...

Therefore, the next sections use java_custom_neutralizations.xml as the name of our custom file.

Creating a custom “Library” of neutralization routines

You do not need to create a separate XML file for every neutralization routine.

Instead, you declare all of them in a single file that acts as a "library" of custom neutralization routines, identified by a name.

The library is identified by an XML element such as:

Code Block
<library name="custom.libraries"/>

The routine declarations described in the next section go inside this library element.

We recommend a name of the form "[technology].custom.library" (for example, java.custom.library for the file used here).

Refer to the technology-specific DTD for the attributes allowed on "library".

Custom Neutralization routines

As said above, a neutralization routine is a piece of code that guarantees that tainted data received as input comes out untainted as output.

That piece of code is typically a function or a class method (depending on whether your technology is object-oriented or not).

Info

What you must do in the XML file is declare that routine and mark it as a neutralization routine.

To declare the routine, you include the element that represents it. Every technology-specific DTD describes the set of elements allowed inside the "library".

For our purposes, the commonly used elements are "class" or "function", depending on the language. See the specific DTDs for the full set of allowed elements.

Once the routine is declared, it must be marked as a neutralization routine, as shown below. See the reference section for more details on how to declare a routine.

Examples

 

Reference

Structure of Custom Neutralization File (CNF)

...

The next sections describe this structure.

Reference to master DTD file

The DOCTYPE reference to the master DTD must come first in the file, before the library element, and must name the DTD for the technology of the routines being declared.

...

Tech         DTD specification                                         DTD location
abap         <!DOCTYPE library SYSTEM "abap_library.dtd">              [agent_home_dir]/libraries/abap
c / cpp      <!DOCTYPE library SYSTEM "cpp_library.dtd">               [agent_home_dir]/libraries/c
csharp       <!DOCTYPE library SYSTEM "library_metadata.dtd">
java         <!DOCTYPE library SYSTEM "library_metadata.dtd">
javascript   <!DOCTYPE library SYSTEM "js_library_metadata.dtd">       [agent_home_dir]/libraries/javascript
objectivec   <!DOCTYPE library SYSTEM "library_metadata.dtd">
php          <!DOCTYPE library SYSTEM "php_library.dtd">               [agent_home_dir]/libraries/php
python       <!DOCTYPE library SYSTEM "python_library_metadata.dtd">   [agent_home_dir]/libraries/python

Definition of the Custom “Library” of Neutralization routines

You do not need to create a separate XML file for every neutralization routine.

Instead, you declare all of them in a single file that acts as a "library" of custom neutralization routines, identified by a name.

The library is identified by an XML element such as:

<library name="custom.libraries"/>

The routine declarations described below go inside this library element.

We recommend a name of the form "[technology].custom.library".

Refer to the technology-specific DTD for the attributes allowed on "library".

 

Custom Neutralization routines

As said above, a neutralization routine is a piece of code that guarantees that tainted data received as input comes out untainted as output.

...

Info

What you must do in the XML file is declare that routine and mark it as a neutralization routine.

To declare the routine, you include the element that represents it. Every technology-specific DTD describes the set of elements allowed inside the "library".

For our purposes, the commonly used elements are "class" or "function", depending on the language. See the specific DTDs for the full set of allowed elements.

Once the routine is declared, it must be marked as a neutralization routine, as follows.

 

Neutralization elements

A neutralization is defined in Kiuwan by the following element:

...

  resource %resource; #IMPLIED

argpos


Info (argpos)

The argpos attribute specifies which object (or objects) involved in the call are untainted by the routine.

...

  • "-2": the untainted object is the object the routine is invoked on (obj, for a call of the form value = obj.routine(arg1, arg2))
  • "-1": the untainted object is the value returned by the routine (value)
  • "0 … n": the argument at that zero-based index is untainted: arg1 if 0, arg2 if 1; a comma-separated list such as "0,1" untaints both

...

kind

A neutralization routine is usually applied to a specific vulnerability type (or “kind”).

...

If you want the neutralization to apply to ALL vulnerabilities (i.e. it is not specific to any one), set "string" as the value of the "kind" attribute. Use this sparingly: a routine marked with "string" suppresses findings for every vulnerability kind that flows through it, including kinds it does not actually prevent (an HTML encoder, for instance, does nothing against SQL injection).

resource

A neutralization routine can also be tied to a particular resource type.

...
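The following script is an added example (not Kiuwan's own code) that ties together the declare-and-mark procedure from the "Custom Neutralization routines" section and the argpos/kind/resource semantics above. It parses a constructed java_custom_neutralizations.xml, reports what each declared routine untaints, and flags declarations that would either be rejected or silently suppress findings. Assumptions: a "method" element nested inside "class" (the page only names "class" and "function"), a literal "neutralization" element carrying the attributes, and the sample file itself, which is constructed for this example.

```python
"""Decode and lint a Kiuwan custom neutralization file (CNF).

Added example, not Kiuwan's code. Assumed (not taken from the page): the
<method> nesting under <class>, the literal <neutralization> element name,
and the constructed sample file below.
"""
import xml.etree.ElementTree as ET

# Constructed sample java_custom_neutralizations.xml (assumed nesting).
SAMPLE_CNF = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE library SYSTEM "library_metadata.dtd">
<library name="java.custom.library">
  <class name="com.example.security.Sanitizer">
    <method name="encodeForHtml">
      <neutralization argpos="-1" kind="xss"/>
    </method>
    <method name="escapeSql">
      <neutralization argpos="-1" kind="sql_injection" resource="database"/>
    </method>
    <method name="trimInPlace">
      <neutralization argpos="0,1" kind="string"/>
    </method>
  </class>
  <function name="legacyNormalize">
    <neutralization argpos="-2" kind="path_traversal"/>
    <neutralization argpos="-3" kind="xss"/>
  </function>
</library>
"""

CALLER, RETURN = -2, -1  # argpos values with special meaning


def parse_argpos(value):
    """'0,1' -> [0, 1]; '-1' -> [-1]. Raises ValueError on non-integers."""
    return [int(p.strip()) for p in value.split(",") if p.strip()]


def describe_argpos(pos):
    """Meaning of one argpos value, following the page's semantics."""
    if pos == CALLER:
        return "caller object (obj)"
    if pos == RETURN:
        return "return value"
    if pos >= 0:
        return f"argument {pos + 1} (index {pos})"
    raise ValueError(f"argpos {pos} is outside -2..n")


def load_neutralizations(xml_text):
    """One record per <neutralization>, with the routine path built from
    the name attributes of its ancestors (library name excluded).
    xml.etree does not fetch the external DTD named in the DOCTYPE."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    records = []
    # Explicit stack in document order; each entry carries its ancestor names.
    stack = [(child, []) for child in reversed(list(root))]
    while stack:
        node, path = stack.pop()
        name = node.get("name")
        here = path + [name] if name else path
        if node.tag == "neutralization":
            records.append({
                "library": root.get("name"),
                "routine": ".".join(path),
                "argpos": node.get("argpos"),
                "kind": node.get("kind"),
                "resource": node.get("resource"),
            })
        stack.extend((c, here) for c in reversed(list(node)))
    return records


def lint(records):
    """Flag declarations that are invalid or over-broad."""
    problems = []
    for r in records:
        where = r["routine"]
        if r["argpos"] is None:
            problems.append(f"{where}: missing argpos")
            continue
        try:
            for pos in parse_argpos(r["argpos"]):
                describe_argpos(pos)
        except ValueError as exc:
            problems.append(f"{where}: {exc}")
        if r["kind"] == "string":
            problems.append(f"{where}: kind=string neutralizes every "
                            "vulnerability kind; confirm the routine really does")
    return problems


def summarize(xml_text):
    """Human-readable line per neutralization: what it untaints and for what."""
    lines = []
    for r in load_neutralizations(xml_text):
        try:
            targets = ", ".join(describe_argpos(p)
                                for p in parse_argpos(r["argpos"] or ""))
        except ValueError as exc:
            targets = f"INVALID ({exc})"
        lines.append(f"{r['routine']}: untaints {targets}; "
                     f"kind={r['kind']}; resource={r['resource']}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_CNF):
        print(line)
    for problem in lint(load_neutralizations(SAMPLE_CNF)):
        print("WARN", problem)
```

The script checks only the semantics the page documents; structural validity against the technology DTD is a separate step, and `xmllint --noout --dtdvalid <path-to-dtd> java_custom_neutralizations.xml` (with the DTD from the location column of the table above) will reject elements the DTD does not allow before the file reaches the analyzer.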