OWASP Data Exchange Format Project

Main
At the moment exchanging data between pentest tools it is far too difficult.

So ... the purpose of this project is to define a simple, open format for exchanging data between pentest tools!

Involvement is encouraged, so if you would like to contribute to this project then please join the mailing list and / or contact one of the project leaders.

Theres also a Google Code project http://code.google.com/p/owasp-def/ which we're using to store things like example formats used by pentest products. Contact Simon or Dinis to get commit access to this project.

Requirements
The format must be open, and licensed so that it can be adopted by all products, whether open, closed, free or commercial.

It must be as simple to adopt as possible, and ideally based on existing open formats.

Roadmap
The high level roadmap is:


 * 1) Psiinon to document a strawman proposal
 * 2) All - rip the strawman to pieces and agree an improved format
 * 3) Finalize DEF v1.0
 * 4) Supporting project leaders to adopt the format in their tools
 * 5) Publicize and drive adoption in other tools
 * 6) Learn from our experiences and start on the next version, repeat ;)

Strawman
This tab documents a strawman proposal for all concerned to rip to pieces :)

 Product specific reference Name of the tool that found the issue Version of the tool that found the issue Date and time the session was started A sort (one line) description More detailed description    <Ports/> </Session>

<Site> <Host>The hostname</Host> <Port>The port</Port> </Site>

<Issues> <Issue/> </Issues>

<Issue> <Issue-reference>Product specific reference</Issue-reference> A sort (one line) description</Summary> More detailed description</Description> <Further-info>More information about this specific issue</Further-info> <Severity>One of an agreed list of values</Severity> <Confidence>One of an agreed list of values</Confidence> <Background>More info on the type of issue</Background> <Remediation>Advise on how to fix the issue</Remediation> <WASC-classification>WASC classification</WASC-classification> <Reference-URLs/> <Pages/> </Issue>

<Pages> <Page/> </Pages>

<Page> <Page-reference>Product specific reference</Page-reference> <Method>HTTP method (GET, POST, etc)</Method> <URL>The actual URL</URL> <Parameters/> <Request-response/> </Page>

<Ports> <Port/> </Ports>

<Port> <Port-number>Port number</Port-number> <Protocol>The protocol</Protocol> <State>The protocol</State> <Service>e.g. http, https, ssh…</Service> <Version>e.g. OpenSSH 43.(protocol 2.0)</Version> </Port>

<Parameters> <Parameter>The parameter</Parameter> </Parameters>

<Request-response> <Page-reference>Product specific reference</Page-reference> <Request>The base64 encoded request</Request> <Response>The base64 encoded request</Response> </Request-response>

Supporting projects
The following project leaders have agreed to support this format and (once it has been agreed) adopt it within their projects.

If you would like your project added to this list then feel free to update it, or contact one of the project leaders to update it for you.