...
Therefore, the next sections will use java_custom_neutralizations.xml as the name of our custom file.
Creating a custom “Library” of neutralization routines
Obviously, you don’t need to create an XML file for every single neutralization routine.
Instead, you will include all of them in a single file identified as a “library” of custom neutralization routines, with a “name” for it.
The library is identified by an XML element such as:
<library name="custom.libraries"/>
As a suggestion, we recommend using something like “[technology].custom.library”.
Please refer to the technology-specific DTD for the available “library” attributes.
Custom Neutralization routines
As said above, a neutralization routine is a piece of code that ensures that any tainted data received as input is produced as untainted output.
That piece of code is typically a function or a class method (depending on whether your technology is object-oriented or not).
What you must do in the XML file is to properly declare such a “routine” and mark it as a neutralization routine.
To declare the routine, you must include the corresponding element. Every technology-specific DTD describes the allowed set of elements that form part of the “library”.
For our purposes, the commonly used elements are either “class” or “function”, depending on the language. Please see those specific DTDs for the allowed set of elements.
Once the routine is “declared”, it must be “marked” as a neutralization routine as follows. See the reference section for more details on how to declare a routine.
Examples
Structure of Custom Neutralization File (CNF)
...
The next sections describe this structure.
Reference to master DTD file
The reference to the master DTD must be specified in the first line.
...
Tech | DTD specification | DTD location |
---|---|---|
abap | <!DOCTYPE library SYSTEM "abap_library.dtd"> | [agent_home_dir]/libraries/abap |
c / cpp | <!DOCTYPE library SYSTEM "cpp_library.dtd"> | [agent_home_dir]/libraries/c |
csharp | <!DOCTYPE library SYSTEM "library_metadata.dtd"> | |
java | <!DOCTYPE library SYSTEM "library_metadata.dtd"> | |
javascript | <!DOCTYPE library SYSTEM "js_library_metadata.dtd"> | [agent_home_dir]/libraries/javascript |
objectivec | <!DOCTYPE library SYSTEM "library_metadata.dtd"> | |
php | <!DOCTYPE library SYSTEM "php_library.dtd"> | [agent_home_dir]/libraries/php |
python | <!DOCTYPE library SYSTEM "python_library_metadata.dtd"> | [agent_home_dir]/libraries/python |
Neutralization elements
A neutralization is defined in Kiuwan by the following element:
...
resource %resource; #IMPLIED
>
argpos
The argpos attribute specifies the “tainted” object, i.e. which object (or objects) are “untainted” by the routine.
...
- “-2”: the untainted object will be the caller of the routine => obj
- “-1”: the untainted object will be the returned object => value
- “0 … n”: the argument with that index will be untainted => arg1 if 0, arg2 if 1, both if “0,1”
...
kind
A neutralization routine is usually applied to a specific vulnerability type (or “kind”).
...
If you want the neutralization to apply to ALL vulnerabilities (i.e. it is not specific to any vulnerability), set “string” as the value of the “kind” attribute.
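The following is an added example (not Kiuwan code, and not its XML schema) that models how the argpos values described above and the “kind” wildcard decide which objects a declared routine untaints at a call site; the class names, fields and the sample routine names escapeHtml and Validator.check are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed model of an argpos/kind neutralization declaration applied to a
# call site. Names and sample routines are assumptions for this example only.

ANY_KIND = "string"  # kind="string": the routine neutralizes every vulnerability kind


@dataclass
class Neutralization:
    routine: str        # name of the declared function or method
    argpos: List[int]   # -2 = caller object, -1 = returned value, 0..n = argument index
    kind: str = ANY_KIND

    def applies_to(self, vuln_kind: str) -> bool:
        return self.kind in (ANY_KIND, vuln_kind)


@dataclass
class Call:
    routine: str
    caller: Optional[str]  # object the routine is invoked on; None for a plain function
    args: List[str]
    returned: str


def apply_neutralization(tainted: Set[str], call: Call,
                         rules: List[Neutralization], vuln_kind: str) -> Set[str]:
    """Return the taint set after `call`: default propagation, then matching rules."""
    after = set(tainted)
    # Default propagation: a result computed from tainted input is tainted too.
    if call.caller in after or any(a in after for a in call.args):
        after.add(call.returned)
    for rule in rules:
        if rule.routine != call.routine or not rule.applies_to(vuln_kind):
            continue
        for pos in rule.argpos:
            if pos == -2:
                target = call.caller
            elif pos == -1:
                target = call.returned
            elif 0 <= pos < len(call.args):
                target = call.args[pos]
            else:
                continue  # index past the real argument list: nothing to untaint
            if target is not None:
                after.discard(target)
    return after


RULES = [
    Neutralization("escapeHtml", argpos=[-1], kind="xss"),  # returned value only, XSS only
    Neutralization("Validator.check", argpos=[0, 1]),       # arguments 0 and 1, every kind
]
```

Note that with argpos 0,1 only the checked arguments become clean; a value derived from them by the same call is still tainted unless -1 is also listed.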
resource
A neutralization routine can also be suited specifically to a particular resource type.
...