WebApp Sec mailing list archives
RE: no standards for webapp exploitation
From: "Dawes, Rogan (ZA - Johannesburg)" <rdawes () deloitte co za>
Date: Wed, 2 Jul 2003 17:09:14 +0200
Hi Ned,
# there is no standard definition for web based exploits.
# VulnXML and the whisker.dat (and all of libwhisker
# (whisker RIP)) are for testing purposes ONLY.
As the original developer/designer of VulnXML, I beg to differ. What you perceive to be a test could very easily contain a payload, which would make it an exploit, as I see it. VulnXML is designed to describe the full sequence of steps, and the exact data required, to execute (and thus verify existence of) an exploit. The exploit may be benign (cause an error message, execute "id", for example) or it may be malicious (change data/"cat /etc/shadow", etc). It is entirely up to the VulnXML writer to choose.
# they
# do not scale to enterprise level where API's should
# be easy to work with and provide a high level
# interface to lower level scripting languages (like
# python, perl).
True enough, at this point. VulnXML will be going through some more changes as it is included/massaged into WAS-XML (a new Technical Committee formed at OASIS). Most likely at the same time, tools for editing and executing WAS-XML will be developed - there is some Perl code that I developed that executes an early version of VulnXML, but it has not been updated to handle the more recent developments. Dave Aitel's Spike proxy also has some support for early versions of VulnXML. I'm sure that that situation will improve as WAS-XML progresses.
# variables should be extinct outside
# of module classes.
Not sure what you mean by this?
# the opensource web security community
# would benefit from a standardized way to exploit
# web applications, whether they are remote code execution,
# remote command execution, server and client injection,
# remote file reading (all of which are going to be covered
# in an independent project which seeks to build webapp
# exploit primitives provider on top of the websec class).
# feel free to send comments and code to me (nd () felinemenace org
# - nd
Absolutely. Even though our focus with VulnXML/WAS-XML will not be malicious payloads, the very act of publishing a meaningful test will likely be enough for someone with basic knowledge to adjust them to perform other actions. If this is an area that you feel strongly about, please consider contributing to the WAS-XML project.
Rogan