Subject: RE: [was] Meeting Minutes


Rogan / Team,

One thing I have been thinking about is possibly a different approach to
dealing with the problem (or maybe the same depending on your view point).

I think I would be right in saying that today we try to describe a complete
transaction. In a simple case like an XSS that would be the HTTP request
being sent along with any pre- and post-conditions.

Another approach, or more accurately a powerful extension, may be to
extrapolate the attack in such a way that the scenario could become:

Get a URI, operate on response. So in the case of an XSS test you could
request a URI, parse the HTTP headers or HTML and then build test requests
with a defined payload.

Essentially this approach (extension) would mean you could potentially
create generic XSS, path traversal tests etc., which then takes WAS from a
static description format to a powerful dynamic testing language.

Any thoughts on this approach?


-----Original Message-----
From: Dawes, Rogan (ZA - Johannesburg) [mailto:rdawes@deloitte.co.za] 
Sent: Thursday, October 23, 2003 1:28 AM
To: 'Mark Curphey'; 'was@lists.oasis-open.org'

Hi folks,

The WAS engine is checked into the CVS for WebScarab at SourceForge, or you
can get an interim release from my personal web page at
http://home.intekom.co.za/rdawes/WebScarab.jar

The WAS engine is not accessible through the GUI. You will need to call it
in the following way:

java -cp webscarab.jar org.owasp.webscarab.plugin.was.WASExecutor url testfile

You may also need to get the jakarta commons libs, if it complains about
missing class files.

Currently, it does nothing with the test description. In particular, it does
not check to see whether it applies to a particular URL. That will probably
be done this week some time.

Also, it does not implement Request Body functionality, so you cannot do
POST. I have also not yet implemented building a request query from
individual parameter elements. If you want a URL with parameters, build it
in the <URL> block using ${variable} if necessary.

Currently, I think it should be sufficient to implement most of the Whisker
and Nikto tests, given the restrictions above.

I hope to have time to work on it this week.

Rogan

-----Original Message-----
From: Mark Curphey
To: was@lists.oasis-open.org
Sent: 10/22/03 9:42 PM
Subject: [was] Meeting Minutes

Meeting minutes from last week's meeting are now posted on the OASIS site.

In short Rogan Dawes has created a basic WAS execution engine in order for
the TC members to explore the limitations of the existing VulnXML format and
design WAS accordingly.

So at this point we need people to start creating test cases, recording real
limitations and designing WAS 1.0 accordingly. 

Please take time to download the current engine, build test cases and share
your experience. 

Rogan, can you update everyone with the limitations of the current engine
build so we don't build test cases that are currently not implemented in the
reference engine, and point everyone to the latest build?

Thanks
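Mark's "get a URI, operate on response" proposal at the top of this thread and Rogan's description of the <URL> block with ${variable} placeholders can be put side by side in a small runner. The following is an added example written for this archive page; it is not WebScarab's WAS engine nor any TC code. The <Response>/<Match> element, the test id, the ${target} and ${payload} variable names, the fake_app stand-in and the http://app.example target are all assumptions constructed for the example; only the <URL> block with ${variable} placeholders comes from the thread.

```python
"""Toy WAS-style runner, constructed for this example (not WebScarab's WAS engine).

Part 1 is the static form Rogan describes: a test description whose <URL> block
uses ${variable} placeholders, expanded against a target and checked against
the response.  Part 2 is Mark's extension: get a URI, parse the HTML response
for form parameters, build follow-up requests with a defined payload, and
record whether the payload comes back unencoded (the condition a reflected
XSS test actually evaluates).  HTTP is simulated in memory so it runs offline.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from string import Template
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed test description. Only the <URL> block is from the thread; the
# <Response>/<Match> element and the test id are assumptions for this example.
TEST_DESCRIPTION = """<test id="example-reflection-check">
  <URL>${target}/search?q=${payload}</URL>
  <Response><Match>${payload}</Match></Response>
</test>"""

# A harmless marker rather than script tags: what the check needs to know is
# whether the application echoes the input without HTML-encoding it.
PAYLOAD = "wasprobe<'\">"


def fake_app(url: str) -> str:
    """Constructed stand-in for a web application: /search echoes the query
    unencoded, /safe-search encodes it, / serves the forms that lead to both."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path == "/search":
        return f"<html><body>Results for {params.get('q', '')}</body></html>"
    if parts.path == "/safe-search":
        return f"<html><body>Results for {html.escape(params.get('q', ''))}</body></html>"
    if parts.path == "/":
        return ('<html><body>'
                '<form action="/search" method="get"><input name="q"></form>'
                '<form action="/safe-search" method="get"><input name="q">'
                '<input type="hidden" name="lang" value="en"></form>'
                '</body></html>')
    return "<html><body>not found</body></html>"


def expand(template: str, variables: dict) -> str:
    """Expand ${variable} placeholders the way the <URL> block is described."""
    return Template(template).substitute(variables)


def run_static_test(description: str, target: str, payload: str, fetch=fake_app) -> dict:
    """Static form: expand the <URL> template, fetch it, test the <Match> condition."""
    root = ET.fromstring(description)
    # The payload is URL-encoded in the request and compared raw in the body.
    url = expand(root.findtext("URL"), {"target": target, "payload": quote(payload, safe="")})
    expected = expand(root.findtext("Response/Match"), {"target": target, "payload": payload})
    body = fetch(url)
    return {"test": root.get("id"), "url": url, "matched": expected in body}


class FormCollector(HTMLParser):
    """Collect <form> actions, methods and <input> names from an HTML response."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""),
                               "method": (a.get("method") or "get").lower(),
                               "inputs": {}})
        elif tag == "input" and self.forms and a.get("name"):
            self.forms[-1]["inputs"][a["name"]] = a.get("value") or ""


def run_dynamic_test(target: str, payload: str, fetch=fake_app) -> list:
    """Mark's extension: get a URI, operate on the response.  Each GET form found
    yields one test request per parameter with the payload substituted in."""
    collector = FormCollector()
    collector.feed(fetch(target + "/"))
    findings = []
    for form in collector.forms:
        if form["method"] != "get":
            continue  # no request body support, matching the engine's limitation
        for name in form["inputs"]:
            params = dict(form["inputs"])
            params[name] = payload
            url = target + form["action"] + "?" + urlencode(params)
            findings.append({"url": url, "param": name,
                             "reflected_unencoded": payload in fetch(url)})
    return findings


if __name__ == "__main__":
    print(run_static_test(TEST_DESCRIPTION, "http://app.example", PAYLOAD))
    for finding in run_dynamic_test("http://app.example", PAYLOAD):
        print(finding)
```

Against the constructed application the static test matches on /search, and the dynamic run discovers three parameters across two forms, of which only the unencoded /search?q echoes the marker back. Swapping fetch for a real HTTP client is the only change needed to run either part against a test instance; the static part stays a description, the dynamic part is where the "testing language" behaviour lives.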


To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/was/members/leave_workgroup.php
