websecurity@lists.webappsec.org

The Web Security Mailing List

Web App Defaults DB

RF
Rob Fuller
Mon, Mar 11, 2013 1:19 AM

Last year at Derbycon, Gillis Jones ( https://twitter.com/Gillis57 )
released something he'd been working on for a number of years. He called it
"BAdmin". Basically it was a list of information, including default
credentials and paths for a large number of CMSs.

I attended his talk and loved the resource. I approached him at ShmooCon
this year about it being difficult to contribute to the DB. We came up with
a combined effort to get it onto GitHub to make it public and easy to
access like BAdmin was, but also add in the ability for it to grow with
community support.

Hence https://github.com/WebAppDefaultsDB was born.

There are two repos. The first is cmsdefaultsdb, which is basically an homage
to Gillis' original work and, once completed from his original work, won't
change or be updated.

The other is https://github.com/WebAppDefaultsDB/webappdefaultsdb where we
plan to expand past CMSs to every type of web app we can imagine.

Right now this is in a real alpha phase and we are still learning what is
the best format for consumption by the community, but we could use your
help, thoughts, opinions, and knowledge of defaults.

Looking forward to making this a great resource for all. Thanks for your
time.

Also, if you aren't a Git fan and don't want to mess with it, I've created
an email account you can just shoot us info in any format you wish:
webappdefaultsdb_submissions@room362.com

(yes, I'll take PDFs, ZIPs, RARs, and DOCXM if you want to send exploits my
way) ;-)

--
Rob Fuller | Mubix
Certified Checkbox Unchecker
Room362.com | Hak5.org

AS
Andreas Schmidt
Mon, Mar 11, 2013 8:19 AM

Hi Rob,

I'm the author of WATOBO (http://watobo.sourceforge.net) and I would
like to offer an interface for your DB. From my experience one of the
easiest formats is YAML. It is straightforward, human readable and there
exist ready-to-use parsers for almost every scripting language. XML is
also fine but most of the time just overkill.

From a scanner point of view, to make results more reliable, additional
information about the CMS is necessary. Besides the URL, which might be
the same on different CMSs (e.g. admin.php), any kind of signature(s) is
helpful, e.g. a regular expression of its HTML body or of a specific
HTTP header.

Looking forward to seeing your DB growing.

-andy (@_znow)

I also had a quick view on the existing entries.

On 11.03.2013 02:19, Rob Fuller wrote:
The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
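Andreas' point above is that a default path alone (admin.php) does not identify an application, so each DB entry should carry signatures a scanner can match against the response. The following is an added example, not code from WATOBO or the WebAppDefaultsDB repos: it loads a small YAML snippet in the shape he suggests (default admin path plus a body regex and header regexes), shows that the path alone is ambiguous, and then identifies the application from a constructed HTTP response by requiring every configured signature to match. The application names, paths, regexes and the sample response are all constructed for illustration.

```ruby
# Added example: YAML-backed fingerprint entries with body/header signatures,
# and a matcher that applies them to an HTTP response. Not project code.
require 'yaml'

# Constructed DB snippet (hypothetical apps; not entries from the real DB).
# Both apps share the same default admin path, which is exactly why the
# signatures are needed. Single quotes keep the regex backslashes literal.
DEFAULTS_DB_YAML = <<~'YAML'
  - name: ExampleCMS
    admin_paths:
      - /admin.php
    signatures:
      body: 'content="ExampleCMS \d+\.\d+"'
      headers:
        X-Powered-By: 'ExampleCMS'
  - name: OtherCMS
    admin_paths:
      - /admin.php
    signatures:
      body: '<meta name="generator" content="OtherCMS'
YAML

Entry = Struct.new(:name, :admin_paths, :body_re, :header_res)

# Parse the YAML into entries, compiling regex strings once at load time.
def load_db(yaml_text)
  YAML.safe_load(yaml_text).map do |e|
    sig = e.fetch('signatures', {})
    header_res = (sig['headers'] || {}).map { |h, rx| [h.downcase, Regexp.new(rx)] }.to_h
    body_re = sig['body'] && Regexp.new(sig['body'])
    Entry.new(e['name'], e.fetch('admin_paths', []), body_re, header_res)
  end
end

DB = load_db(DEFAULTS_DB_YAML)

# Path lookup only: returns every app that ships the given default path,
# which demonstrates the ambiguity of matching on the URL alone.
def apps_with_path(db, path)
  db.select { |e| e.admin_paths.include?(path) }.map(&:name)
end

# An entry matches when ALL of its configured signatures match; an entry
# with no signatures at all never matches, so the DB cannot produce a hit
# on a URL alone. Header names are compared case-insensitively.
def entry_matches?(entry, headers, body)
  checks = []
  checks << entry.body_re.match?(body) if entry.body_re
  norm = headers.transform_keys(&:downcase)
  entry.header_res.each do |name, re|
    checks << (norm.key?(name) && re.match?(norm[name]))
  end
  !checks.empty? && checks.all?
end

# Identify the application(s) behind a response from its headers and body.
def identify(db, headers, body)
  db.select { |e| entry_matches?(e, headers, body) }.map(&:name)
end

# Constructed sample response (not captured from any real host).
SAMPLE_HEADERS = { 'Content-Type' => 'text/html', 'X-Powered-By' => 'ExampleCMS/2.4' }
SAMPLE_BODY = '<html><head><meta name="generator" content="ExampleCMS 2.4"></head></html>'

if $PROGRAM_NAME == __FILE__
  puts "apps shipping /admin.php: #{apps_with_path(DB, '/admin.php').inspect}"
  puts "identified from response: #{identify(DB, SAMPLE_HEADERS, SAMPLE_BODY).inspect}"
end
```

With this shape a scanner reports "ExampleCMS" only when both the generator tag and the X-Powered-By header agree, and an entry whose signatures do not match contributes nothing, even though its admin path is the same; adding a new app to the DB is a YAML edit rather than a code change.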

AR
Andres Riancho
Mon, Mar 11, 2013 8:10 PM

On Mon, Mar 11, 2013 at 5:19 AM, Andreas Schmidt <webappsec@siberas.de> wrote:

> Hi Rob,
>
> I'm the author of WATOBO (http://watobo.sourceforge.net) and I would like to
> offer an interface for your DB.

Same could be done with w3af if licensing is correct. Which license is
this work released under?

> From my experience one of the easiest formats
> is YAML. It is straightforward, human readable and there exist ready-to-use
> parsers for almost every scripting language. XML is also fine but most of
> the time just overkill.

Any computer readable format would be fine, the current one is hard to
parse well. If you guys are interested in having web application
scanners use this DB, you'll have to change to a nicer format. I
noticed that the original version was in JSON, why move to all those
md files?

> From a scanner point of view, to make results more reliable, additional
> information about the CMS is necessary. Besides the URL, which might be the
> same on different CMSs (e.g. admin.php), any kind of signature(s) is helpful,
> e.g. a regular expression of its HTML body or of a specific HTTP header.
>
> Looking forward to seeing your DB growing.

+1 !

> -andy (@_znow)
>
> I also had a quick view on the existing entries.
>
> On 11.03.2013 02:19, Rob Fuller wrote:

--
Andrés Riancho
Project Leader at w3af - http://w3af.org/
Web Application Attack and Audit Framework
Twitter: @w3af
GPG: 0x93C344F3
