
Kiuwan provides native support for processing XML files, i.e. Kiuwan ships off-the-shelf XML rules that fire when the application source code contains XML files.

To apply those rules, Kiuwan uses an XML parser that checks the well-formedness of each XML file.

If an XML file is not well-formed (it does not comply with the XML format), Kiuwan reports it and that file is not processed further by Kiuwan's XML rules.

XML is a markup language, not a programming language. This means that XML files are usually marked-up data files rather than procedural logic.

Some XML files are well known, i.e. "standardized" XML files broadly used by public frameworks and/or products. Once an XML format is standardized, Kiuwan can provide rules that check for specific conditions in it.

In this sense, Kiuwan provides more than 20 XML rules addressing Struts 1 and XSLT specific conditions.

Just open CQM and search for rules for the XML language.

These XML rules are deactivated by default in CQM (the default model).

If your application uses any of those frameworks (Struts 1 and/or XSLT), you can activate them and Kiuwan will apply those rules when it finds XML files within your application code.

Why are they deactivated? Because those rules are specific to those frameworks and, if activated, Kiuwan would process every XML file of your application trying to apply them. If your application does not use any of those frameworks, the XML scan would be a waste of time and resources.

Apart from these XML-specific rules, there are other rules (Java, .NET, etc.) that read specific XML files (web.xml, .wsdl files, etc.) to accomplish the rule's goal.

  • For example, there are rules that check for misconfiguration of security properties in web.xml descriptors. These rules process this "standard" XML file (web.xml) looking for misconfigurations.

  • Another example is WSDL files, which describe XML SOAP services. Kiuwan provides rules that check specific conditions on such files (signatures, encryption, etc.).

If you need to check specific conditions in your own XML files, you can build your own rules using the Kiuwan APIs.
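The following is an added example, written for this page and not Kiuwan's own code or one of its rules, of the two-stage processing described above: a well-formedness gate that drops files the parser rejects, followed by a descriptor-specific rule that only fires on a web.xml. The rule's checks (session-cookie http-only and secure flags, transport-guarantee on security constraints) and the sample descriptors are constructed for illustration; the page does not list which properties Kiuwan's web.xml rules cover.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors for this example (not from any real application).
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>false</http-only>
    </cookie-config>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# <session-config> is never closed, so this file is not well-formed.
MALFORMED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
</web-app>
"""

# Well-formed, but not a web.xml: the descriptor rule must not fire on it.
OTHER_XML = "<struts-config><form-beans/></struts-config>"


def parse_xml(text):
    """Stage 1: well-formedness gate. Returns the root element, or None for a
    file the parser rejects; such a file gets no further rule processing.
    Caveat (assumption for production use): an analyzer parses untrusted
    files, so prefer a parser with external entities and entity expansion
    disabled (e.g. defusedxml) over the bare stdlib parser used here."""
    try:
        return ET.fromstring(text)
    except ET.ParseError:
        return None


def check_web_xml(root):
    """Stage 2: a constructed descriptor rule. These checks are this example's
    own illustration of 'security properties in web.xml', not Kiuwan's rules.
    '{*}' matches any namespace (Python >= 3.8)."""
    findings = []
    cookie = root.find("{*}session-config/{*}cookie-config")
    for setting in ("http-only", "secure"):
        value = cookie.findtext("{*}" + setting, default="") if cookie is not None else ""
        if value.strip().lower() != "true":
            findings.append(f"session cookie <{setting}> is not set to true")
    for constraint in root.findall("{*}security-constraint"):
        name = constraint.findtext("{*}web-resource-collection/{*}web-resource-name", default="?")
        guarantee = constraint.findtext(
            "{*}user-data-constraint/{*}transport-guarantee", default="NONE").strip().upper()
        if guarantee != "CONFIDENTIAL":
            findings.append(f"security-constraint '{name}' allows transport-guarantee {guarantee}")
    return findings


def scan(text):
    """Run both stages on one file. Returns (status, findings)."""
    root = parse_xml(text)
    if root is None:
        return "not well-formed", []
    if root.tag.split("}")[-1] != "web-app":
        return "skipped", []  # well-formed, but not a web.xml
    return "ok", check_web_xml(root)


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML),
                       ("malformed", MALFORMED_WEB_XML), ("other", OTHER_XML)):
        print(label, *scan(doc))
```

The malformed descriptor never reaches the rule, which is the behaviour the page describes; the Struts configuration is well-formed but skipped because the rule is bound to a specific descriptor, which is why framework-specific rules cost a full XML pass when they are activated on an application that does not use the framework.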


