WebApp Sec mailing list archives

Re: no standards for webapp exploitation


From: Ingo Struck <ingo () ingostruck de>
Date: 2 Jul 2003 16:37:52 -0000

In-Reply-To: <Pine.LNX.4.44.0307020019361.2234-100000@felinemenace>

Hi...

# VulnXML and the whisker.dat (and all of libwhisker
# (whisker RIP)) are for testing purposes ONLY. They
# do not scale to enterprise level where APIs should
# be easy to work with and provide a high level
# interface to lower level scripting languages (like
# python, perl). Variables should be extinct outside
# of module classes. The open-source web security community
# would benefit from a standardized way to exploit
# web applications, whether they are remote code execution,
# remote command execution, server and client injection,
# remote file reading (all of which are going to be covered
# in an independent project which seeks to build webapp
# exploit primitives provider on top of the websec class).
# Feel free to send comments and code to me
# (nd () felinemenace org).

Well, in fact the intention of VulnXML is to be a
description of application level vulnerabilities
that is both suited for human reading and for direct
execution of the attacks described within a record.
The only problem is that there is currently no
working execution engine for the latest VulnXML
description (VulnXML DTD 1.4).
There is some script code around to execute older
VulnXML records.
It is planned to write at least a Java-based executor
for VulnXML recs next.

Watch out for the VulnXML db announcement that follows
soon.

Kind regards

Ingo Struck (OWASP)

