black hat operation?

I think most people are missing this

[Michael+Crutcher]

From the site:
This database is intended to enable the maintenance of a peer group based set of XML descriptions for web application attacks.

Most people here are comparing this to vulnerability scanners like nessus, but acording to the description provided by the website this appears to be something entirely different. It doesn't check for known vulnerabilities versus services, but rather tries various attacks on web applications. I'm sure that something out there has been created along these same lines before, but I've never heard of it. This sounds like a good idea, and an easy way for inexperienced web application designers to insure that they're not vulnerable to a large database of known attacks.

Sounds pretty cool to me.

Just in time for tomorrow!

[bc90021]

...since tomorrow is apparently Defacement Day.

MITRE's OVAL and OpenSec

For those interested in open standards for vulnerability assessment, you should check out the Open Vulnerability Assessment Language (OVAL - http://oval.mitre.org/). OVAL provides assessments that DO NOT PERFORM THE ACTUAL EXPLOIT but rather specify logical conditions on the values of system characteristics and configuration attributes to characterize which systems are susceptible to a given vulnerability.

The assessments use SQL syntax but there is an XML version coming soon.

The Open Security Project (OpenSec - http://www.opensec.org/) is also developing a similar standard. The Advisory and Notification Markup Language (ANML - http://www.opensec.org/anml/) is not only working on assessment but an entire advisory format in XML.

Re:MITRE's OVAL and OpenSec

[jjb]

I'm actually working on OVAL. The first critical difference to understand is that OVAL covers all vulnerabilities, while VulnXML only covers web-based vulns.

BTW, all the software described below either is or will be free.

Now, OVAL is in SQL right now, but we're working on an XML translation mechanism. The SQL is nice because it's intensely readable and writable by humans and also because it can be used to query a database of system attributes. That database leads to a technology called QNA, formerly known as Outpost.

QNA involves a system whereby which host-based agents insert data about the system into a SQL database which you can then query. The host-based agents give you far better accuracy than a network vulnerability scanner like Nessus. The database gets you massive scalability, so that you can check a thousand hosts in pretty reasonable times. (Nessus still rocks, btw. Go Renaud!)

BTW, you don't need QNA to make this useful. You can run an OVAL query interpreter on a single host to check a vulnerability. This query interpreter already exists for Windows -- we'll build it for Linux too.

Anyway, check it all out. oval.mitre.org.

- Jay

I thought lousy performance of SOAP

was the biggest vulnerability of web services. Let's face it, all some has to do is send 20-40 concurrent soap requests based on the WSDL and the server will grind to crawl. Throw a couple more requests and IIS will likely crash. Luckily IIS will try to restart the webserver 3 times. After that what it does is anyone's guess. If you don't believe me, go ahead and send 2K SOAP messages to a 2.2-2.6Ghz system and watch what happens to the CPU usage.

XML oversold IMO

[Tablizer]

If people would stick to the relational model, then XML would not be of much use above what a slightly improved comma-delimited format could provide.

I know, some of you don't feel that highly about relational and prefer the older "navigational" formats, but I think relational offers more consistent and logical organization rules and has a better "algebra" to go with it. It is harder to make cross-reference, normalization, and referential integrity rules with structures like XML (except under rare circumstances).

Dr. Codd was a terrible marketer, but he was otherwise a genius.

Re:XML oversold IMO

[MattRog]

Indeed. XML is quite oversold. I could understand the need for human-parseable data files, but XML sucks for a data storage and transmission mechanism. See: this thread for an example of the lunacy of XML.

Re:XML oversold IMO

[istr]

I agree to a certain extent.
In fact XML is just a serialization format. Alas a format with lots of unnecessary overhead. :o(
The decision for using XML maybe was based upon it's "popularity" - I don't remember...
Fortunately the serialization format can be switched within seconds to something less overheaded (since we use the OCL with a generic serialization mechanism). So it is very easy to provide the good ol' properties format instantaneously.
IMO For VulnXML's duty some relational format is clearly overdone. A "path-based" / "navigational" format has great advantages regarding to performance and flexibility (not only in this case).

So - think of XML only to be a serialization form; the description itself is "path-based" deliberately, since it is

• faster
• more extensible
• easier to extend and to store

Re:Offtopic

Exploit Repository -> Automated Server Compromise -> Multitude of Hacked Servers -> "Zombies" for Distributed Denial of Service Attack

Just because you don't understand the reference, doesn't mean it's offtopic.

What's the point...

[xtrat]

You can do the same thing by posting the URL on /.

Interesting...

[apex2000]

That is very interesting. .

A GPL VulnXML engine

[daveaitel]

Immunity's SPIKE Proxy (http://www.immunitysec.com/spike.html) offers a python, GPL, VulnXML engine, and has for some time. VulnXML is superior to Nessus-style scripting in many ways for purely web-based assessments. Similar to how Nessus says "for all ports that have a web server on them, run these tests" VulnXML allows a fully interoperable and "self-descriptive" way to say "For all files on the web server, check for file.bak, but ignore custom 404 pages that return 200 OK, etc".

Re:A GPL VulnXML engine

Dave you are a fucking spammer. Stop spamming the lists, nobody likes your canvas or spike. They suck which is why you sell them so cheaply. I can't even go to slashdot without seeing SPIKE PROXY spam. Jesus christ.

Re:A GPL VulnXML engine

[istr]

Anonymous Coward...
It would be better to post your inadequate insults off-list and face-to-face or not at all.

What is it with slashdot submissions?

A few days ago, slashdot had a story with links to warez gamez sites, they used to regularly post links to bittorrent sites which had porn and warez, now they're posting links directly to script kiddie archives the day before "web defacement day" which was ALSO mentioned here on slashdot.

I see a disturbing trend, it is not "news for nerds" is is "n3wz for l33t"

XML bites chimpanzee nutz..

I really, really think so..anyone who has worked with any of the existing technologies implementing it for the web should agree if you are not totally masochistic and braindead.

Automated testing tool, a suggestion

[heironymouscoward]

1. take VulnXML db
2. convert to OpenSTA script
3. run OpenSTA

Re:Automated testing tool, a suggestion

[istr]

Sounds like a good suggestion at the first glance... :o)

Re:Sysadmins? (Super Nessus?)

[jjb]

Well, this isn't going to be a "super nessus" really. It still requires that some human being write the initial signature (XML encoding of the vuln/exploit). While it may provide an easier framework for creating those signatures than Nessus' NASL language (and that hasn't yet been proven), the core technology doesn't advance the state of attacker tools enough to really be that dangerous.

The only thing to fear (potentially) is that all those signatures are getting written now! And I'll agree with SHEENmaster that the creation of security tools, while a double-edged sword, benefits defenders even more than attackers.

-

headscratching

[bitspotter]

Wouldn't a machine-readable vulnerability database allow for a worm that could keep up to date with the latest vulnerabilities by itself?