Re: [was] How is Test (Detect) progress ?

[Rogan Dawes <rogan@dawes.za.net>]

Yuval Ben-Itzhak wrote:

> As I refresh my memory with all the DTDs and Schemas that are available, I
> found that there are many overlaps between the current VulXML DTD
> (VulnXML-1.4.dtd) and the Meta schema (oasis-was-version4.xsd). In addition,
> the two will need to be in Sync. with the Thesaurus schema (could not find
> an available schema) as they all reference each other.

Yes, there are a number of overlaps. The WAS-Core schema that Mark and 
co have been working on replaces the <TestDescription> element of 
VulnXML completely, I think.

The section that we need to aim for with Test is the part of VulnXML 
that starts at <Variable>*, and continues with <Connection>+, where * 
indicates optional element, and + indicates one or more Connection elements.

> 
> 1. The initial work is to do some 'clean-up' and 'sync.' between the
> documents as well as to have them all with the same format (I prefer
> Schema). I remember that in the early days of OWASP, Altova (XMLSpy)
> contributed a license/s - is this still available? can I have it for this
> task?

Not sure if it is still available. Mark?

> 
> 2. After this work, in my opinion, the VulnXML will need to be updated to
> support all "vulnList" defined in the Meta schema. Currently I could not see
> how it will support some of the DoS and Injection types defined on the Meta.

Just a reminder, because I'm not sure that Yuval and I are on the same 
page with regards to how/why VulnXML was designed:

The intention with VulnXML was not to create "functions" that would 
automatically expand into a test for a SQL injection in one of almost 
infinite permutations. VulnXML was designed to document the exact steps 
that one would go through to replicate a test that has been done before. 
This is typical of tests for static vulnerabilities, much as Whisker and 
Nikto do. This is the problem that VulnXML was intended to solve, and 
the intention of WAS-XML as well.

WAS-XML is not intended to describe how to automatically compose 
multiple tests for a SQL injection on an arbitrary form (or XSS, or 
whatever). It is intended to facilitate the interchange of known 
vulnerabilities between tools.

So, there are some aspects of the current VulnXML schema/dtd that would 
need to be refined, but we do not need to code explicit support for each 
of the categories mentioned in Mark's schema. If it can be expressed as 
an HTTP Request (request line, headers and body), and tested for in the 
HTTP Response (status line, headers or response body), we should be able 
to express anything we want to.

However, as mentioned in previous mails, outstanding items that are 
*NOT* currently possible are multiple simultaneous requests for testing 
locking or synchronisation issues, and reliable/intelligent detection of 
custom 404 responses. These still need to be added to the Test elements 
of WAS-XML.

> My current goal is # 1
> 
> Yuval.
> 

Regards,

Rogan