OWASP Data Exchange Format Project

Revision as of 07:24, 26 July 2011 by Psiinon (talk | contribs)

Jump to: navigation, search


At the moment exchanging data between pentest tools it is far too difficult.

So ... the purpose of this project is to define a simple, open format for exchanging data between pentest tools!

Involvement is encouraged, so if you would like to contribute to this project then please join the mailing list and / or contact one of the project leaders.

Theres also a Google Code project http://code.google.com/p/owasp-def/ which we're using to store things like example formats used by pentest products. Contact Simon or Dinis to get commit access to this project.


The format must be open, and licensed so that it can be adopted by all products, whether open, closed, free or commercial.

It must be as simple to adopt as possible, and ideally based on existing open formats.


The high level roadmap is:

  1. Psiinon to document a strawman proposal
  2. All - rip the strawman to pieces and agree an improved format
  3. Finalize DEF v1.0
  4. Supporting project leaders to adopt the format in their tools
  5. Publicize and drive adoption in other tools
  6. Learn from our experiences and start on the next version, repeat ;)


This tab will document a strawman proposal for all concerned to rip to pieces :)

Rather than diving into the detail of the format I think its worth agreeing some of the proposed characteristics of v1.0:

  • The format will be JSON (to make it as simple as possible)
  • Products can generate and/or consume DEF
  • Products will be able to generate DEF via a defined REST interface and/or simple files - products can choose
  • Products which consume DEF must support both REST and file options
  • There will be minimal security (but REST based services can limit by IP addr)
  • The data model will cover: hosts, ports, sites (host:port), urls, issues, requests/responses
  • Products can generate a subset of DEF, the level support will be described in the DEF

Supporting projects

The following project leaders have agreed to support this format and (once it has been agreed) adopt it within their projects.

If you would like your project added to this list then feel free to update it, or contact one of the project leaders to update it for you.

Project Leader
Burp Suite Dafydd Stuttard (PortSwigger)
O2 Platform Dinis Cruz
WebScarab Daniel Brzozowski
Zed Attack Proxy Simon Bennetts (Psiinon)
Yasca Michael Scovetta (Scovetta)

Project About

What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: OWASP Data Exchange Format Project (home page)
Purpose: To define an open format for exchanging data between pentest tools.
License: Apache License 2.0
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation:
Mailing list: Mailing List Archives
Project Roadmap: View
Main links:
Key Contacts
  • Contact Psiinon @ to contribute to this project
  • Contact Psiinon @ to review or sponsor this project
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed

other releases