Public API for the vuln db.

[gbrindisi]

Yesterday was pointed out on twitter that would be cool to have a way to check from wpscan if a given plugin was vulnerable or not (without scanning).

As said this would be easily solvable by building a public api interfacing with our db and have, at least at the beginning, wpscan as an interactive client.

What do you think?

I think I can put up a basic API quickly if we are interested (finally coding! :).

[gbrindisi]

Ok here is my proposal:

• First we migrate our vulns dbs to a remote server facing the web.
• We build an API to talk to this db server

Then we have wpscan as a client which can use the API to:

• Retrieve db updates (instead of using git as we do now)
• Be an interactive client, for example:
  • User: is this plugin vulnerable? XXX
  • Wpscan: XXX is not vulnerable according to my local db, would you like to check our central db? Y/N
  • User: Yes please!
  • [ :sparkles: API TALK EVERYWHERE! :sparkles: ]
  • Wpscan: Looks like it's vulnerable to YYYYYY have a look: [INFOS]

The second phase is to build a web frontend to our central db. Think like an interactive exploit-db where we add vulnerabilities and let people comment/tag/submit them etc.

The idea around this is to streamline the process of update our dbs, build a reliable source of information in alternative to the references we are actually using, let people help debunking advisories easily trough a social frontend.

DISCUSS! :point_right:

[ethicalhack3r]

I like it a lot and think it's a great idea. I will help with any coding needed.

I think there are 3 stages:

• The remote API. -- We need to decide and agree on server side language, DBMS, domain name & API calls we're going to use.
• WPScan updated to use the remote API. -- API wrapper. -- Prompt user for updates. -- Pull db updates on user request or on overall update.
• The remote API web client. -- Searching? -- Submitting? -- Commenting? -- Rating? -- Admin interface? -- Authentication?

If we're going to go ahead with this maybe we could create a shared google docs document to track what needs doing.

[gbrindisi]

I invoke @erwanlr 's opinion!

[ethicalhack3r]

Opened a private Google Doc for design and implementation and have invited @gbrindisi & @erwanlr.

[erwanlr]

Well, i've just one thing to suggest : add an optional version argument for the API :

/search/plugin/$plugin_name/$version /search/theme/$theme_name/$version

:p

[ethicalhack3r]

Sounds good! I've amended the document, feel free to edit it as well. It is just a draft and hoping for input/feedback.

[gbrindisi]

I've added some feedback in the doc.

Will look into migrating our xml dbs to a proper rdbs.

[firefart]

Sounds great! I like the idea of a public wordpress vulns homepage where you can check your plugin list

[ethicalhack3r]

Any preferences on hosting? I don't mind putting the money in for a dedicated VPS.

[rakiru]

What sort of hosting would be needed for this? I can imagine there being a few users of this who could provide hosting for free.

[gbrindisi]

I think a standard vps should do the trick but before investing in it we first need to have a working prototype and do some load tests.

[ethicalhack3r]

OK.

@gbrindisi do you want to manage the API creation part? as it was originally your idea and you're most familiar with the language we're using?

If so, is there any part of it you think I could work on? The DB migration? setting up a prototype? testing? etc.

[gbrindisi]

Quick update: we are working on the API (privately for now).

If you have suggestions or ideas to share you can do it by commenting on this issue.

[thesp0nge]

For the server side language I suggest stay in ruby and use GRAPE framework, it is born to help people creating API. Link to my blog with an hello world step - by - step (http://armoredcode.com/blog/build-an-api-for-fun-with-grape/).

[ghost]

Sounds great! If I can help with something..

[ethicalhack3r]

This has been added to the roadmap for the version 3.0 release (https://github.com/wpscanteam/wpscan/wiki/Roadmap).

What is currently needs doing to get this completed? I think we should make this a priority and put all resources into it that so we can move on.

[anantshri]

is there any progress on this.

[gbrindisi]

Yes but nothing public right now.

[anantshri]

revisiting an old thread in a small hope that some thing might have been done.

any fixed timelines when we can open the api.

[ethicalhack3r]

Please see - http://www.ethicalhack3r.co.uk/brucon-5by5-wpscan-online-vulnerability-database/

The above is a step in the API direction. It is currently being worked on by me and is in a private repo. Release deadline is August 1st 2014.

[gallart]

Hey guys,

Almost 1 year since the last update of this ticket. Any update on the API progression?

[ethicalhack3r]

Hey! Yea, please see previous comment. We're planning on launching BETA on August 1st and then fully released during BruCON in September.

If anyone wants a sneak peak, let me know as I have some of it on a staging server.

[fgeek]

@ethicalhack3r I can still do some testing. Last address is not working anymore.

[fgeek]

Can we close this issue? API looks good.

[ethicalhack3r]

I think we should leave it open until the API goes live :)

Got most of this week booked out to work on it before going BETA on Friday sometime. I'll update the staging server during the week so those that have the link can see the most up to date codebase before BETA.

My biggest priority this week is probably going to be getting WPScan to parse the new JSON data files as well as tying up any loose ends.

[firefart]

just ping me on skype if you need some help @ethicalhack3r. Or we could meet in #WpScan on freenode (still owned by gbrindisi :D)

[fgeek]

Cool we have IRC-channel! :)

[firefart]

Jeah I asked @gbrindisi once if he can promote us to admins, but I think he lost the PW :D

[gbrindisi]

Yeah sorry Chris I lost it and totally forgot. BTW do you know who should I ping to restore it?

[fgeek]

(sorry, update in Freenode)

Please see: https://freenode.net/faq.shtml

"What do I do if I forget my password?"

[firefart]

https://freenode.net/faq.shtml#sendpass

[ethicalhack3r]

In #WpScan

[ethicalhack3r]

https://wpvulndb.com went live a couple of days a go during BruCON. And with that I'll close our oldest issue. :)

[fgeek]

AWESOME! :+1: