Andres, please read inline

>>> I have a proposal to add references to the KB vuln object. For example for XSS
>>> we can add references to:
>>>
>>> * CWE-79: Improper Neutralization of Input During Web Page Generation
>>>   ('Cross-site Scripting')
>>> * OWASP: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
>>>
>>> in xss.py it will look like:
>>> -------------------------------------------
>>> v = vuln.vuln(mutant)
>>> v.setPluginName(self.getName())
>>> v.setId(response.id)
>>> v.setName('Cross site scripting vulnerability')
>>> v.setSeverity(severity.MEDIUM)
>>> # proposed: references carried by the vuln object itself
>>> v.addReference('OWASP',
>>>                'https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)')
>>> v.addReference('CWE-79: Improper Neutralization of Input During Web Page Generation',
>>>                'http://cwe.mitre.org/data/definitions/79.html')
>>> msg = 'Cross Site Scripting was found at: ' + mutant.foundAt()
>>> msg += ' This vulnerability affects ' + ','.join(mutant.affected_browsers)
>>> v.setDesc(msg)
>>> v.addToHighlight(mod_value)
>>> kb.kb.append(self, 'xss', v)
>>> -------------------------------------------
>>> we can then use this additional information in output plugins.
>>> What do you think about it?
>>
>> I think it's a great idea! I would implement it in another way,
>> because in the future we'll also want to add a long description to the
>> vulnerability, recommendations for fixing, etc. and it doesn't sound
>> like that info should be in the middle of the code.

Hmm, I'm not sure if it is a good idea to add such big data into plugins and
the w3af core. Why don't we simply add references to such good security
information databases as the OWASP site or CWE? There are good descriptions,
recommendations for fixing and so on in them. For us it will be **much simpler**
to maintain correct references in plugins than whole texts!
>> This was something that was already tackled a while ago and never got to
>> trunk. The code is available here [0], maybe we can steal some ideas from
>> there. What do you think about this? [1] Maybe we should split this into
>> different XML files, change the code a little bit and we're done?

Oh, XML files... a single XML file with vulnerability descriptions is not a
good idea because it breaks the idea of plugin atomicity. You can't simply add
a Python file into w3af/plugins/.., you also need to make a connection in it
with the vulndata XML db. I have seen in sqli.py [0]:

-------------------------------------------
v = vuln.vuln(mutant)
v.setId(response.id)
v.setName('SQL injection vulnerability')
v.setW3afId('00036')  # id used to look the vuln up in the external XML db
v.setSeverity(severity.HIGH)
v['error'] = sql_error[0]
v['db'] = sql_error[1]
v.setDesc('SQL injection in a ' + v['db'] + ' was found at: ' + mutant.foundAt())
kb.kb.append(self, 'sqli', v)
break
-------------------------------------------

We see here that even with an external XML vuln database we need to specify
additional vuln information here like desc, severity, name.

[0] https://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby/plugins/audit/sqli.py

> Will you work on this proposal?
>
>> [0] http://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby
>> [1] http://sourceforge.net/apps/trac/w3af/browser/branches/rickybobby/core/data/vulnReferences
>>
>> Regards,
>>
>>> --
>>> Taras
>>> http://oxdef.info
>>>
>>> ------------------------------------------------------------------------------
>>> This SF email is sponsored by:
>>> Try Windows Azure free for 90 days Click Here
>>> http://p.sf.net/sfu/sfd2d-msazure
>>> _______________________________________________
>>> W3af-develop mailing list
>>> W3af-develop@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>> --
>> Andrés Riancho
>> Director of Web Security at Rapid7 LLC
>> Founder at Bonsai Information Security
>> Project Leader at w3af
>

--
Taras
http://oxdef.info
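The two designs argued over in the thread, as an added example that is not part of the mailing list post and not w3af code: a minimal vulnerability record that carries its own references the way the proposed addReference() call does, next to the lookup-by-id style that an external vulnerability database (the setW3afId('00036') pattern) requires. The class and function names (VulnRecord, add_reference, resolve_references, render_text), the EXTERNAL_VULNDATA table and the sample findings are all hypothetical or constructed here; they only mirror the shape of the calls quoted above. The example also covers the failure mode Taras describes: a plugin whose id has no entry in the external db ends up with no references, and the output side has to notice that.

```python
"""Added example (hypothetical names, not w3af's API): references carried on the
vuln object versus references resolved from an external vulnerability database."""

from urllib.parse import urlparse


class VulnRecord:
    """Stand-in for the KB vuln object discussed in the thread (hypothetical)."""

    ALLOWED_SCHEMES = ("http", "https")

    def __init__(self, name, severity, desc, w3af_id=None):
        self.name = name
        self.severity = severity
        self.desc = desc
        self.w3af_id = w3af_id          # id for the external db lookup, if any
        self._references = []           # (title, url) pairs, insertion order kept

    def add_reference(self, title, url):
        """Attach a reference. Only http(s) URLs are accepted so that output
        plugins never emit links with other schemes, and duplicates are dropped."""
        if urlparse(url).scheme not in self.ALLOWED_SCHEMES:
            raise ValueError("reference URL must be http(s): %r" % url)
        pair = (title.strip(), url)
        if pair not in self._references:
            self._references.append(pair)
        return self

    def references(self):
        return list(self._references)


# Constructed stand-in for the external vulndata db keyed by w3af id. A plugin
# dropped into plugins/ without an entry here gets no references from the db.
EXTERNAL_VULNDATA = {
    "00036": [
        ("OWASP", "https://www.owasp.org/index.php/SQL_Injection"),
        ("CWE-89", "http://cwe.mitre.org/data/definitions/89.html"),
    ],
}


def resolve_references(vuln, vulndata=EXTERNAL_VULNDATA):
    """Merge the plugin's own references with those in the external db.
    Returns (references, missing); missing is True when the record names a
    w3af id that the external db does not know about."""
    merged = vuln.references()
    missing = False
    if vuln.w3af_id is not None:
        entries = vulndata.get(vuln.w3af_id)
        if entries is None:
            missing = True
        else:
            for title, url in entries:
                if (title, url) not in merged:
                    merged.append((title, url))
    return merged, missing


def render_text(vuln):
    """What a plain-text output plugin would print for one finding."""
    refs, missing = resolve_references(vuln)
    lines = ["[%s] %s" % (vuln.severity, vuln.name), "  " + vuln.desc]
    if refs:
        lines.append("  References:")
        lines.extend("    - %s: %s" % (title, url) for title, url in refs)
    if missing:
        lines.append("  (no entry for id %s in the external vuln db)" % vuln.w3af_id)
    return "\n".join(lines)


def example_xss():
    """Inline style from the proposal: the plugin carries its references."""
    v = VulnRecord("Cross site scripting vulnerability", "MEDIUM",
                   "Cross Site Scripting was found at: http://example.test/?q= (constructed)")
    v.add_reference("OWASP", "https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)")
    v.add_reference("CWE-79: Improper Neutralization of Input During Web Page Generation",
                    "http://cwe.mitre.org/data/definitions/79.html")
    # second OWASP reference is a duplicate and is silently dropped
    v.add_reference("OWASP", "https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)")
    return v


def example_sqli():
    """External-db style: the plugin only sets the id, references come from the lookup."""
    return VulnRecord("SQL injection vulnerability", "HIGH",
                      "SQL injection in a mysql was found at: http://example.test/item?id=1 (constructed)",
                      w3af_id="00036")


if __name__ == "__main__":
    print(render_text(example_xss()))
    print(render_text(example_sqli()))
    # a plugin whose id is unknown to the db: the output shows the gap
    print(render_text(VulnRecord("Unregistered finding", "LOW", "constructed", w3af_id="99999")))
```

The inline style keeps each plugin self-contained (the atomicity point in the thread); the external-db style keeps the text out of the plugin code (Andres's point) but makes every plugin depend on the db having its id, which is why the renderer reports a missing entry instead of silently printing a finding with no references.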