[Ivil-discussion] Some ideas for updating the schema
Intermediate Vulnerability Information Language is an XML schema fo
Status: Beta
Brought to you by:
frank_breedijk
From: <da...@ci...> - 2011-04-19 10:45:55
I'm interested in IVIL as a generic XML export mechanism to make all
those pithy little tools import into stuff to minimise the amount of
crap work we pen testers end up doing.
I'm also slightly peeved as I had a similar idea - though I didn't
actually do anything about it :-)
Anyway, looking at the schema it looks easy to use and read, though I
think that there's some room for improvement.
Name
I'd suggest that we pronounce it "evil", just for kicks and giggles -
it matches the English rules of pronunciation and sounds better than
"ivil"!
Addressee
I'd suggest "recipient" as an alternative name to match sender (though
it really makes no difference).
<programSpecificData> is a bit wordy for an XML tag, mostly these tend
to be simple and object orientated. As this should use the source we
need to define it so that the tags don't need expanding, so, something
like:
<ivil version="0.90">
  <recipient>
    <program>Dradis</program>
    <options>
      <option name="address">127.0.0.1:8045</option>
      <option name="user">fred</option>
      <option name="password">shelia</option>
    </options>
  </recipient>
(I'm not happy with <options> either - but it's all I could think of
at the moment).
Sender
Similar comments to <addressee>; we could do with removing the
underscore in scannertype (as most XML schemas tend to use a dash (-)
instead). We should also move the type of timestamp to ISO8601. An
attribute should also be used to specify what type of timestamp it is
(start/end etc.), for example:
  <sender>
    <scanner>Nikto</scanner>
    <options>
      <option name="version">2.1.4</option>
      <option name="plugins">scans,siebel,embedded</option>
    </options>
    <timestamp type="start">20110419T1056+01:00</timestamp>
  </sender>
(Once again, I'm not happy with options).
Findings
Per host and per finding won't cover several cases, for example web
based assessment on a vhost or a specific sub-site. I'd suggest
changing the <hosts> schema to <targets>.
I'd also like to see an evidence section (as I always try to include
evidence in my reports).
For severity, we should allow the option of CVSS severity as a separate type.
References shouldn't have locked tags for each reference, to allow
future expansion, so I'd suggest having something like <reference
type="osvdb"> and have a known list of valid references.
For example:
  <targets>
    <target>
      <identification type="url">http://fred.jim.com:843/</identification>
      <identification type="ip">127.0.0.1</identification>
      <identification type="path">/shelia</identification>
      <findings>
        <finding>
          <id>100010</id>
          <location type="url">http://fred.jim.com:843/shelia/404.aspx</location>
          <severity type="numeric">5</severity>
          <description>X-Powered-By HTTP Header found</description>
          <references>
            <reference type="osvdb">100</reference>
          </references>
          <evidence><![CDATA[ <!-- HTTP headers dump goes here --> ]]></evidence>
        </finding>
      </findings>
    </target>
  </targets>
</ivil>
The above are all suggestions which may or may not be good.
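To show how the proposed layout (<targets>, typed <identification>, typed <severity>, <reference type="...">, ISO 8601 <timestamp type="...">) would be consumed by an importer, here is an added example parser and checker. It is example code written for this discussion, not part of the IVIL project or of the post above; the sample document is constructed to match the proposal, and the whitelists of reference and severity types are assumptions standing in for the "known list of valid references" the post asks for.

```python
"""Parse and sanity-check an IVIL-style document laid out as proposed above.

Added example, not IVIL project code. Tag names follow the proposal in the
post; the sample document and the type whitelists are constructed for the
example.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumed whitelists standing in for the post's "known list of valid references"
# and for the two severity flavours it mentions (plain numeric and CVSS).
KNOWN_REFERENCE_TYPES = {"osvdb", "cve", "cwe", "url"}
KNOWN_SEVERITY_TYPES = {"numeric", "cvss"}

# Constructed sample in the proposed layout (not real scanner output).
# The second <reference> deliberately uses an unknown type so validate() flags it.
SAMPLE_IVIL = """<ivil version="0.90">
  <sender>
    <scanner>Nikto</scanner>
    <options>
      <option name="version">2.1.4</option>
    </options>
    <timestamp type="start">20110419T1056+01:00</timestamp>
    <timestamp type="end">20110419T1130+01:00</timestamp>
  </sender>
  <targets>
    <target>
      <identification type="url">http://fred.jim.com:843/</identification>
      <identification type="ip">127.0.0.1</identification>
      <findings>
        <finding>
          <id>100010</id>
          <location type="url">http://fred.jim.com:843/shelia/404.aspx</location>
          <severity type="numeric">5</severity>
          <description>X-Powered-By HTTP Header found</description>
          <references>
            <reference type="osvdb">100</reference>
            <reference type="bogus">123</reference>
          </references>
          <evidence><![CDATA[HTTP/1.1 404 Not Found
X-Powered-By: ASP.NET]]></evidence>
        </finding>
      </findings>
    </target>
  </targets>
</ivil>"""


def parse_timestamp(text):
    """Parse the ISO 8601 basic-format timestamp used in the proposal (YYYYMMDDThhmm+hh:mm)."""
    return datetime.strptime(text, "%Y%m%dT%H%M%z")


def parse_ivil(xml_text):
    """Turn an IVIL-style document into plain dicts an importer can work with."""
    root = ET.fromstring(xml_text)
    if root.tag != "ivil":
        raise ValueError("not an IVIL document")
    sender = root.find("sender")
    doc = {
        "version": root.get("version"),
        "scanner": sender.findtext("scanner"),
        # Typed timestamps keyed by their type attribute (start/end ...).
        "timestamps": {ts.get("type"): parse_timestamp(ts.text)
                       for ts in sender.findall("timestamp")},
        "targets": [],
    }
    for target in root.iter("target"):
        # Several identifications per target (url, ip, path ...) as proposed.
        ids = {i.get("type"): i.text for i in target.findall("identification")}
        findings = []
        for f in target.iter("finding"):
            sev = f.find("severity")
            findings.append({
                "id": f.findtext("id"),
                "location": f.findtext("location"),
                "severity": (sev.get("type"), sev.text),
                "description": f.findtext("description"),
                "references": [(r.get("type"), r.text) for r in f.iter("reference")],
                "evidence": f.findtext("evidence"),  # CDATA arrives as plain text
            })
        doc["targets"].append({"identification": ids, "findings": findings})
    return doc


def validate(doc):
    """Return a list of problems found in a parsed document; empty means it passed."""
    problems = []
    if "start" not in doc["timestamps"]:
        problems.append("sender has no start timestamp")
    for t in doc["targets"]:
        if not t["identification"]:
            problems.append("target without any identification")
        for f in t["findings"]:
            sev_type, sev_val = f["severity"]
            if sev_type not in KNOWN_SEVERITY_TYPES:
                problems.append(f"finding {f['id']}: unknown severity type {sev_type!r}")
            elif sev_type == "numeric" and not sev_val.isdigit():
                problems.append(f"finding {f['id']}: numeric severity is not an integer")
            elif sev_type == "cvss" and not 0.0 <= float(sev_val) <= 10.0:
                problems.append(f"finding {f['id']}: CVSS score out of range")
            for rtype, _ in f["references"]:
                if rtype not in KNOWN_REFERENCE_TYPES:
                    problems.append(f"finding {f['id']}: unknown reference type {rtype!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_ivil(SAMPLE_IVIL)
    for problem in validate(parsed):
        print("problem:", problem)
```

Keeping the reference and severity types as attribute values rather than fixed tags is what lets validate() stay a whitelist check instead of a schema change every time a new reference source appears. When the XML comes from a tool you do not control, parse it with a hardened parser (for instance the defusedxml package) rather than the stock ElementTree used here, since scanner output is effectively untrusted input to the importer.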