...
The `argpos` attribute specifies which object (or objects) is "untainted" by the routine, i.e. which element is neutralized by this neutralization. Depending on how your custom neutralization routine works, you should code a different value in this attribute. Allowed values are:

**0..n**: A non-negative value indicates that the argument at the given index (starting at 0) is being neutralized. For `obj.call(arg1, arg2)`: `arg1` is neutralized when `argpos="0"`, `arg2` is neutralized when `argpos="1"`, and both are neutralized when `argpos="0,1"`.

Neutralization in XML:

```xml
<method name="call" signature="call(fqcn.Arg1Type, fqcn.Arg2Type)">
  ...
  <neutralization argpos="0" kind="..." resource="..." />
  ...
```

**-1**: Target object (returned value) is being neutralized.

Neutralization in XML:

```xml
<method name="call" signature="call(fqcn.Arg1Type)">
  ...
  <return type="fqcn.ValueType"/>
  ...
  <neutralization argpos="-1" kind="..." resource="..." />
  ...
```

**-2**: Called object is being neutralized.

Neutralization in XML:

```xml
<method name="call" signature="call()">
  ...
  <neutralization argpos="-2" kind="..." resource="..." />
  ...
```
Neutralization routines can be defined in the same class where they are used, or in a different one, where you can invoke them through an object instantiation call or through a static call. Any combination of this and the `argpos` attribute values is possible.
A neutralization routine is usually applied to a specific vulnerability type (or "kind"). The `kind` attribute indicates the type of vulnerability affected by this neutralization, such as "xss", "sql_injection", "open_redirect", etc. Use "string" for general-purpose neutralizations.
...
If you want the neutralization to apply to ALL vulnerabilities (i.e. it is not specific to any vulnerability), set "string" as the value of the `kind` attribute.
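The following is an added example, not part of the original documentation or of Kiuwan's own tooling: a small Python checker that parses `<method>` / `<return>` / `<neutralization>` elements of the shape shown above and flags `argpos` values that cannot match the declared method, which is the kind of mismatch that would silently leave a sink tainted (or, worse, mark the wrong value as clean). The enclosing `<class>` element and the sample library content are assumptions constructed for this example; the real surrounding XML structure is not shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the Kiuwan docs). The <class> wrapper is an
# assumption; the <method>/<return>/<neutralization> shapes follow the table.
SAMPLE_XML = """
<class name="com.example.Sanitizers">
  <method name="encodeArgs" signature="encodeArgs(java.lang.String, java.lang.String)">
    <neutralization argpos="0,1" kind="xss" resource="web"/>
  </method>
  <method name="clean" signature="clean(java.lang.String)">
    <return type="java.lang.String"/>
    <neutralization argpos="-1" kind="sql_injection" resource="database"/>
  </method>
  <method name="sanitizeSelf" signature="sanitizeSelf()">
    <neutralization argpos="-2" kind="string" resource="web"/>
  </method>
  <method name="broken" signature="broken(java.lang.String)">
    <return type="java.lang.String"/>
    <neutralization argpos="3" kind="xss" resource="web"/>
    <neutralization argpos="-1" kind="xss" resource="web"/>
  </method>
  <method name="noReturn" signature="noReturn(java.lang.String)">
    <neutralization argpos="-1" kind="xss" resource="web"/>
  </method>
</class>
""".strip()


def parse_arity(signature):
    """Count the parameter types in a signature such as 'name(T1, T2)'."""
    inner = signature[signature.index("(") + 1:signature.rindex(")")]
    return len([p for p in inner.split(",") if p.strip()])


def parse_argpos(raw):
    """Split a comma-separated argpos value ("0,1", "-1", ...) into ints."""
    return [int(tok) for tok in raw.split(",") if tok.strip()]


def describe_targets(xml_text):
    """Map each method name to the values its neutralizations untaint."""
    root = ET.fromstring(xml_text)
    targets = {}
    for method in root.iter("method"):
        labels = []
        for neut in method.findall("neutralization"):
            for pos in parse_argpos(neut.get("argpos", "")):
                if pos >= 0:
                    labels.append("arg %d" % pos)      # positional argument
                elif pos == -1:
                    labels.append("return value")     # target object
                elif pos == -2:
                    labels.append("called object")    # receiver
                else:
                    labels.append("unknown(%d)" % pos)
        targets[method.get("name")] = labels
    return targets


def validate(xml_text):
    """Return (method, argpos, problem) tuples; an empty list means consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    for method in root.iter("method"):
        name = method.get("name")
        arity = parse_arity(method.get("signature"))
        has_return = method.find("return") is not None
        for neut in method.findall("neutralization"):
            for pos in parse_argpos(neut.get("argpos", "")):
                if pos >= arity:
                    # Index beyond the declared parameters: nothing is untainted.
                    problems.append((name, pos, "argument index out of range (arity %d)" % arity))
                elif pos == -1 and not has_return:
                    # Claims to neutralize a return value the method never declares.
                    problems.append((name, pos, "return value neutralized but no <return> declared"))
                elif pos < -2:
                    problems.append((name, pos, "unknown argpos value"))
    return problems


if __name__ == "__main__":
    for name, labels in describe_targets(SAMPLE_XML).items():
        print("%s neutralizes: %s" % (name, ", ".join(labels)))
    for problem in validate(SAMPLE_XML):
        print("PROBLEM in %s (argpos=%d): %s" % problem)
```

Running a check like this before loading a custom library is cheap insurance: an `argpos` that points past the method's parameter list, or a `-1` on a method without a `<return>`, is exactly the kind of typo that produces no error yet changes which values the analyzer trusts.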
A neutralization routine can also be specifically suited to a particular resource type.
...