Slashdot Mirror

← Back to Stories (view on slashdot.org)

OWASP's VulnXML Database

Posted by michael on from the autocracker dept.

Ingo Struck writes "The Open Web Application Security Project released the VulnXML db for early access to the public. VulnXML is a description of static known vulnerabilities. It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response whether the attack had success. Besides it provides some human readable classification of the described vulnerability. A tool to execute VulnXML records is currently being developed and will help developers to check their web applications against a suite of well-known vulnerabilities described in a portable format."

18 of 68 comments (clear)

  1. Double-edged Sword? by melete · · Score: 4, Interesting

    As always, it sounds like this is a double egded sword -- won't this give script-kiddies a new engine for quickly scanning for possibly vulnerable targets?

    Not that I'm saying this is a bad thing -- it's just one more tools that security professionals will have to use to stay ahead of the competition.

    1. Re:Double-edged Sword? by PaulK · · Score: 2, Insightful

      This doesn't seem as bad as that...

      Scanning scripts exist everywhere, but this isn't one of them. This is a repository for known vulnerabilities, which will serve admins far more than kiddies.

      I can quickly check the db for issues on any proposed software, etc....

      This is not another virlab.

    2. Re:Double-edged Sword? by PaulK · · Score: 4, Informative

      Hmmmm.....

      I suppose I'll have to throw myself on my own sword.

      After digging through the "whisper" entries, it looks as if that is ALL it is... a repository for scripts.

      My apologies. I did read the overview, but it doesn't coincide with the actual database.

      This is disturbing.

    3. Re:Double-edged Sword? by TrekkieGod · · Score: 2, Interesting
      You're right, this will help script-kiddies attack computers of the non-security conscious more easily, I suppose.

      However, if you care at all about security, it's also going to make it really easy for you to fix any possible problems. Consider the situation as it is now: You protect yourself against all vulnerabilities you know about, and suffer the chances of a cracker finding out that you have a vulnerability in something that you weren't informed of.

      Now consider having a central database with all known vulnerabilities, and a tool that uses that database to verify that you are secure against everything in the database. If the admin uses that tool, he's secure against every known vulnerability, and yes, those who don't have a higher chance of getting screwed. However, if you are serious about securing your systems, the only way you get in trouble is by an attack using an unknown vulnerability. The moment someone discovers that, that person will either a)include it in the database or b)use it, and then in the process make said vulnerability known.

      And yeah, that was a really convulated way of explaining my thoughts...it's unfortunate that my thinking process is so damn warped.

      --

      Warning: Opinions known to be heavily biased.

    4. Re:Double-edged Sword? by Alpha_Nerd · · Score: 2, Insightful

      You'd rather have security through obscurity??

    5. Re:Double-edged Sword? by dimmu · · Score: 2, Insightful

      There is no real cure to make tools only available to system administrators and not to script-kiddies. One way that would work is making it very difficult to use, but there will be obviously a nicer frontend for such a tool within weeks (if not days).

      I must confess that one of the advantages of closed source is that a vendor could integrate a security measure that would bind a certain serialcode or flexlm key to a certain pool of machines that may be checked by such a tool. This would also slow down script kiddies in getting such a tool to work, but would never be foolproof.

      The best way to retain script kiddies from such tools, is educating youngsters before they become 'script-kiddies'. I know of a couple of projects that are trying to do this (for example the Mostly Harmless team in the Netherlands).

      --
      -- Cliff Albert
    6. Re:Double-edged Sword? by istr · · Score: 2, Informative

      Sorry for that...
      :o|
      The db is beta. That means, all entries found there are only for demonstration purposes. Most are imported from some very outdated Whisker set.
      Currently the objective of that db is to evaluate the viability of the entry editor and the data format, not to provide some up-to-date real checks.
      I updated the welcome text appropriately.
      Thanks for the hint.

  2. All right! by Fly+Ricky+-+The+Wine · · Score: 5, Funny

    Just in time for July 6th!

  3. Wow by Saint+Aardvark · · Score: 3, Funny
    A tool to execute VulnXML records is currently being developed

    Now that's security by obscurity! <rimshot />

    Thank you, ladies and germs, I'll be here all week.

