ThreatScript Definitions » History » Version 2

Luke Murphey, 04/10/2010 01:03 PM

h1. ThreatScript Definitions

ThreatScript Definitions are written in ECMAScript (basically the same as JavaScript). Each ThreatScript definition returns a Result object that indicates whether a match was observed.

h2. ThreatScript Example

Below is an example of a ThreatScript that triggers if the web page has a form element.

<pre><code class="javascript">
/*
 * Name: Example.General.Has_Form_Tag
 * Version: 1
 * ID: 1000000
 * Message: Indicates if the page has a form tag
 * Severity: Low
 */

importPackage(Packages.ThreatScript);
importPackage(Packages.HTTP);

function analyze( httpResponse, operation, variables, environment, defaultRule ){

	// Parser for the document returned in the HTTP response
	var parser = httpResponse.getDocumentParser();
	var location = new URL( httpResponse.getLocation() );

	// Get a list of all form tags
	var tagNameFilter = new TagNameFilter("form");
	var nodesList = parser.extractAllNodesThatMatch(tagNameFilter);

	// Report a match if at least one form tag was found
	if( nodesList.size() > 0 ){
		return new Result( true, "A form was detected" );
	}

	return new Result( false, "No forms detected" );
}
</code>
</pre>

h2. Meta-Data

ThreatScripts must provide meta-data that indicates the following information:

| *Name*   | *Valid Input*                                   | *Notes* |
| Name     | <category>.<sub_category>.<definition_name>     |         |
| Version  | integer                                         |         |
| ID       | integer                                         |         |
| Message  | message to be displayed when definition matches |         |
| Severity | Either: Low, Medium or High                     |         |

{{include(Definition_Naming_Convention)}}
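
The meta-data rules in the table above can be checked mechanically before a definition is loaded. The following is an added example, not code from the ThreatScript project: @parseMetaData@ and @validateMetaData@ are hypothetical names, and it assumes the meta-data is the "Key: value" lines of the script's leading block comment (as in the example header), that integers are unsigned, and that severity values are case-sensitive.

```javascript
// Added example (not ThreatScript project code); function names are hypothetical.
// Assumption: meta-data is the "Key: value" lines of the first block comment.
const REQUIRED = ["Name", "Version", "ID", "Message", "Severity"];
const SEVERITIES = ["Low", "Medium", "High"]; // assumed case-sensitive

function parseMetaData(source) {
  const meta = Object.create(null); // no inherited keys such as "constructor"
  const header = /\/\*([\s\S]*?)\*\//.exec(source);
  if (!header) return meta;
  for (const line of header[1].split(/\r?\n/)) {
    // Drop the leading " * " decoration; split on the first colon only.
    const m = /^\s*\*?\s*([A-Za-z]+)\s*:\s*(.*?)\s*$/.exec(line);
    if (m && !(m[1] in meta)) meta[m[1]] = m[2]; // first occurrence wins
  }
  return meta;
}

function validateMetaData(source) {
  const meta = parseMetaData(source);
  const errors = [];
  for (const field of REQUIRED) {
    if (!meta[field]) errors.push("missing " + field);
  }
  // Name: exactly three non-empty, dot-separated parts.
  if (meta.Name && !/^[^.\s]+\.[^.\s]+\.[^.\s]+$/.test(meta.Name)) {
    errors.push("Name must be <category>.<sub_category>.<definition_name>");
  }
  for (const field of ["Version", "ID"]) {
    // Assumption: "integer" means an unsigned decimal integer.
    if (meta[field] && !/^\d+$/.test(meta[field])) errors.push(field + " must be an integer");
  }
  if (meta.Severity && !SEVERITIES.includes(meta.Severity)) {
    errors.push("Severity must be Low, Medium or High");
  }
  return { meta, errors };
}

// Constructed samples: GOOD mirrors the page's example header, BAD is deliberately invalid.
const GOOD = ["/*", " * Name: Example.General.Has_Form_Tag", " * Version: 1",
  " * ID: 1000000", " * Message: Indicates if the page has a form tag",
  " * Severity: Low", " */", "function analyze(){}"].join("\n");
const BAD = ["/*", " * Name: Has_Form_Tag", " * Version: 1.5",
  " * Message: test", " * Severity: Critical", " */"].join("\n");

console.log(validateMetaData(GOOD).errors); // no errors expected
console.log(validateMetaData(BAD).errors);
```

Running such a check when definitions are imported rejects scripts whose header would otherwise be stored with a missing ID or an unrecognised severity.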