Luke Murphey, 04/10/2010 01:01 PM


ThreatScript Definitions

ThreatScript Definitions are written in ECMAScript (basically the same as JavaScript). The ThreatScript definitions return a Result object which indicates whether a match was observed.

Meta-Data

ThreatScripts must provide meta-data that indicates the following information:

| Name     | Valid Input                                     | Notes |
| Name     | <category>.<sub_category>.<definition_name>     |       |
| Version  | integer                                         |       |
| ID       | integer                                         |       |
| Message  | message to be displayed when definition matches |       |
| Severity | Either: Low, Medium or High                     |       |

ThreatScript Example

Below is an example of a ThreatScript that triggers if the web-page has a form element.

/*
 * Name: Example.General.Has_Form_Tag
 * Version: 1
 * ID: 1000000
 * Message: Indicates if the page has a form tag
 * Severity: Low
 */

importPackage(Packages.ThreatScript);
importPackage(Packages.HTTP);

function analyze( httpResponse, operation, variables, environment, defaultRule ){

    var parser = httpResponse.getDocumentParser();
    var location = new URL( httpResponse.getLocation() );

    // Get a list of all form tags
    var tagNameFilter = new TagNameFilter("form");
    var nodesList = parser.extractAllNodesThatMatch(tagNameFilter);

    // Report a match if at least one form tag was found
    if( nodesList.size() > 0 ){
        return new Result( true, "A form was detected" );
    }

    return new Result( false, "No forms detected" );
}