[Owasp-leaders] Common web application vulnerability naming standard

psiinon psiinon at gmail.com
Wed Nov 17 08:08:44 EST 2010


Hi Dan,

Good luck with that, and I look forward to whatever you produce.

In OWASP ZAP you can manually raise alerts.
While you can type everything in, it also provides a pull down list of
common vulnerabilities which prepopulate the rest of the fields.
I wanted to use something like the OWASP vulnerabilities, but
these didn't seem suitable.
In the end I went with WASC and referenced WASC and CWE. I plan to add
OWASP links as well, just haven't had the time.
The file that defines the vulnerabilities is here:
http://code.google.com/p/zaproxy/source/browse/trunk/src/xml/vulnerabilities.xml

But I'd like to replace this with something that is maintained by
someone else :)

Any chance of an XML document coming out of your work - something that
programs like ZAP could consume??

Thanks,

Psiinon
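
As an added illustration of the kind of machine-readable catalogue asked for above (example code written for this page, not ZAP's own code; the element layout, the two sample entries, and the function names are assumptions for the example), a small loader that parses such an XML catalogue, checks that every entry carries well-formed WASC and CWE references, and prepopulates the alert fields a tester would otherwise type in by hand:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample catalogue. The element layout is an assumption made for
# this example; it is not the layout of ZAP's own vulnerabilities.xml.
CATALOGUE_XML = """<vulnerabilities>
  <vulnerability>
    <name>Insufficient Authentication</name>
    <wasc>WASC-01</wasc><cwe>CWE-287</cwe>
    <description>Sensitive content reachable without adequate identity checks.</description>
  </vulnerability>
  <vulnerability>
    <name>Brute Force</name>
    <wasc>WASC-11</wasc><cwe>CWE-307</cwe>
    <description>Credentials can be recovered by automated guessing.</description>
  </vulnerability>
</vulnerabilities>"""

WASC_ID = re.compile(r"^WASC-\d{2}$")
CWE_ID = re.compile(r"^CWE-\d+$")
WASC_TC_URL = "http://projects.webappsec.org/w/page/13246978/Threat-Classification"


def load_catalogue(xml_text):
    """Parse the catalogue into {name: entry}, rejecting malformed or duplicate entries."""
    catalogue = {}
    for item in ET.fromstring(xml_text).findall("vulnerability"):
        entry = {child.tag: (child.text or "").strip() for child in item}
        name = entry.get("name")
        if not name or name in catalogue:
            raise ValueError("missing or duplicate vulnerability name: %r" % name)
        if not WASC_ID.match(entry.get("wasc", "")) or not CWE_ID.match(entry.get("cwe", "")):
            raise ValueError("bad WASC/CWE reference in entry %r" % name)
        catalogue[name] = entry
    return catalogue


def prepopulate_alert(catalogue, name):
    """Fields a tool would fill in when a tester picks NAME from the pull-down list."""
    entry = catalogue[name]
    cwe_number = entry["cwe"].split("-", 1)[1]
    return {
        "alert": name,
        "description": entry["description"],
        "wasc": entry["wasc"],
        "cwe": entry["cwe"],
        "references": [WASC_TC_URL,
                       "https://cwe.mitre.org/data/definitions/%s.html" % cwe_number],
    }


CATALOGUE = load_catalogue(CATALOGUE_XML)
```

A catalogue maintained by someone else would only need to keep the same element names for this loader to consume it unchanged.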

On Wed, Nov 17, 2010 at 12:40 PM, daniel cuthbert
<daniel.cuthbert at owasp.org> wrote:
> Having just spent the past hour looking at both CWE and CAPEC, CAPEC does
> seem to fit in more with the direction I'm going. Giving your pdf a good read
> now, thanks for pointing that out (must have missed that on my travels)
>
>
> On 17 November 2010 14:26, Dan Cornell <dan at denimgroup.com> wrote:
>>
>> Is MITRE’s CWE (Common Weakness Enumeration) or CAPEC (Common Attack
>> Pattern Enumeration and Classification) what you’re looking for?
>>
>>
>>
>> CWE is similar to the WASC classification but _much_ more granular.  A
>> while back I put together some mappings between CWE and WASC (and OWASP Top
>> 10) here:
>>
>>
>> http://blog.denimgroup.com/denim_group/2010/01/mapping-between-owasp-top-10-2004-2007-wasc-242-and-sans-cwe25.html
>>
>>
>>
>> However, given the examples below the CAPEC might be the more applicable.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Dan
>>
>>
>>
>>
>>
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel cuthbert
>> Sent: Wednesday, November 17, 2010 4:45 AM
>> To: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Common web application vulnerability naming
>> standard
>>
>>
>>
>> Yes and no. Whilst the WASC Threat Classification is indeed a step in the
>> right direction, it's still incredibly high-level.
>>
>>
>>
>> Take WASC-01: Insufficient Authentication.
>>
>>
>>
>> Now this is great, it gives the viewer a better understanding of the
>> initial high-level issue with authentication but falls short of explaining
>> the vulns normally found such as:
>>
>>
>>
>> - user enumeration via the authentication mechanism
>>
>> - information leakage via the forgotten password function
>>
>> - DoS attacks aimed at account lockout procedure
>>
>>  and so on.
>>
>>
>>
>> I guess what I want doesn't currently exist in the public domain. I know
>> many have a private one, so this seems like a great time to start said
>> project.
>>
>>
>>
>>
>>
>> On 17 November 2010 12:29, Stephen de Vries <stephen at twisteddelight.org>
>> wrote:
>>
>> WASC Threat Classification?
>>
>> http://projects.webappsec.org/w/page/13246978/Threat-Classification
>>
>> On Nov 17, 2010, at 10:04 AM, daniel cuthbert wrote:
>>
>> > hey Leaders,
>> >
>> > I'm busy with potentially a new project for OWASP that tries to create a
>> > standard set of web app vulnerability names to be used during the reporting
>> > phase. In most cases, we all find the same issues but differ when it comes
>> > to the approach taken when reporting them. I feel that this sometimes has
>> > the ability to confuse clients, especially those using multiple vendors to
>> > perform assessments.
>> >
>> > With this in mind, can anyone share links of common web application
>> > vulnerability lists they know of? I'm trying to build up as many sources
>> > before I try and build up an OWASP document.
>> >
>> > Merce,
>> >
>> > Daniel
>>
>> > _______________________________________________
>> > OWASP-Leaders mailing list
>> > OWASP-Leaders at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
>
>