    --
    Carousel is a lie!
  4. well... by LittleBigLui · · Score: 5, Insightful
    It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response whether the attack had success.


    so we've just replaced script kiddies with a (very small) shell script?
    --
    Free as in mason.
    1. Re:well... by Anonymous Coward · · Score: 3, Funny

      Why not, we've already replaced advanced virus delivery systems with stupid users who would even be willing to open sexy-fun-i-am-not-a-virus-honest.exe

  5. Sysadmins? by SHEENmaster · · Score: 5, Interesting

    This could also be used to create a "Super" Nessus. Remember that script kiddies and system administrators both use such tools. I think that in the long run, it will help the latter more.

    --
    You can't judge a book by the way it wears its hair.
  6. Yet another.. why? by Knightmare · · Score: 3, Insightful

    I honestly don't see the purpose in this site or the tool being developed to use it. I use Nessus on a daily basis and it seems to work just fine for this task.

    I mean what more could you ask for... a client/server based vuln. scanner that will give you reports in xml, csv, txt, html, doc... Since the site and database has been created, maybe you should just write a program that exports the exploit tests as Nessus nasl scripts so we can do the tests and Snort rules so we can detect testing.

  7. I think most people are missing this by Michael+Crutcher · · Score: 3, Informative

    From the site:
    This database is intended to enable the maintenance of a peer group based set of XML descriptions for web application attacks.

    Most people here are comparing this to vulnerability scanners like nessus, but acording to the description provided by the website this appears to be something entirely different. It doesn't check for known vulnerabilities versus services, but rather tries various attacks on web applications. I'm sure that something out there has been created along these same lines before, but I've never heard of it. This sounds like a good idea, and an easy way for inexperienced web application designers to insure that they're not vulnerable to a large database of known attacks.

    Sounds pretty cool to me.

  8. Just in time for tomorrow! by bc90021 · · Score: 2, Informative

    ...since tomorrow is apparently Defacement Day.

    --
    libertarianswag.com
  9. MITRE's OVAL and OpenSec by Anonymous Coward · · Score: 2, Interesting

    For those interested in open standards for vulnerability assessment, you should check out the Open Vulnerability Assessment Language (OVAL - http://oval.mitre.org/). OVAL provides assessments that DO NOT PERFORM THE ACTUAL EXPLOIT but rather specify logical conditions on the values of system characteristics and configuration attributes to characterize which systems are susceptible to a given vulnerability.

    The assessments use SQL syntax but there is an XML version coming soon.

    The Open Security Project (OpenSec - http://www.opensec.org/) is also developing a similar standard. The Advisory and Notification Markup Language (ANML - http://www.opensec.org/anml/) is not only working on assessment but an entire advisory format in XML.

  10. A GPL VulnXML engine by daveaitel · · Score: 2, Informative

    Immunity's SPIKE Proxy (http://www.immunitysec.com/spike.html) offers a python, GPL, VulnXML engine, and has for some time. VulnXML is superior to Nessus-style scripting in many ways for purely web-based assessments. Similar to how Nessus says "for all ports that have a web server on them, run these tests" VulnXML allows a fully interoperable and "self-descriptive" way to say "For all files on the web server, check for file.bak, but ignore custom 404 pages that return 200 OK, etc".

  11. Re:XML oversold IMO by istr · · Score: 2, Interesting
    I agree to a certain extent.
    In fact XML is just a serialization format. Alas a format with lots of unnecessary overhead. :o(
    The decision for using XML maybe was based upon it's "popularity" - I don't remember...
    Fortunately the serialization format can be switched within seconds to something less overheaded (since we use the OCL with a generic serialization mechanism). So it is very easy to provide the good ol' properties format instantaneously.
    IMO For VulnXML's duty some relational format is clearly overdone. A "path-based" / "navigational" format has great advantages regarding to performance and flexibility (not only in this case).

    So - think of XML only to be a serialization form; the description itself is "path-based" deliberately, since it is
    • faster
    • more extensible
    • easier to extend and to store