The next sections describe this structure.

Reference to master DTD file

The reference to the master DTD must be specified in the first line of the file.

The next table shows the specific content depending on the technology:

Tech         DTD specification                                        DTD location
abap         <!DOCTYPE library SYSTEM "abap_library.dtd">             [agent_home_dir]/libraries/abap
c / cpp      <!DOCTYPE library SYSTEM "cpp_library.dtd">              [agent_home_dir]/libraries/c
csharp       <!DOCTYPE library SYSTEM "library_metadata.dtd">
java         <!DOCTYPE library SYSTEM "library_metadata.dtd">
javascript   <!DOCTYPE library SYSTEM "js_library_metadata.dtd">      [agent_home_dir]/libraries/javascript
objectivec   <!DOCTYPE library SYSTEM "library_metadata.dtd">
php          <!DOCTYPE library SYSTEM "php_library.dtd">              [agent_home_dir]/libraries/php
python       <!DOCTYPE library SYSTEM "python_library_metadata.dtd">  [agent_home_dir]/libraries/python

Definition of the Custom “Library” of Neutralization routines

You don't need to create an XML file for every single neutralization routine.

Instead, you include all of them in a single file identified as a "library" of custom neutralization routines, which has a "name".

The library is identified by an XML element such as:

<library name="custom.libraries"/>

As a suggestion, we recommend using a name like "[technology].custom.library".

Please refer to the technology-specific DTD for the available "library" attributes.

Custom Neutralization routines

As said above, a neutralization routine is a piece of code that ensures that any tainted data received as input produces untainted data as output.

That piece of code is typically a function or a class method (depending on whether your technology is object-oriented or not).

What you must do in the XML file is to declare that routine and mark it as a neutralization routine.

To declare the routine, you must include the corresponding element. Every technology-specific DTD describes the allowed set of elements that form part of the "library".

For our purposes, the commonly used elements are either "class" or "function", depending on the language. Please see the specific DTDs for the allowed set of elements.

Once the routine is "declared", it must be "marked" as a neutralization routine as follows.

Neutralization elements

A neutralization is defined in Kiuwan by the following element:

<!ELEMENT neutralization (#PCDATA)*>
<!ATTLIST neutralization
  argpos CDATA #REQUIRED
  kind CDATA #IMPLIED
  resource %resource; #IMPLIED>

argpos

The argpos attribute specifies the "tainted" object, i.e. which object (or objects) are "untainted" by the routine.

In a typical method call, there are several objects involved:

value = obj.call(arg1, arg2)

The neutralization routine can "untaint" one or many of those objects.

The argpos attribute specifies which ones, as follows:

  • "-2" : the untainted object will be the caller of the routine => obj
  • "-1" : the untainted object will be the returned object => value
  • "0 … n" : the argument with that index will be untainted => arg1 if 0, arg2 if 1, both if 0,1

kind

A neutralization routine is usually applied to a specific vulnerability type (or “kind”).

The kind attribute indicates the kind of vulnerability affected by this neutralization, like "xss", "sql_injection", "open_redirect", etc.

To see the exact attribute value, locate the vulnerability you need to neutralize, open the sink data and see the Category value.

You can include as many neutralization elements as vulnerability types your routine neutralizes.

<neutralization argpos="-1" kind="sql_injection"/>
<neutralization argpos="-1" kind="xss"/>

In case you want the neutralization to apply to ALL vulnerabilities (i.e. it is not specific to any vulnerability), set "string" as the value of the "kind" attribute.

resource

A neutralization routine can also be specifically suited to a particular resource type.

For example, your neutralization routine could be applied to the "database" or "filesystem" resource types.

Valid values of resource are one of (memory | os | configuration | environment | filesystem | formatstr | database | web | network | gui | crypto | other).

As above, check the Sink Data to set the appropriate value. That's the value you must indicate in the "resource" attribute.
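The following is an added example, not code from the Kiuwan documentation or product: it reads a constructed library file of the shape described above and interprets each neutralization element according to the argpos, kind and resource rules. The `<function name="...">` element is an assumption made for the sample, since the real element set comes from the technology-specific DTD.

```python
import xml.etree.ElementTree as ET

# Resource types the page lists for the optional "resource" attribute.
RESOURCE_TYPES = {"memory", "os", "configuration", "environment", "filesystem",
                  "formatstr", "database", "web", "network", "gui", "crypto", "other"}

# Constructed sample library; <function name="..."> is an assumed element shape.
SAMPLE_LIBRARY = """<!DOCTYPE library SYSTEM "cpp_library.dtd">
<library name="cpp.custom.library">
  <function name="escape_sql">
    <neutralization argpos="-1" kind="sql_injection" resource="database"/>
    <neutralization argpos="0,1" kind="xss"/>
  </function>
  <function name="trim_all">
    <neutralization argpos="-2" kind="string"/>
  </function>
</library>"""


def describe_argpos(argpos):
    """Map an argpos value to the objects the routine untaints."""
    targets = []
    for pos in argpos.split(","):
        n = int(pos.strip())
        if n == -2:
            targets.append("caller (obj)")        # obj in value = obj.call(...)
        elif n == -1:
            targets.append("return value")        # value
        elif n >= 0:
            targets.append(f"argument #{n}")      # arg1 if 0, arg2 if 1
        else:
            raise ValueError(f"invalid argpos {n}")
    return targets


def load_library(xml_text):
    """Return {routine name: [rules]} after checking the attribute constraints."""
    rules = {}
    for routine in ET.fromstring(xml_text):
        for neut in routine.findall("neutralization"):
            argpos = neut.get("argpos")  # #REQUIRED in the DTD
            if argpos is None:
                raise ValueError(f"{routine.get('name')}: argpos is required")
            resource = neut.get("resource")  # #IMPLIED, but must be a known type
            if resource is not None and resource not in RESOURCE_TYPES:
                raise ValueError(f"unknown resource type {resource!r}")
            kind = neut.get("kind")  # "string" means it applies to all kinds
            rules.setdefault(routine.get("name"), []).append(
                {"untaints": describe_argpos(argpos), "kind": kind,
                 "resource": resource, "all_kinds": kind == "string"})
    return rules
```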