Remove duplicate entries (which differ on technique used to detect vulnerability) #13

Closed
andresriancho opened this issue Mar 30, 2015 · 4 comments

@andresriancho
Contributor

Are 27 and 28 the same vulnerability?

@Zapotek

Zapotek commented Mar 30, 2015

From vulndb's point of view yeah, you can remove one of them.

@andresriancho
Contributor Author

@Zapotek well, this started as a comment to myself, but it's really good you've answered since now I can ask a couple of follow-up questions 👍

I believe we'll have a small decision to make here. First let me ask: "Do you intend on using vulndb in Arachni?" If the answer is yes, then we'll have to find a way to handle these cases. One, of course, can be that Arachni reports the same vulnerability (without the different title) in both cases; another is that the ruby-sdk allows you to override the title?

The same thing happens with other vulnerabilities like XSS where the json files are almost the same. In cases like this I'm unsure if the developer reading these descriptions benefits from:

    "in the server's response.\nFor example", 
    "`HTTP://yoursite.com/INJECTION_HERE/`, where `INJECTION_HERE`", 
    "represents the location where the the tool payload was injected."

vs.

    "content directly into an HTML\ntag. For example `<INJECTION_HERE", 
    "href=.......etc>` where `INJECTION_HERE`\nrepresents the location where", 
    "the the tool payload was detected."

I want you to use vulndb in Arachni, hell, I want every tool to use it, it's the only way to maintain and grow it! So... what should we do?

@Zapotek

Zapotek commented Mar 30, 2015

I think we should remove all those permutations (same goes for timing attacks etc) and only keep the data for the root issue.
Then tools will be able to get the generic descriptions etc. and append any extra stuff about the way they identified the vuln as needed.

And yeah I'd like to use vulndb in Arachni eventually.

@andresriancho
Contributor Author

Ok then, I'll keep this issue open so we remember to do it
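
Added example, not part of the thread and not vulndb's own code: one way to find entries whose descriptions differ only in the detection-technique sentence, and to split a pair into shared root text and per-technique extras, as discussed above. The entries are constructed samples, and the field names `id`, `title` and `description` (a list of strings, as in the quoted fragments) are assumptions.

```python
import difflib
from itertools import combinations

# Constructed sample entries (not real vulndb content). The field names
# "id", "title" and "description" (a list of strings) are assumptions.
COMMON = [
    "Cross Site Scripting allows clients to inject scripts into a request",
    "and have the server return the script to the client in the response.",
    "This occurs because the application trusts the data it receives",
    "without validating or sanitizing it.",
]
ENTRIES = [
    {"id": 101, "title": "XSS in path",
     "description": COMMON + ["The payload was reflected in the server's response path."]},
    {"id": 102, "title": "XSS in HTML tag",
     "description": COMMON + ["The payload was injected directly into an HTML tag name."]},
    {"id": 103, "title": "SQL injection",
     "description": ["SQL injection occurs when user input is concatenated into",
                     "a database query, letting the input change the query's structure."]},
]

def tokens(entry):
    """Lower-cased word list of an entry's description."""
    return " ".join(entry["description"]).lower().split()

def find_near_duplicates(entries, threshold=0.8):
    """Return (id_a, id_b, ratio) for description pairs at or above threshold."""
    pairs = []
    for a, b in combinations(entries, 2):
        ratio = difflib.SequenceMatcher(None, tokens(a), tokens(b), autojunk=False).ratio()
        if ratio >= threshold:
            pairs.append((a["id"], b["id"], ratio))
    return pairs

def split_root_and_extras(a, b):
    """Split two near-duplicates into shared root text and per-entry extras."""
    ta, tb = tokens(a), tokens(b)
    sm = difflib.SequenceMatcher(None, ta, tb, autojunk=False)
    m = sm.find_longest_match(0, len(ta), 0, len(tb))
    root = " ".join(ta[m.a:m.a + m.size])
    extra_a = " ".join(ta[:m.a] + ta[m.a + m.size:])
    extra_b = " ".join(tb[:m.b] + tb[m.b + m.size:])
    return root, extra_a, extra_b

if __name__ == "__main__":
    for id_a, id_b, ratio in find_near_duplicates(ENTRIES):
        print(f"entries {id_a} and {id_b} look like one root issue ({ratio:.2f})")
```

The flagged pairs are candidates for manual review; the similarity threshold of 0.8 is an arbitrary starting point, not a value from the project.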

@andresriancho andresriancho changed the title Are 27 and 28 the same vulnerability? Remove duplicate entries (which differ on technique used to detect vulnerability) Mar 30, 2015
andresriancho added a commit that referenced this issue Apr 1, 2015
@andresriancho andresriancho self-assigned this Apr 2, 2015
andresriancho added a commit that referenced this issue Apr 4, 2015