RE: [OWASP-VULNXML] Re: no standards for webapp exploitation

Ah, I see the issue, I think.

As far as VulnXML goes, the aim is to describe a vulnerability in the HTTP applications that are called by a particular URL. The intention is not to describe a vulnerability in the HTTP server itself, which goes outside of the protocol spec. I think that that sort of thing is well handled by tools such as Nessus (NASL), and quite likely your Canvas tool as well.

Consequently, VulnXML is centered quite heavily around the protocol definition, and does not attempt to address the vulnerabilities outside the protocol. My prototype VulnXML for the the IIS Chunked Encoding Buffer overflow indicated that that was not a realistic goal for VulnXML :-)

One real gap in VulnXML that I do see is as you describe, though: Support for concurrent requests, to test for inadequate application locking as illustrated in WebGoat.

Maybe we need to think about how we can include that kind of description in VulnXML.

Rogan

> -----Original Message-----
> From: dave@immunitysec.com [mailto:dave@immunitysec.com]
> Sent: 03 July 2003 01:45 PM
> To: ingo@ingostruck.de
> Cc: webappsec@securityfocus.com; owasp-vulnxml@lists.sourceforge.net
> Subject: [OWASP-VULNXML] Re: no standards for webapp exploitation
>
>
> Well - and this is all "In My Opinion" of course - I've

Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") that must be accessed and read by clicking here or by copying and pasting the following address into your Internet browser's address bar: http://www.Deloitte.co.za/Disc.htm. The Disclaimer is deemed to form part of the content of this email in terms of Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access the Disclaimer, please obtain a copy thereof from us by sending an email to ClientServiceCentre(at)Deloitte.co.za. Received on Thu Jul 3 11:42:29 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek