OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

was message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [was] How is Test (Detect) progress ?


I'm trying to sync. was-core0.3.xml (a Schema) to VulnXML-1.4.dtd for the
Detect project.
It appears that although was-core0.3.xml is a valid XML document it is not a
valid Schema.

Check the following ComplexType:

	<xs:element name="thesaurusEntry" use="required">
		<xs:attribute name="thesaurusGroupName" type="xs:string"/>
		<xs:attribute name="thesaurusSubGroupName" type="xs:string"/>
		<xs:attribute name="additionalInformation" type="xs:string"/>
	<xs:element name="vulnDatabase">
		<xs:attribute name="databaseName" type="xs:string"/>
		<xs:attribute name="databaseLocation" type="xs:uri"/>
		<xs:attribute name="databaseRef" type="xs:string"/>
		<xs:element name="shortDescription" type="xs:string"/>
		<xs:element name="longDescription" type="xs:string"/>

It looks to me that the complextype should include attributes and not
elements (see other ComplexTypes in the Schema). An element is a parent
'element' of a complextype.
I used an eval of XMLSPY and it alerts on the same issue.
Here is a reference from MSDN:

Any comments ?


-----Original Message-----
From: Mark Curphey [mailto:mark.curphey@foundstone.com]
Sent: Monday, March 29, 2004 4:08 PM
To: Rogan Dawes; yuvalben@netvision.net.il
Cc: was@lists.oasis-open.org
Subject: RE: [was] How is Test (Detect) progress ?

See comments inline.

I think we need to move towards putting this schema under version

CVS OK with everyone ?

That said I think you Test folks and Protect folks (Ivan) should develop
a separate schema and we will integrate it later. This will ensure we
get less merge conflicts etc. Maybe you can name it WAS-Detect-c.xsd,
WAS-Protect-x.xsd ? You can upload it to the OASIS site as well for now
until we get the CVS setup.

Also I chatted to Ivan about Protect and wanted to facilitate a
conference call to ensure we don't overlap and reuse as much as is

See other Comments inline

-----Original Message-----
From: Rogan Dawes [mailto:rogan@dawes.za.net]
Sent: Monday, March 29, 2004 6:09 AM
To: yuvalben@netvision.net.il
Cc: Mark Curphey; was@lists.oasis-open.org
Subject: Re: [was] How is Test (Detect) progress ?

Yuval Ben-Itzhak wrote:

> As I refresh my memory with all the DTDs and Schemas that are
> available, I found that there are many overlaps between the current
> (VulnXML-1.4.dtd) and the Meta schema (oasis-was-version4.xsd). In
> addition, the two will need to be in Sync. with the Thesaurus schema
> (could not find an available schema) as they all reference each other.

Yes, there are a number of overlaps. The WAS-Core schema that Mark and
co have been working on replaces the <TestDescription> element of
VulnXML completely, I think.

The section that we need to aim for with Test is the part of VulnXML
that starts at <Variable>*, and continues with <Connection>+, where *
indicates optional element, and + indicates one or more Connection

MC > Exactly. This allows Protect and Detect to use the same textual and
meta-data so its all consistent. The work you Detect folks are doing
should be on the Test Case only and not the descriptive or signature
management pieces.

> 1. The initial work is to do some 'clean-up' and 'sync.' between the
> documents as well as to have them all with the same format (I prefer
> Schema). I remember that in the early days of OWASP, Altova (XMLSpy)
> contributed a license/s - is this still available? can I have it for
> this task?

Not sure if it is still available. Mark?

MC > We all agreed this should be developed in Schema.

No its not. Well at least not the new versions. If you have VS.NET its
pretty decent or if you havent used SPY before you can get a 30 day
trial. Also there are a number of good Java based editors now. I will
send a mail with the ones I know about.

> 2. After this work, in my opinion, the VulnXML will need to be updated

> to support all "vulnList" defined in the Meta schema. Currently I
> could not see how it will support some of the DoS and Injection types
defined on the Meta.

Just a reminder, because I'm not sure that Yuval and I are on the same
page with regards to how/why VulnXML was designed:

The intention with VulnXML was not to create "functions" that would
automatically expand into a test for a SQL injection in one of almost
infinite permutations. VulnXML was designed to document the exact steps
that one would go through to replicate a test that has been done before.

This is typical of tests for static vulnerabilities, much as Whisker and
Nikto do. This is the problem that VulnXML was intended to solve, and
the intention of WAS-XML as well.

MC > Perfect

WAS-XML is not intended to describe how to automatically compose
multiple tests for a SQL injection on an arbitrary form (or XSS, or
whatever). It is intended to facilitate the interchange of known
vulnerabilities between tools.

MC > Exactly. WAS 2.0 may though !

So, there are some aspects of the current VulnXML schema/dtd that would
need to be refined, but we do not need to code explicit support for each
of the categories mentioned in Mark's schema. If it can be expressed as
an HTTP Request (request line, headers and body), and tested for in the
HTTP Response (status line, headers or response body), we should be able
to express anything we want to.

MC > That's true. Remember WAS will have support to describe issues that
maybe found in code by code scanners (issues that cant be found by black
box scanners. It is the generic vuln description language that people
can build business process around as well as taking feeds from
technology and tools. We shouldn'y insist on a Detect or Protect
signature for every vuln that would be descibed in Meta IMHO.

However, as mentioned in previous mails, outstanding items that are
*NOT* currently possible are multiple simultaneous requests for testing
locking or synchronisation issues, and reliable/intelligent detection of
custom 404 responses. These still need to be added to the Test elements

> My current goal is # 1
> Yuval.



To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]