Mailing List Archive

Use of VulnXML on Nessus?
I'm curious to know if anyone is working on a plugin for VulnXML (see
below) for Nessus. Is anyone? VulnXML is a metadatabase format to define
vulnerabilities that could be proved using web scanning tools (SPIKE
implements it). I would like to see this kind of support in Nessus, I
have developed Nikto and Whisker tests (the Debian package includes
them). However, as CGI-scanning tools they do just so much (and they
don't use a proper database).

I'm not sure if evolution in this area should be done by taking Nikto
(since Whisker is no longer supported) and changing it into using
VulnXML and have Nessus use Nikto, or rather have Nessus use VulnXML
substituting the current way to do web-related app security checks.

Regards

Javi

PS: From OWASP: VulnXML
"The VulnXML project is an effort to provide an open standard format for
static web application security checks that can be used by open source
and commercial tools, backed by a community process that provides a
freely available, QA'd, up to date and comprehensive database of
webappsec checks (of course without warranty of any kind !). OWASP will
maintain the database on behalf of the community.
The project team has developed a web interface which gives the ability
for users to submit checks either in an XML file format or by completing
an online form, which then get submitted into queues for QA'ing and
enhancing. Only when a check has been quality assured, will it be released
into a production queue to be tagged and join the production database.
The checks will be made available via the web site.
Already SPIKE (www.immunitysec.com), Kavado and OWASP will be
implementing VulnXML with more to follow. The database will be initially
populated in Q4 of 2002 and opened for full use with the OWASP portal in
early 2003."
Re: Use of VulnXML on Nessus?
It's probable that at some point I will support loading checks written in the
VulnXML format for Nikto, but I will continue to rely on CSV, and also the
format for checks that comes from osvdb.org (which may end up being VulnXML).
The VulnXML format seemed a bit lengthy to me when I looked at implementing it
for Nikto, and the CSV files would become really large XML documents if I
converted them. The sample VulnXML check is about 100 lines for one test, which
would make the converted Nikto DB around 150,000 lines... pretty sizable
(correct me if I'm wrong).

That being said, there's no reason a well formatted XML doc can't be
converted fairly easily to NASL, Whisker 1/2 format, Nikto CSV format...

-Sullo



Quoting Javier Fernández-Sanguino Peña <jfernandez@germinus.com>:
> I'm curious to know if anyone is working on a plugin for VulnXML (see
> below) for Nessus. Is anyone? VulnXML is a metadatabase format to define
> vulnerabilities that could be proved using web scanning tools (SPIKE
> implements it). I would like to see this kind of support in Nessus, I
> have developed Nikto and Whisker tests (the Debian package includes
> them). However, as CGI-scanning tools they do just so much (and they
> don't use a proper database).
>
> I'm not sure if evolution in this area should be done by taking Nikto
> (since Whisker is no longer supported) and changing it into using
> VulnXML and have Nessus use Nikto, or rather have Nessus use VulnXML
> substituting the current way to do web-related app security checks.
>
> Regards
>
> Javi
>
> PS: From OWASP: VulnXML
> "The VulnXML project is an effort to provide an open standard format for
> static web application security checks that can be used by open source
> and commercial tools, backed by a community process that provides a
> freely available, QA'd, up to date and comprehensive database of
> webappsec checks (of course without warranty of any kind !). OWASP will
> maintain the database on behalf of the community.
> The project team has developed a web interface which gives the ability
> for users to submit checks either in an XML file format or by completing
> an online form, which then get submitted into queues for QA'ing and
> enhancing. Only when a check has been quality assured, will it be released
> into a production queue to be tagged and join the production database.
> The checks will be made available via the web site.
> Already SPIKE (www.immunitysec.com), Kavado and OWASP will be
> implementing VulnXML with more to follow. The database will be initially
> populated in Q4 of 2002 and opened for full use with the OWASP portal in
> early 2003."
>
>
Re: Use of VulnXML on Nessus?
I noticed your posts about VulnXML. I am one of the people running OWASP
and thought I would drop you a note.

It's worth noting that VulnXML really is about static web application
security checks only (you can do very funky things with iterating over
spider results but as SPIKE is doing (or planning) but...). It focuses
on building HTTP transactions such as specific headers (cookies, refers
etc) and requests. It wasn't designed or optimized to be a generic
vulnerability format, but specifically for web application checks.

As I think someone mentioned, a well formed and validated XML document
(every VulnXML from the OWASP database will have to be this) can easily
be converted. This supports the ideas we had for interoperability. We
designed the format so it contains enough meta-data to build the check,
but doesn't dictate how the tool actually does it.

The OWASP web interface to our database should be on-line within a few
weeks and we'll have a developers guide to the VulnXML format out later
this week.

Cheers

Mark


On Thu, 2002-10-31 at 05:27, sullo@cirt.net wrote:
> It's probable that at some point I will support loading checks written in the
> VulnXML format for Nikto, but I will continue to rely on CSV, and also the
> format for checks that comes from osvdb.org (which may end up being VulnXML).
> The VulnXML format seemed a bit lengthy to me when I looked at implementing it
> for Nikto, and the CSV files would become really large XML documents if I
> converted them. The sample VulnXML check is about 100 lines for one test, which
> would make the converted Nikto DB around 150,000 lines... pretty sizable
> (correct me if I'm wrong).
>
> That being said, there's no reason a well formatted XML doc can't be
> converted fairly easily to NASL, Whisker 1/2 format, Nikto CSV format...
>
> -Sullo
>
>
>
> Quoting Javier Fernández-Sanguino Peña <jfernandez@germinus.com>:
> > I'm curious to know if anyone is working on a plugin for VulnXML (see
> > below) for Nessus. Is anyone? VulnXML is a metadatabase format to define
> > vulnerabilities that could be proved using web scanning tools (SPIKE
> > implements it). I would like to see this kind of support in Nessus, I
> > have developed Nikto and Whisker tests (the Debian package includes
> > them). However, as CGI-scanning tools they do just so much (and they
> > don't use a proper database).
> >
> > I'm not sure if evolution in this area should be done by taking Nikto
> > (since Whisker is no longer supported) and changing it into using
> > VulnXML and have Nessus use Nikto, or rather have Nessus use VulnXML
> > substituting the current way to do web-related app security checks.
> >
> > Regards
> >
> > Javi
> >
> > PS: From OWASP: VulnXML
> > "The VulnXML project is an effort to provide an open standard format for
> > static web application security checks that can be used by open source
> > and commercial tools, backed by a community process that provides a
> > freely available, QA'd, up to date and comprehensive database of
> > webappsec checks (of course without warranty of any kind !). OWASP will
> > maintain the database on behalf of the community.
> > The project team has developed a web interface which gives the ability
> > for users to submit checks either in an XML file format or by completing
> > an online form, which then get submitted into queues for QA'ing and
> > enhancing. Only when a check has been quality assured, will it be released
> > into a production queue to be tagged and join the production database.
> > The checks will be made available via the web site.
> > Already SPIKE (www.immunitysec.com), Kavado and OWASP will be
> > implementing VulnXML with more to follow. The database will be initially
> > populated in Q4 of 2002 and opened for full use with the OWASP portal in
> > early 2003."
> >
> >
>
>
>
>
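The conversion point made in the two replies above (a validated XML check carries enough metadata to build the HTTP transaction, and can be flattened to a CSV line), as an added example that is not part of the original posts and not OWASP or Nikto code. The element names, attribute names and CSV column order are hypothetical; they are not the real VulnXML schema or Nikto's database layout.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample check in a HYPOTHETICAL simplified schema (not real VulnXML).
SAMPLE_CHECK = """\
<check id="EXAMPLE-0001">
  <description>Sample CGI script left installed</description>
  <request method="GET" path="/cgi-bin/example.cgi">
    <header name="Cookie">session=test</header>
    <header name="Referer">http://scanner.example/</header>
  </request>
  <match status="200"/>
</check>
"""

ALLOWED_METHODS = {"GET", "HEAD", "POST"}

def parse_check(xml_text):
    """Parse one submitted check; raise ValueError if it fails validation."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs/entities are not accepted in submitted checks")
    root = ET.fromstring(xml_text)
    req, match = root.find("request"), root.find("match")
    if root.tag != "check" or req is None or match is None:
        raise ValueError("missing required element")
    method, path = req.get("method", ""), req.get("path", "")
    if method not in ALLOWED_METHODS or not path.startswith("/"):
        raise ValueError("bad method or path")
    headers = [(h.get("name", ""), (h.text or "").strip()) for h in req.findall("header")]
    # Reject CR/LF so a check cannot add extra header lines to the request.
    if any(c in v for v in [path] + [x for h in headers for x in h] for c in "\r\n"):
        raise ValueError("CR/LF in request field")
    return {"id": root.get("id", ""), "method": method, "path": path,
            "headers": headers, "status": int(match.get("status", "200")),
            "description": (root.findtext("description") or "").strip()}

def to_csv_row(check):
    """Flatten to one CSV line (assumed column order; headers are dropped)."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerow(
        [check["id"], check["path"], check["status"], check["method"], check["description"]])
    return buf.getvalue().rstrip("\r\n")

def to_http_request(check, host):
    """Render the raw HTTP/1.0 request a scanner would send for this check."""
    lines = ["%s %s HTTP/1.0" % (check["method"], check["path"]), "Host: " + host]
    lines += ["%s: %s" % h for h in check["headers"]]
    return "\r\n".join(lines) + "\r\n\r\n"
```

The CSV row loses the header metadata that the XML form carries, which is the trade-off between the compact and the verbose format discussed in the thread.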
Re: Use of VulnXML on Nessus?
Mark Curphey wrote:

>I noticed your posts about VulnXML. I am one of the people running OWASP
>and thought I would drop you a note.
>
Thanks beforehand.

>It's worth noting that VulnXML really is about static web application
>security checks only (you can do very funky things with iterating over
>spider results but as SPIKE is doing (or planning) but...). It focuses
>on building HTTP transactions such as specific headers (cookies, refers
>etc) and requests. It wasn't designed or optimized to be a generic
>vulnerability format, but specifically for web application checks.
>
(...)
I knew that already, maybe I was too generic. I meant that Nessus could
use it for the web application checks that are currently done using NASL
(or Whisker or Nikto...). In any case, Nessus could (should?) get to a
point doing similar stuff to Spike (except for the proxy stuff).

>
>
>The OWASP web interface to our database should be on-line within a few
>weeks and we'll have a developers guide to the VulnXML format out later
>this week.
>
And I will gladly use it :)

>
>
>Cheers
>
>Mark
>
Regards

Javi