WebApp Sec mailing list archives

RE: no standards for webapp exploitation
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Wed, 2 Jul 2003 17:09:14 +0200

Hi Ned,

# there is no standard definition for web based exploits.
# VulnXML and the whisker.dat (and all of libwhisker 
# (whisker RIP)) are for testing purposes ONLY. 

As the original developer/designer of VulnXML, I beg to differ. What you
perceive to be a test could very easily contain a payload, which would make
it an exploit, as I see it.

VulnXML is designed to describe the full sequence of steps, and the exact
data required, to execute (and thus verify existence of) an exploit. The
exploit may be benign (cause an error message, execute "id", for example) or
it may be malicious (change data/"cat /etc/shadow", etc). It is entirely up
to the VulnXML writer to choose.

# they 
# do not scale to enterprise level where API's should 
# be easy to work with and provide a high level 
# interface to lower level scripting languages (like 
# python, perl). 

True enough, at this point. VulnXML will be going through some more changes
as it is included/massaged into WAS-XML (a new Technical Committee formed
at OASIS). Most likely at the same time, tools for editing and executing
WAS-XML will be developed - there is some Perl code that I developed that
executes an early version of VulnXML, but it has not been updated to handle the
more recent developments. Dave Aitel's Spike proxy also has some support for
early versions of VulnXML. I'm sure that that situation will improve as
WAS-XML progresses.

# variables should be extinct outside 
# of module classes. 

Not sure what you mean by this?

# the opensource web security community 
# would benefit from a standardized way to exploit
# web applications, whether they are remote code execution,
# remote command execution, server and client injection,
# remote file reading (all of which are going to be covered
# in an independent project which seeks to build webapp 
# exploit primitives provider on top of the websec class).
# feel free to send comments and code to me (nd () felinemenace org
# - nd 

Absolutely. Even though our focus with VulnXML/WAS-XML will not be malicious
payloads, the very act of publishing a meaningful test will likely be enough
for someone with basic knowledge to adjust it to perform other actions.

If this is an area that you feel strongly about, please consider
contributing to the WAS-XML project.

Rogan


