[WEB SECURITY] Web App Defaults DB
webappsec at siberas.de
Mon Mar 11 04:19:34 EDT 2013
I'm the author of WATOBO (http://watobo.sourceforge.net) and I would
like to offer a interface for your DB. From my experience one of the
easiest formats is YAML. It is straightforward, human readable and there
exists ready-to-use parsers for almost every scripting language. XML is
also fine but most of the time just an overkill.
>From a scanner point of view, to make results more reliable additional
information about the CMS are necessary. Beside the url which might be
the same on different CMS (e.g. admin.php) any kind of signature(s) is
helpful, e.g. a regular expression of its html body or of a specific
Looking forward to see your DB growing.
reI also had a quick view on the existing entries. To Am 11.03.2013
02:19, schrieb Rob Fuller:
> Last year at Derbycon, Gillis Jones ( https://twitter.com/Gillis57 )
> released something he'd been working on for a number of years. He
> called it "BAdmin". Basically it was a list of information, including
> default credentials and paths for a large number of CMSs
> I attended his talk and loved the resource. I approached him at
> ShmooCon this year about it being difficult to contribute to the DB.
> We came up with a combined effort to get in onto Github to make it
> public and easy to access like BAdmin was, but also add in the ability
> for it to grow with community support.
> Hence https://github.com/WebAppDefaultsDB was born.
> There are two repos, the first is cmsdefaultsdb which is basically
> homage to Gillis' original work and once completed from his original
> work wont change or be updated.
> The other is https://github.com/WebAppDefaultsDB/webappdefaultsdb
> where we plan to expand past CMSs to every type of web app we can imagine.
> Right now this is in a real alpha phase and we are still learning what
> is the best format for consumption by the community, but we could use
> your help, thought, opinions, and knowledge of defaults.
> Looking forward to making this a great resource for all. Thanks for
> your time.
> Also, if you aren't a Git fan and don't want to mess with it, I've
> created an email account you can just shoot us info in any format you
> wish: webappdefaultsdb_submissions at room362.com
> <mailto:webappdefaultsdb_submissions at room362.com>
> (yes, I'll take PDFs, ZIPs, RARs, and DOCXM if you want to send
> exploits my way) ;-)
> Rob Fuller | Mubix
> Certified Checkbox Unchecker
> Room362.com | Hak5.org
> The Web Security Mailing List
> WebSecurity RSS Feed
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
> WASC on Twitter
> websecurity at lists.webappsec.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the websecurity