RE: no standards for webapp exploitation

Hi Ned,

> # there is no standard definition for web based exploits.

As the original developer/designer of VulnXML, I beg to differ. What you perceive to be a test could very easily contain a payload, which would make it an exploit, as I see it.

VulnXML is designed to describe the full sequence of steps, and the exact data required, to execute (and thus verify existence of) an exploit. The exploit may be benign (cause an error message, execute "id", for example) or it may be malicious (change data/"cat /etc/shadow", etc). It is entirely up to the VulnXML writer to choose.

> # they

True enough, at this point. VulnXML will be going through some more changes as it it included/massaged into WAS-XML ( a new Technical Committee formed at OASIS). Most likely at the same time, tools for editing and executing WAS-XML will be developed - there is some Perl code that I developed that executes early version of VulnXML, but it has not been updated to handle the more recent developments. Dave Aitel's Spike proxy also has some support for early versions of VulnXML. I'm sure that that situation will improve as WAS-XML progresses.

> # variables should be extinct outside

Not sure what you mean by this?

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> # the opensource web security community

Absolutely. Even though our focus with VulnXML/WAS-XML will not be malicious payloads, the very act of publishing a meaningful test will likely be enough for someone with basic knowledge to adjust them to perform other actions.

If this is an area that you feel strongly about, please consider contributing to the WAS-XML project.

Rogan

Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") that must be accessed and read by clicking here or by copying and pasting the following address into your Internet browser's address bar: http://www.Deloitte.co.za/Disc.htm. The Disclaimer is deemed to form part of the content of this email in terms of Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access the Disclaimer, please obtain a copy thereof from us by sending an email to ClientServiceCentre(at)Deloitte.co.za. Received on Wed Jul 2 13:21:47 2003