Project

General

Profile

ThreatScript Definitions » History » Version 4

Luke Murphey, 04/10/2010 02:33 PM

1 1 Luke Murphey
h1. ThreatScript Definitions
2 1 Luke Murphey
3 1 Luke Murphey
ThreatScript Definitions are written in ECMAScript (basically the same as JavaScript). The ThreatScript definitions return a Result object which indicates whether a match was observed.
4 1 Luke Murphey
5 1 Luke Murphey
h2. ThreatScript Example
6 1 Luke Murphey
7 1 Luke Murphey
Below is an example of a ThreatScript that triggers if the web-page has a form element.
8 1 Luke Murphey
9 1 Luke Murphey
<pre><code class="javascript">
10 1 Luke Murphey
/*
11 1 Luke Murphey
 * Name: Example.General.Has_Form_Tag
12 1 Luke Murphey
 * Version: 1
13 1 Luke Murphey
 * ID: 1000000
14 1 Luke Murphey
 * Message: Indicates if the page has as a form tag
15 1 Luke Murphey
 * Severity: Low
16 1 Luke Murphey
 */
17 1 Luke Murphey
18 1 Luke Murphey
importPackage(Packages.ThreatScript);
19 1 Luke Murphey
importPackage(Packages.HTTP);
20 1 Luke Murphey
21 1 Luke Murphey
function analyze( httpResponse, operation, variables, environment, defaultRule ){
22 1 Luke Murphey
23 1 Luke Murphey
	var parser = httpResponse.getDocumentParser();
24 1 Luke Murphey
	var location = new URL( httpResponse.getLocation() );
25 1 Luke Murphey
26 1 Luke Murphey
	//Get a list of all script tags
27 1 Luke Murphey
	var tagNameFilter = new TagNameFilter("form");
28 1 Luke Murphey
	var nodesList = parser.extractAllNodesThatMatch(tagNameFilter); 
29 1 Luke Murphey
        if( nodesList.size() > 0 ){
30 1 Luke Murphey
	     return new Result( true, "A form was detected" );
31 1 Luke Murphey
	}
32 1 Luke Murphey
        
33 1 Luke Murphey
	return new Result( false, "No forms detected" );
34 1 Luke Murphey
}
35 1 Luke Murphey
</code>
36 1 Luke Murphey
</pre>
37 2 Luke Murphey
38 3 Luke Murphey
h2. Analysis Function
39 3 Luke Murphey
40 3 Luke Murphey
ThreatScripts must provide an analyze function that takes 5 arguments:
41 3 Luke Murphey
42 3 Luke Murphey
| *Name*       | *Type* | *Note* |
43 4 Luke Murphey
| httpResponse |        | See source:/trunk/src/net/lukemurphey/nsia/scan/HttpResponseData.java       |
44 4 Luke Murphey
| operation    |        | See source:trunk/src/net/lukemurphey/nsia/scan/ScriptDefinition.java#L38       |
45 4 Luke Murphey
| variables    |        | See source:trunk/src/net/lukemurphey/nsia/scan/Variables.java       |
46 3 Luke Murphey
| environment  |        |        |
47 3 Luke Murphey
| defaultRule  |        |        |
48 1 Luke Murphey
49 1 Luke Murphey
h2. Baseline Function
50 1 Luke Murphey
51 4 Luke Murphey
ThreatScripts may declare a baseline function that will allow the definition to be configured to baseline itself against the previous set of scan results. The baseline function is called by NSIA when a user presses the baseline method for a rule. The objective of the baseline function is to view the provided scan results and ignore the particular finding for the given resource in the future. For example, a definition that triggers when the hash of the web-page changes may define a baseline function that causes it to not trigger unless the web-page hashes changes to yet another value.
52 4 Luke Murphey
53 4 Luke Murphey
Below is an example:
54 4 Luke Murphey
55 4 Luke Murphey
<pre>
56 4 Luke Murphey
<code class="javascript">
57 4 Luke Murphey
function baseline( environment ){
58 4 Luke Murphey
	var previousValue = environment.get("LastObservedHash");
59 4 Luke Murphey
60 4 Luke Murphey
	if( previousValue != null && previousValue.getValue() != null ){
61 4 Luke Murphey
		environment.set("Hash", previousValue.getValue() );
62 4 Luke Murphey
	}
63 4 Luke Murphey
64 4 Luke Murphey
	return true;
65 4 Luke Murphey
}
66 4 Luke Murphey
</code>
67 4 Luke Murphey
</pre>
68 4 Luke Murphey
69 3 Luke Murphey
70 3 Luke Murphey
71 1 Luke Murphey
h2. Meta-Data
72 1 Luke Murphey
73 1 Luke Murphey
ThreatScripts must provide a meta-data that indicates the following information:
74 1 Luke Murphey
75 3 Luke Murphey
| *Name*  | *Valid Input*                                      | *Notes* |
76 3 Luke Murphey
| Name    | <category>.<sub_category>.<definition_name>        |         |
77 3 Luke Murphey
| Version | integer                                            | Should be incremented each time the definition is updated |
78 3 Luke Murphey
| ID      | integer                                            | Must be 1000000 or greater (only official definitions can be less than 1000000)        |
79 3 Luke Murphey
| Message | message to be displayed when definition matches    |         |
80 3 Luke Murphey
| Severity| Either: Low, Medium or High                        |         |
81 3 Luke Murphey
| Invasive| Either: True or False (this argument is optional)  |         |
82 1 Luke Murphey
83 3 Luke Murphey
This meta-data is provided in a comment as name-value pairs (see above ThreatScript example).
84 3 Luke Murphey
85 1 Luke Murphey
{{include(Definition_Naming_Convention)}}
86 3 Luke Murphey
87 3 Luke Murphey
h2. Available Packages
88 3 Luke Murphey
89 3 Luke Murphey
A series of packages are available to ThreatScripts in order to perform analysis.
90 3 Luke Murphey
91 3 Luke Murphey
| *Package*            | *Class*            | *Description*                                     |
92 3 Luke Murphey
|/2.HTTP               | URL                | Same as java.net.URL                              |
93 3 Luke Murphey
                       | TagNameFilter      | See http://htmlparser.sourceforge.net/javadoc/org/htmlparser/filters/TagNameFilter.html |
94 3 Luke Murphey
|<default>             | StringUtils        | Provides a trim function for Strings, see source:/trunk/src/net/lukemurphey/nsia/scan/scriptenvironment/StringUtils.java              |
95 3 Luke Murphey
|/2.ThreatScript       | Result             | Indicates the results of analysis, see source:/trunk/src/net/lukemurphey/nsia/scan/Result.java                 |
96 3 Luke Murphey
                       | DataAnalysis       | Provides functions useful for analysis, see source:/trunk/src/net/lukemurphey/nsia/scan/ScriptSignatureUtils.java            |