Project

General

Profile

History

Start Here » User Guide » Writing Definitions »

ThreatScript Definitions » History » Version 2

Version 1 (Luke Murphey, 04/10/2010 01:01 PM) → Version 2/26 (Luke Murphey, 04/10/2010 01:03 PM)

h1. ThreatScript Definitions

ThreatScript Definitions are written in ECMAScript (basically the same as JavaScript). The ThreatScript definitions return a Result object which indicates whether a match was observed.

h2. Meta-Data

ThreatScripts must provide a meta-data that indicates the following information:

| *Name* | *Valid Input* | *Notes* |
| Name | <category>.<sub_category>.<definition_name> | |
| Version | integer | |
| ID | integer | |
| Message | message to be displayed when definition matches | |
| Severity| Either: Low, Medium or High | |

h2. ThreatScript Example

Below is an example of a ThreatScript that triggers if the web-page has a form element.

<pre><code class="javascript">
/*
* Name: Example.General.Has_Form_Tag
* Version: 1
* ID: 1000000
* Message: Indicates if the page has as a form tag
* Severity: Low
*/

importPackage(Packages.ThreatScript);
importPackage(Packages.HTTP);

function analyze( httpResponse, operation, variables, environment, defaultRule ){

var parser = httpResponse.getDocumentParser();
var location = new URL( httpResponse.getLocation() );

//Get a list of all script tags
var tagNameFilter = new TagNameFilter("form");
var nodesList = parser.extractAllNodesThatMatch(tagNameFilter);
if( nodesList.size() > 0 ){
return new Result( true, "A form was detected" );
}

return new Result( false, "No forms detected" );
}
</code>
</pre>

h2. Meta-Data

ThreatScripts must provide a meta-data that indicates the following information:

| *Name* | *Valid Input* | *Notes* |
| Name | <category>.<sub_category>.<definition_name> | |
| Version | integer | |
| ID | integer | |
| Message | message to be displayed when definition matches | |
| Severity| Either: Low, Medium or High | |

{{include(Definition_Naming_Convention)}}