Re: no standards for webapp exploitation

dave@immunitysec.com
Date: Wed Jul 02 2003 - 13:47:36 CDT


The main benefit of VulnXML, imo, compared to a python-based engine is
that you can distribute VulnXML from untrusted sources, and it won't
execute on your machine. Another advantage is that it's self-describing,
so you can do searches and stuff on a base of it. A major disadvantage is
that it's not well suited for writing actual exploits - there's no good
way to do something like urllib.quote_plus() or whatever external
libraries you need to exploit something. My HTTP exploits for CANVAS tend
to be multi-threaded, which VulnXML can't do...

For exploitation, Python is probably your language of choice. But that's
not to say a Python class can't have VulnXML in it - SPIKE Proxy is pure
Python....

-dave

> In-Reply-To: <Pine.LNX.4.44.0307020019361.2234-100000felinemenace>
>
> Hi...
>
>># VulnXML and the whisker.dat (and all of libwhisker
>># (whisker RIP)) are for testing purposes ONLY. They
>># do not scale to enterprise level where APIs should
>># be easy to work with and provide a high level
>># interface to lower level scripting languages (like
>># python, perl). Variables should be extinct outside
>># of module classes. The opensource web security
>># community would benefit from a standardized way to exploit
>># web applications, whether they are remote code execution,
>># remote command execution, server and client injection,
>># remote file reading (all of which are going to be
>># covered in an independent project which seeks to build a webapp
>># exploit primitives provider on top of the websec class).
>># Feel free to send comments and code to me
>># (nd@felinemenace.org)
>
> Well, in fact the intention of VulnXML is to be a
> description of application level vulnerabilities,
> that is both suited for human reading and for direct
> execution of the attacks described within a record.
> The only problem is that there currently is no
> working execution engine for the latest VulnXML
> description (VulnXML DTD 1.4).
> There is some script code around to execute older
> VulnXML records.
> It is planned to write at least a Java-based executor
> for VulnXML recs next.
>
> Watch out for the VulnXML db announcement that follows
> soon.
>
> Kind regards
>
> Ingo Struck (OWASP)
>
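The data-versus-code trade-off Dave describes above, as an added example that is not part of this thread and is not VulnXML: a hypothetical, deliberately tiny XML check format (schema invented here, not VulnXML DTD 1.4) interpreted by an engine with a fixed vocabulary, beside a Python check class that needs urllib's quote_plus and threads. Both run against a constructed in-memory target, so nothing touches the network. The point it shows: a record from an untrusted source can only drive the engine's fixed verbs (an injected `<shell>` element is inert data), while the things an exploit actually needs, such as URL-encoding and concurrency, are only available on the code side.

```python
"""Declarative check record vs. code-driven probe (added example; not VulnXML)."""
import re
import threading
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote_plus, urlsplit


# --- Constructed in-memory target that behaves like a small vulnerable app ---
def fake_target(method, path):
    """Return (status, body). /search.php reflects the 'q' parameter unescaped."""
    parts = urlsplit(path)
    if parts.path == "/search.php":
        q = parse_qs(parts.query).get("q", [""])[0]
        return 200, "<html>Results for " + q + "</html>"
    if parts.path == "/admin/":
        return 401, "auth required"
    return 404, "not found"


# --- Hypothetical check record. Schema is invented for this example. ---
# The <shell> element is constructed to stand in for content a hostile
# record author might add; the engine below never interprets it.
CHECK_XML = """<check id="example-reflect">
  <request method="GET" path="/search.php?q=zz" />
  <match type="regex">Results for zz</match>
  <shell>rm -rf /</shell>
</check>"""

# The engine understands exactly these elements and nothing else.
ENGINE_VOCAB = {"request", "match"}


def run_declarative_check(xml_text, target):
    """Interpret one record against `target`.

    Only elements in ENGINE_VOCAB have meaning; anything else is reported
    as ignored. Because the record is data and the verbs are fixed, a record
    from an untrusted source cannot make this engine execute code.
    """
    root = ET.fromstring(xml_text)  # stdlib parser; no external entity expansion
    ignored = [child.tag for child in root if child.tag not in ENGINE_VOCAB]
    req = root.find("request")
    match = root.find("match")
    status, body = target(req.get("method"), req.get("path"))
    hit = re.search(match.text, body) is not None
    return {"id": root.get("id"), "hit": hit, "status": status, "ignored": ignored}


# --- Code-driven probe: needs quote_plus and threads, which a data format lacks ---
class ReflectionProbe:
    """Send several payloads concurrently and report which ones are reflected."""

    def __init__(self, target, payloads):
        self.target = target
        self.payloads = payloads
        self.reflected = {}
        self._lock = threading.Lock()

    def _probe(self, payload):
        # quote_plus so spaces, '&', '<' etc. survive the query string intact;
        # this is the kind of helper a pure data record cannot express.
        status, body = self.target("GET", "/search.php?q=" + quote_plus(payload))
        with self._lock:
            self.reflected[payload] = status == 200 and payload in body

    def run(self):
        threads = [threading.Thread(target=self._probe, args=(p,)) for p in self.payloads]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        return self.reflected


if __name__ == "__main__":
    print(run_declarative_check(CHECK_XML, fake_target))
    print(ReflectionProbe(fake_target, ["<script>alert(1)</script>", "a b&c"]).run())
```

The engine's safety comes from its closed vocabulary, not from XML itself: the moment a record format grows an element that evaluates expressions or shells out, it is back to distributing code. Conversely, the Python probe is only as trustworthy as its author, which is the reason a record base can be shared more freely than a module base.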