OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

was message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [was] How is Test (Detect) progress ?


It looks ok now.

Here is another issue:
<xs:attribute name="versionRevisionDateHistory" type="xs:dateTime"
minOccurs="1"/>

The tag 'attribute'  does not support an attribute of 'minOccurs'. It should
be remove, associated with the parent 'element' or be structure differently
to represent the "versionRevisionDateHistory" elements - if needed.

More reading regarding the 'attribute' can be found:
http://msdn.microsoft.com/library/en-us/xmlsdk/htm/xsd_ref_460k.asp


Yuval.

-----Original Message-----
From: Nasseam Elkarra [mailto:nelkarra@opensec.org]
Sent: Tuesday, March 30, 2004 10:52 PM
To: was@lists.oasis-open.org
Subject: RE: [was] How is Test (Detect) progress ?


An element cannot be a child of a complexType, you are going to have to
put it into a element container (e.g. sequence element). Also, elements
that have attributes are considered complexTypes and must be defined as
such. The following should validate correctly:

<xs:complexType>
  <xs:sequence>
    <xs:element name="thesaurusEntry">
      <xs:complexType>
        <xs:attribute name="thesaurusGroupName" type="xs:string" />
        <xs:attribute name="thesaurusSubGroupName" type="xs:string" />
        <xs:attribute name="additionalInformation" type="xs:string" />
      </xs:complexType>
    </xs:element>
    <xs:element name="vulnDatabase">
      <xs:complexType>
        <xs:attribute name="databaseName" type="xs:string" />
        <xs:attribute name="databaseLocation" type="xs:uri" />
        <xs:attribute name="databaseRef" type="xs:string" />
      </xs:complexType>
    </xs:element>
    <xs:element name="shortDescription" type="xs:string" />
    <xs:element name="longDescription" type="xs:string" />
  </xs:sequence>
</xs:complexType>

