Subject: RE: [was] Meeting Minutes
Rogan / Team,

One thing I have been thinking about is possibly a different approach to dealing with the problem (or maybe the same depending on your view point). I think I would be right in saying that today we try to describe a complete transaction. In a simple case like an XSS that would be the http request being sent along with any pre and post conditions.

Another approach, or more accurately a powerful extension, may be to extrapolate the attack in such a way that the scenario could become: Get a URI, operate on response. So in the case of an XSS test you could request a URI, parse the http headers or html and then build test requests with a defined payload.

Essentially this approach (extension) would mean you could potentially create generic XSS, path traversal tests etc, which then takes WAS to a powerful dynamic testing language from a static description format.

Any thoughts on this approach?

-----Original Message-----
From: Dawes, Rogan (ZA - Johannesburg) [mailto:rdawes@deloitte.co.za]
Sent: Thursday, October 23, 2003 1:28 AM
To: 'Mark Curphey '; 'was@lists.oasis-open.org '

Hi folks,

The WAS engine is checked into the CVS for WebScarab at SourceForge, or you can get an interim release from my personal web page at http://home.intekom.co.za/rdawes/WebScarab.jar

The WAS engine is not accessible through the GUI. You will need to call it in the following way:

    java -cp webscarab.jar org.owasp.webscarab.plugin.was.WASExecutor url testfile

You may also need to get the jakarta commons libs, if it complains about missing class files.

Currently, it does nothing with the test description. In particular, it does not check to see whether it applies to a particular URL. That will probably be done this week some time. Also, it does not implement Request Body functionality, so you cannot do POST. I have also not yet implemented building a request query from individual parameter elements. If you want a URL with parameters, build it in the <URL> block using ${variable} if necessary.

Currently, I think it should be sufficient to implement most of the Whisker and Nikto tests, given the restrictions above. I hope to have time to work on it this week.

Rogan

-----Original Message-----
From: Mark Curphey
To: was@lists.oasis-open.org
Sent: 10/22/03 9:42 PM
Subject: [was] Meeting Minutes

Meeting minutes from last week's meeting are now posted on the OASIS site.

In short, Rogan Dawes has created a basic WAS execution engine in order for the TC members to explore the limitations of the existing VulnXML format and design WAS accordingly. So at this point we need people to start creating test cases, recording real limitations and designing WAS 1.0 accordingly. Please take time to download the current engine, build test cases and share your experience.

Rogan, can you update everyone with the limitations of the current engine build so we don't build test cases that are currently not implemented in the reference engine, and point everyone to the latest build?

Thanks

To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/was/members/leave_workgroup.php.

Important Notice: This email is subject to important restrictions, qualifications and disclaimers ("the Disclaimer") that must be accessed and read by clicking here or by copying and pasting the following address into your Internet browser's address bar: http://www.Deloitte.co.za/Disc.htm. The Disclaimer is deemed to form part of the content of this email in terms of Section 11 of the Electronic Communications and Transactions Act, 25 of 2002. If you cannot access the Disclaimer, please obtain a copy thereof from us by sending an email to ClientServiceCentre@Deloitte.co.za.
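The "Get a URI, operate on response" extension proposed in the first message, together with the ${variable} substitution Rogan describes for the <URL> block, sketched as an added Python example. This is not WebScarab's or the WAS engine's code and does not use the real VulnXML/WAS schema: the test description is a hypothetical dict with a URL template, the HTML start page and the server are constructed in-memory stand-ins so the example runs offline, and the probe is an inert marker whose angle brackets only reveal whether the application reflects input raw or entity-encodes it.

```python
import html
from html.parser import HTMLParser
from string import Template
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit

# Constructed, inert marker: the angle brackets only tell us whether the
# application reflects input verbatim or entity-encodes it.
PROBE = "<wasprobe7f3a>"

# Constructed test description: a URL template using ${variable}, in the
# spirit of the <URL> block described on the list (not the real WAS schema).
TEST_DESCRIPTION = {
    "name": "generic reflected-input check",
    "url": "http://${host}/",
    "variables": {"host": "app.example.test"},
}

# Constructed HTML returned by the start URL: one GET form and one POST form.
INDEX_HTML = """<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="/comment" method="post">
  <input name="author"><input name="text"><input type="submit">
</form></body></html>"""


def expand_url(template, variables):
    """Fill ${variable} placeholders in a URL template."""
    return Template(template).substitute(variables)


class FormParser(HTMLParser):
    """Collect each form's action, method and named input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def build_requests(base_url, forms, probe=PROBE):
    """One request per field, placing the probe in that field only."""
    requests = []
    for form in forms:
        action = urljoin(base_url, form["action"])
        for field in form["fields"]:
            params = {f: (probe if f == field else "x") for f in form["fields"]}
            if form["method"] == "post":
                requests.append({"method": "POST", "url": action,
                                 "body": urlencode(params), "field": field})
            else:
                requests.append({"method": "GET",
                                 "url": action + "?" + urlencode(params),
                                 "body": None, "field": field})
    return requests


def fake_server(method, url, body=None):
    """Constructed in-memory stand-in for the HTTP round trip (offline).
    /search echoes its parameter raw; /comment entity-encodes it."""
    parts = urlsplit(url)
    raw = parts.query if method == "GET" else (body or "")
    params = dict(parse_qsl(raw))
    if parts.path == "/":
        return INDEX_HTML
    if parts.path == "/search":
        return "<p>Results for %s</p>" % params.get("q", "")
    if parts.path == "/comment":
        return "<p>Thanks, %s</p>" % html.escape(params.get("author", ""))
    return "<p>not found</p>"


def run_test(description, fetch=fake_server, probe=PROBE):
    """Get the URI, parse the response, build and send per-field probes,
    and report (method, path, field) wherever the probe comes back raw."""
    start_url = expand_url(description["url"], description["variables"])
    parser = FormParser()
    parser.feed(fetch("GET", start_url))
    findings = []
    for req in build_requests(start_url, parser.forms, probe):
        response = fetch(req["method"], req["url"], req["body"])
        if probe in response:
            findings.append((req["method"], urlsplit(req["url"]).path, req["field"]))
    return findings


if __name__ == "__main__":
    for finding in run_test(TEST_DESCRIPTION):
        print("unencoded reflection:", finding)
```

The point of the structure is that nothing about the forms or parameters is written into the test description: the engine discovers them from the response and derives the requests, which is what turns a static transaction description into a generic check. To run it against a real application you would swap fake_server for an HTTP client with the same (method, url, body) signature; the probe stays inert either way, since a raw reflection of the marker is already the finding.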