WebApp Sec mailing list archives
Re: no standards for webapp exploitation
From: dave () immunitysec com
Date: Wed, 2 Jul 2003 14:47:36 -0400 (EDT)
The main benefit of VulnXML, imo, compared to a python-based engine is that you can distribute VulnXML from untrusted sources, and it won't execute on your machine. Another advantage is that it's self-describing, so you can do searches and stuff on a base of it. A major disadvantage is that it's not well suited for writing actual exploits - there's no good way to do something like urllib.quote_plus() or whatever external libraries you need to exploit something. My HTTP exploits for CANVAS tend to be multi-threaded, which VulnXML can't do... For exploitation, Python is probably your language of choice. But that's not to say a Python class can't have VulnXML in it - SPIKE Proxy is pure Python.... -dave
In-Reply-To: <Pine.LNX.4.44.0307020019361.2234-100000@felinemenace> Hi...# VulnXML and the whisker.dat (and all of libwhisker # (whisker RIP)) are for testing purposes ONLY. they # do not scale to enterprise level where API's should # be easy to work with and provide a high level # interface to lower level scripting languages (like # python, perl). variables should be extinct outside # of module classes. the opensource web securitycommunity# would benefit from a standardized way to exploit # web applications, wether they are remote code execution, # remote command execution, server and client injection, # remote file reading (all of which are going to becovered# in an independant project which seeks to build webapp # exploit primitives provider on top of the websec class). # feel free to send comments and code to me(nd () felinemenace org Well, in fact the intention of VulnXML is to be a description of application level vulnerabilities, that is both suited for human reading and for direct execution of the attacks described within a record. The only problem is, that there currently is no working execution engine for the latest VulnXML description (VulnXML DTD 1.4). There is some script code around to execute older VulnXML records. It is planned to write at least a java-based executor for VulnXML recs next. Watch out for the VulnXML db announcement that follows soon. Kind regards Ingo Struck (OWASP)
Current thread:
- no standards for webapp exploitation ned (Jul 02)
- <Possible follow-ups>
- RE: no standards for webapp exploitation Dawes, Rogan (ZA - Johannesburg) (Jul 02)
- Re: no standards for webapp exploitation Ingo Struck (Jul 02)
- Re: no standards for webapp exploitation dave (Jul 02)