Andres,

> Ah! Now I understand your point. But if in the future we want to be
> able to generate a full-blown report out of the data that w3af
> produces we'll need to have the vulnerability description and fix
> recommendations within our framework.
>
> I would do both things:
> * v.addReference('OWASP',
>   'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)')
>   v.addReference('CWE-79: Improper Neutralization of Input During
>   Web Page Generation', 'http://cwe.mitre.org/data/definitions/79.html')
>
> * v.setXMLReference('00036'), which will give us the full text of
>   the vulnerability description, fix recommendation, etc.
>
> Don't get me wrong... I don't want to maintain the XML with all the
> descriptions either! We'll take that XML from some place where they
> maintain it (Achim recommended one).
>
> Regarding plugin atomicity, I prefer to "break it" a little bit and
> have the long desc in the XML instead of having long text strings
> inside the plugin code.

I also don't want w3af to have long text inside the plugin code.
> I could work on this, it would require some changes in the GTK UI so
> the desc/recommendation/references are shown and some minor changes to
> the plugins... if you QA I'll do it :)

Do you want to make these references in 2 steps: first simple references and then XML-based? Or both in one change set?

Yep, I will test it and also can help you to add simple references to OWASP into audit plugins.

> Regards,
>
>>>> This was something
>>>> that was already tackled a while ago and never got to trunk. The code
>>>> is available here [0], maybe we can steal some ideas from there. What
>>>> do you think about this? [1] Maybe we should split this into different
>>>> XML files, change the code a little bit and we're done?
>>
>> Oh, XML files... a single XML file with vulnerability descriptions is not a good
>> idea because it breaks the idea of plugin atomicity. You can't simply add a Python
>> file into w3af/plugins/.. you also need to make a connection in it with the
>> vulndata XML db. I have seen in sqli.py [0]:
>>
>>     # inside the loop over the SQL error signatures matched in the response
>>     v = vuln.vuln( mutant )
>>     v.setId( response.id )
>>     v.setName( 'SQL injection vulnerability' )
>>     v.setW3afId('00036')
>>     v.setSeverity(severity.HIGH)
>>     v['error'] = sql_error[0]
>>     v['db'] = sql_error[1]
>>     v.setDesc( 'SQL injection in a ' + v['db'] + ' was found at: ' + mutant.foundAt() )
>>     kb.kb.append( self, 'sqli', v )
>>     break
>>
>> We see here that even with an external XML vuln database we need to specify
>> additional vuln information here like desc, severity, name.
>>
>> [0]
>> https://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby/plugins/audit/sqli.py
>>
>>> Will you work on this proposal?
>>>
>>>> [0] http://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby
>>>> [1]
>>>> http://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby/core/data/vulnReferences
>>>>
>>>> Regards,
>>>>
>>>>> --
>>>>> Taras
>>>>> http://oxdef.info
>>>>
>>>> --
>>>> Andrés Riancho
>>>> Director of Web Security at Rapid7 LLC
>>>> Founder at Bonsai Information Security
>>>> Project Leader at w3af
>>
>> --
>> Taras
>> http://oxdef.info

--
Taras
http://oxdef.info

_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
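As an added example (not w3af's own code, and not code posted by anyone in this thread), here is a Python sketch of the two-level scheme discussed above: the plugin keeps only the short, instance-specific description plus simple references set inline, and the long description and fix recommendation are looked up by id in an external XML database. The `Vuln`/`VulnDB` classes, the method names `addReference` and `setXMLReference`, the XML layout and the sample database entry are assumptions made for illustration; the OWASP URL is a placeholder. The report builder also shows the atomicity failure mode Taras raised: a plugin whose id is missing from the XML is detected when the report is built rather than silently producing an empty description.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the external vulnerability database. The thread leaves
# the source and schema of the real XML open; this layout is an assumption.
VULNDB_XML = """<vulnerabilities>
  <vulnerability id="00036">
    <name>SQL injection</name>
    <description>User-supplied input reaches an SQL query without being
    parameterised, so the attacker can change the structure of the query.</description>
    <fix>Use parameterised queries (prepared statements) and never build SQL
    by string concatenation.</fix>
    <reference name="CWE-89" url="http://cwe.mitre.org/data/definitions/89.html"/>
  </vulnerability>
</vulnerabilities>
"""


class VulnDB:
    """Loads the long descriptions once; plugins only carry the id (assumed API)."""

    def __init__(self, xml_text):
        self._entries = {}
        for node in ET.fromstring(xml_text).findall("vulnerability"):
            self._entries[node.get("id")] = {
                "name": node.findtext("name", "").strip(),
                # collapse the line breaks that come from indenting the XML
                "description": " ".join(node.findtext("description", "").split()),
                "fix": " ".join(node.findtext("fix", "").split()),
                "references": [(r.get("name"), r.get("url"))
                               for r in node.findall("reference")],
            }

    def get(self, vuln_id):
        return self._entries.get(vuln_id)


class Vuln:
    """Minimal stand-in for the w3af vuln object with the two proposed methods."""

    def __init__(self, name, severity, desc):
        self.name = name
        self.severity = severity
        self.desc = desc          # short, instance-specific text set by the plugin
        self.references = []      # (name, url) pairs added inline in the plugin
        self.xml_id = None        # key into the external XML database

    def addReference(self, name, url):
        self.references.append((name, url))

    def setXMLReference(self, vuln_id):
        self.xml_id = vuln_id


def build_report(vuln, db):
    """Merge what the plugin set with the XML entry it points to.

    Raises KeyError when the plugin references an id the database does not
    know: that is the atomicity gap, a plugin dropped into plugins/ is only
    complete if its id also exists in the XML.
    """
    entry = None
    if vuln.xml_id is not None:
        entry = db.get(vuln.xml_id)
        if entry is None:
            raise KeyError("vuln id %r not found in XML database" % vuln.xml_id)
    references = list(vuln.references)
    if entry:
        references.extend(entry["references"])
    return {
        "name": vuln.name,
        "severity": vuln.severity,
        "desc": vuln.desc,
        "long_description": entry["description"] if entry else "",
        "fix": entry["fix"] if entry else "",
        "references": references,
    }


def example_sqli_report():
    """What an audit plugin would do, then what the report generator gets back."""
    db = VulnDB(VULNDB_XML)
    v = Vuln("SQL injection vulnerability", "HIGH",
             "SQL injection in a MySQL database was found at: /search?q=")
    v.addReference("OWASP", "https://www.owasp.org/index.php/SQL_Injection")  # placeholder URL
    v.setXMLReference("00036")
    return build_report(v, db)


if __name__ == "__main__":
    for key, value in example_sqli_report().items():
        print("%s: %s" % (key, value))
```

Splitting the work in two steps, as asked above, maps directly onto this sketch: the first change set only needs `addReference` and the UI to show the list, the second adds `setXMLReference`, the loader and the merge.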