[WEB SECURITY] Web App Defaults DB

Andres Riancho andres.riancho at gmail.com
Mon Mar 11 16:10:07 EDT 2013


On Mon, Mar 11, 2013 at 5:19 AM, Andreas Schmidt <webappsec at siberas.de> wrote:
> Hi Rob,
>
> I'm the author of WATOBO (http://watobo.sourceforge.net) and I would like to
> offer an interface for your DB.

Same could be done with w3af if licensing is correct. Which license is
this work released under?

> From my experience one of the easiest formats
> is YAML. It is straightforward, human readable and there exist ready-to-use
> parsers for almost every scripting language. XML is also fine but most of
> the time just overkill.

Any computer readable format would be fine, the current one is hard to
parse well. If you guys are interested in having web application
scanners use this DB, you'll have to change to a nicer format. I
noticed that the original version was in JSON, why move to all those
md files?

> From a scanner point of view, to make results more reliable additional
> information about the CMS is necessary. Besides the URL, which might be the
> same on different CMSs (e.g. admin.php), any kind of signature is helpful,
> e.g. a regular expression of its HTML body or of a specific HTTP header.
>
> Looking forward to seeing your DB grow.

+1 !

> -andy (@_znow)
>
>
>
> I also had a quick view on the existing entries. To
>
> On 11.03.2013 02:19, Rob Fuller wrote:
>
> Last year at Derbycon, Gillis Jones ( https://twitter.com/Gillis57 )
> released something he'd been working on for a number of years. He called it
> "BAdmin". Basically it was a list of information, including default
> credentials and paths for a large number of CMSs
>
> I attended his talk and loved the resource. I approached him at ShmooCon
> this year about it being difficult to contribute to the DB. We came up with
> a combined effort to get it onto GitHub to make it public and easy to access
> like BAdmin was, but also add in the ability for it to grow with community
> support.
>
> Hence https://github.com/WebAppDefaultsDB was born.
>
> There are two repos, the first is cmsdefaultsdb which is basically homage to
> Gillis' original work and once completed from his original work won't change
> or be updated.
>
> The other is https://github.com/WebAppDefaultsDB/webappdefaultsdb where we
> plan to expand past CMSs to every type of web app we can imagine.
>
> Right now this is in a real alpha phase and we are still learning what is
> the best format for consumption by the community, but we could use your
> help, thoughts, opinions, and knowledge of defaults.
>
> Looking forward to making this a great resource for all. Thanks for your
> time.
>
> Also, if you aren't a Git fan and don't want to mess with it, I've created
> an email account you can just shoot us info in any format you wish:
> webappdefaultsdb_submissions at room362.com
>
> (yes, I'll take PDFs, ZIPs, RARs, and DOCXM if you want to send exploits my
> way) ;-)
>
> --
> Rob Fuller | Mubix
> Certified Checkbox Unchecker
> Room362.com | Hak5.org
>
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
>



-- 
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
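The scanner-side use of such a DB that the thread describes (a machine-readable entry per application carrying default paths, default credentials and body/header regex signatures, with the signature deciding between applications that share a path such as admin.php), as an added example that is not part of this thread, of WebAppDefaultsDB, w3af or WATOBO. The entry field names, the two sample applications and the three sample HTTP responses are constructed for the example; JSON is used here only because it needs no extra library, and the same structure maps directly onto YAML.

```python
"""Fingerprint a web application from a defaults-DB entry: match the request
path, then confirm with body/header regexes, then report which default
credentials are worth trying. Constructed example, not the real DB format."""
import json
import re

# Constructed sample database. Field names (name, paths, default_credentials,
# signatures) are this example's own assumptions, not the WebAppDefaultsDB schema.
DEFAULTS_DB_JSON = r"""
[
  {
    "name": "ExampleCMS",
    "paths": ["/admin.php", "/administrator/"],
    "default_credentials": [{"username": "admin", "password": "admin"}],
    "signatures": {
      "body": ["<meta name=\"generator\" content=\"ExampleCMS [0-9.]+\""],
      "headers": {"X-Powered-By": "^ExampleCMS"}
    }
  },
  {
    "name": "OtherPortal",
    "paths": ["/admin.php"],
    "default_credentials": [{"username": "root", "password": "changeme"},
                            {"username": "admin", "password": "password"}],
    "signatures": {
      "body": ["Powered by OtherPortal"],
      "headers": {"Set-Cookie": "^OPSESSID="}
    }
  }
]
"""


def load_db(text):
    """Parse the DB and pre-compile every regex, so a malformed pattern fails
    at load time instead of halfway through a scan."""
    db = json.loads(text)
    for entry in db:
        sigs = entry.setdefault("signatures", {})
        entry["_body"] = [re.compile(p, re.I) for p in sigs.get("body", [])]
        # Header names are case-insensitive on the wire; normalise once here.
        entry["_headers"] = {name.lower(): re.compile(p, re.I)
                             for name, p in sigs.get("headers", {}).items()}
    return db


def fingerprint(db, path, headers, body):
    """Match one HTTP response (request path + response headers + body).

    Returns a list of result dicts, signature-confirmed entries first. An entry
    whose path matched but whose signatures all missed is reported as
    'path-only' so the caller treats it as a guess, not an identification.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    results = []
    for entry in db:
        if path not in entry["paths"]:
            continue
        hits = [f"body:{rx.pattern}" for rx in entry["_body"] if rx.search(body)]
        for hname, rx in entry["_headers"].items():
            value = lowered.get(hname)
            if value is not None and rx.search(value):
                hits.append(f"header:{hname}")
        results.append({
            "name": entry["name"],
            "confidence": "confirmed" if hits else "path-only",
            "evidence": hits,
            "credentials": entry["default_credentials"],
        })
    results.sort(key=lambda r: r["confidence"] != "confirmed")
    return results


# Constructed responses, as a scanner would see them after requesting /admin.php.
SAMPLE_RESPONSES = {
    "examplecms": {
        "headers": {"Content-Type": "text/html", "x-powered-by": "ExampleCMS/3.1"},
        "body": '<html><head><meta name="generator" content="ExampleCMS 3.1.0"></head>',
    },
    "otherportal": {
        "headers": {"Set-Cookie": "OPSESSID=abc123; Path=/"},
        "body": "<html><body>Login<br>Powered by OtherPortal</body></html>",
    },
    "unknown": {
        "headers": {"Content-Type": "text/html"},
        "body": "<html><body><form>admin login</form></body></html>",
    },
}

if __name__ == "__main__":
    db = load_db(DEFAULTS_DB_JSON)
    for label, resp in SAMPLE_RESPONSES.items():
        for r in fingerprint(db, "/admin.php", resp["headers"], resp["body"]):
            print(label, r["name"], r["confidence"], r["evidence"])
```

The point of the 'path-only' tier is the one raised above: both sample entries claim /admin.php, so a path hit alone says nothing about which credential list to try, and a scanner that fired default-credential checks on path alone would both waste requests and risk lockouts; only an entry whose body or header signature also fired should have its credentials tried.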