Slashdot Mirror


OWASP's VulnXML Database

Ingo Struck writes "The Open Web Application Security Project released the VulnXML db for early access to the public. VulnXML is a description of static known vulnerabilities. It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response to determine whether the attack succeeded. Besides, it provides some human-readable classification of the described vulnerability. A tool to execute VulnXML records is currently being developed and will help developers check their web applications against a suite of well-known vulnerabilities described in a portable format."
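To make the "execution engine" idea concrete, here is an added example of the loop such a tool runs: parse a vulnerability record, render the HTTP request it describes, and decide from the response whether the finding is present. This is not OWASP's VulnXML schema or tooling; the `<vulncheck>` element layout below is a simplified stand-in invented for this example, the record (a server-banner disclosure check), the two responses and the host `app.example` are constructed, and nothing is sent over the network, so it runs offline against your own captured responses.

```python
"""Minimal VulnXML-style check engine (added example; hypothetical schema)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample record. The element names are invented for this example
# and do not reproduce the real VulnXML schema.
SAMPLE_RECORD = r"""
<vulncheck id="EXAMPLE-0001" severity="low">
  <description>Server header discloses exact software version</description>
  <request method="GET" path="/" version="HTTP/1.1">
    <header name="Host">{host}</header>
  </request>
  <match status="200">
    <header name="Server" pattern="Apache/\d+\.\d+\.\d+"/>
  </match>
</vulncheck>
"""

# Constructed responses: one that exposes a version, one with the banner trimmed.
VULNERABLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.0.39 (Unix)\r\n"
                       "Content-Type: text/html\r\n\r\n<html>ok</html>")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
                     "Content-Type: text/html\r\n\r\n<html>ok</html>")


@dataclass
class Check:
    check_id: str
    severity: str
    description: str
    method: str
    path: str
    version: str
    headers: Dict[str, str]                 # request headers, may contain {host}
    match_status: Optional[int]             # expected status, or None for any
    header_patterns: Dict[str, "re.Pattern"]  # response header -> regex
    body_pattern: Optional["re.Pattern"]    # regex over the body, or None


@dataclass
class Response:
    status: int
    headers: Dict[str, str]   # header names lower-cased
    body: str


def parse_record(xml_text: str) -> Check:
    """Turn one <vulncheck> record into a Check the engine can execute."""
    root = ET.fromstring(xml_text)
    req = root.find("request")
    match = root.find("match")
    body = match.find("body")
    return Check(
        check_id=root.get("id"),
        severity=root.get("severity", "unknown"),
        description=(root.findtext("description") or "").strip(),
        method=req.get("method", "GET"),
        path=req.get("path", "/"),
        version=req.get("version", "HTTP/1.1"),
        headers={h.get("name"): (h.text or "") for h in req.findall("header")},
        match_status=int(match.get("status")) if match.get("status") else None,
        header_patterns={h.get("name"): re.compile(h.get("pattern"))
                         for h in match.findall("header")},
        body_pattern=re.compile(body.get("pattern")) if body is not None else None,
    )


def render_request(check: Check, host: str) -> str:
    """Render the raw request text the engine would send; {host} is filled in."""
    lines = [f"{check.method} {check.path} {check.version}"]
    lines += [f"{name}: {value.format(host=host)}" for name, value in check.headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_response(raw: str) -> Response:
    """Split a raw HTTP response into status, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


def evaluate(check: Check, response: Response) -> bool:
    """True only when every condition in the record's <match> holds."""
    if check.match_status is not None and response.status != check.match_status:
        return False
    for name, pattern in check.header_patterns.items():
        value = response.headers.get(name.lower())
        if value is None or not pattern.search(value):
            return False
    if check.body_pattern is not None and not check.body_pattern.search(response.body):
        return False
    return True


def run_check(xml_text: str, raw_response: str, host: str = "app.example") -> dict:
    """Execute one record against a captured response and report the result."""
    check = parse_record(xml_text)
    return {"id": check.check_id, "severity": check.severity,
            "description": check.description,
            "request": render_request(check, host),
            "finding": evaluate(check, parse_response(raw_response))}


if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, run_check(SAMPLE_RECORD, raw)["finding"])
```

The split between `render_request` and `evaluate` is the point of a portable record format: the same XML drives any transport (plain HTTP here; SOAP or WebDAV would only change the request renderer), and the match rules are data rather than code, so a team can review what each check looks for before running it against its own application.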

5 of 68 comments

  1. Double-edged Sword? by melete · · Score: 4, Interesting

    As always, it sounds like this is a double-edged sword -- won't this give script-kiddies a new engine for quickly scanning for possibly vulnerable targets?

    Not that I'm saying this is a bad thing -- it's just one more tool that security professionals will have to use to stay ahead of the competition.

    1. Re:Double-edged Sword? by PaulK · · Score: 4, Informative

      Hmmmm.....

      I suppose I'll have to throw myself on my own sword.

      After digging through the "whisper" entries, it looks as if that is ALL it is... a repository for scripts.

      My apologies. I did read the overview, but it doesn't coincide with the actual database.

      This is disturbing.

  2. All right! by Fly+Ricky+-+The+Wine · · Score: 5, Funny

    Just in time for July 6th!

  3. well... by LittleBigLui · · Score: 5, Insightful

    It provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response whether the attack had success.

    so we've just replaced script kiddies with a (very small) shell script?
    --
    Free as in mason.

  4. Sysadmins? by SHEENmaster · · Score: 5, Interesting

    This could also be used to create a "Super" Nessus. Remember that script kiddies and system administrators both use such tools. I think that in the long run, it will help the latter more.

    --
    You can't judge a book by the way it wears its hair.