OWASP publishes the VulnXML db

The first VulnXML db draft release is available at:

VulnXML is a description for static known vulnerabilities and provides all necessary information to let an execution engine automatically craft and launch appropriate HTTP, SOAP or WebDAV requests and analyse the response whether the attack had success.

Besides it provides some human readable classification of the described vulnerability.

The online database is based upon OWASP's Common Library (OCL) and suited to create and retrieve VulnXML records.

Deviating from the original plans, lots of work have been put into a viable framework for a HTML based editor that is powerful enough to cope with the relative complexity of structures like the VulnXML description.

The outcome of this is a highly modular, fast and powerful java library that generates validation routines directly from any given DTD and comes with a dynamic layout engine that generates XHTML 1.1 strict and WAI AAA compliant html forms. It is even able to cope with recursive data structures like the "Compare"
node within VulnXML (cf. http://beta.owasp.org/development/ocl\)

We would like to ask you to visit the VulnXML db at http://beta.owasp.org/vulnxml and try out if it works for you. The special focus for the feedback we want
lies in the usability of the editor (for access register, login and "propose entry") and the suitability of the VulnXML DTD to describe application level attacks.

We will implement an execution engine for VulnXML records soon such that it will become much easier to evaluate the latter. (There is some script code available that is able to execute older versions of VulnXML at http://owasp.org/vulnxml\).

Any help and/or feedback is highly welcome

Yours sincerely

The OWASP team

Posted by Ingo Struck 2003-07-03