Neutralization elements
A neutralization identifies an element (essentially a method call) as a vulnerability neutralizer. It is defined in Kiuwan by the following element:
```dtd
<!ELEMENT neutralization (#PCDATA)*>
<!ATTLIST neutralization
    argpos   CDATA      #REQUIRED
    kind     CDATA      #IMPLIED
    resource %resource; #IMPLIED
>
```
argpos
The argpos attribute specifies what object (or objects) are "untainted" by the routine. Consider a call of the form:

    value = obj.call(arg1, arg2)

The neutralization routine can "untaint" one or many of those objects. The argpos attribute specifies which ones, as follows:
It indicates which element is being neutralized by this neutralization. Allowed values are:

- 0..n: A non-negative value indicates that the argument at the given index (starting at 0) is being neutralized. Several indexes can be given, separated by commas.

      obj.call(arg1, arg2)
      -> arg1 is neutralized when argpos="0"
         arg2 is neutralized when argpos="1"
         both are neutralized when argpos="0,1"

  ```xml
  <method name="call" signature="call(fqcn.Arg1Type, fqcn.Arg2Type)">
    <neutralization argpos="0" kind="..." resource="..." />
  </method>
  ```

- -1: The target object (returned value) is being neutralized.

      value = obj.call(arg1)
      -> value is neutralized when argpos="-1"

  ```xml
  <method name="call" signature="call(fqcn.Arg1Type)">
    <return type="fqcn.ValueType"/>
    <neutralization argpos="-1" kind="..." resource="..." />
  </method>
  ```

- -2: The called object is being neutralized.

      value = obj.call(arg1)
      -> obj is neutralized when argpos="-2"

  ```xml
  <method name="call" signature="call(fqcn.Arg1Type)">
    <return type="fqcn.ValueType"/>
    <neutralization argpos="-2" kind="..." resource="..." />
  </method>
  ```
kind
A neutralization routine is usually applied to a specific vulnerability type (or "kind").

The kind attribute indicates the type of vulnerability affected by this neutralization, like "xss", "sql_injection", "open_redirect", etc. Use "string" for general-purpose neutralizations.

You can include as many neutralization elements as vulnerability types your routine neutralizes. To see the exact attribute value, locate the vulnerability you need to neutralize, open the sink data and see the Category value.

```xml
<neutralization argpos="-1" kind="sql_injection"/>
```
resource
Valid values of resource can be one of: memory, os, configuration, environment, filesystem, formatstr, database, web, network, gui, crypto, other.

As above, check the Sink Data to set the appropriate value. That's the value you must indicate in the "kind" attribute.
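As an added example (not part of the Kiuwan documentation or the product's own code), the following Python script parses a constructed XML fragment shaped like the method and neutralization elements shown above, validates the argpos, kind and resource attributes as the three sections describe, and resolves which expression of a call `value = obj.call(arg1, arg2)` a given neutralization untaints. The method names and signatures, the enclosing `<library>` root element, and the treatment of kind="string" as matching every vulnerability kind are assumptions of the example, not statements from the page.

```python
"""Resolve what a <neutralization> element untaints and validate its attributes.

Added example, not Kiuwan's code. It reads a constructed XML fragment shaped
like the <method>/<neutralization> elements on this page and applies the
argpos rules: 0..n = argument index, -1 = returned value, -2 = called object,
comma-separated values = several arguments.
"""
import xml.etree.ElementTree as ET

# Constructed sample following the element layout shown on the page. Method
# names, signatures and the <library> root are assumptions for this example.
SAMPLE_CNF = """
<library>
  <method name="escapeHtml" signature="escapeHtml(java.lang.String)">
    <return type="java.lang.String"/>
    <neutralization argpos="-1" kind="xss" resource="web"/>
  </method>
  <method name="setString" signature="setString(int, java.lang.String)">
    <neutralization argpos="1" kind="sql_injection" resource="database"/>
  </method>
  <method name="sanitize" signature="sanitize(java.lang.String, java.lang.String)">
    <neutralization argpos="0,1" kind="string"/>
  </method>
  <method name="sanitizeUrl" signature="sanitizeUrl()">
    <neutralization argpos="-2" kind="open_redirect" resource="web"/>
  </method>
</library>
"""

# Resource values listed on the page.
VALID_RESOURCES = {
    "memory", "os", "configuration", "environment", "filesystem", "formatstr",
    "database", "web", "network", "gui", "crypto", "other",
}


def parse_argpos(value):
    """Split an argpos string such as "0,1" into ints, rejecting anything below -2."""
    positions = []
    for token in value.split(","):
        pos = int(token.strip())  # ValueError on non-numeric tokens
        if pos < -2:
            raise ValueError(f"argpos {pos} is not 0..n, -1 or -2")
        positions.append(pos)
    return positions


def signature_arity(signature):
    """Number of parameters in a signature like 'call(fqcn.A, fqcn.B)'."""
    inner = signature[signature.index("(") + 1:signature.rindex(")")].strip()
    return 0 if not inner else len(inner.split(","))


def load_neutralizers(xml_text):
    """Map method name -> neutralization entries, validating each against its method."""
    table = {}
    for method in ET.fromstring(xml_text).iter("method"):
        name = method.get("name")
        arity = signature_arity(method.get("signature"))
        has_return = method.find("return") is not None
        entries = []
        for neut in method.findall("neutralization"):
            positions = parse_argpos(neut.get("argpos"))  # argpos is #REQUIRED
            for pos in positions:
                if pos >= arity:
                    raise ValueError(f"{name}: argpos {pos} but signature has {arity} parameter(s)")
                if pos == -1 and not has_return:
                    raise ValueError(f"{name}: argpos -1 needs a <return> element")
            resource = neut.get("resource")
            if resource is not None and resource not in VALID_RESOURCES:
                raise ValueError(f"{name}: unknown resource {resource!r}")
            entries.append({"argpos": positions, "kind": neut.get("kind"), "resource": resource})
        table[name] = entries
    return table


def untainted_by(table, method, receiver, args, result, kind):
    """Names untainted by `result = receiver.method(*args)` for vulnerability `kind`.

    Assumption for this example (not stated on the page): kind="string" is the
    general-purpose value and therefore matches every kind.
    """
    names = set()
    for entry in table.get(method, []):
        if entry["kind"] not in ("string", kind):
            continue
        for pos in entry["argpos"]:
            if pos == -1:
                names.add(result)
            elif pos == -2:
                names.add(receiver)
            else:
                names.add(args[pos])
    return names


if __name__ == "__main__":
    neutralizers = load_neutralizers(SAMPLE_CNF)
    print(untainted_by(neutralizers, "escapeHtml", "enc", ["s"], "out", "xss"))                      # {'out'}
    print(untainted_by(neutralizers, "setString", "stmt", ["idx", "name"], None, "sql_injection"))  # {'name'}
    print(untainted_by(neutralizers, "sanitize", "util", ["a", "b"], None, "xss"))                   # {'a', 'b'}
    print(untainted_by(neutralizers, "sanitizeUrl", "url", [], "u2", "open_redirect"))               # {'url'}
```

The validation in `load_neutralizers` catches the mistakes that silently disable a neutralizer: an argpos beyond the signature's parameter count, argpos="-1" on a method with no `<return>` element, and a resource value outside the list given above.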
Reference
Structure of Custom Neutralization File (CNF)