--Nasseam

> -----Original Message-----
> From: Yuval Ben-Itzhak [mailto:yuvalben@netvision.net.il]
> Sent: Tuesday, March 30, 2004 9:46 AM
> To: Mark Curphey; Rogan Dawes
> Cc: was@lists.oasis-open.org
> Subject: RE: [was] How is Test (Detect) progress ?
>
>
> Hi,
>
> I'm trying to sync. was-core0.3.xml (a Schema) to VulnXML-1.4.dtd for
the
> Detect project.
> It appears that although was-core0.3.xml is a valid XML document it is
not
> a
> valid Schema.
>
> Check the following ComplexType:
>
> <xs:complexType>
> 	<xs:element name="thesaurusEntry" use="required">
> 		<xs:attribute name="thesaurusGroupName"
type="xs:string"/>
> 		<xs:attribute name="thesaurusSubGroupName"
type="xs:string"/>
> 		<xs:attribute name="additionalInformation"
type="xs:string"/>
> 	</xs:element>
> 	<xs:element name="vulnDatabase">
> 		<xs:attribute name="databaseName" type="xs:string"/>
> 		<xs:attribute name="databaseLocation" type="xs:uri"/>
> 		<xs:attribute name="databaseRef" type="xs:string"/>
> 	</xs:element>
> 		<xs:element name="shortDescription" type="xs:string"/>
> 		<xs:element name="longDescription" type="xs:string"/>
> 	</xs:complexType>
>
> It looks to me that the complextype should include attributes and not
> elements (see other ComplexTypes in the Schema). An element is a
parent
> 'element' of a complextype.
> I used an eval of XMLSPY and it alerts on the same issue.
> Here is a reference from MSDN:
> http://msdn.microsoft.com/library/en-us/xmlsdk/htm/xsd_ref_9qpg.asp
>
> Any comments ?
>
>
> Yuval.
>
> -----Original Message-----
> From: Mark Curphey [mailto:mark.curphey@foundstone.com]
> Sent: Monday, March 29, 2004 4:08 PM
> To: Rogan Dawes; yuvalben@netvision.net.il
> Cc: was@lists.oasis-open.org
> Subject: RE: [was] How is Test (Detect) progress ?
>
>
>
> See comments inline.
>
> I think we need to move towards putting this schema under version
> control.
>
> CVS OK with everyone ?
>
> That said I think you Test folks and Protect folks (Ivan) should
develop
> a separate schema and we will integrate it later. This will ensure we
> get less merge conflicts etc. Maybe you can name it WAS-Detect-c.xsd,
> WAS-Protect-x.xsd ? You can upload it to the OASIS site as well for
now
> until we get the CVS setup.
>
> Also I chatted to Ivan about Protect and wanted to facilitate a
> conference call to ensure we don't overlap and reuse as much as is
> possible.
>
> See other Comments inline
>
> -----Original Message-----
> From: Rogan Dawes [mailto:rogan@dawes.za.net]
> Sent: Monday, March 29, 2004 6:09 AM
> To: yuvalben@netvision.net.il
> Cc: Mark Curphey; was@lists.oasis-open.org
> Subject: Re: [was] How is Test (Detect) progress ?
>
>
>
> Yuval Ben-Itzhak wrote:
>
> > As I refresh my memory with all the DTDs and Schemas that are
> > available, I found that there are many overlaps between the current
> > VulXML DTD
> > (VulnXML-1.4.dtd) and the Meta schema (oasis-was-version4.xsd). In
> > addition, the two will need to be in Sync. with the Thesaurus schema
> > (could not find an available schema) as they all reference each
other.
>
> Yes, there are a number of overlaps. The WAS-Core schema that Mark and
> co have been working on replaces the <TestDescription> element of
> VulnXML completely, I think.
>
> The section that we need to aim for with Test is the part of VulnXML
> that starts at <Variable>*, and continues with <Connection>+, where *
> indicates optional element, and + indicates one or more Connection
> elements.
>
> MC > Exactly. This allows Protect and Detect to use the same textual
and
> meta-data so its all consistent. The work you Detect folks are doing
> should be on the Test Case only and not the descriptive or signature
> management pieces.
>
> >
> > 1. The initial work is to do some 'clean-up' and 'sync.' between the
> > documents as well as to have them all with the same format (I prefer
> > Schema). I remember that in the early days of OWASP, Altova (XMLSpy)
> > contributed a license/s - is this still available? can I have it for
> > this task?
>
> Not sure if it is still available. Mark?
>
> MC > We all agreed this should be developed in Schema.
>
> No its not. Well at least not the new versions. If you have VS.NET its
> pretty decent or if you havent used SPY before you can get a 30 day
> trial. Also there are a number of good Java based editors now. I will
> send a mail with the ones I know about.
>
> >
> > 2. After this work, in my opinion, the VulnXML will need to be
updated
>
> > to support all "vulnList" defined in the Meta schema. Currently I
> > could not see how it will support some of the DoS and Injection
types
> defined on the Meta.
>
> Just a reminder, because I'm not sure that Yuval and I are on the same
> page with regards to how/why VulnXML was designed:
>
> The intention with VulnXML was not to create "functions" that would
> automatically expand into a test for a SQL injection in one of almost
> infinite permutations. VulnXML was designed to document the exact
steps
> that one would go through to replicate a test that has been done
before.
>
> This is typical of tests for static vulnerabilities, much as Whisker
and
> Nikto do. This is the problem that VulnXML was intended to solve, and
> the intention of WAS-XML as well.
>
> MC > Perfect
>
> WAS-XML is not intended to describe how to automatically compose
> multiple tests for a SQL injection on an arbitrary form (or XSS, or
> whatever). It is intended to facilitate the interchange of known
> vulnerabilities between tools.
>
> MC > Exactly. WAS 2.0 may though !
>
> So, there are some aspects of the current VulnXML schema/dtd that
would
> need to be refined, but we do not need to code explicit support for
each
> of the categories mentioned in Mark's schema. If it can be expressed
as
> an HTTP Request (request line, headers and body), and tested for in
the
> HTTP Response (status line, headers or response body), we should be
able
> to express anything we want to.
>
> MC > That's true. Remember WAS will have support to describe issues
that
> maybe found in code by code scanners (issues that cant be found by
black
> box scanners. It is the generic vuln description language that people
> can build business process around as well as taking feeds from
> technology and tools. We shouldn'y insist on a Detect or Protect
> signature for every vuln that would be descibed in Meta IMHO.
>
> However, as mentioned in previous mails, outstanding items that are
> *NOT* currently possible are multiple simultaneous requests for
testing
> locking or synchronisation issues, and reliable/intelligent detection
of
> custom 404 responses. These still need to be added to the Test
elements
> of WAS-XML.
>
>
>
> > My current goal is # 1
> >
> > Yuval.
> >
>
> Regards,
>
> Rogan
>
> To unsubscribe from this mailing list (and be removed from the roster
of
> the
> OASIS TC), go to
> http://www.oasis-
> open.org/apps/org/workgroup/was/members/leave_workgroup.php
> .
>
>
>
> To unsubscribe from this mailing list (and be removed from the roster
of
> the OASIS TC), go to http://www.oasis-
> open.org/apps/org/workgroup/was/members/leave_workgroup.php.



To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/was/members/leave_workgroup.php
.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]