Taras,

On Fri, Mar 23, 2012 at 4:29 PM, Andres Riancho <andres.rian...@gmail.com> wrote:
> Taras,
>
> On Tue, Mar 20, 2012 at 5:07 PM, Taras <ox...@oxdef.info> wrote:
>> Hi, all!
>>
>> I have a proposal to add references to the KB vuln object. For example, for XSS
>> we can add references to:
>>
>> * CWE-79: Improper Neutralization of Input During Web Page Generation
>>   ('Cross-site Scripting')
>> * OWASP: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
>>
>> In xss.py it will look like:
>> -------------------------------------------
>> v = vuln.vuln(mutant)
>> v.setPluginName(self.getName())
>> v.setId(response.id)
>> v.setName('Cross site scripting vulnerability')
>> v.setSeverity(severity.MEDIUM)
>> v.addReference('OWASP',
>>                'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)')
>> v.addReference('CWE-79: Improper Neutralization of Input During Web Page Generation',
>>                'http://cwe.mitre.org/data/definitions/79.html')
>> msg = 'Cross Site Scripting was found at: ' + mutant.foundAt()
>> msg += ' This vulnerability affects ' + ','.join(mutant.affected_browsers)
>> v.setDesc(msg)
>> v.addToHighlight(mod_value)
>> kb.kb.append(self, 'xss', v)
>> -------------------------------------------
>> We can then use this additional information in output plugins.
>> What do you think about it?
>
> I think it's a great idea! I would implement it in another way,
> because in the future we'll also want to add a long description to the
> vulnerability, recommendations for fixing, etc., and it doesn't sound
> like that info should be in the middle of the code. This was something
> that was already tackled a while ago and never got to trunk. The code
> is available here [0]; maybe we can steal some ideas from there. What
> do you think about this? [1] Maybe we should split this into different
> XML files, change the code a little bit and we're done?
Will you work on this proposal?

> [0] http://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby
> [1] http://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby/core/data/vulnReferences
>
> Regards,
>
>> --
>> Taras
>> http://oxdef.info
>
> --
> Andrés Riancho
> Director of Web Security at Rapid7 LLC
> Founder at Bonsai Information Security
> Project Leader at w3af

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
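As an added illustration of the two designs discussed in this thread (Taras's inline addReference() calls versus Andres's suggestion of keeping references, descriptions and fix recommendations in per-vulnerability XML files that plugins and output plugins read), here is a small self-contained sketch. It is not w3af's code and not the rickybobby branch; the Vuln class, its method names, the XML layout and the sample XML content are all assumptions made for the example.

```python
"""Added example: a KB-style vulnerability record whose references come from
an external XML catalogue rather than from the plugin code.  Illustrative only;
not w3af's own kb/vuln API.  Class, method and file layout are assumptions."""
import xml.etree.ElementTree as ET

# Constructed sample catalogue in the shape the thread proposes (one entry per
# vulnerability type, kept out of the plugin source).  Not a real w3af data file.
VULN_REFERENCES_XML = """
<vulnerabilities>
  <vulnerability type="xss">
    <reference title="CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
               url="http://cwe.mitre.org/data/definitions/79.html"/>
    <reference title="OWASP"
               url="https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)"/>
    <fix>Encode untrusted data for the HTML context it is written into.</fix>
  </vulnerability>
  <vulnerability type="sqli">
    <reference title="CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
               url="http://cwe.mitre.org/data/definitions/89.html"/>
    <fix>Use parameterised queries; never concatenate input into SQL.</fix>
  </vulnerability>
</vulnerabilities>
"""


def load_catalogue(xml_text):
    """Parse the XML into {type: {"references": [(title, url), ...], "fix": str}}."""
    root = ET.fromstring(xml_text)
    catalogue = {}
    for node in root.findall("vulnerability"):
        fix = node.find("fix")
        catalogue[node.get("type")] = {
            "references": [(r.get("title"), r.get("url"))
                           for r in node.findall("reference")],
            "fix": fix.text.strip() if fix is not None and fix.text else "",
        }
    return catalogue


class Vuln:
    """Hypothetical stand-in for a KB vulnerability object."""

    def __init__(self, name, vuln_type, severity, desc):
        self.name = name
        self.vuln_type = vuln_type
        self.severity = severity
        self.desc = desc
        self.fix = ""
        self._references = []

    def add_reference(self, title, url):
        # Inline additions (Taras's style) still work; duplicates are dropped so a
        # plugin repeating a catalogue entry does not produce a double listing.
        if (title, url) not in self._references:
            self._references.append((title, url))

    def attach_catalogue(self, catalogue):
        """Andres's style: pull references and fix advice from the external file."""
        entry = catalogue.get(self.vuln_type)
        if entry is None:
            return False  # unknown type: the plugin author forgot the XML entry
        for title, url in entry["references"]:
            self.add_reference(title, url)
        self.fix = entry["fix"]
        return True

    def get_references(self):
        return list(self._references)


def render_text(vuln):
    """What a text output plugin could emit once references are on the object."""
    lines = ["%s [%s]" % (vuln.name, vuln.severity), vuln.desc]
    if vuln.fix:
        lines.append("Fix: " + vuln.fix)
    if vuln.get_references():
        lines.append("References:")
        lines.extend("  - %s: %s" % (t, u) for t, u in vuln.get_references())
    return "\n".join(lines)


def example():
    catalogue = load_catalogue(VULN_REFERENCES_XML)
    v = Vuln("Cross site scripting vulnerability", "xss", "MEDIUM",
             "Cross Site Scripting was found at: http://example.com/?q= (constructed)")
    v.attach_catalogue(catalogue)
    # Re-adding a catalogue reference inline is a no-op.
    v.add_reference("OWASP", "https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)")
    return v


if __name__ == "__main__":
    print(render_text(example()))
```

The point of the split is the one Andres makes: the plugin only needs to know its vulnerability type, while titles, URLs and fix text live in data that can be edited, reviewed and translated without touching Python. attach_catalogue() returning False for an unknown type is the check a practitioner would want so that a new plugin without a catalogue entry is noticed rather than silently reporting no references.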