From kost at linux.hr Thu Jun 9 15:57:25 2011
From: kost at linux.hr (Vlatko Kosturjak)
Date: Thu, 9 Jun 2011 22:57:25 +0200
Subject: [Nikto-discuss] OWASP favicon and nikto
Message-ID: <20110609205725.GA23097@griffin.linux.hr>

Hello!

I'm not sure if you are aware of the OWASP favicon project located here:
https://www.owasp.org/index.php/Category:OWASP_Favicon_Database_Project

In short, the idea is to have a central database of favicon hashes. So,
most open source projects can benefit from it. The database itself is
located on the wiki:
https://www.owasp.org/index.php/OWASP_favicon_database
and everyone is welcome to contribute (it's a wiki!). Also, we're trying
to make the contribution process easy for contributors, so we're
accepting contributions via Twitter as well (just send the MD5 and
identification to @OWASPfavicon).

I would like to invite nikto to update its database from there. Also, if
there's anything the database misses - please help and add.

We're also preparing for a new round of internet-wide scanning, so post
your ideas before it's too late! In this new scan, we plan to support
apple-touch-icon as well.

Looking forward to the partnership!

--
Vlatko Kosturjak - KoSt

From csullo at gmail.com Thu Jun 9 19:55:47 2011
From: csullo at gmail.com (Sullo)
Date: Thu, 9 Jun 2011 20:55:47 -0400
Subject: [Nikto-discuss] OWASP favicon and nikto
In-Reply-To: <20110609205725.GA23097@griffin.linux.hr>
References: <20110609205725.GA23097@griffin.linux.hr>
Message-ID:

On Thu, Jun 9, 2011 at 4:57 PM, Vlatko Kosturjak wrote:
> I'm not sure if you are aware of the OWASP favicon project located here:
> https://www.owasp.org/index.php/Category:OWASP_Favicon_Database_Project

I wasn't aware of this project, but I am glad to see it.

> In short, the idea is to have a central database of favicon hashes. So,
> most open source projects can benefit from it.

I don't see any licensing information on the database--what is it being
released under?

> I would like to invite nikto to update its database from there. Also,
> if there's anything the database misses - please help and add.

Would certainly like to contribute & use the database--how exactly
depends on the licensing (either inclusion in nikto's database, or
loading a distinct file). At some point nikto's database was
incorporated into the nmap nse, so it's likely almost all are found in
there already.

> We're also preparing for a new round of internet-wide scanning, so post
> your ideas before it's too late! In this new scan, we plan to support
> apple-touch-icon as well.

This is always a worthwhile effort, but the difficult part is of course
sifting through the data when it's gathered, and identifying the product
that an icon ties back to. I have done this previously with a crawler
with quite a bit of success, but weeding out site icons vs products was
a challenge that required a web app. Probably a discussion for the other
list though!

Thanks for making us aware of the project and I look forward to seeing
how the survey progresses.

-Sullo

--
http://www.cirt.net | http://www.osvdb.org/

From dave at cirt.net Fri Jun 10 08:54:37 2011
From: dave at cirt.net (dave at cirt.net)
Date: Fri, 10 Jun 2011 09:54:37 -0400
Subject: [Nikto-discuss] OWASP favicon and nikto
In-Reply-To:
References: <20110609205725.GA23097@griffin.linux.hr>
Message-ID: <20110610095437.58041yn49j70eyis@webmail.cirt.net>

First off - more good lists coming from OWASP, which are always good for
the community!

Quoting Sullo:

>> I would like to invite nikto to update its database from there. Also,
>> if there's anything the database misses - please help and add.
> Would certainly like to contribute & use the database--how exactly
> depends on the licensing (either inclusion in nikto's database, or
> loading a distinct file). At some point nikto's database was
> incorporated into the nmap nse, so it's likely almost all are found in
> there already.

If there's a problem with the licence, then we could always implement it
like we did the directories list from DirBuster - i.e. add support for
the file format to the plugin and allow the user to use it, but they
need to source the list themselves.

Updating directly from OWASP instead of cirt.net also would mean that
we're dependent on an external site that isn't controlled by cirt.net.

The above can be worked around, if necessary, by an import script, but
it needs to be thought about for a bit (i.e. do we want our users to run
two scripts, or are we happy that OWASP won't change the URL of the
database etc.).

From kost at linux.hr Wed Jun 15 16:28:00 2011
From: kost at linux.hr (Vlatko Kosturjak)
Date: Wed, 15 Jun 2011 23:28:00 +0200
Subject: [Nikto-discuss] OWASP favicon and nikto
In-Reply-To:
References: <20110609205725.GA23097@griffin.linux.hr>
Message-ID: <20110615212800.GC18806@griffin.linux.hr>

On Thu, Jun 09, 2011 at 08:55:47PM -0400, Sullo wrote:
> On Thu, Jun 9, 2011 at 4:57 PM, Vlatko Kosturjak wrote:
> > In short, the idea is to have a central database of favicon hashes. So,
> > most open source projects can benefit from it.
> I don't see any licensing information on the database--what is it
> being released under?
> Would certainly like to contribute & use the database--how exactly
> depends on the licensing (either inclusion in nikto's database, or
> loading a distinct file). At some point nikto's database was
> incorporated into the nmap nse, so it's likely almost all are found in
> there already.

That's another invite - let's talk about licensing!

The scripts I've made to crawl the internet are under GPL 2+:
https://github.com/kost/owasp-favicon-crawl

Since I'm the only contributor to these scripts, I can dual license them
or change the script license if there's any problem with that. But
personally, I don't see any problem with GPL 2+ and the scripts are not
rocket science!

Regarding the database, my personal viewpoint is that there is no sense
in having 10 different and incomplete databases. And also there is no
point in having a database which no one will use. So, yes, cooperation
sounds good and let's see what license is best for OWASP and for open
and/or commercial projects including nikto, w3af, ... So, what are the
best/acceptable licenses for nikto?

> This is always a worthwhile effort, but the difficult part is of
> course sifting through the data when it's gathered, and identifying
> the product that an icon ties back to. I have done this previously
> with a crawler with quite a bit of success, but weeding out site icons
> vs products was a challenge that required a web app. Probably a
> discussion for the other list though!

Absolutely true! Had the same experience, but that's where the power of
the community comes in, and I tried to make contributions easy as you
can edit the wiki yourself or send the MD5 via Twitter with proper
identification.

In short, let's talk!

--
Vlatko Kosturjak - KoSt

From kost at linux.hr Wed Jun 15 16:43:32 2011
From: kost at linux.hr (Vlatko Kosturjak)
Date: Wed, 15 Jun 2011 23:43:32 +0200
Subject: [Nikto-discuss] OWASP favicon and nikto
In-Reply-To: <20110610095437.58041yn49j70eyis@webmail.cirt.net>
References: <20110609205725.GA23097@griffin.linux.hr>
	<20110610095437.58041yn49j70eyis@webmail.cirt.net>
Message-ID: <20110615214332.GD18806@griffin.linux.hr>

On Fri, Jun 10, 2011 at 09:54:37AM -0400, dave at cirt.net wrote:
> If there's a problem with the licence, then we could always implement it
> like we did the directories list from DirBuster - i.e. add support for
> the file format to the plugin and allow the user to use it, but they
> need to source the list themselves.

Again, let's talk about the license!

> Updating directly from OWASP instead of cirt.net also would mean that
> we're dependent on an external site that isn't controlled by cirt.net.
> The above can be worked around, if necessary, by an import script, but
> it needs to be thought about for a bit (i.e. do we want our users to run
> two scripts, or are we happy that OWASP won't change the URL of the
> database etc.).

I guess having a cron script on the Nikto update server side and syncing
(with additional checks) on some regular basis sounds reasonable. The
database is not big and you will be less dependent on external stuff,
and you don't have to update nikto if OWASP (for some reason) changes
the URL. You only need to change the sync script on the server.

I'm also attaching the script which I used for converting from the OWASP
database to Nikto db style if it will help. Don't ask me for the
license, it's public domain! ;)

--
Vlatko Kosturjak - KoSt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: owaspfavicon2nikto.pl
Type: text/x-perl
Size: 271 bytes
Desc: not available
URL:

From kost at linux.hr Wed Jun 15 17:01:24 2011
From: kost at linux.hr (Vlatko Kosturjak)
Date: Thu, 16 Jun 2011 00:01:24 +0200
Subject: [Nikto-discuss] OWASP favicon and nikto
In-Reply-To: <20110615214332.GD18806@griffin.linux.hr>
References: <20110609205725.GA23097@griffin.linux.hr>
	<20110610095437.58041yn49j70eyis@webmail.cirt.net>
	<20110615214332.GD18806@griffin.linux.hr>
Message-ID: <4DF92BB4.6030707@linux.hr>

On 06/15/2011 11:43 PM, Vlatko Kosturjak wrote:
> On Fri, Jun 10, 2011 at 09:54:37AM -0400, dave at cirt.net wrote:
> I'm also attaching the script which I used for converting from the OWASP
> database to Nikto db style if it will help. Don't ask me for the
> license, it's public domain! ;)

So that there is no confusion - by public domain, I mean the license for
this short & ugly script :)

Kost
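The thread proposes a server-side sync job that pulls the OWASP favicon list, runs "additional checks", and converts it to Nikto db style (the attached owaspfavicon2nikto.pl, which the archive scrubbed). The following is an added Python example written for this page; it is not the list's code, not Kost's script, and not Nikto's own importer. It parses entries in the "<md5> <identification>" shape the thread describes for contributions, rejects malformed and duplicate hashes instead of shipping them, emits quoted CSV rows, and looks up a fetched icon by its MD5 so an operator can tell which product a host on their own network is serving. The three-column "id","md5","identification" layout and the starting id 500000 are assumptions about Nikto's db_favicon format, and the favicon bytes, product names and sample entries are constructed.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# A contributed hash must be exactly 32 hex digits (MD5); anything else is
# rejected by the sync rather than silently shipped to users.
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed favicon bytes standing in for two hypothetical product icons
# (not entries from the OWASP database). A real .ico file starts with the
# 6-byte ICONDIR header 00 00 01 00 <image count>; the rest here is filler.
FAVICON_PRODUCT_A = b"\x00\x00\x01\x00\x01\x00" + b"A" * 32
FAVICON_PRODUCT_B = b"\x00\x00\x01\x00\x01\x00" + b"B" * 32


def md5_hex(data: bytes) -> str:
    """Hex MD5 of a favicon's raw bytes, the key both databases use."""
    return hashlib.md5(data).hexdigest()


# Constructed sample in the "<md5> <identification>" shape the thread
# describes for Twitter contributions. It deliberately mixes in a comment,
# a blank line, an uppercase digest, a malformed digest and a duplicate so
# the checks below have something to catch.
SAMPLE_OWASP_ENTRIES = "\n".join([
    "# md5                              identification",
    "",
    f"{md5_hex(FAVICON_PRODUCT_A)} Example Product A",
    f"{md5_hex(FAVICON_PRODUCT_B).upper()} Example Product B",
    "not-a-real-hash Bogus entry",
    f"{md5_hex(FAVICON_PRODUCT_A)} Example Product A (duplicate)",
])


def parse_owasp_entries(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({md5: identification}, rejected_lines).

    Digests are normalised to lowercase; the first identification seen for a
    digest wins and later duplicates are reported rather than overwriting it.
    """
    table: Dict[str, str] = {}
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not MD5_RE.match(parts[0]):
            rejected.append(raw)
            continue
        digest, name = parts[0].lower(), parts[1].strip()
        if digest in table:
            rejected.append(raw)
            continue
        table[digest] = name
    return table, rejected


def to_nikto_db_lines(table: Dict[str, str], first_id: int = 500000) -> List[str]:
    """Emit one quoted CSV row per digest: "id","md5","identification".

    The three-column layout and the starting id are assumptions about the
    Nikto db_favicon format made for this example, not taken from the page.
    """
    rows: List[str] = []
    for n, (digest, name) in enumerate(table.items(), start=first_id):
        # Double quotes delimit the fields, so a quote inside a name would
        # break the row; swap it for a single quote.
        safe_name = name.replace('"', "'")
        rows.append(f'"{n}","{digest}","{safe_name}"')
    return rows


def identify_favicon(data: bytes, table: Dict[str, str]) -> str:
    """Map a fetched favicon's bytes to the product it belongs to, if known."""
    return table.get(md5_hex(data), "unknown")


def sync(text: str) -> Tuple[List[str], List[str]]:
    """One sync pass: parse, check and convert. Returns (nikto_rows, rejected)."""
    table, rejected = parse_owasp_entries(text)
    return to_nikto_db_lines(table), rejected


if __name__ == "__main__":
    rows, rejected = sync(SAMPLE_OWASP_ENTRIES)
    print("\n".join(rows))
    for bad in rejected:
        print("rejected:", bad)
    table, _ = parse_owasp_entries(SAMPLE_OWASP_ENTRIES)
    print(identify_favicon(FAVICON_PRODUCT_B, table))
```

In a real cron job the text would come from the wiki export rather than the embedded sample, and the rejected lines are what you would want logged and reviewed before the generated rows replace the previous file, which is the "additional checks" step the thread asks for. Ids here are assigned in insertion order; a production sync would persist a digest-to-id map so that existing entries keep their ids across runs.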