OWASP Data Exchange Format Project

Main
At the moment, exchanging data between pentest tools is far too difficult.

So ... the purpose of this project is to define a simple, open format for exchanging data between pentest tools!

Involvement is encouraged, so if you would like to contribute to this project then please join the mailing list and / or contact one of the project leaders.

At the moment this project is hosted at GitHub: https://github.com/TomStageDK/OWASP-DEF

New project leader: Tom Stage. I am working on updating this Wiki, and I will do so when I have the time.

Old project leader(s): contact Simon or Dinis.

Requirements
The format must be open, and licensed so that it can be adopted by all products, whether open, closed, free or commercial.

It must be as simple to adopt as possible, and ideally based on existing open formats.

Roadmap
The high level roadmap is:


 * 1) Tom Stage to document a strawman proposal
 * 2) Map known XML format outputs from known vulnerability scanners to the strawman and, if these cannot be mapped, document / implement changes to the strawman.
 * 3) All - rip the strawman to pieces and agree an improved format
 * 4) Finalize DEF v1.0
 * 5) Supporting project leaders to adopt the format in their tools
 * 6) Publicize and drive adoption in other tools
 * 7) Learn from our experiences and start on the next version, repeat ;)

Strawman
The strawman as it looks today (03-06-2014). For the latest strawman, visit the GitHub page above.

This tab documents a strawman proposal for all concerned to rip to pieces :)

This strawman supports 3 different types of scans: Dynamic, Static and Info.

         Scan specific reference
         Date and time the session was started
         Name of the tool that found the issue
         Version of the tool that found the issue
         Arguments used to perform the scan
         <Software-Additional> </Software-Additional>
         <Vulnerability Severity="The Severity">
           <Finding NativeID="The internal Test ID" IdentifiedTimestamp="DateTime stamp for when we found this vulnerability" UniqueID="The Software unique ID for this Finding">
             <Summary>A short (one line) description</Summary>
             <Description>More detailed description</Description>
             <Confidence>One of an agreed list of values</Confidence>
             <Background>More info on the type of issue</Background>
             <Remediation>Advice on how to fix the issue</Remediation>
             <Further-Information>
               <Further-Info name="The name" url="The URL to further information" />
             </Further-Information>
             <Classifications>
               <Classification type="The Classification System" id="Classification ID" href="The URL to the Classification description">The Title for the Classification</Classification>
             </Classifications>
             <Additional-Data> </Additional-Data>
             <Page>
               <Page-Reference>Product specific reference e.g. Page Title</Page-Reference>
               <URL>The URL that the Vulnerability was found on</URL>
               <Method>HTTP method (GET, POST, etc)</Method>
               <HTTPVersion>The HTTP Version</HTTPVersion>
               <StatusCode>The HTTP Status code</StatusCode>
               <Language>The detected Language of the Web Application</Language>
               <Parameters>
                 <Parameter>The parameter the vulnerability was found with</Parameter>
               </Parameters>
               <Request-Response>
                 <Request>
                   <Request-Raw>The RAW HTTP Request</Request-Raw>
                   <Request-Headers> </Request-Headers>
                   <Request-Cookie> </Request-Cookie>
                   <Additional-RequestData> </Additional-RequestData>
                 </Request>
                 <Response>
                   <Response-Raw>The RAW HTTP Response</Response-Raw>
                   <Response-Headers> </Response-Headers>
                   <Response-Cookie> </Response-Cookie>
                   <Additional-ResponseData> </Additional-ResponseData>
                   <Response-ScreenShot>Base64 Encoded Screen Shot</Response-ScreenShot>
                 </Response>
               </Request-Response>
             </Page>
           </Finding>
         </Vulnerability>
       </Port>
     </Host>
   </Scan>
   <Scan type="static">
     <Software-Name>The name of the Software that did the scan</Software-Name>
     <Software-Version>The version of the Software that did the scan</Software-Version>
     <Software-Arguments>Arguments used to perform the scan</Software-Arguments>
     <Software-Additional> </Software-Additional>
     <Vulnerability Severity="The Severity">
       <Finding NativeID="The internal Test ID" IdentifiedTimestamp="DateTime stamp for when we found this vulnerability" UniqueID="The Software unique ID for this Finding">
         <Summary>A short (one line) description</Summary>
         <Description>More detailed description</Description>
         <Confidence>One of an agreed list of values</Confidence>
         <Background>More info on the type of issue</Background>
         <Remediation>Advice on how to fix the issue</Remediation>
         <Further-Information>
           <Further-Info>More information about this specific issue</Further-Info>
         </Further-Information>
         <Classifications>
           <Classification type="The Classification System" id="Classification ID" href="The URL to the Classification description">The Title for the Classification</Classification>
         </Classifications>
     </Software-Additional>
     <Host name="Hostname" ip-address="Either IPv4 or IPv6 Address">
       <Scan-Info> </Scan-Info>
       <Port protocol="tcp / udp" portid="The Port Number">
         <Service name="Name of the Service" product="Product Name" version="Product Version" />
         <Scan-Data> </Scan-Data>
       </Port>
     </Host>
   </Scan>
 </OWASP-DEF>
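
A minimal consumer for the static-scan part of the strawman above, as an added example that is not part of the project's own code: it refuses any document carrying a DTD, since the input is a report produced by another tool, and flattens each Finding into a dict. The sample document, its values and the names `load_findings` and `SAMPLE_DEF` are constructed here; the element and attribute names are the ones visible in the strawman.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample: uses only element and attribute names visible in the
# static-scan part of the strawman; every value is made up for illustration.
SAMPLE_DEF = b"""<OWASP-DEF>
  <Scan type="static">
    <Software-Name>ExampleScanner</Software-Name>
    <Vulnerability Severity="High">
      <Finding NativeID="T-100" IdentifiedTimestamp="2014-06-03T10:00:00Z" UniqueID="f-1">
        <Summary>SQL built by string concatenation</Summary>
        <Confidence>Medium</Confidence>
        <Classifications>
          <Classification type="CWE" id="89" href="https://cwe.mitre.org/data/definitions/89.html">SQL Injection</Classification>
        </Classifications>
      </Finding>
    </Vulnerability>
  </Scan>
</OWASP-DEF>"""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise ValueError("DOCTYPE not allowed in DEF input")


def load_findings(data: bytes) -> list:
    """Hypothetical consumer: flatten every Finding into a dict."""
    # Pre-pass with expat: refuse any DTD so entity declarations in a
    # report received from another tool never reach the real parse.
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_doctype
    checker.Parse(data, True)

    findings = []
    for scan in ET.fromstring(data).iter("Scan"):
        tool = scan.findtext("Software-Name", default="")
        for vuln in scan.iter("Vulnerability"):
            for f in vuln.iter("Finding"):
                findings.append({
                    "scan_type": scan.get("type"),
                    "tool": tool.strip(),
                    "severity": vuln.get("Severity"),
                    "id": f.get("UniqueID"),
                    "summary": (f.findtext("Summary") or "").strip(),
                    "classes": [(c.get("type"), c.get("id"))
                                for c in f.iter("Classification")],
                })
    return findings
```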

Supporting projects
The following project leaders have agreed to support this format and (once it has been agreed) adopt it within their projects.

If you would like your project added to this list then feel free to update it, or contact one of the project leaders to update it for you.