...

Neutralization elements

A neutralization element identifies an element (essentially a method call) as a vulnerability neutralizer, that is, a routine that "untaints" the data it handles. It is defined in Kiuwan by the following DTD element:

```xml
<!ELEMENT neutralization (#PCDATA)*>
<!ATTLIST neutralization
  argpos CDATA #REQUIRED
  kind CDATA #IMPLIED
  resource %resource; #IMPLIED
>
```

...

  • argpos

The argpos attribute specifies what object (or objects) are "untainted" by the routine. Consider a call such as:

    value = obj.call(arg1, arg2)

The neutralization routine can "untaint" one or many of those objects (the arguments, the returned value, or the called object itself). The argpos attribute specifies which ones. Allowed values are:

      • 0..n: a non-negative value indicates that the argument at the given index (starting at 0) is being neutralized. Several indexes can be given as a comma-separated list.
        • obj.call(arg1, arg2) -> arg1 is neutralized when argpos="0"
                                  arg2 is neutralized when argpos="1"
                                  both are neutralized when argpos="0,1"

```xml
<method name="call" signature="call(fqcn.Arg1Type, fqcn.Arg2Type)">
  <neutralization argpos="0" kind="..." resource="..." />
</method>
```

      • -1: the target object (the returned value) is being neutralized.
        • value = obj.call(arg1) -> value is neutralized when argpos="-1"

```xml
<method name="call" signature="call(fqcn.Arg1Type)">
  <return type="fqcn.ValueType"/>
  <neutralization argpos="-1" kind="..." resource="..." />
</method>
```

      • -2: the called object is being neutralized.
        • value = obj.call(arg1) -> obj is neutralized when argpos="-2"

```xml
<method name="call" signature="call(fqcn.Arg1Type)">
  <return type="fqcn.ValueType"/>
  <neutralization argpos="-2" kind="..." resource="..." />
</method>
```

...


 

  • kind

A neutralization routine is usually applied to a specific vulnerability type (or "kind"). The kind attribute indicates the type of vulnerability affected by this neutralization, such as "xss", "sql_injection" or "open_redirect". Use "string" for general-purpose neutralizations.

To find the exact attribute value, locate the vulnerability you need to neutralize in Kiuwan, open its sink data and read the Category value.

You can include as many neutralization elements as vulnerability types your routine neutralizes. For example, a routine whose returned value is safe against SQL injection:

```xml
<neutralization argpos="-1" kind="sql_injection"/>
```

...

  • resource

Valid values of resource are one of: memory | os | configuration | environment | filesystem | formatstr | database | web | network | gui | crypto | other.

As above, check the Sink Data to set the appropriate value, just as you did for the kind attribute.
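To see how the three attributes fit together, the following Python script (an added example, not part of Kiuwan's documentation or tooling) parses a small constructed CNF fragment, expands each argpos into the objects it untaints in a call of the form value = obj.call(arg1, arg2), and rejects neutralizations whose argpos or resource values are not among those described above. The method names, signatures and the XML fragment are invented for the example; Kiuwan itself does not read CNF files with this script.

```python
import xml.etree.ElementTree as ET

# Allowed values of the resource attribute, as listed in the CNF documentation.
RESOURCES = {"memory", "os", "configuration", "environment", "filesystem",
             "formatstr", "database", "web", "network", "gui", "crypto", "other"}

# Constructed CNF fragment for this example (hypothetical method names/signatures).
SAMPLE_CNF = """
<methods>
  <method name="escapeSql" signature="escapeSql(java.lang.String)">
    <return type="java.lang.String"/>
    <neutralization argpos="-1" kind="sql_injection" resource="database"/>
  </method>
  <method name="sanitize" signature="sanitize(java.lang.String, java.lang.String)">
    <neutralization argpos="0,1" kind="xss" resource="web"/>
    <neutralization argpos="0,1" kind="string"/>
  </method>
  <method name="clean" signature="clean()">
    <neutralization argpos="-2" kind="open_redirect" resource="web"/>
  </method>
  <method name="broken" signature="broken(java.lang.String)">
    <neutralization argpos="x" kind="xss" resource="database"/>
    <neutralization argpos="0" kind="xss" resource="disk"/>
  </method>
</methods>
"""


def parse_argpos(value):
    """Turn an argpos string into a list of positions.

    Positions >= 0 are argument indexes, -1 is the returned value and
    -2 is the called object. Anything else raises ValueError."""
    positions = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            raise ValueError(f"empty position in argpos={value!r}")
        pos = int(token)  # non-numeric tokens raise ValueError here
        if pos < -2:
            raise ValueError(f"argpos {pos} is not allowed (use 0..n, -1 or -2)")
        positions.append(pos)
    return positions


def describe_position(pos, obj="obj", args=("arg1", "arg2")):
    """Name the object untainted at `pos` in `value = obj.call(arg1, arg2)`."""
    if pos == -1:
        return "value (returned value)"
    if pos == -2:
        return f"{obj} (called object)"
    return args[pos] if pos < len(args) else f"arg{pos + 1}"


def load_neutralizations(xml_text):
    """Parse <method> elements into {signature: [(kind, resource, positions)]}.

    Neutralizations with an invalid argpos or resource are skipped and the
    reason is recorded under the "errors" key."""
    root = ET.fromstring(xml_text)
    result = {"errors": []}
    for method in root.iter("method"):
        sig = method.get("signature")
        entries = []
        for n in method.findall("neutralization"):
            kind = n.get("kind") or "string"  # kind is #IMPLIED in the DTD
            resource = n.get("resource")      # also #IMPLIED, so None is fine
            try:
                positions = parse_argpos(n.get("argpos", ""))  # argpos is #REQUIRED
                if resource is not None and resource not in RESOURCES:
                    raise ValueError(f"unknown resource {resource!r}")
            except ValueError as e:
                result["errors"].append(f"{sig}: {e}")
                continue
            entries.append((kind, resource, positions))
        result[sig] = entries
    return result


if __name__ == "__main__":
    for sig, entries in load_neutralizations(SAMPLE_CNF).items():
        if sig == "errors":
            for err in entries:
                print("ERROR:", err)
            continue
        for kind, resource, positions in entries:
            targets = ", ".join(describe_position(p) for p in positions)
            print(f"{sig}: {kind} ({resource or 'n/a'}) untaints {targets}")
```

Running the script reports, for each method, which call positions each neutralization untaints and for which kind, and flags the two entries of the constructed "broken" method (a non-numeric argpos and a resource outside the allowed list) so they can be corrected before the CNF is uploaded.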

 

Reference

Structure of Custom Neutralization File (CNF)

...