OWASP publishes the VulnXML db first draft release

From: Ingo Struck <ingo(at)ingostruck.de>
Date: Thu Jul 03 2003 - 06:26:13 EDT

OWASP's VulnXML db is now available at

http://beta.owasp.org/vulnxml

VulnXML is a description format for static, known vulnerabilities. It provides all the information necessary to let an execution engine
automatically craft and launch appropriate HTTP, SOAP or WebDAV
requests and analyse the response to determine whether the attack succeeded.

Besides that, it provides a human-readable classification of the
described vulnerability.

The online database is based upon OWASP Common Library (OCL) and
suited to create and retrieve VulnXML records.

VulnXML will be handed over to the WAS technical committee at
OASIS (http://www.oasis-open.org) as a proposal that has passed the
proof-of-concept phase and is intended to form the basis of further
WAS work. The WAS tc wants to produce

  • a classification scheme for web security vulnerabilities
  • a model to provide guidance for initial threat, impact and therefore risk ratings
  • an XML schema to describe web security conditions that can be used by both assessment and protection tools

These plans are similar to an extension of VulnXML and a merge-in of the OWASP ASAC project (see http://beta.owasp.org/wasxml).

Deviating from the original plans, a lot of work has been put
into a viable framework for an HTML-based editor that is powerful
enough to cope with the relative complexity of structures like
the VulnXML description.

The outcome of this is a highly modular, fast and powerful Java library that generates validation routines directly from any
given DTD and comes with a dynamic layout engine that generates
XHTML 1.1 Strict and WAI AAA compliant HTML forms. It is even
able to cope with recursive data structures like the "Compare"
node within VulnXML (cf.
http://beta.owasp.org/development/ocl).


On behalf of OWASP I would like to ask you to visit the new VulnXML db at http://beta.owasp.org/vulnxml and try out whether it works for you. The special focus of the feedback we want
lies in the usability of the editor (to get access: register, log in
and "propose entry") and the suitability of the VulnXML DTD for
describing application-level attacks.

We will implement an execution engine for VulnXML records soon,
so that it will become much easier to evaluate the latter.
(There is some script code available that is able to execute
older versions of VulnXML at http://owasp.org/vulnxml.)

Any help and/or feedback is highly welcome.

Yours sincerely,

Ingo Struck

---
Ingo Struck
OWASP Technical Lead
ingo@ingostruck.de
http://owasp.org
http://beta.owasp.org
Received on Thu Jul 3 11:40:00 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:53 EDT