List,

    It's been a long time but I've translated this thread into a
Github issue that you might be interested in reading:
        https://github.com/andresriancho/w3af/issues/53

    There's a company (still can't mention them because I haven't
talked about how they want to handle this) that's going to be
contributing some of their resources to make this happen and it's
going to be done using the specifications detailed in issue #53. In
other words, this is the time to comment and make sure everything is
covered: before the coding starts :)

Regards,

On Fri, Apr 13, 2012 at 7:53 AM, Taras <ox...@oxdef.info> wrote:
> Andres,
>
>
>> Ah! Now I understand your point. But if in the future we want to be
>> able to generate a full-blown report out of the data that w3af
>> produces we'll need to have the vulnerability description and fix
>> recommendations within our framework.
>>
>> I would do both things:
>>      * v.addReference('OWASP',
>> 'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)')
>>        v.addReference('CWE-79: Improper Neutralization of Input During
>> Web Page Generation', 'http://cwe.mitre.org/data/definitions/79.html')
>>
>>      * v.setXMLReference('00036') , which will give us the full text of
>> the vulnerability description, fix recommendation, etc.
>>
>> Don't get me wrong... I don't want to maintain the XML with all the
>> descriptions either! We'll take that XML from some place where they
>> maintain it (Achim recommended one).
>>
>> Regarding plugin atomicity, I prefer to "break it" a little bit and
>> have the long desc in the XML instead of having long text strings
>> inside the plugin code.
>
> I also don't want w3af to have long text inside plugin's code.
>
>
>> I could work on this, it would require some changes in the GTK UI so
>> the desc/recommendation/references are shown and some minor changes to
>> the plugins... if you QA I'll do it :)
>
> Do you want to make these references in 2 steps: first simple references and then
> XML-based? Or both in one change set? Yep, I will test it and can also help
> you add simple references to OWASP into audit plugins.
>
>
>>
>> Regards,
>>
>>>
>>>>> This was something
>>>>> that was already tackled a while ago and never got to trunk. The code
>>>>> is available here [0] , maybe we can steal some ideas from there. What
>>>>> do you think about this? [1] Maybe we should split this into different
>>>>> XML files, change the code a little bit and we're done?
>>>
>>>
>>>
>>> Oh, XML files... a single XML file with vulnerability descriptions is not a
>>> good idea because it breaks the idea of plugin atomicity. You can't simply
>>> add a Python file into w3af/plugins/.. you also need to make a connection
>>> in it with the vulndata xml db. I have seen in sqli.py [0]:
>>>
>>>     v = vuln.vuln( mutant )
>>>     v.setId( response.id )
>>>     v.setName( 'SQL injection vulnerability' )
>>>     v.setW3afId('00036')   # id pointing at the external vuln database
>>>     v.setSeverity(severity.HIGH)
>>>     v['error'] = sql_error[0]
>>>     v['db'] = sql_error[1]
>>>     # short description is still built inside the plugin
>>>     v.setDesc( 'SQL injection in a ' + v['db'] + ' was found at: ' + mutant.foundAt() )
>>>     kb.kb.append( self, 'sqli', v )
>>>     break
>>>
>>>
>>> We see here that even with an external XML vuln database we need to specify
>>> additional vuln information here like desc, severity, name.
>>>
>>> [0]
>>>
>>> https://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby/plugins/audit/sqli.py
>>>
>>>
>>>>      Will you work on this proposal?
>>>>
>>>>> [0] http://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby
>>>>> [1]
>>>>>
>>>>> http://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby/core/data/vulnReferences
>>>>>
>>>>> Regards,
>>>>>
>>>>>> --
>>>>>> Taras
>>>>>> http://oxdef.info
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> W3af-develop mailing list
>>>>>> W3af-develop@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Andrés Riancho
>>>>> Director of Web Security at Rapid7 LLC
>>>>> Founder at Bonsai Information Security
>>>>> Project Leader at w3af
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Taras
>>> http://oxdef.info
>>
>>
>>
>>
>
>
> --
> Taras
> http://oxdef.info



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
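To make the design discussed above concrete, here is an added example (not w3af's own code, and not the code from issue #53) of how the two mechanisms could fit together: per-plugin short references via an add_reference call, plus a pointer into an externally maintained XML vulnerability database that a report generator merges in. The class and function names (Vuln, add_reference, set_xml_reference, load_vulndata, render_report_entry), the XML layout and the sample records are all assumptions constructed for this sketch; only the OWASP and CWE-89 URLs are real. The example also covers the atomicity point raised in the thread: a finding whose id has no database record still renders from the plugin's own short description.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of the external "vulndata" XML database discussed in the
# thread: one <vulnerability> element per w3af id carrying the long description
# and fix recommendation, so the plugin itself stays short. Layout is assumed.
VULNDATA_XML = """
<vulnerabilities>
  <vulnerability id="00036">
    <title>SQL injection</title>
    <description>User-controlled input is concatenated into an SQL statement
    without escaping, so an attacker can change the meaning of the query.</description>
    <fix>Use parameterised queries (prepared statements) and validate input
    against an allow-list; never build SQL by string concatenation.</fix>
  </vulnerability>
</vulnerabilities>
"""


def load_vulndata(xml_text):
    """Parse the XML database into {w3af_id: {"title", "description", "fix"}}."""
    db = {}
    for node in ET.fromstring(xml_text).findall("vulnerability"):
        db[node.get("id")] = {
            "title": node.findtext("title", "").strip(),
            # collapse the pretty-printed whitespace into single spaces
            "description": " ".join(node.findtext("description", "").split()),
            "fix": " ".join(node.findtext("fix", "").split()),
        }
    return db


@dataclass
class Vuln:
    """Hypothetical stand-in for w3af's vuln object; not the real class."""
    name: str
    severity: str
    desc: str                                        # short, plugin-supplied text
    references: list = field(default_factory=list)   # (label, url) pairs
    xml_id: Optional[str] = None                     # pointer into the XML db

    def add_reference(self, label, url):
        self.references.append((label, url))

    def set_xml_reference(self, w3af_id):
        self.xml_id = w3af_id


def render_report_entry(vuln, db):
    """Merge plugin-supplied fields with the XML db into one report entry.

    A vuln whose xml_id is unset or unknown still yields an entry built from
    the plugin's own short desc, so a plugin dropped into plugins/ without a
    matching db record keeps working (the atomicity concern raised in the thread).
    """
    extra = db.get(vuln.xml_id) if vuln.xml_id else None
    lines = [f"{vuln.name} [{vuln.severity}]", vuln.desc]
    if extra:
        lines.append("Description: " + extra["description"])
        lines.append("Fix: " + extra["fix"])
    for label, url in vuln.references:
        lines.append(f"Reference: {label} - {url}")
    return "\n".join(lines)


def example_sqli_finding():
    """The sqli.py finding from the thread, expressed with the assumed API."""
    v = Vuln(name="SQL injection vulnerability", severity="HIGH",
             desc="SQL injection in a mysql was found at: /search?q= (constructed location)")
    v.add_reference("OWASP", "https://www.owasp.org/index.php/SQL_Injection")
    v.add_reference("CWE-89: Improper Neutralization of Special Elements used in an SQL Command",
                    "http://cwe.mitre.org/data/definitions/89.html")
    v.set_xml_reference("00036")    # long text comes from the XML db, not the plugin
    return v


def example_unknown_finding():
    """A finding whose XML id has no db record: must still render."""
    v = Vuln(name="Example finding", severity="LOW", desc="plugin-supplied desc")
    v.set_xml_reference("99999")    # constructed id that is not in the db
    return v


if __name__ == "__main__":
    db = load_vulndata(VULNDATA_XML)
    print(render_report_entry(example_sqli_finding(), db))
    print()
    print(render_report_entry(example_unknown_finding(), db))
```

Running the block prints the SQL injection entry with the short plugin text, the long description and fix pulled from the XML record, and the two references, followed by the unknown-id entry that contains only the plugin-supplied fields.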

