OWASP Data Exchange Format Project

From OWASP

Main

At the moment, exchanging data between pentest tools is far too difficult.

So the purpose of this project is to define a simple, open format for exchanging data between pentest tools!

Involvement is encouraged, so if you would like to contribute to this project then please join the mailing list and / or contact one of the project leaders.

There's also a Google Code project http://code.google.com/p/owasp-def/ which we're using to store things like example formats used by pentest products. Contact Simon or Dinis to get commit access to this project.

Requirements

The format must be open, and licensed so that it can be adopted by all products, whether open, closed, free or commercial.

It must be as simple to adopt as possible, and ideally based on existing open formats.

Roadmap

The high level roadmap is:

  1. Psiinon to document a strawman proposal
  2. All - rip the strawman to pieces and agree an improved format
  3. Finalize DEF v1.0
  4. Supporting project leaders to adopt the format in their tools
  5. Publicize and drive adoption in other tools
  6. Learn from our experiences and start on the next version, repeat ;)

Strawman

This tab documents a strawman proposal for all concerned to rip to pieces :)

<Session>
    <!-- Note that most of the elements will probably be optional-->
    <Session-reference>Product specific reference</Session-reference>
    <Tool-name>Name of the tool that found the issue</Tool-name>
    <Tool-version>Version of the tool that found the issue</Tool-version>
    <Date-time>Date and time the session was started</Date-time>
    <Summary>A short (one line) description</Summary>
    <Description>More detailed description</Description>
    <Site/>
    <Issues/>
    <Pages/>
    <Ports/>
</Session>

<Site>
    <Host>The hostname</Host>
    <Port>The port</Port>
</Site>

<Issues>
    <Issue/> <!-- multiple -->
</Issues>

<Issue>
    <Issue-reference>Product specific reference</Issue-reference>
    <Summary>A short (one line) description</Summary>
    <Description>More detailed description</Description>
    <Further-info>More information about this specific issue</Further-info>
    <Severity>One of an agreed list of values</Severity>
    <Confidence>One of an agreed list of values</Confidence>
    <Background>More info on the type of issue</Background>
    <Remediation>Advice on how to fix the issue</Remediation>
    <WASC-classification>WASC classification</WASC-classification>
    <Reference-URLs/>
    <Pages/>
</Issue>

<Pages>
    <Page/> <!-- multiple -->
</Pages>

<Page>
    <Page-reference>Product specific reference</Page-reference>
    <Method>HTTP method (GET, POST, etc)</Method>
    <URL>The actual URL</URL>
    <Parameters/>
    <Request-response/>
</Page>

<Ports>
    <Port/> <!-- multiple -->
</Ports>

<Port>
    <Port-number>Port number</Port-number>
    <Protocol>The protocol</Protocol>
    <State>The port state (e.g. open, closed, filtered)</State>
    <Service>e.g. http, https, ssh…</Service>
    <Version>e.g. OpenSSH 4.3 (protocol 2.0)</Version>
</Port>

<Parameters>
    <Parameter>The parameter</Parameter> <!-- multiple -->
</Parameters>

<Request-response>
    <Page-reference>Product specific reference</Page-reference>
    <Request>The base64 encoded request</Request>
    <Response>The base64 encoded response</Response>
</Request-response>
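To make the strawman concrete, here is an added example (not code from the DEF project or any of the supporting tools) that builds a <Session> document with the element names above, carries the request and response base64-encoded as the strawman requires, and parses such a document back into plain Python structures. The strawman leaves the Severity and Confidence value lists to be agreed, so the lists used here, the tool name, the host and the sample finding are all constructed for the example.

```python
"""Build and parse a DEF strawman <Session> document (added example, not
project code). Element names follow the strawman; value lists and sample
data are assumed/constructed."""
import base64
import xml.etree.ElementTree as ET

# The strawman only says these are "one of an agreed list of values"; no list
# has been agreed yet, so these are assumed placeholders for the example.
SEVERITY_VALUES = ("Info", "Low", "Medium", "High")
CONFIDENCE_VALUES = ("Low", "Medium", "High")


def _child(parent, tag, text=None):
    """Append a child element, optionally with text content."""
    el = ET.SubElement(parent, tag)
    if text is not None:
        el.text = text
    return el


def encode_message(raw: bytes) -> str:
    """Request/Response are base64-encoded so binary bodies survive XML."""
    return base64.b64encode(raw).decode("ascii")


def decode_message(text):
    """Strict decode: reject anything that is not well-formed base64."""
    return base64.b64decode(text or "", validate=True)


def add_issue(issues_el, issue):
    """Append one <Issue> (with its <Pages>) to an <Issues> element."""
    if issue["severity"] not in SEVERITY_VALUES:
        raise ValueError("unknown severity: %r" % issue["severity"])
    if issue["confidence"] not in CONFIDENCE_VALUES:
        raise ValueError("unknown confidence: %r" % issue["confidence"])
    el = _child(issues_el, "Issue")
    _child(el, "Issue-reference", issue["reference"])
    _child(el, "Summary", issue["summary"])
    _child(el, "Severity", issue["severity"])
    _child(el, "Confidence", issue["confidence"])
    _child(el, "Remediation", issue["remediation"])
    pages = _child(el, "Pages")
    for page in issue["pages"]:
        p = _child(pages, "Page")
        _child(p, "Page-reference", page["reference"])
        _child(p, "Method", page["method"])
        _child(p, "URL", page["url"])
        params = _child(p, "Parameters")
        for name in page["parameters"]:
            _child(params, "Parameter", name)
        rr = _child(p, "Request-response")
        _child(rr, "Page-reference", page["reference"])
        _child(rr, "Request", encode_message(page["request"]))
        _child(rr, "Response", encode_message(page["response"]))
    return el


def build_session(tool_name, tool_version, started, host, port, issues):
    """Create a <Session> root for one scanned site with the given issues."""
    session = ET.Element("Session")
    _child(session, "Session-reference", "session-1")  # constructed reference
    _child(session, "Tool-name", tool_name)
    _child(session, "Tool-version", tool_version)
    _child(session, "Date-time", started)
    site = _child(session, "Site")
    _child(site, "Host", host)
    _child(site, "Port", str(port))
    issues_el = _child(session, "Issues")
    for issue in issues:
        add_issue(issues_el, issue)
    return session


def parse_session(xml_text):
    """Read a DEF document from another tool back into plain dicts.
    Such documents are untrusted input: a real consumer should use a parser
    hardened against entity expansion (e.g. the defusedxml package)."""
    root = ET.fromstring(xml_text)
    if root.tag != "Session":
        raise ValueError("root element must be <Session>, got <%s>" % root.tag)
    out = {"tool": root.findtext("Tool-name"),
           "host": root.findtext("Site/Host"), "issues": []}
    for issue in root.iterfind("Issues/Issue"):
        pages = []
        for page in issue.iterfind("Pages/Page"):
            pages.append({
                "method": page.findtext("Method"),
                "url": page.findtext("URL"),
                "parameters": [p.text for p in page.iterfind("Parameters/Parameter")],
                "request": decode_message(page.findtext("Request-response/Request")),
                "response": decode_message(page.findtext("Request-response/Response")),
            })
        out["issues"].append({"summary": issue.findtext("Summary"),
                              "severity": issue.findtext("Severity"),
                              "pages": pages})
    return out


# Constructed sample finding: a Server header that discloses a version string.
SAMPLE_ISSUE = {
    "reference": "issue-42", "summary": "Server header discloses software version",
    "severity": "Low", "confidence": "High",
    "remediation": "Configure the server to omit the version from the Server header.",
    "pages": [{
        "reference": "page-7", "method": "GET",
        "url": "http://www.example.com/search?q=def", "parameters": ["q"],
        "request": b"GET /search?q=def HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "response": b"HTTP/1.1 200 OK\r\nServer: ExampleHTTPd/1.0\r\n\r\n",
    }],
}


def round_trip():
    """Serialise the sample session to XML text and parse it back."""
    session = build_session("ExampleScanner", "0.1", "2010-01-01T00:00:00Z",
                            "www.example.com", 80, [SAMPLE_ISSUE])
    return parse_session(ET.tostring(session, encoding="unicode"))


if __name__ == "__main__":
    print(round_trip())
```

The writer rejects Severity and Confidence values outside the (assumed) agreed lists, and the reader uses a strict base64 decode so a malformed Request or Response fails loudly instead of silently producing garbage; both are the kind of checks a tool adopting the format would want at its boundary.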

Supporting projects

The following project leaders have agreed to support this format and (once it has been agreed) adopt it within their projects.

If you would like your project added to this list then feel free to update it, or contact one of the project leaders to update it for you.

Project             Leader
Burp Suite          Dafydd Stuttard (PortSwigger)
O2 Platform         Dinis Cruz
WebScarab           Daniel Brzozowski
Zed Attack Proxy    Simon Bennetts (Psiinon)
Yasca               Michael Scovetta (Scovetta)

Project About

Name: OWASP Data Exchange Format Project (home page)
Purpose: To define an open format for exchanging data between pentest tools.
License: Apache License 2.0
Project Pamphlet: Not Yet Created
Mailing list: Mailing List Archives
Project Roadmap: View

Key Contacts
  • Contact Psiinon to contribute to this project
  • Contact Psiinon to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.

Current release: Not Yet Published
Last reviewed release: Not Yet Reviewed