ThreatScript Definitions » History » Version 2
Luke Murphey, 04/10/2010 01:03 PM
| 1 | 1 | Luke Murphey | h1. ThreatScript Definitions |
|---|---|---|---|
| 2 | 1 | Luke Murphey | |
| 3 | 1 | Luke Murphey | ThreatScript Definitions are written in ECMAScript (basically the same as JavaScript). The ThreatScript definitions return a Result object which indicates whether a match was observed. |
| 4 | 1 | Luke Murphey | |
| 5 | 1 | Luke Murphey | h2. ThreatScript Example |
| 6 | 1 | Luke Murphey | |
| 7 | 1 | Luke Murphey | Below is an example of a ThreatScript that triggers if the web-page has a form element. |
| 8 | 1 | Luke Murphey | |
| 9 | 1 | Luke Murphey | <pre><code class="javascript"> |
| 10 | 1 | Luke Murphey | /* |
| 11 | 1 | Luke Murphey | * Name: Example.General.Has_Form_Tag |
| 12 | 1 | Luke Murphey | * Version: 1 |
| 13 | 1 | Luke Murphey | * ID: 1000000 |
| 14 | 1 | Luke Murphey | * Message: Indicates if the page has as a form tag |
| 15 | 1 | Luke Murphey | * Severity: Low |
| 16 | 1 | Luke Murphey | */ |
| 17 | 1 | Luke Murphey | |
| 18 | 1 | Luke Murphey | importPackage(Packages.ThreatScript); |
| 19 | 1 | Luke Murphey | importPackage(Packages.HTTP); |
| 20 | 1 | Luke Murphey | |
| 21 | 1 | Luke Murphey | function analyze( httpResponse, operation, variables, environment, defaultRule ){ |
| 22 | 1 | Luke Murphey | |
| 23 | 1 | Luke Murphey | var parser = httpResponse.getDocumentParser(); |
| 24 | 1 | Luke Murphey | var location = new URL( httpResponse.getLocation() ); |
| 25 | 1 | Luke Murphey | |
| 26 | 1 | Luke Murphey | //Get a list of all script tags |
| 27 | 1 | Luke Murphey | var tagNameFilter = new TagNameFilter("form"); |
| 28 | 1 | Luke Murphey | var nodesList = parser.extractAllNodesThatMatch(tagNameFilter); |
| 29 | 1 | Luke Murphey | if( nodesList.size() > 0 ){ |
| 30 | 1 | Luke Murphey | return new Result( true, "A form was detected" ); |
| 31 | 1 | Luke Murphey | } |
| 32 | 1 | Luke Murphey | |
| 33 | 1 | Luke Murphey | return new Result( false, "No forms detected" ); |
| 34 | 1 | Luke Murphey | } |
| 35 | 1 | Luke Murphey | </code> |
| 36 | 1 | Luke Murphey | </pre> |
| 37 | 2 | Luke Murphey | |
| 38 | 2 | Luke Murphey | h2. Meta-Data |
| 39 | 2 | Luke Murphey | |
| 40 | 2 | Luke Murphey | ThreatScripts must provide a meta-data that indicates the following information: |
| 41 | 2 | Luke Murphey | |
| 42 | 2 | Luke Murphey | | *Name* | *Valid Input* | *Notes* | |
| 43 | 2 | Luke Murphey | | Name | <category>.<sub_category>.<definition_name> | | |
| 44 | 2 | Luke Murphey | | Version | integer | | |
| 45 | 2 | Luke Murphey | | ID | integer | | |
| 46 | 2 | Luke Murphey | | Message | message to be displayed when definition matches | | |
| 47 | 2 | Luke Murphey | | Severity| Either: Low, Medium or High | | |
| 48 | 2 | Luke Murphey | |
| 49 | 2 | Luke Murphey | {{include(Definition_Naming_Convention)}} |