Taras,

On Sun, Apr 8, 2012 at 5:16 AM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
> please read inline
>
>>>> I have a proposal to add references to the KB vuln object. For example for XSS
>>>> we can add references to:
>>>>
>>>> * CWE-79: Improper Neutralization of Input During Web Page Generation
>>>> ('Cross-site Scripting')
>>>> * OWASP: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
>>>>
>>>> in xss.py it will look like:
>>>> -------------------------------------------
>>>> v = vuln.vuln(mutant)
>>>> v.setPluginName(self.getName())
>>>> v.setId(response.id)
>>>> v.setName('Cross site scripting vulnerability')
>>>> v.setSeverity(severity.MEDIUM)
>>>> v.addReference('OWASP',
>>>>                'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)')
>>>> v.addReference('CWE-79: Improper Neutralization of Input During Web Page Generation',
>>>>                'http://cwe.mitre.org/data/definitions/79.html')
>>>> msg = 'Cross Site Scripting was found at: ' + mutant.foundAt()
>>>> msg += ' This vulnerability affects ' + ','.join(mutant.affected_browsers)
>>>> v.setDesc(msg)
>>>> v.addToHighlight(mod_value)
>>>> kb.kb.append(self, 'xss', v)
>>>> -------------------------------------------
>>>> we can then use this additional information in output plugins.
>>>> What do you think about it?
>>>
>>> I think it's a great idea! I would implement it in another way,
>>> because in the future we'll also want to add a long description to the
>>> vulnerability, recommendations for fixing, etc. and it doesn't sound
>>> like that info should be in the middle of the code.
>
> Hmm, I'm not sure if it is a good idea to add such big data into plugins and
> the w3af core. Why don't we simply add references to such good security
> information databases as the OWASP site or CWE? There are good descriptions,
> recommendations for fixing and so on in them. For us it will be **much
> simpler** to maintain correct references in plugins than whole texts!

Ah! Now I understand your point. But if in the future we want to be able to
generate a full-blown report out of the data that w3af produces we'll need to
have the vulnerability description and fix recommendations within our
framework. I would do both things:

* v.addReference('OWASP', 'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)')
  v.addReference('CWE-79: Improper Neutralization of Input During Web Page Generation',
                 'http://cwe.mitre.org/data/definitions/79.html')
* v.setXMLReference('00036'), which will give us the full text of the
  vulnerability description, fix recommendation, etc.

Don't get me wrong... I don't want to maintain the XML with all the
descriptions either! We'll take that XML from some place where they maintain
it (Achim recommended one).

Regarding plugin atomicity, I prefer to "break it" a little bit and have the
long desc in the XML instead of having long text strings inside the plugin
code.

I could work on this, it would require some changes in the GTK UI so the
desc/recommendation/references are shown and some minor changes to the
plugins... if you QA I'll do it :)

Regards,

>
>>> This was something
>>> that was already tackled a while ago and never got to trunk. The code
>>> is available here [0], maybe we can steal some ideas from there. What
>>> do you think about this? [1] Maybe we should split this into different
>>> XML files, change the code a little bit and we're done?
>
> Oh, XML files... a single XML file with vulnerability descriptions is not a
> good idea because it breaks the idea of plugin atomicity. You can't simply
> add a Python file into w3af/plugins/.. you also need to make a connection in
> it with the vulndata xml db.
>
> I have seen on sqli.py [0]:
>
> v = vuln.vuln( mutant )
> v.setId( response.id )
> v.setName( 'SQL injection vulnerability' )
> v.setW3afId('00036')
> v.setSeverity(severity.HIGH)
> v['error'] = sql_error[0]
> v['db'] = sql_error[1]
> v.setDesc( 'SQL injection in a '+ v['db'] +' was found at: ' + mutant.foundAt() )
> kb.kb.append( self, 'sqli', v )
> break
>
> We see here that even with an external XML vuln database we need to specify
> additional vuln information here like desc, severity, name.
>
> [0] https://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby/plugins/audit/sqli.py
>
>> Will you work on this proposal?
>>
>>> [0] http://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby
>>> [1] http://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby/core/data/vulnReferences
>>>
>>> Regards,
>>>
>>>> --
>>>> Taras
>>>> http://oxdef.info
>>>
>>> --
>>> Andrés Riancho
>>> Director of Web Security at Rapid7 LLC
>>> Founder at Bonsai Information Security
>>> Project Leader at w3af
>
> --
> Taras
> http://oxdef.info

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
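An added Python sketch (not w3af's code) of the two mechanisms Andrés proposes in the thread above: inline addReference() calls plus a setXMLReference() id that an output plugin resolves against an external XML vulnerability database, with an unknown id degrading to a report without the long text rather than failing. Only the id '00036' and the two XSS references come from the thread; the XML schema, sample texts and the class/function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the external XML vulnerability DB the thread proposes.
# The id '00036' comes from the thread; element names and texts are assumptions.
VULN_DB_XML = """<vulndb>
  <vuln id="00036">
    <description>Untrusted input is echoed into a page without output encoding.</description>
    <fix>Encode output for its HTML context and declare the page charset.</fix>
  </vuln>
</vulndb>"""

def load_vuln_db(xml_text):
    # Index the XML once: id -> {"long_desc": ..., "fix": ...}
    root = ET.fromstring(xml_text)
    return {e.get("id"): {"long_desc": e.findtext("description", "").strip(),
                          "fix": e.findtext("fix", "").strip()}
            for e in root.findall("vuln")}

class Vuln:
    # Minimal vuln object carrying both mechanisms discussed in the thread.
    def __init__(self, name, severity, desc):
        self.name, self.severity, self.desc = name, severity, desc
        self.references = []       # (label, url) pairs, as addReference() proposes
        self.xml_reference = None  # id into the external XML database

    def addReference(self, label, url):
        if not url.startswith(("http://", "https://")):
            raise ValueError("reference must be an absolute URL: %r" % url)
        self.references.append((label, url))

    def setXMLReference(self, vuln_id):
        self.xml_reference = vuln_id

    def toReport(self, db):
        # Merge plugin-supplied fields with the XML long text; an id missing from
        # the DB degrades to a report without long_desc/fix instead of failing.
        report = {"name": self.name, "severity": self.severity, "desc": self.desc,
                  "references": list(self.references), "long_desc": None, "fix": None}
        report.update(db.get(self.xml_reference, {}))
        return report

def xss_report(db=None):
    # What xss.py would register under the proposal, rendered against the sample DB.
    v = Vuln("Cross site scripting vulnerability", "MEDIUM",
             "Cross Site Scripting was found at: /search?q= (constructed sample)")
    v.addReference("OWASP", "https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)")
    v.addReference("CWE-79: Improper Neutralization of Input During Web Page Generation",
                   "http://cwe.mitre.org/data/definitions/79.html")
    v.setXMLReference("00036")
    return v.toReport(db if db is not None else load_vuln_db(VULN_DB_XML))
```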