I'm curious to know if anyone is working on a plugin for VulnXML (see
below) for Nessus. Is anyone? VulnXML is a metadabase format to define
vulnerabilities that could be proved using web scanning tools (SPIKE
implements it). I would like to see this kind of support in Nessus, I
have developed Nikto and Whisker tests (the Debian package includes
them. However, as CGI-scanning tools they do just so much (and they
don't use a proper database).
I'm not sure if evolution in this area should be done by taking Nikto
(since Whisker is no longer supported) and changing it into using
VulnXML and have Nessus use Nikto, or rather have Nessus use VulnXML
subsituting the current way to do web-related app security checks.
Regards
Javi
PS: From OWASP: VulnXML
"The VulnXML project is an effort to provide an open standard format for
static web application security checks that can be used by open source
and commercial tools, backed by a community process that provides a
freely available, QA'd, up to date and comprehensive database of
webappsec checks (of course without warranty of any kind !). OWASP will
maintain the database on behalf of the community.
The project team has developed a web interface which gives the ability
for users to submit checks either in a XML file format or by completing
an online form, which then get submitted into queues for QA'ing and
enhancing. Only when a check has quality assured, will it be released
into a production queue to be tagged and join the production database.
The checks will be made available via the web site.
Already SPIKE (www.immunitysec.com), Kavado and OWASP will be
implementing VulnXML with more to follow. The database will be initially
populated in Q4 of 2002 and opened for full use with the OWASP portal in
early 2003."
below) for Nessus. Is anyone? VulnXML is a metadabase format to define
vulnerabilities that could be proved using web scanning tools (SPIKE
implements it). I would like to see this kind of support in Nessus, I
have developed Nikto and Whisker tests (the Debian package includes
them. However, as CGI-scanning tools they do just so much (and they
don't use a proper database).
I'm not sure if evolution in this area should be done by taking Nikto
(since Whisker is no longer supported) and changing it into using
VulnXML and have Nessus use Nikto, or rather have Nessus use VulnXML
subsituting the current way to do web-related app security checks.
Regards
Javi
PS: From OWASP: VulnXML
"The VulnXML project is an effort to provide an open standard format for
static web application security checks that can be used by open source
and commercial tools, backed by a community process that provides a
freely available, QA'd, up to date and comprehensive database of
webappsec checks (of course without warranty of any kind !). OWASP will
maintain the database on behalf of the community.
The project team has developed a web interface which gives the ability
for users to submit checks either in a XML file format or by completing
an online form, which then get submitted into queues for QA'ing and
enhancing. Only when a check has quality assured, will it be released
into a production queue to be tagged and join the production database.
The checks will be made available via the web site.
Already SPIKE (www.immunitysec.com), Kavado and OWASP will be
implementing VulnXML with more to follow. The database will be initially
populated in Q4 of 2002 and opened for full use with the OWASP portal in
early 2003."