Re: [W3af-users] w3af XML
Tom,

On Tue, May 27, 2014 at 11:38 AM, Tom Stage voro...@voronwe.dk wrote:
> Hi All
>
> I am working on the OWASP DEF Project, and I was wondering if it would be possible to get my hands on some test data XML, and I would like to include this data in the project for documentation purposes.
>
> I have some test data available from test scans that I have done myself, but I am not sure that this covers every possible field that w3af can produce.

Well, instead of giving you example outputs which might or might not cover all the cases, I can do something much better :) There is an XSD [0] for our XML, and I can guarantee that all output generated by our xml_file plugin will validate against it [1]

[0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/output/xml_file/report.xsd
[1] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/tests/output/test_xml_file.py#L80

> Would you consider adopting this format when it is finished?

If you send me a pull-request :)

> You can have a look at the current progress here: https://github.com/TomStageDK/OWASP-DEF
>
> On a side note I can say that I have tried to do the fix for bug #2067 in the development branch, but if I have done it wrong once again please let me know.

Sadly I don't have time this week to spend on it, but please remind me next week

> Cheers,
> Tom Stage

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
Re: [W3af-users] w3af XML
Hi Andres

Thanks for your reply, I will have a look at the XSD and see if the OWASP-DEF format covers what w3af can report.

Cheers,
Tom

--
From: Andres Riancho andres.rian...@gmail.com
Sent: Thursday, May 29, 2014 3:29 PM
To: Tom Stage voro...@voronwe.dk
Cc: w3af-users@lists.sourceforge.net
Subject: Re: [W3af-users] w3af XML

> Tom,
>
> On Tue, May 27, 2014 at 11:38 AM, Tom Stage voro...@voronwe.dk wrote:
>> Hi All
>>
>> I am working on the OWASP DEF Project, and I was wondering if it would be possible to get my hands on some test data XML, and I would like to include this data in the project for documentation purposes.
>>
>> I have some test data available from test scans that I have done myself, but I am not sure that this covers every possible field that w3af can produce.
>
> Well, instead of giving you example outputs which might or might not cover all the cases, I can do something much better :) There is an XSD [0] for our XML, and I can guarantee that all output generated by our xml_file plugin will validate against it [1]
>
> [0] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/output/xml_file/report.xsd
> [1] https://github.com/andresriancho/w3af/blob/master/w3af/plugins/tests/output/test_xml_file.py#L80
>
>> Would you consider adopting this format when it is finished?
>
> If you send me a pull-request :)
>
>> You can have a look at the current progress here: https://github.com/TomStageDK/OWASP-DEF
>>
>> On a side note I can say that I have tried to do the fix for bug #2067 in the development branch, but if I have done it wrong once again please let me know.
>
> Sadly I don't have time this week to spend on it, but please remind me next week
>
>> Cheers,
>> Tom Stage
>
> --
> Andrés Riancho
> Project Leader at w3af - http://w3af.org/
> Web Application Attack and Audit Framework
> Twitter: @w3af
> GPG: 0x93C344F3
Re: [W3af-users] W3AF XML Output
Hey guys,

You may svn-checkout our last version. The requested XSD file is plugins/output/xmlFile/report.xsd. Take a look at it, play with it and if you have any question or suggestion please let me know.

Thanks!

Javier Andalia

On Thu, Dec 9, 2010 at 2:15 PM, Brad Causey bradcau...@owasp.org wrote:
> I'm good with XSD. :)
>
> On 12/9/10, Adrien de Beaupre adrie...@gmail.com wrote:
>> Javier is working on this as we speak, so please talk now or be silent for ever :) Either works for me!
>>
>> Cheers,
>> Adrien
Re: [W3af-users] W3AF XML Output
Hey guys,

I started working on the task originated by this thread [1].

On Wed, Nov 17, 2010 at 11:20 AM, Brad Causey bradcau...@owasp.org wrote:
> Agree. DTD will offer the most flexibility, IMO. I'll work on a parser for the XML output.

Brad, I think that, on the contrary, XSD is richer and more expressive than DTD. Actually DTD was the precursor to XSD. However if you guys *really* need a DTD document we can also generate one for you.

Thanks!

Javier Andalia

[1] https://sourceforge.net/apps/trac/w3af/ticket/160478
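The two points made in this thread, that an XSD can express more than a DTD and that report output is guaranteed to validate against the XSD, can be tried with the added example below; it is not part of any message in the thread and is not w3af code. It assumes the third-party lxml package, and the schema, DTD, element names and sample reports are constructed stand-ins, not w3af's report.xsd.

```python
import io
from lxml import etree

# Constructed stand-ins, NOT w3af's report.xsd: the element and attribute
# names are hypothetical and exist only to contrast DTD and XSD checks.
XSD = b"""<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
 <xs:element name="scan"><xs:complexType><xs:sequence>
  <xs:element name="finding" maxOccurs="unbounded"><xs:complexType>
   <xs:simpleContent><xs:extension base="xs:string">
    <xs:attribute name="id" type="xs:positiveInteger" use="required"/>
    <xs:attribute name="severity" use="required"><xs:simpleType>
     <xs:restriction base="xs:string">
      <xs:enumeration value="Low"/><xs:enumeration value="Medium"/>
      <xs:enumeration value="High"/>
     </xs:restriction></xs:simpleType></xs:attribute>
   </xs:extension></xs:simpleContent>
  </xs:complexType></xs:element>
 </xs:sequence></xs:complexType></xs:element>
</xs:schema>"""

# The closest DTD: it can enumerate severity, but id can only be CDATA.
DTD = """<!ELEMENT scan (finding+)>
<!ELEMENT finding (#PCDATA)>
<!ATTLIST finding id CDATA #REQUIRED severity (Low|Medium|High) #REQUIRED>"""

# Constructed sample reports.
GOOD = b'<scan><finding id="7" severity="High">SQL injection</finding></scan>'
BAD_TYPE = b'<scan><finding id="seven" severity="High">x</finding></scan>'
BAD_ENUM = b'<scan><finding id="7" severity="Urgent">x</finding></scan>'

# Reports are untrusted input to an importer: no entity expansion, no DTD
# loading and no network access while parsing.
SAFE = etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)
SCHEMA = etree.XMLSchema(etree.fromstring(XSD))
DTD_RULES = etree.DTD(io.StringIO(DTD))

def check(report: bytes) -> dict:
    """Validate one report against both grammars before it is imported."""
    try:
        doc = etree.fromstring(report, SAFE)
    except etree.XMLSyntaxError as exc:
        return {"dtd": False, "xsd": False, "errors": [str(exc)]}
    ok_dtd = DTD_RULES.validate(doc)
    ok_xsd = SCHEMA.validate(doc)
    errors = [] if ok_xsd else [e.message for e in SCHEMA.error_log]
    return {"dtd": ok_dtd, "xsd": ok_xsd, "errors": errors}

if __name__ == "__main__":
    for name, rep in (("good", GOOD), ("bad id", BAD_TYPE), ("bad enum", BAD_ENUM)):
        print(name, check(rep))
```

The report with `id="seven"` passes the DTD and fails the XSD, which is the typed-attribute check a DTD cannot express.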
Re: [W3af-users] W3AF XML Output
Adrien,

On Fri, Nov 19, 2010 at 11:48 AM, Adrien de Beaupre adrie...@gmail.com wrote:
> Hi,
>
> I wrote a quick w3af XML output parser. If you could take a look and let me know what you think I would appreciate it. (Yes, it is written in Perl and uses XML::DOM) Had to make some assumptions on the structure of the XML, but will tweak it when more documentation is available. Works for all of the reports I have. Here it is:
> http://handlers.dshield.org/adebeaupre/parsew3afxml2mysql.pl

I added a new ticket to our roadmap. I'm still not sure WHEN it's going to be done, but it should be finished before the end of this year.

https://sourceforge.net/apps/trac/w3af/ticket/160478

If you guys have any comments on the implementation details, or any special requests about this feature, please feel free to add them to the ticket or comment about them here. Thanks!

> If anyone is interested I also have written parsers for nessus, nmap, nikto, burp, acunetix, and watcher.
>
> Cheers,
> Adrien
>
> --
> Cheers,
> Adrien de Beaupre
> SANS Internet Storm Center Handler
> ---
> Note: The SANS Handlers is a group of approximately 30 volunteer incident handlers. You may receive responses from other individuals on that list. Also, please direct all communication to handl...@sans.org, so that everyone is kept in the loop.

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
Re: [W3af-users] W3AF XML Output
Hi Andrés,

I suppose what I really need is a document describing how the XML output is laid out. Elements, attributes... Makes it a wee bit easier to parse it! :) Otherwise I have to make too many assumptions, and we know that assumption is the mother of truly major screw ups.

Cheers,
Adrien de Beaupré

On Wed, Nov 17, 2010 at 1:09 AM, Andres Riancho andres.rian...@gmail.com wrote:
> Brad, Adrien,
>
> I'm exploring this enhancement right now and I see that there are two options:
>
> - DTD
> - XML Schema
>
> Which one do you guys *really* need? What are the advantages of DTD over XML Schema? For me, xml schema seems to be the smarter option, but I can't be missing important things as I've never really used any of the options.
>
> Once we decide on that, do you know if there is some type of XML schema generator that generates the schema based on sample xml files? Yes, I'm really lazy :)
>
> Regards,
Re: [W3af-users] W3AF XML Output
Agree. DTD will offer the most flexibility, IMO. I'll work on a parser for the XML output.

-Brad Causey
CISSP, MCSE, C|EH, CIFI, CGSP
http://www.owasp.org
--
Si vis pacem, para bellum
--

On Wed, Nov 17, 2010 at 6:41 AM, Adrien de Beaupre adrie...@gmail.com wrote:
> Hi Andrés,
>
> I suppose what I really need is a document describing how the XML output is laid out. Elements, attributes... Makes it a wee bit easier to parse it! :) Otherwise I have to make too many assumptions, and we know that assumption is the mother of truly major screw ups.
>
> Cheers,
> Adrien de Beaupré
Re: [W3af-users] W3AF XML Output
Brad, Adrien,

I'm exploring this enhancement right now and I see that there are two options:

- DTD
- XML Schema

Which one do you guys *really* need? What are the advantages of DTD over XML Schema? For me, xml schema seems to be the smarter option, but I can't be missing important things as I've never really used any of the options.

Once we decide on that, do you know if there is some type of XML schema generator that generates the schema based on sample xml files? Yes, I'm really lazy :)

Regards,

On Tue, Nov 16, 2010 at 1:57 PM, Brad Causey bradcau...@owasp.org wrote:
> I second this!!
>
> On 11/16/10, Adrien de Beaupre adrie...@gmail.com wrote:
>> I was wondering if a DTD was available for the W3AF XML output format? Has anyone created a parser for this output? I didn't see the answer in the user guide or mailing list archive.
>>
>> W3AF user.
>>
>> Cheers,
>> Adrien de Beaupre

--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af