Subject: Re: [was] How is Test (Detect) progress ?
Yuval Ben-Itzhak wrote:

> As I refresh my memory with all the DTDs and Schemas that are available, I
> found that there are many overlaps between the current VulnXML DTD
> (VulnXML-1.4.dtd) and the Meta schema (oasis-was-version4.xsd). In addition,
> the two will need to be in Sync. with the Thesaurus schema (could not find
> an available schema) as they all reference each other.

Yes, there are a number of overlaps. The WAS-Core schema that Mark and co have been working on replaces the <TestDescription> element of VulnXML completely, I think. The section that we need to aim for with Test is the part of VulnXML that starts at <Variable>*, and continues with <Connection>+, where * indicates optional element, and + indicates one or more Connection elements.

>
> 1. The initial work is to do some 'clean-up' and 'sync.' between the
> documents as well as to have them all with the same format (I prefer
> Schema). I remember that in the early days of OWASP, Altova (XMLSpy)
> contributed a license/s - is this still available? can I have it for this
> task?

Not sure if it is still available. Mark?

>
> 2. After this work, in my opinion, the VulnXML will need to be updated to
> support all "vulnList" defined in the Meta schema. Currently I could not see
> how it will support some of the DoS and Injection types defined on the Meta.

Just a reminder, because I'm not sure that Yuval and I are on the same page with regards to how/why VulnXML was designed:

The intention with VulnXML was not to create "functions" that would automatically expand into a test for a SQL injection in one of almost infinite permutations. VulnXML was designed to document the exact steps that one would go through to replicate a test that has been done before. This is typical of tests for static vulnerabilities, much as Whisker and Nikto do. This is the problem that VulnXML was intended to solve, and the intention of WAS-XML as well.

WAS-XML is not intended to describe how to automatically compose multiple tests for a SQL injection on an arbitrary form (or XSS, or whatever). It is intended to facilitate the interchange of known vulnerabilities between tools.

So, there are some aspects of the current VulnXML schema/dtd that would need to be refined, but we do not need to code explicit support for each of the categories mentioned in Mark's schema. If it can be expressed as an HTTP Request (request line, headers and body), and tested for in the HTTP Response (status line, headers or response body), we should be able to express anything we want to.

However, as mentioned in previous mails, outstanding items that are *NOT* currently possible are multiple simultaneous requests for testing locking or synchronisation issues, and reliable/intelligent detection of custom 404 responses. These still need to be added to the Test elements of WAS-XML.

> My current goal is # 1
>
> Yuval.
>

Regards,

Rogan
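The request/response model described in the message above, as an added example that is not part of the original post and is not VulnXML or WAS-XML syntax: one recorded static test is replayed as request line, headers and body, then checked against the status line, headers and body of the response. The record layout, path, host name and banner string are all constructed assumptions; the second sample response shows why a status-line check alone misfires on a custom 404 page.

```python
import re

# Hypothetical in-memory record of one static test (not VulnXML/WAS-XML syntax).
TEST = {
    "request": {"line": "GET /cgi-bin/example.cgi HTTP/1.0",   # constructed path
                "headers": {"Host": "target.example"}, "body": ""},
    "checks": [("status", r"^HTTP/1\.[01] 200\b"),
               ("body", r"Example CGI v1\.0")],                 # constructed banner
}

def render_request(req):
    """Serialise request line, headers and body into the bytes to send."""
    head = [req["line"]] + [f"{k}: {v}" for k, v in req["headers"].items()]
    return ("\r\n".join(head) + "\r\n\r\n" + req["body"]).encode("latin-1")

def parse_response(raw):
    """Split a raw HTTP response into status line, header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers, "body": body.decode("latin-1")}

def evaluate(checks, raw):
    """All checks must match. A check is (part, regex) or ("header", name, regex)."""
    resp = parse_response(raw)
    for check in checks:
        if check[0] == "header":
            subject = resp["headers"].get(check[1].lower(), "")
        else:
            subject = resp[check[0]]
        if not re.search(check[-1], subject, re.MULTILINE):
            return False
    return True

def status_only(raw):
    """Apply only the status-line check, as a naive tool would."""
    return evaluate(TEST["checks"][:1], raw)

# Constructed responses: a genuine hit, and a custom 404 page served with 200.
HIT = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Example CGI v1.0</h1>"
SOFT_404 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<h1>Sorry, page not found</h1>"
```

Adding the body check is what separates the genuine hit from the custom 404 here; it only works because the recorded test names a string specific to the vulnerable resource.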