Added radicallyopensecurity/templates/xml

This version has been tagged 'templates' in the original repository
Peter Mosmans
2016-07-25 22:49:31 -07:00
parent 07565df7fe
commit 30c1ad0f7a
154 changed files with 13817 additions and 0 deletions

xml/COPYING Normal file

@@ -0,0 +1,674 @@
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for
software and other kinds of works.
The licenses for most software and other practical works are designed
to take away your freedom to share and change the works. By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users. We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors. You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights. Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received. You must make sure that they, too, receive
or can get the source code. And you must show them these terms so they
know their rights.
Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software. For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.
Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so. This is fundamentally incompatible with the aim of
protecting users' freedom to change the software. The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable. Therefore, we
have designed this version of the GPL to prohibit the practice for those
products. If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary. To prevent this, the GPL assures that
patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and
modification follow.
TERMS AND CONDITIONS
0. Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this
License. Each licensee is addressed as "you". "Licensees" and
"recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy. The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based
on the Program.
To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy. Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other
parties to make or receive copies. Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License. If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work
for making modifications to it. "Object code" means any non-source
form of a work.
A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form. A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities. However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work. For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.
The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.
The Corresponding Source for a work in source code form is that
same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met. This License explicitly affirms your unlimited
permission to run the unmodified Program. The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work. This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force. You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright. Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under
the conditions stated below. Sublicensing is not allowed; section 10
makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.
When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
b) The work must carry prominent notices stating that it is
released under this License and any conditions added under section
7. This requirement modifies the requirement in section 4 to
"keep intact all notices".
c) You must license the entire work, as a whole, under this
License to anyone who comes into possession of a copy. This
License will therefore apply, along with any applicable section 7
additional terms, to the whole of the work, and all its parts,
regardless of how they are packaged. This License gives no
permission to license the work in any other way, but it does not
invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display
Appropriate Legal Notices; however, if the Program has interactive
interfaces that do not display Appropriate Legal Notices, your
work need not make them do so.
A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit. Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
a) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by the
Corresponding Source fixed on a durable physical medium
customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product
(including a physical distribution medium), accompanied by a
written offer, valid for at least three years and valid for as
long as you offer spare parts or customer support for that product
model, to give anyone who possesses the object code either (1) a
copy of the Corresponding Source for all the software in the
product that is covered by this License, on a durable physical
medium customarily used for software interchange, for a price no
more than your reasonable cost of physically performing this
conveying of source, or (2) access to copy the
Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the
written offer to provide the Corresponding Source. This
alternative is allowed only occasionally and noncommercially, and
only if you received the object code with such an offer, in accord
with subsection 6b.
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided
you inform other peers where the object code and Corresponding
Source of the work are being offered to the general public at no
charge under subsection 6d.
A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling. In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage. For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product. A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.
"Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source. The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.
If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information. But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).
The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed. Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law. If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it. (Additional permissions may be written to require their own
removal in certain cases when you modify the work.) You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the
terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or
author attributions in that material or in the Appropriate Legal
Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or
requiring that modified versions of such material be marked in
reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or
authors of the material; or
e) Declining to grant rights under trademark law for use of some
trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that
material by anyone who conveys the material (or modified versions of
it) with contractual assumptions of liability to the recipient, for
any liability that these contractual assumptions directly impose on
those licensors and authors.
All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10. If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term. If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly
provided under this License. Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).
However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.
Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License. If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or
run a copy of the Program. Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance. However,
nothing other than this License grants you permission to propagate or
modify any covered work. These actions infringe copyright if you do
not accept this License. Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License. You are not responsible
for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations. If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License. For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based. The
work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version. For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement). To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.
If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients. "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.
A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License. You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.
Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.
12. No Surrender of Others' Freedom.
If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all. For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.
13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work. The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.
14. Revised Versions of this License.
The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation. If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.
If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.
Later license versions may give you additional or different
permissions. However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.
15. Disclaimer of Warranty.
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. Limitation of Liability.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.
17. Interpretation of Sections 15 and 16.
If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
state the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
Also add information on how to contact you by electronic and paper mail.
If the program does terminal interaction, make it output a short
notice like this when it starts in an interactive mode:
<program> Copyright (C) <year> <name of author>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, your program's commands
might be different; for a GUI interface, you would use an "about box".
You should also get your employer (if you work as a programmer) or school,
if any, to sign a "copyright disclaimer" for the program, if necessary.
For more information on this, and how to apply and follow the GNU GPL, see
<http://www.gnu.org/licenses/>.
The GNU General Public License does not permit incorporating your program
into proprietary programs. If your program is a subroutine library, you
may consider it more useful to permit linking proprietary applications with
the library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License. But first, please read
<http://www.gnu.org/philosophy/why-not-lgpl.html>.

xml/INDEX.md Normal file

@@ -0,0 +1,56 @@
# Directory overview:
_boilerplate version 0.1_
This is an XML framework for generating Pentest Reports and Offers for clients. You download the whole framework whenever you need to write a new document (so every document exists in its own framework).
## naming structure
+ All names are lowercase, even personal names and abbreviations.
# Directory overview:
## README.md
This file holds project-related information.
## communication
This folder holds all email messages and other forms of communication between ROS and the client.
## customerprovidedstuff
This folder holds all *source code*, documents and other files that were handed to ROS by the client.
## doc
All available documentation in several formats (pick the one you like best). The 'tools' documentation is general. Writing documentation is specific to offertes and reports and is split up in subdirectories for each.
There is also an 'examples' directory which contains an example report, finding and offerte to have a look at. To generate an example report or offerte, copy it to the 'source' directory and generate it according to the instructions in the tools doc.
## dtd
Contains schemas, i.e. the grammar of the report and offerte language. Not for users.
## findings
Contains all findings in XML format. Note that you can always get the most up-to-date boilerplate findings from the *ROS pentesters library*.
## graphics
If you use screenshots (graphics) in your report or offerte, place them here. You can then reference the graphics from your report or offerte by setting the img href attribute to "../graphics/yourgraphic.jpg".
Note that the `source` directory is the root of the offer letter / report.
## non-findings
Contains all non-findings in XML format. Note that you can always get the most up-to-date boilerplate non-findings from the *ROS pentesters library*.
## rosbot
Rosbot internals. Nothing to see here, move along...
## scans
All scan output in either text or XML format.
## source
This folder holds the offerte as well as pentest XML files. In `source` there is a subdirectory `snippets` containing boilerplate text for reports and offertes, as well as bios. Note that you can always get the most up-to-date snippets and bios from the *ROS pentesters library*.
## target
This is where your intermediate XSL-FO and generated PDF document end up if you have generated your XML according to the instructions in the tools doc.
## templates
Holds templates for offertes, reports, findings (general and specific) and non-findings. Grab whatever you need and copy it to the 'source' directory (in case of offerte or report) or the pentest repo's 'finding' directory (in case of findings). Then edit to your liking.
## xslt
Contains stylesheets to transform the XML into XSL-FO, which can then be used to generate a PDF through FOP. Not for users.
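Review bot: the heading `# Directory overview:` appears twice in this hunk (once at the top and again just before `## README.md`); drop the first copy and give the `## naming structure` item a heading of its own. The `## templates` entry sends findings to "the pentest repo's 'finding' directory" while the directory documented in this same file is `findings`; align the name. Since `communication`, `customerprovidedstuff` and `scans` will hold client-confidential material and every document lives in its own copy of the framework, the overview should also state where that copy is kept and that those directories are never pushed to a shared or public repository.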

xml/README.md Normal file

@@ -0,0 +1,30 @@
# Client / Project
## Summary
## Scope
## Planning
## Goal
## Targets
## Environments
## Accounts
## Contact persons
### Company
+ Name email
## Team
### Pentesters + availability
### Report writers
## Technical details on building
Looking for files ? Check out [INDEX.md](INDEX.md)
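Review bot: the `## Accounts` and `## Contact persons` sections invite putting test credentials and personal contact details in a plain README that is committed alongside the report; add a line under `## Accounts` saying that credentials belong in the team's password store and only a reference (account name, where to find it) goes here. Under `### Company` the placeholder `+ Name email` should spell out the expected format, e.g. `+ Name <email>`.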

xml/RELEASE_NOTES.md Normal file

@@ -0,0 +1,199 @@
RELEASE NOTES
=============
June 15, 2016
-------------
Giant update to celebrate these xml templates having been elevated to OWASP project status. Because how better to do that than through introducing a load of bugs. :)
### Multilingual workflow
You can now set the desired language in quickscope, using the offer_language element. This will generate the proper offer with the proper language snippets.
Note: language stuff is defined in two places:
1. in source/snippets/offerte (language directories for all snippets)
2. in source/snippets/localisationstrings.xml (these are strings used in xslt; e.g. when generating an offer from quickscope)
### Offer types
You can now set the desired offer type in quickscope, using the offer_type element. This will generate the proper offer with the proper snippets.
Note: system looks for snippets with the type suffix first, and uses the standard snippet if none is found.
#### Example
Offer type is 'basic-scan'.
When generating an xml offer from quickscope, the xslt will first look for the file:
`methodology_basic-scan.xml`
If it cannot find this file, it will instead use
`methodology.xml`
### Customizable waivers
Yes, the stories you heard are true (and we'll get that snitch one day!) - waivers are no longer hard-coded but are now normal, customizable snippets. Well, not completely normal. It goes like this:
When generating waivers for client + third parties, the xslt will use the contents of the `<standard_waiver>` element in `<waivers>` in the `waiver.xml` snippet.
UNLESS: you have added an optional `<alternative_waiver>` element below `<standard_waiver>` (still in `<waivers>`) and have given it a `Ref` attribute that refers to the `id` of the client/party for which this alternative waiver needs to be used (just add an `id` if the client or party doesn't have one yet).
So to summarize:
1. xslt checks if an alternative waiver has been defined for a specific client or party in the offer,
2. if not, it uses the standard waiver
Now isn't that simple!
Note: to support this functionality, a bunch of waiver-only placeholders have been introduced, to wit: `<signee_long>`, `<signee_short>`, `<signee_street>`, `<signee_city>`, `<signee_country>`, `<signee_waiver_rep>`. Don't use them anywhere else though (they will fail and anyway it wouldn't make sense).
May 23, 2016
------------
### Offerte --> Pentest-report
Last step in the document chain has been completed: you can now generate a (bare bones) Pentest report from any offerte the client has accepted, using the following command:
`java -jar saxon9he.jar -s:source/offerte.xml -xsl:xslt/off2rep.xsl -o:source/report.xml`
This makes the document workflow as follows:
1. Fill in quickscope.xml
2. Create offerte.xml from quickscope.xml using qs2offerte.xsl
3. If client accepts offerte, create report.xml from offerte.xml using off2rep.xsl
4. After pentest has concluded, create invoice from offerte using either the direct route or the roundabout one (see March 24, 2016 in the release notes for more info)
April 25, 2016
-------------
### Hidden elements
It is now possible to hide `section`, `appendix` and `annex` elements from the generated report, offerte or generic document. To do so, add the optional attribute `visibility="hidden"` to whatever it is you want to hide in the generated PDF.
Links to hidden targets will give an error (in the document), as will links to non-existing targets in general.
### Client Placeholder renaming
All placeholders that used to start with `c_*` (c_short, c_poc1, etc) now start with `client_`.
April 21, 2016
-------------
### Generic Documents
We now have a generic document type, which can be used for (drumroll) generic documents (whitepapers, training notes, presentation notes, whatever).
It is a super-simple template: it contains a a sparse meta section, an optional ToC and then any number of sections and elements. All the general text elements (tables, lists, pre, code, a, etc etc) can be used. It's so simple I'm not even going to document it. Check the example doc in `doc/examples` if you're lost, but if you've ever written an offer or a pentest report using this system it should be a piece of cake. :)
Usage: `genericdocument.xml --> genericdocument.pdf (using generate_doc.xsl + fop)`
April 4, 2016
-------------
### Associating targets with parties
You can now associate certain targets with certain parties. The `<client>` and <`party`> element now have an optional `id` attribute. Each `target` element now has an optional `Ref` attribute.
In waivers, only the targets associated with the party/client that needs to sign the waiver will be shown.
`<generate_targets/>` also has an optional `Ref` attribute for when you only want to generate a list of targets for one client/party.
If a target has no Ref attribute, it will appear in all the lists (both in the waivers and when using `<generate_targets/>`).
March 24, 2016
--------------
### More elaborate invoicing
Instead of generating an invoice straight from the offerte, as described in the release notes of March 10, you can now also take the roundabout route and customize the invoice.
So instead of:
1. offerte.xml --> invoice.pdf (using generate_inv.xsl + fop)
You can do:
1. offerte.xml --> invoice.xml (using off2inv.xsl)
2. edit invoice.xml (add some extra costs, most likely)
3. invoice.xml --> invoice.pdf (using generate_inv.xsl + fop)
More often than not, the simple route will do just fine, though.
### Added client VAT element
When billing EU customers, you do not need to charge VAT (but you do need to have the client's VAT number on the invoice). So the `<client>` element now has an optional `<vat_no>` child.
March 10, 2016
-------------
### Fee denomination
The `<fee>` element in `<pentestinfo>` now has an optional `denomination` attribute, which can be set to `euro` (default) or `dollar`. Yay for globalization! No, wait.
Anyway, the denomination is added automatically whenever you reference the fee using the `<p_fee/>` placeholder.
### Client info now has its own file
The `<client>` element has been extracted from the document and now exists all by itself in the file `client_info.xml`, which is located in the `source` directory. This gives us the possibility to have a 'client library' and to easily reuse client info - just replace the file with the proper one for the current client.
Note that there are some new fields in the client section, `<invoice_rep>` and `<invoice_mail>` for use in the... (see next section)
### Invoices!
w00t. You can now generate a pdf invoice directly from offerte.xml. Use:
`java -jar saxon9he.jar -s:/path/to/offerte/source/offerte.xml -xsl:/path/to/offerte/xslt/generate_invoice.xsl -o:/path/to/report/target/invoice.fo INVOICE_NO=[invoice number] -xi`
And then:
`fop -c conf/rosfop.xconf /path/to/offerte/target/invoice.fo path/to/offerte/target/invoice.pdf`
March 9, 2016
-------------
### An essay on placeholders
#### Universality
Placeholders can now be used in both offertes and pentest reports. Within reason, though! Pentest reports only have access to a limited set as the other placeholders are not relevant:
- c_long, c_short, c_street, c_city, c_country (i.e. client data)
- company_long, company_short (i.e. company data)
- p_duration, p_boxtype, p_testingduration, p_reportwritingduration, p_reportdue (i.e. pentest info)
- t_app, t_app_producer (i.e. tested app name & producer)
To accommodate for especially those last two bullets, we now have room for an optional `pentestinfo` tag in the report meta section, following the `<targets>` element. It's the same as the `pentestinfo` for offertes, except it doesn't hold financial info.
#### Robustness
When you insert a placeholder, there is now a check to see if
a. The element you're referring to exists
b. The element you're referring to contains text
If either a or b are not the case, you'll end up with a red XXXXX. Which should hopefully get your, or somebody else's, attention during review time.
#### Title Case
Uppercase is now forced on titles that should be in uppercase (i.e. report and offerte title pages, plus offerte titles in general).
Forcing title case for pentest report titles is unfortunately not possible from a style point of view as xsl-fo can only capitalize every word, which is not really what we want. But Peter Mosmans's validation script has your back on this.
### Finally, we have a `<div>` element!
#### What does `<div>` do?
Nothing. `<div>` just *is*.
#### Sigh. Ok, why *is* `<div>`?
You can use `<div>` as a container for other block elements. This is basically only (but very) useful for snippets, as snippets need to be well-formed XML documentlets and can therefore only have one root element. If the snippet is a complete section, this is not a problem. If the snippet is a bunch of paragraphs or something, you're out of luck. Or rather, you used to be out of luck, because there was no `<div>`. But now there is `<div>`. So your snippet can be `<div>` (root element), containing everything you want. Well, everything that's allowed, anyway.
#### So what's allowed in `<div>`?
All block elements: p, ul, ol, table, img, pre, code
#### And what elements can *contain* `<div>`?
Sections, Annexes and Appendices. NOTHING ELSE. DON'T EVEN TRY.
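Review bot: the invoice command in the March 10 entry references `xslt/generate_invoice.xsl`, while the March 24 entry calls the same stylesheet `generate_inv.xsl`; one of the two names is wrong. In the April 4 entry the markup `<`party`>` is broken (the backticks sit inside the angle brackets) and should read `<party>`. The new `Ref` attribute is capitalised while `id`, `visibility` and `denomination` are lowercase, and INDEX.md in this commit states that all names are lowercase; consider `ref` before users depend on it. For the April 25 `visibility="hidden"` feature, please state in the notes that hidden sections are omitted from the generated FO rather than rendered invisibly, since these PDFs are delivered to clients. Finally, the `off2rep.xsl` command on May 23 omits `-xi` while the invoice command on March 10 passes it for the same input file; say whether `xi:include` elements are meant to be copied through unresolved at that step.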

xml/doc/Tools manual.md Normal file

@@ -0,0 +1,147 @@
# Tools Manual
## Intro
You can write your documentation in OpenOffice (and then you just install OpenOffice and do your thing), or you can write it in XML. This allows you to concentrate only on the content without having to worry about what the end result will look like: the XML document is converted to PDF using a style sheet, so you only need to think about what needs to be said, not about numbering, styling or document metadata.
This sounds cool (and it is), but it does mean you may need to use some software you're not well used to working with. You're going to need:
- jEdit, An XML editor
- Saxon, An XML parser
- FOP, A tool to convert XSL-FO to PDF
## Downloading and installing
### Java
Make sure you have at least Java 7 installed (Java 8 is fine as well). If not, download it at www.java.com.
### jEdit
jEdit is an open source, cross platform text editor with support for XML editing. If you're used to working with XML and have a favorite different XML editor that's fine, but if not, start with jEdit.
Download jEdit (5.x) at: http://jedit.org/index.php?page=download and install.
### Saxon
Download Saxon Home Edition (HE) 9.6 **for Java** at: http://saxon.sourceforge.net/ and unzip to a location of your choice.
### FOP
Download Apache FOP 1.1 at https://xmlgraphics.apache.org/fop/download.html and unzip.
### Fonts
Download the Liberation Sans font from http://www.fontsquirrel.com/fonts/liberation-sans and install.
Download the Liberation Mono font from http://www.fontsquirrel.com/fonts/Liberation-Mono and install.
## Configuring
### jEdit
In jEdit, you're going to have to install the XML plugin:
1. Start jEdit, then go to plugins > plugin manager
2. Click on the 'Install' tab
3. Find the plugin called 'XML' and click its checkbox. Its dependencies will be checked automatically; this is a good thing.
5. Click the 'Install' button below the description box and wait until everything is done downloading and installing.
6. Click the 'Close' button.
You may also want to dock the various plugin panes so they're easy to find and use: XML (XML Insert), Error List and Sidekick. XML will give you a list of all the elements you can insert at the caret, Error List will show you where your XML is not valid according to the Schema and Sidekick is useful for quick navigation.
### FOP
First, make sure you have installed the LiberationSansNarrow and LiberationMono fonts on your machine.
In the fop directory, find directory 'conf'. In this directory you'll find a file 'fop.xconf'. Make a copy of this file and rename it, maybe to rosfop.xconf.
Edit rosfop.xconf:
1. Under `<base>.</base>`, add the line: `<font-base>/Path/To/Your/Fonts/Directory</font-base>` (using the actual path to the Fonts directory on your own pc)
2. Change the line `<default-page-settings height="11in" width="8.26in"/>` to `<default-page-settings height="29.7cm" width="21cm"/>`
3. Just above the `</fonts>` closing tag, add:
```
<font kerning="yes" embed-url="LiberationSansNarrow-Regular.ttf">
<font-triplet name="LiberationSansNarrow" style="normal" weight="normal"/>
</font>
<font kerning="yes" embed-url="LiberationSansNarrow-Bold.ttf">
<font-triplet name="LiberationSansNarrow" style="normal" weight="bold"/>
</font>
<font kerning="yes" embed-url="LiberationSansNarrow-Italic.ttf">
<font-triplet name="LiberationSansNarrow" style="italic" weight="normal"/>
</font>
<font kerning="yes" embed-url="LiberationSansNarrow-BoldItalic.ttf">
<font-triplet name="LiberationSansNarrow" style="italic" weight="bold"/>
</font>
<font kerning="yes" embed-url="LiberationMono-Regular.ttf">
<font-triplet name="LiberationMono" style="normal" weight="normal"/>
</font>
<font kerning="yes" embed-url="LiberationMono-Bold.ttf">
<font-triplet name="LiberationMono" style="normal" weight="bold"/>
</font>
<font kerning="yes" embed-url="LiberationMono-Italic.ttf">
<font-triplet name="LiberationMono" style="italic" weight="normal"/>
</font>
<font kerning="yes" embed-url="LiberationMono-BoldItalic.ttf">
<font-triplet name="LiberationMono" style="italic" weight="bold"/>
</font>
```
4. Save the file.
## Using
### jEdit
When you open an xml pentest report, jEdit automatically loads the referenced schema (the file containing all the xml 'grammar' rules). As part of the schema is online, jEdit will sometimes give you a message asking if you want to cache the online part:
"This XML file depends on a resource which is stored at the following Internet address: http://www.w3.org/2001/XInclude/XInclude.xsd"
Caching it is a good idea, so click the yes button when prompted (or 'no' if you have good reasons not to, it's your party!)
Use the pentestreport.xml template (which already contains some default stuff) to create your report (read the doc on report writing for more info).
Make sure the XML file you've created with jEdit is valid (no errors in the Error List in jEdit).
### Saxon
To transform your XML file into XSL-FO, use the following command from the saxon directory:
#### To Generate a Pentest Report
```java -jar saxon9he.jar -s:/path/to/report/source/pentestreport.xml -xsl:/path/to/report/xslt/generate_report.xsl -o:/path/to/report/target/pentestreport.fo -xi```
(Note the source/xslt/target directories in this example, which correspond to the directory structure in the report directory. Also make sure to add the -xi option!)
#### To Generate an Offerte
```java -jar saxon9he.jar -s:/path/to/report/source/offerte.xml -xsl:/path/to/report/xslt/generate_offerte.xsl -o:/path/to/report/target/offerte.fo```
(Note the source/xslt/target directories in this example, which correspond to the directory structure in the report directory.)
If you have defined extra parties that need to give permission, waivers for these parties will be generated in .fo format automatically
### FOP
To then convert your XSL-FO file into a nice and shiny pdf, use the following command from the fop directory:
#### To Generate a Pentest Report
```fop -c conf/rosfop.xconf /path/to/report/target/pentestreport.fo path/to/report/target/pentestreport.pdf```
(If you used another name for your custom FOP configuration file, use that.)
or maybe it is easier to go to your target directory and type:
```/path/to/fop -c path/to/fop/conf/rosfop.xconf offerte.fo offerte.pdf```
it depends on your directory structure, I guess.
Note that, if you define extra parties that need to give permission, you'll need to convert the waiver fo files to pdf as well.
#### To Generate an Offerte
```fop -c conf/rosfop.xconf /path/to/report/target/offerte.fo path/to/report/target/offerte.pdf```
(If you used another name for your custom FOP configuration file, use that.)
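Review bot: the jEdit plugin steps are numbered 1, 2, 3, 5, 6 (step 4 is missing). The Fonts section tells the reader to install Liberation Sans and Liberation Mono, but the FOP configuration step and its `embed-url` entries require LiberationSansNarrow (`LiberationSansNarrow-Regular.ttf` etc.); make sure the download instruction covers the Narrow variant or change the font names in the config. The Saxon report command passes `-xi` and the note insists on it, but the offerte command does not, although `offerte.xml` in this commit is built from `xi:include` elements; either add `-xi` there or explain why it is not needed. In both FOP commands the output path `path/to/report/target/...` lacks the leading slash the input path has. The jEdit prompt fetches `http://www.w3.org/2001/XInclude/XInclude.xsd` over plain HTTP whenever it is not cached; the advice to cache it is right and could be given as the default rather than an option.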


@@ -0,0 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<finding threatLevel="Moderate" type="Escalation">
<title>Example Title</title>
<description>
A specialized piece of malware can be crafted to bypass local anti-virus software and to cheat during tests.
</description>
<technicaldescription>
The student desks run antivirus software that will prevent many common remote access and malware tools that students may use to try and cheat. It is however still possible to use common tools to evade detection by the anti-virus software. Note that to run the custom malware, a student needs to have found an arbitrary file execution bug first.
To exploit this vulnerability, we used 'veil-evasion' to build an undetected Meterpreter reverse TCP executable that connects back to an external computer and allows for remote access. See https://www.veil-framework.com/veil-tutorial/ for details.
</technicaldescription>
<impact>
A student may use this malware to have an accomplice at a remote location assist in the test by viewing screenshots of the student desk and reading/modifying files on the student desk. The setup for this can be done very quickly - before the test even starts - and will leave no obvious visible clues that something fishy has happened.
</impact>
<recommendation>
Allow only a set of whitelisted programs to be executed. Base restrictions on file contents, e.g. by comparing agains one or more strong file hashes.
</recommendation>
</finding>
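Review bot: `agains` in the recommendation should be `against`. The technical description says the custom malware can only be run once a student has found an arbitrary file execution bug, yet the recommendation addresses only application whitelisting; add closing that file execution path as the first recommendation, with the hash-based whitelist as the second layer. Spelling of `anti-virus`/`antivirus` varies within the finding.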


@@ -0,0 +1,101 @@
<?xml version="1.0" encoding="UTF-8"?>
<generic_document xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../dtd/genericdocument.xsd">
<meta>
<title>Generic Document</title>
<subtitle>It can be about ANYTHING you want!</subtitle>
<collaborators>
<reviewers>
<reviewer>Melanie Rieback</reviewer>
</reviewers>
<approver>
<name>Melanie Rieback</name>
<bio>Melanie Rieback is a former Asst. Prof. of Computer Science from the VU,
who is also the co-founder/CEO of Radically Open Security.</bio>
</approver>
</collaborators>
<classification>Confidential</classification>
<version_history>
<version date="2015-01-19T01:00:00" number="auto">
<v_author>Patricia Piolon</v_author>
<v_description>Initial draft</v_description>
</version>
<version date="2015-01-20T01:00:00" number="auto">
<v_author>Ernest Hemingway</v_author>
<v_description>Structure &amp; contents revision</v_description>
</version>
<version date="2015-01-21T01:00:00" number="auto">
<v_author>Patricia Piolon</v_author>
<v_description>Added some stuff</v_description>
</version>
<version date="2015-01-22T01:00:00" number="auto">
<v_author>Patricia Piolon</v_author>
<v_author>JRR Tolkien</v_author>
<v_description>Revision</v_description>
</version>
<version date="2015-01-23T01:00:00" number="auto">
<v_author>Patricia Piolon</v_author>
<v_description>Revision</v_description>
</version>
<version date="2015-01-26T01:00:00" number="1.0">
<v_author>Arthur Conan Doyle</v_author>
<v_description>Finalizing</v_description>
</version>
</version_history>
<xi:include href="snippets/company_info.xml"/>
</meta>
<generate_index/>
<section id="info">
<title>This is a generic document</title>
<section id="introduction">
<title>This is a subsection</title>
<p>In this document we describe anything that is not an offer, invoice or pentest.</p>
<p>It is as generic as generic can be.</p>
</section>
<section id="other">
<title>Some more info</title>
<p>You can only use the most general of elements in this document (all the elements borrowed from html + monospace, code, section, appendix and title, basically).</p>
<p>Only the company-related placeholders work!</p>
</section>
</section>
<section id="somethingelse">
<title>Anything else?</title>
<p>Mmmm no, that's it.</p>
<table border="1"><tr><th>This is a table</th></tr>
<tr><td>It contains bogus information.</td></tr></table>
<section id="list">
<title>List example</title>
<p>This is a list:</p>
<ul>
<li>item 1 - see <a href="http://www.radicallyopensecurity.com">http://www.radicallyopensecurity.com</a>.</li>
<li>item 2</li>
</ul>
<p>You get the idea</p>
</section>
<section id="bla">
<title>other elements</title>
<p>Command:</p>
<pre>$ this is a pre (for command line entries)</pre>
<p>Outcome:</p>
<pre>This is where
you would write the
output
I
guess.</pre>
<p>Let's have a link pointing to <a href="#list"/> at this point.</p>
</section>
</section>
<appendix id="testteam">
<title>Did we forget anything</title>
<p>Nope.</p>
</appendix>
</generic_document>


@@ -0,0 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?>
<invoice xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:fo="http://www.w3.org/1999/XSL/Format" xsi:noNamespaceSchemaLocation="../dtd/invoice.xsd"
invoice_no="00/000" denomination="dollar">
<meta>
<xi:include href="snippets/company_info.xml"/>
<xi:include href="client_info.xml"/>
</meta>
<servicesdelivered>
<service>
<description>10-day penetration test Sitting Duck</description>
<fee vat="yes">7000</fee>
</service>
<service>
<description>Something else</description>
<fee vat="yes">2000</fee>
</service>
</servicesdelivered>
<additionalcosts>
<cost>
<description>An additional cost without vat</description>
<fee vat="no">1000</fee>
</cost>
<cost>
<description>An additional cost with vat</description>
<fee vat="yes">1000</fee>
</cost>
</additionalcosts>
</invoice>
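Review bot: `xmlns:xlink` and `xmlns:fo` are declared on the root but never used in the file; drop them (the offerte example has the same unused declarations). `denomination` is an attribute of the root `<invoice>` here, while in the offerte example it is an attribute of `<fee>`; document whether both forms are valid or pick one.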


@@ -0,0 +1,77 @@
<?xml version="1.0" encoding="UTF-8"?>
<offerte xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:fo="http://www.w3.org/1999/XSL/Format"
xsi:noNamespaceSchemaLocation="../dtd/offerte.xsd"
xml:lang="en"><!--document meta information; to be filled in by the offerte writer-->
<meta>
<offered_service_long>penetration testing services</offered_service_long>
<!--if there is a shorter way of saying the same thing, you can type it here (it makes for more dynamic offerte text). If not, just repeat the long name.-->
<offered_service_short>penetration test</offered_service_short>
<xi:include href="snippets/company_info.xml"/>
<targets><!--one target element per target-->
<target>target1.sittingduck.com</target>
<target>target2.sittingduck.com</target>
<target>FishInABarrel App</target>
</targets>
<permission_parties>
<xi:include href="client_info.xml"/>
<party>
<full_name>HotshotDevs Inc.</full_name>
<short_name>HotshotDevs</short_name>
<!--short party name; if no short name: same as long name-->
<waiver_rep>Hotshot Dev Lawyer</waiver_rep>
<address>Silicon Valley St. 50</address>
<city>San Francisco</city>
<country>US</country>
</party>
</permission_parties>
<pentestinfo>
<duration>10</duration>
<!--duration of pentest, in working days-->
<test_planning>August 1st, 2016, lasting until August 13th, 2016</test_planning>
<!--date or date range in text, e.g. May 18th until May 25th, 2015-->
<report_writing>August 26th, 2016</report_writing>
<!--date or date range in text, e.g. May 18th until May 25th, 2015-->
<report_due>August 26th, 2016</report_due>
<nature>time-boxed</nature>
<type>crystal-box</type>
<!--please choose one of the following: black-box, grey-box, crystal-box-->
<fee denomination="euro">1000000</fee>
<!--(euro|dollar)-->
<target_application>FishInABarrel</target_application>
<!--name of application/service to be tested (if any; if none, DELETE target_application element)-->
</pentestinfo>
<version_history><!--needed for date on frontpage and in signature boxes; it is possible to add a new <version> after each review; in that case, make sure to update the date/time-->
<version number="auto" date="2016-07-08T10:00:00"><!--actual date-time here; you can leave the number attribute alone-->
<v_author>ROS Writer</v_author>
<!--name of the author here; for internal use only-->
<v_description>Initial draft</v_description>
<!--for internal use only-->
</version>
</version_history>
</meta>
<!--Introduction and Scope-->
<xi:include href="snippets/offerte/en/introandscope.xml"/>
<!--Project overview section-->
<xi:include href="snippets/offerte/en/projectoverview.xml"/>
<!--Prerequisites section-->
<xi:include href="snippets/offerte/en/prerequisites.xml"/>
<!--Disclaimer section-->
<xi:include href="snippets/offerte/en/disclaimer.xml"/>
<!--Methodology section-->
<xi:include href="snippets/offerte/en/methodology.xml"/>
<xi:include href="snippets/offerte/en/codeauditmethodology.xml"/>
<xi:include href="snippets/offerte/en/teamandreporting.xml"/>
<!--Planning and payment section-->
<xi:include href="snippets/offerte/en/planningandpayment.xml"/>
<!--About Us section-->
<xi:include href="snippets/offerte/en/aboutus.xml"/>
<!--Work condition section-->
<xi:include href="snippets/offerte/en/conditions.xml"/>
<!--General terms and conditions section-->
<xi:include href="snippets/offerte/en/generaltermsandconditions.xml"/>
<!--Waivers-->
<xi:include href="snippets/offerte/en/waiver.xml"/>
</offerte>
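Review bot: the party in `<permission_parties>` has no `id` and none of the targets carries a `Ref`, so the example never exercises the target-to-party association described in the April 4 release notes; give `HotshotDevs Inc.` an `id` and attach one target to it so the waiver section demonstrates the filtering. The snippet includes hard-code `snippets/offerte/en/` even though the language is now chosen through `offer_language` in quickscope, and the release notes say `offerte.xml` is produced from `quickscope.xml` by `qs2offerte.xsl`; clarify whether this hand-written example is still the intended starting point or an example of the generated output. The `<!--short party name-->` comment sits after `<short_name>` rather than before it like the other comments.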


@@ -0,0 +1,61 @@
<?xml version="1.0" encoding="UTF-8"?>
<quickscope xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xml="http://www.w3.org/XML/1998/namespace">
<!-- Today's date -->
<version date="2015-01-01"/>
<!-- YYYY-MM-DD -->
<!-- COMPANY INFO -->
<xi:include href="client_info.xml"/>
<!-- SERVICE INFO -->
<meta>
<!-- Language the offer should be in (en|nl) -->
<offer_language>en</offer_language>
<!-- Offer type (pentest|basic-scan|load-test|other) -->
<offer_type>pentest</offer_type>
<!-- Required service -->
<!-- Note: is only used when type is 'other', if offer_type is a specific type, service name will be taken from the localisation strings -->
<requested_service>penetration testing services</requested_service>
<!-- Which targets will need to be tested?
(one <target> element for each piece of software/service/server address/location...), delete/add as necessary -->
<targets>
<target>target1.sittingduck.com</target>
<target>target2.sittingduck.com</target>
<target>FishInABarral App</target>
</targets>
</meta>
<!-- Some information about any third parties involved with the software/service to be tested, if applicable.
If not applicable, delete the whole <third_party> element. If more parties are needed, add <third_party> elements -->
<third_party>
<full_name>HotshotDevs Inc.</full_name>
<short_name>HotshotDevs</short_name>
<!-- Name of the person who will need to sign the waiver for this vendor -->
<waiver_rep>Hotshot Dev Lawyer</waiver_rep>
<address>Silicon Valley St. 50</address>
<city>San Francisco</city>
<country>US</country>
</third_party>
<pentest_info>
<!-- How long would you like the test to be? (in days) -->
<days>10</days>
<!-- Service execution (Use one of the following values: time-boxed, subscription) -->
<nature>time-boxed</nature>
<!-- Testing type (Use one of the following values: crystal-box, black-box, grey-box) -->
<type>crystal-box</type>
<!-- Test planning (when would you like the test to be executed -->
<!-- Ideally something specific like 'December 7th - December 12th, 2015', but another description 'Beginning of December' is fine as well -->
<!-- do not start with a capital letter -->
<planning>TBD</planning>
<!-- Pentest report delivery date (please allow at least 1 week between the end of the pentest and the report delivery date) -->
<delivery>TBD</delivery>
<!-- Do you need/want a code audit? (possible values: yes/no), only for pentest -->
<codeaudit perform="yes"/>
<!-- Is there an application that needs to be tested? Type its name below. If not, please DELETE <application_name> element -->
<application_name>FishInABarrel</application_name>
<!-- rate (to be filled in by ROS ;) -->
<rate>1000000</rate>
</pentest_info>
</quickscope>
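Review bot: the sample target `<target>FishInABarral App</target>` is spelled differently from `<application_name>FishInABarrel</application_name>` lower in the same file, and both strings are copied verbatim into the generated offerte, so anyone who starts from this template inherits an inconsistent document; align the two spellings. The date element carries a plausible fixed value (`<version date="2015-01-01"/>`) under a `<!-- Today's date -->` comment, which is easy to leave untouched and then stamps a stale date on the offer; an obviously unfinished placeholder such as `YYYY-MM-DD` in the value itself (the format hint is currently a comment on the following line) is harder to miss on review. The `xmlns:xml="http://www.w3.org/XML/1998/namespace"` declaration on the root is redundant, since the `xml` prefix is bound to that namespace by definition and never needs declaring.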


@@ -0,0 +1,295 @@
<?xml version="1.0" encoding="UTF-8"?><pentest_report xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" findingCode="SID" xsi:noNamespaceSchemaLocation="../dtd/pentestreport.xsd">
<meta>
<title>Penetration Test Report</title>
<xi:include href="client_info.xml"/>
<targets>
<target>fishinabarrel.sittingduck.com</target>
</targets>
<collaborators>
<reviewers>
<reviewer>Melanie Rieback</reviewer>
</reviewers>
<approver>
<name>Melanie Rieback</name>
<bio>Melanie Rieback is a former Asst. Prof. of Computer Science from the VU,
who is also the co-founder/CEO of Radically Open Security.</bio>
</approver>
<pentesters>
<pentester>
<name>Melanie Rieback</name>
<bio>Melanie Rieback is a former Asst. Prof. of Computer Science from the VU,
who is also the co-founder/CEO of Radically Open Security.</bio>
</pentester>
<pentester>
<name>Aristotle</name>
<bio>Greek philosopher and scientist born in the Macedonian city of Stagira, Chalkidice, on the northern periphery of Classical Greece.</bio>
</pentester>
<pentester>
<name>George Boole</name>
<bio>English mathematician, philosopher and logician. Works in the fields of differential equations and algebraic logic, and is now best known as the author of The Laws of Thought.</bio>
</pentester>
<pentester>
<name>William of Ockham</name>
<bio>English Franciscan friar and scholastic philosopher and theologian. Considered to be one of the major figures of medieval thought. At the centre of some major intellectual and political controversies.</bio>
</pentester>
<pentester>
<name>Ludwig Josef Johann Wittgenstein</name>
<bio>Austrian-British philosopher who works primarily in logic, the philosophy of mathematics, the philosophy of mind, and the philosophy of language.</bio>
</pentester>
</pentesters>
</collaborators>
<classification>Confidential</classification>
<version_history>
<version date="2015-01-19T01:00:00" number="auto">
<v_author>Patricia Piolon</v_author>
<v_description>Initial draft</v_description>
</version>
<version date="2015-01-20T01:00:00" number="auto">
<v_author>Ernest Hemingway</v_author>
<v_description>Structure &amp; contents revision</v_description>
</version>
<version date="2015-01-21T01:00:00" number="auto">
<v_author>Patricia Piolon</v_author>
<v_description>Added threat levels and recommendations</v_description>
</version>
<version date="2015-01-22T01:00:00" number="auto">
<v_author>Patricia Piolon</v_author>
<v_author>JRR Tolkien</v_author>
<v_description>Revision</v_description>
</version>
<version date="2015-01-23T01:00:00" number="auto">
<v_author>Patricia Piolon</v_author>
<v_description>Revision</v_description>
</version>
<version date="2015-01-26T01:00:00" number="1.0">
<v_author>Arthur Conan Doyle</v_author>
<v_description>Finalizing</v_description>
</version>
</version_history>
<xi:include href="snippets/company_info.xml"/>
</meta>
<generate_index/>
<section id="executiveSummary">
<title>Executive Summary</title>
<section id="introduction">
<title>Introduction</title>
<p>Sitting Duck B.V. (“Sitting Duck”) has assigned
the task of performing a Penetration Test of the FishInABarrel Web
Application to Radically Open Security BV (hereafter “ROS”).
Sitting Duck has made this request to better evaluate the security of the application and
to identify application level vulnerabilities in order to see whether the FishInABarrel
Web Application is ready, security-wise, for production deployment.</p>
<p>This report contains our findings as well as detailed explanations of exactly how ROS performed
the penetration test.</p>
</section>
<section id="scope">
<title>Scope of work</title>
<p>The scope of the Sitting Duck penetration test was limited to the following
target:</p>
<generate_targets/>
<p>The penetration test was carried out from a black box perspective: no information
regarding the system(s) tested was provided by Sitting Duck or FishInABarrel, although FishInABarrel
did provide ROS with two test user accounts.</p>
</section>
<section id="objectives">
<title>Project objectives</title>
<p>The objective of the security assessment is to gain insight into the security of
the host and the FishInABarrel Web Application.</p>
</section>
<section id="timeline">
<title>Timeline</title>
<p>The FishInABarrel Security Audit took place between January 14 and January 16,
2015.</p>
</section>
<section id="results">
<title>Results in a Nutshell</title>
<p>During this pentest, we found quite a number of different security problems
Cross-site Scripting (XSS) vulnerabilities, both stored and reflected, Cross-site
Request Forgery (CSRF) vulnerabilities,
information disclosures (multiple instances), and lack of
brute force protection.</p>
</section>
<section id="findingSummary">
<title>Summary of Findings</title>
<generate_findings/>
<!-- generated from Findings section -->
</section>
<section id="recommendationSummary">
<title>Summary of Recommendations</title>
<generate_recommendations/>
<!-- generated from Findings section -->
</section>
</section>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="snippets/report/methodology.xml"/>
<section id="recon">
<title>Reconnaissance and Fingerprinting</title>
<p>Through automated scans we were able to gain the following information about the
software and infrastructure. Detailed scan output can be found in the sections
below.</p>
<table border="1"><tr><th>Fingerprinted Information</th></tr>
<tr><td>Windows XP<br/>Microsoft IIS 6.0<br/>PHP 5.4.29<br/>jQuery 1.7.2<br/>Mailserver XYZ<br/>FTPserver ABC</td></tr></table>
<section id="scans">
<title>Automated Scans</title>
<p>As part of our active reconnaissance we used the following automated scans:</p>
<ul>
<li>nmap <a href="http://nmap.org">http://nmap.org</a></li>
<li>skipfish - <a href="https://code.google.com/p/skipfish/">https://code.google.com/p/skipfish/</a></li>
<li>sqlmap <a href="http://sqlmap.org">http://sqlmap.org</a></li>
<li>Wapiti <a href="http://wapiti.sourceforge.net">http://wapiti.sourceforge.net</a></li>
</ul>
<p>Of these, only the output of nmap turned out to be
useful; consequently only nmap and output will be discussed in
this section.</p>
</section>
<section id="nmap">
<title>nmap</title>
<p>Command:</p>
<pre>$ nmap -vvvv -oA fishinabarrel.sittingduck.com_complete -sV -sC -A -p1-65535 -T5
fishinabarrel.sittingduck.com</pre>
<p>Outcome:</p>
<pre> Nmap scan report for fishinabarrel.sittingduck.com (10.10.10.1)
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-11-11 15:43 EST
Initiating ARP Ping Scan against 10.10.10.1 [1 port] at 15:43
The ARP Ping Scan took 0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against fishinabarrel.sittingduck.com (10.10.10.1) [1680 ports] at 15:43
Discovered open port 22/tcp on 10.10.10.1
Discovered open port 80/tcp on 10.10.10.1
Discovered open port 8888/tcp on 10.10.10.1
Discovered open port 111/tcp on 10.10.10.1
Discovered open port 3306/tcp on 10.10.10.1
Discovered open port 957/tcp on 10.10.10.1
The SYN Stealth Scan took 0.30s to scan 1680 total ports.
Host fishinabarrel.sittingduck.com (10.10.10.1) appears to be up ... good.
Interesting ports on fishinabarrel.sittingduck.com (10.10.10.1):
Not shown: 1674 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
957/tcp open unknown
3306/tcp open mysql
4000/tcp open dangerous service
Nmap finished: 1 IP address (1 host up) scanned in 0.485 seconds
Raw packets sent: 1681 (73.962KB) | Rcvd: 1681 (77.322KB)</pre>
<p>The scan revealed a very large number of open services on this machine, which
greatly increases the attack surface; see <a href="#f2"/> for more information on the
security risk.</p>
</section>
</section>
<section id="techSummary">
<title>Pentest Technical Summary</title>
<section id="findings">
<title>Findings</title>
<p>We have identified the following issues:</p>
<finding id="f1" threatLevel="Moderate" type="Information Leak">
<title>PHPInfo Disclosure</title>
<description>
<p>The phpinfo() function of the PHP language is readable,
resulting in a listing of all the runtime information of the environment,
thus disclosing potentially valuable information to attackers.</p>
</description>
<technicaldescription>
<p>This is where the good stuff goes. We give a detailed technical description of the problem.</p>
<p>Illustrative picture of an evil hacker pondering dark deeds:</p>
<img height="10" src="../graphics/screenshot.jpg"/>
</technicaldescription>
<impact>
<p>This is where we explain how the sh*t is hitting the fan, exactly.</p>
</impact>
<recommendation>
<p>Here is where we write some tips to solve the problem.</p>
</recommendation>
</finding>
<finding id="f2" threatLevel="High" type="XSS">
<title>A terrible XSS issue</title>
<description>
<p>A general description of the problem.</p>
</description>
<technicaldescription>
<p>This is we go into great detail about the vulnerability.</p>
</technicaldescription>
<impact>
<p>This is where we explain why this vulnerability is a problem.</p>
</impact>
<recommendation>
<p>This is where we solve everything and the sun starts shining again.</p>
</recommendation>
</finding>
</section>
<section id="nonFindings">
<title>Non-Findings</title>
<p>In this section we list some of the things that were tried but turned out to be
dead ends.</p>
<non-finding id="ftp">
<title>FTP</title>
<p>The server was running FTPserver ABC, the most recent
version of this particular piece of software. Anonymous login was turned off and no
relevant vulnerabilities or exploits were found.</p>
</non-finding>
<non-finding id="mail">
<title>Mail Server</title>
<p>The server was running Mailserver XYZ, the most recent
version of this particular piece of software. No relevant vulnerabilities or
exploits were found. </p>
</non-finding>
<non-finding id="sqlInjection">
<title>SQL Code Injection</title>
<p>The following parameters are not vulnerable to SQL injection. </p>
<p>All parameters have been checked manually.</p>
<pre>-file1.php
-file2.php
-file3.php
</pre></non-finding>
<non-finding id="heartbleed">
<title>Heartbleed</title>
<p>System was not vulnerable to heartbleed.</p> </non-finding>
<non-finding id="sp2">
<title>Windows XP</title>
<p>The host is running Windows XP. As we all know, Windows XP is bulletproof.</p>
</non-finding>
</section>
</section>
<section id="conclusion">
<title>Conclusion</title>
<p>In the course of this penetration test, we have demonstrated that the FishInABarrel
Web Application faces a range of security issues which makes it vulnerable to a number
of different attacks. Vulnerabilities found included: cross-site scripting (both stored
and reflected), cross-site request forgery, information disclosure
and lack of brute force protection.</p>
<p>Our conclusion is that there are a number of things that FishInABarrel BV has to fix before
Sitting Duck should use their software. A number of the security issues highlighted in this
report have fairly simple solutions, but these should nevertheless be fixed before use
of the FishInABarrel Web App continues.</p>
<p>We finally want to emphasize that security is a process and this penetration test is
just a one-time snapshot. Security posture must be continuously evaluated and improved.
Regular audits and ongoing improvements are essential in order to maintain control of
your corporate information security. We hope that this pentest report (and the detailed
explanations of our findings) will contribute meaningfully towards that end. Don't
hesitate to let us know if you have any further questions or need further clarification
of anything in this report.</p>
</section>
<appendix id="testteam">
<title>Testing team</title>
<generate_testteam/>
</appendix>
</pentest_report>
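Review bot: the sample nmap output in the Reconnaissance section does not match the command above it or itself. The command scans `-p1-65535`, but the output reports 1680 ports scanned and `Not shown: 1674 closed ports` (six open), while the port table lists eight entries, three of which (25, 110, 4000) never appear among the `Discovered open port` lines, and 8888, which does, is missing from the table. Report authors will imitate this example, so replace it with one internally consistent capture or trim it to a clearly marked stub. Related: the placeholder prose (`This is where we explain how the sh*t is hitting the fan`, `As we all know, Windows XP is bulletproof`, `This is we go into great detail`) reaches the client verbatim if anyone forgets to replace it; a uniform marker such as `TODO` in every placeholder makes a final check possible. Two smaller points: the 'Results in a Nutshell' paragraph is missing a colon after `security problems`, and `<img height="10" .../>` is 10 cm according to the image section of the writing guide added in this commit, which is unlikely to be the intended size for a placeholder screenshot.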

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,556 @@
Writing an offerte
==================
Tools
-----
First of all, make sure you have the right tools installed. Check the
tools manual for more info.
Main structure
--------------
The report's main element is `<offerte>`. It contains a number of major
parts:
- Entity listing, in the doctype. These are fields that will be reused throughout the document, mostly in boilerplate text
- Document information (metadata), in the element `<meta>`
- A variable number of sections (main content), in several `<section>`
elements
- A waiver annex, in the `<annex>` element (located in the snippets directory as it is also boilerplate text)
Entity listing
--------------
When you have your scoping information, fill in all the fields. They are commented in the template, so what to fill in should be pretty self-explanatory.
You should be able to fill all fields. The only exception is `client_waiver_rep`, as it is not always known in advance who this will be.
Document information / metadata
-------------------------------
This is the part where we put all information that is *about the offerte*
rather than about the offer itself (hence the term metadata): who has
been working on it, what is the offer about, what versions has it
gone through, etc.
In XML, this part is indicated by the `<meta>` element. It contains the
following elements (mandatory and in the listed order):
- The offered service, in the `<offered_service>` element
- Client information, in the `<client>` element
- Your-company-related information, in the '<company>' element
- Targets listing, in the `<targets>` element
- The document's version history, in the `<version_history>` element
You need to fill in everything *that isn't already filled in with an entity*. If there is an entity, the info will be taken from the scoping info you entered in the entity list above. So leave it alone. No need to do anything.
For more details, see the sections below.
### The offered service
In the `<offered_service>` element, put the offered_service (in text). This is
something like 'penetration testing services' probably.
Example: `<offered_service>penetration testing services</offered_service>`
**No need to do anything here, the entity takes care of this**
### Client information
The `<client>` element contains four other elements:
- `<full_name>`, in which you should type the client's official name,
e.g. 'Sitting Duck BV', or 'Big International Company Ltd'
- `<short_name>`, in which you should type the client's shorter name,
e.g. 'Sitting Duck' or 'Big International' (or, if there is no
shorter name, just type the long name again)
- `<city>`, in which you should type the city where the client's office is based
- `<legal_rep>`, in which you should type the name of the client's legal representative, i.e. the guy or gal who can sign the offerte.
- `<waiver_rep>`, in which you should type the name of the client's legal representative, i.e. the guy or gal who can sign the waiver. If the legal rep is not known when you are creating the offerte, you can delete this element. The waiver will then be generated with a little line on which the legal rep can write his/her own name.
Example:
<client>
<full_name>Sitting Duck B.V.</full_name>
<short_name>Sitting Duck</short_name>
<city>Amazonia</city>
<legal_rep>Shaniah T. Brick</legal_rep>
<waiver_rep>William Wonder</waiver_rep>
</client>
**If all names are known, no need to do anything here, the entity takes care of this. If the waiver rep is not known, delete the `waiver_rep` element.**
### Company information
The `<company>` element contains two other elements:
- `<full_name>`, in which you should type your company's official name
- `<legal_rep>`, in which you should type the name of your legal rep
Example:
<company>
<full_name>Shining Armour B.V.</full_name>
<legal_rep>Sir Lancelot</legal_rep>
</company>
### Targets
The `<targets>` element contains one or more `<target>` elements, one
for each target specified for the pentest. Put every target of the
pentest in its own `<target>` element. If there is only one target,
you'll end up with a `<targets>` element containing only one `<target>`
element. This is ok.
Example:
<targets>
<target>fishinabarrel.sittingduck.com</target>
<target>hackthis.sittingduck.com</target>
<target>Sitting Duck's support staff</target>
<targets>
### Pentest Info
The `<pentestinfo>` element contains some data about the pentest itself. This element is useful as you can refer to its content using placeholders, allowing e.g. for standard referrals to the tested application name, pentest type or pentest duration.
Example:
<pentestinfo>
<duration>10</duration><!-- duration of pentest, in working days -->
<test_planning>January 1st until January 12th, 2015</test_planning> <!-- date or date range in text, e.g. May 18th until May 25th, 2015 -->
<report_writing>January 15th until January 20th, 2015</report_writing> <!-- date or date range in text, e.g. May 18th until May 25th, 2015 -->
<report_due>January 23rd, 2015</report_due> <!-- date or date range in text, e.g. May 18th until May 25th, 2015 -->
<nature>time-boxed</nature>
<type>black-box</type><!-- please choose one of the following: black-box, grey-box, crystal-box -->
<fee>50000</fee><!-- euro is added automatically in the document -->
<target_application>FishInABarrel</target_application><!-- name of application to be tested (if any) -->
<target_application_producer>H4ckers 'R' Us</target_application_producer>
</pentestinfo>
### Version History
The `<version_history>` element contains one or more `<version>`
elements, one for each version of the document you create. Whenever you
start a new version, add a `<version>` element to the list.
The `<version>` element should contain the following:
- a `date` attribute with a date of your version as a value, in the
format YYYY-MM-DDT00:00:00, e.g. 2015-04-18T00:00:00
- a `number` attribute with the version number as a value. This value
can either be 'auto' or an actual version number, e.g. 1.0. If you
use the 'auto' value, the system will automatically count it
(starting with 0.1 for the first `<version>` element and going up
from there: 0.2, 0.3, etc...).
- One or more `<v_author>` elements, each containing the name of the
person who worked on this version (that would be you at least, and
perhaps a pentester or colleague who did significant work on it)
- A `<v_description>` element with a (very short!) description of what
has been done in this version, e.g. 'Added non-findings' or
'Revision'
Example:
<version_history>
<version number="auto" date="2014-12-18T00:00:00">
<v_author>Bob Goudriaan</v_author>
<v_description>Initial draft</v_description>
</version>
<version date="2014-12-22T00:00:00" number="auto">
<v_author>Bob Goudriaan</v_author>
<v_author>Patricia Piolon</v_author>
<v_description>Revision</v_description>
</version>
</version_history>
Sections
--------
The main bulk of the offerte is made up of normal content. We
divide our content into sections using the `<section>` element.
### Section title
A section must always start with a `<title>` element, which should only
contain text; after that you're free to do what you want. As explained
in the previous section, it's a good idea to have the section id and the
title be somewhat related.
Example:
<section>
<title>Project Planning</title>
...
</section>
### Section content
As said, after the title, anything goes (well, almost):
- A section can be subdivided into smaller sections
- A section can contain generic content, that is to say any number and
order of:
- paragraphs (`<p>`)
- lists (ordered `<ol>` or unordered `<ul>`)
- tables (`<table>`)
- command input/output boxes (`<pre>`)
- code (`<code>`)
- div containers (`<div>`)
- A section can contain a signing box for the offerte itself (`<generate_offer_signature_box/>`)
- A section can contain a listing of targets, taken from the
`<targets>` element in the meta section (`<generate_targets/>`)
All of these elements are described elsewhere in this document; see the
appropriate sections for details.
Annexes
-------
Annexes (using the `<annex>` element) work the same as sections,
they just come last in the report. Like sections, they must start with a title. Also like sections, the rest of
their content is free-form.
You will need at least one annex in the template, for the waiver. An annex can contain a signing box for the waiver (`<generate_waiver_signature_box/>`)
Example:
<annex>
<title>Annex 1: Waiver</title>
<p>You waive all responsibility.</p>
<generate_waiver_signature_box/>
</annex>
Generic content
---------------
Generic content is modeled on very basic HTML.
### Paragraphs
Paragraphs (`<p>`) go in sections or in the various sub-elements of findings and
non-findings. They are the basic way of displaying text.
Example:
<p>This is a paragraph</p>
### Lists
Lists can be ordered (`<ol>`, for '**o**rdered **l**ist') or unordered
(`<ul>`, for **u**nordered **l**ist). Regardless of whether a list is
ordered or unordered, it contains one or more list items (`<li>`, for
**l**ist **i**tem).
**Unordered lists**
Example:
<ul>
<li>Some item</li>
<li>Some other item</li>
</ul>
**Ordered lists**
Ordered lists are numbered by default. You can configure a different
ordering system by setting its `type` attribute to one of the following
values:
type ordering
------ ----------------------
a lowercase alphabetic
A uppercase alphabetic
i lowercase roman
I uppercase roman
Example:
<ol type="i">
<li>Some item</li>
<li>Some other item</li>
</ol>
### Code/Input/Output Blocks
Whenever you need to display some command line input/output or code, use
the `<pre>` element. It will conserve any whitespace you leave, so you
can format the contents of this element in a pleasant/readable way. Use
spaces for indents. Note that text in the `<pre>` element *will not
wrap*.
Example:
<section>
<title>Some output</title>
<p>This is some relevant stuff the client sent us:</p>
<pre>'relevant stuff'</pre>
<p>And this too:</p>
<pre>this relevant stuff comes
in several lines
Some indented
and some not
This is not a haiku.</pre>
</section>
#### Help! The code in my pre element contains \< characters and it messes with my xml!
You can escape the \< character by replacing it with its entity `&lt;`.
### Div containers
#### What does `<div>` do?
Nothing. `<div>` just *is*.
#### Sigh. Ok, why *is* `<div>`?
You can use `<div>` as a container for other block elements. This is basically only (but very) useful for snippets, as snippets need to be well-formed XML documentlets and can therefore only have one root element. If the snippet is a complete section, this is not a problem. If the snippet is a bunch of paragraphs or something, your snippet can be `<div>` (root element), containing everything you want. Well, everything that's allowed, anyway.
#### So what's allowed in `<div>`?
All block elements: `<p>`, `<ul>`, `<ol>`, `<table>`, `<img>`, `<pre>`, `<code>`
#### And what elements can *contain* `<div>`?
`<section>` and `<annex>`.
### Tables
**Rows**
Tables consist of a `<table>` element containing one or more rows
(`<tr>`).
Example:
<table>
<tr>...</tr>
<tr>...</tr>
</table>
**Cells**
A table row consists of one or more cells (`<td>`).
Example:
<table>
<tr>
<td>Cell 1 in row 1</td>
<td>Cell 2 in row 1</td>
</tr>
<tr>
<td>Cell 1 in row 2</td>
<td>Cell 2 in row 2</td>
</tr>
</table>
Columns are implicit: each cell in a row corresponds to a column.
**Header Cells**
Instead of normal cells, you can also use header cells (`<th>`) for a
table header.
Example:
<table>
<tr>
<th>Header cell 1 in row 1</th>
<th>Header cell 2 in row 1</th>
</tr>
<tr>
<td>Cell 1 in row 2</td>
<td>Cell 2 in row 2</td>
</tr>
</table>
**Borders**
To turn on borders for your table, set its `border` attribute to '1'.
Example:
<table border="1">
...
</table>
You can also turn borders on or off (`border="0"`) on lower levels (on
the row level, for example) for finer-tuned border control.
**Setting column width**
To set the width for your columns, add a number for each column to the `cols` element. This number is in millimeters (you can either type 200mm or just 200; don't use cm or pt or px or other measures though). The total width between the margins is 17cm, so 170mm.
Example:
<table cols="50 50 70">
<tr>
<td>cell 1</td><td>cell 2</td><td>cell 3</td>
</tr>
<tr>
<td>cell 4</td><td>cell 5</td><td>cell 6</td>
</tr>
</table>
This will give the first column a width of 50mm (5cm), the second as well, and the third a width of 70mm (7cm).
**Spanning multiple rows/columns**
To make a cell span multiple columns, set its `colspan` attribute to the
number of columns you want to span.
Example:
<tr>
<td colspan="2">This cell spans the two cells in the row below.</td>
</tr>
<tr>
<td>Cell 1 in row 2</td>
<td>Cell 2 in row 2</td>
</tr>
To make a cell span multiple rows, set its `rowspan` attribute to the
number of rows you want to span.
Example:
<tr>
<td rowspan="2">This cell spans the two cells in the second column.</td>
<td>Cell 2 in row 1</td>
</tr>
<tr>
<td>Cell 2 in row 2</td>
</tr>
**Alignment**
Set the `align` attribute of any cell, row or table to one of the
following values to change the text alignment in that cell/row/table:
align result
--------- -----------------
right right alignment
center centered
justify justified
Images
------
To insert an image, use the `<img>` element. In its `src` attribute,
enter the relative path to the image file you want to reference.
To set the height or width, use *either* the `height` or `width`
attribute. Any numerical value you enter will be interpreted as
centimeters.
If you set both, only the width will be interpreted.
If you do not set any height or width, the image will be displayed at
full page width (i.e. 17 cm wide)
Example: `<img src="../graphics/xmlsignatureexclusion.png" width="5"/>`
Optionally, you can set an image caption by adding some text in the `title` attribute.
Example: `<img src="../graphics/xmlsignatureexclusion.png" width="5" title="This is a funny picture LOL"/>`
### Inline elements
Inline elements are elements that modify the text inside e.g. a
paragraph or a list item, for styling or linking purposes. You have the
following options available to you:
**Bold**
To make text bold, wrap it in `<b>` tags.
Example:
`<p><b>This text is bold</b> and this text is not.</p>`
**Italic**
To make text italic, wrap it in `<i>` tags.
Example:
`<p><i>This text is italic</i> and this text is not.</p>`
**Underline**
To make text underlined, wrap it in `<u>` tags.
Example:
`<p><u>This text is underlined</u> and this text is not.</p>`
**Monospace**
To have inline text in a monospace font, wrap it in `<monospace>` tags.
Example:
`<p><monospace>This text is monospace</monospace> and this text is not.</p>`
**Superscript**
To have inline text in superscript, wrap it in `<sup>` tags.
Example:
`<p><sup>This text is in superscript</sup> and this text is not.</p>`
**Subscript**
To have inline text in subscript, wrap it in `<sub>` tags.
Example:
`<p><sub>This text is in subscript</sub> and this text is not.</p>`
**Links**
Link to web pages using the `<a>` element.
In the `href` attribute of the `<a>` element, type the url of the website you're linking to.
Example:
`<p>Please refer to <a href="http://www.radicallyopensecurity.com">our amazing website</a>.</p>`
Manual breaks
-------------
### Line breaks
Mostly text is broken automatically (between paragraphs etc.) but in
some rare cases you may need to insert a manual line break. To do so,
use the `<br/>` element.
Example:
<p>This is my haiku<br/>
my line is broken, but still<br/>
the paragraph flows</p>
### Page breaks
To force a page break before or after a section, set its `break`
attribute to 'before' or 'after'.
Note: breaks are inserted automatcally before every appendix and
before/after the index.
Example:
<section break="before">
<title>Technical Findings</title>
...
</section>
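Review bot: the `<targets>` example under 'Targets' closes with `<targets>` instead of `</targets>`, so a user who copies it gets malformed XML; fix the closing tag. Several statements in this guide also disagree with its own examples: the `<meta>` listing says its children are mandatory and in the listed order but omits `<pentestinfo>`, which the 'Pentest Info' subsection then documents; 'The `<client>` element contains four other elements' is followed by five; the column-width paragraph calls `cols` an element where the example uses it as an attribute of `<table>`; the `<company>` list item uses quotes instead of backticks; 'As explained in the previous section' refers to section ids, which no earlier section of this guide explains; and 'automatcally' under Page breaks is a typo. The escaping tip for `<pre>` content should also mention `&amp;`, since a bare ampersand is equally malformed XML. The rendered HTML copy of this guide added in the same commit inherits all of these and additionally leaves `'<company>'` unescaped inside its `<li>`, so a browser treats it as a tag and the item reads as an empty name; regenerate the HTML after fixing the Markdown source rather than committing it as a separate artifact.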

Binary file not shown.


@@ -0,0 +1,361 @@
<h1 id="writing-an-offerte">Writing an offerte</h1>
<h2 id="tools">Tools</h2>
<p>First of all, make sure you have the right tools installed. Check the tools manual for more info.</p>
<h2 id="main-structure">Main structure</h2>
<p>The report's main element is <code>&lt;offerte&gt;</code>. It contains a number of major parts:</p>
<ul>
<li>Entity listing, in the doctype. These are fields that will be reused throughout the document, mostly in boilerplate text</li>
<li>Document information (metadata), in the element <code>&lt;meta&gt;</code></li>
<li>A variable number of sections (main content), in several <code>&lt;section&gt;</code> elements</li>
<li>A waiver annex, in the <code>&lt;annex&gt;</code> element (located in the snippets directory as it is also boilerplate text)</li>
</ul>
<h2 id="entity-listing">Entity listing</h2>
<p>When you have your scoping information, fill in all the fields. They are commented in the template, so what to fill in should be pretty self-explanatory.</p>
<p>You should be able to fill all fields. The only exception is <code>client_waiver_rep</code>, as it is not always known in advance who this will be.</p>
<h2 id="document-information-metadata">Document information / metadata</h2>
<p>This is the part where we put all information that is <em>about the offerte</em> rather than about the offer itself (hence the term metadata): who has been working on it, what is the offer about, what versions has it gone through, etc.</p>
<p>In XML, this part is indicated by the <code>&lt;meta&gt;</code> element. It contains the following elements (mandatory and in the listed order):</p>
<ul>
<li>The offered service, in the <code>&lt;offered_service&gt;</code> element</li>
<li>Client information, in the <code>&lt;client&gt;</code> element</li>
<li>Your-company-related information, in the '<company>' element</li>
<li>Targets listing, in the <code>&lt;targets&gt;</code> element</li>
<li>The document's version history, in the <code>&lt;version_history&gt;</code> element</li>
</ul>
<p>You need to fill in everything <em>that isn't already filled in with an entity</em>. If there is an entity, the info will be taken from the scoping info you entered in the entity list above. So leave it alone. No need to do anything.</p>
<p>For more details, see the sections below.</p>
<h3 id="the-offered-service">The offered service</h3>
<p>In the <code>&lt;offered_service&gt;</code> element, put the offered_service (in text). This is something like 'penetration testing services' probably.</p>
<p>Example: <code>&lt;offered_service&gt;penetration testing services&lt;/offered_service&gt;</code></p>
<p><strong>No need to do anything here, the entity takes care of this</strong></p>
<h3 id="client-information">Client information</h3>
<p>The <code>&lt;client&gt;</code> element contains four other elements:</p>
<ul>
<li><code>&lt;full_name&gt;</code>, in which you should type the client's official name, e.g. 'Sitting Duck BV', or 'Big International Company Ltd'</li>
<li><code>&lt;short_name&gt;</code>, in which you should type the client's shorter name, e.g. 'Sitting Duck' or 'Big International' (or, if there is no shorter name, just type the long name again)</li>
<li><code>&lt;city&gt;</code>, in which you should type the city where the client's office is based</li>
<li><code>&lt;legal_rep&gt;</code>, in which you should type the name of the client's legal representative, i.e. the guy or gal who can sign the offerte.</li>
<li><code>&lt;waiver_rep&gt;</code>, in which you should type the name of the client's legal representative, i.e. the guy or gal who can sign the waiver. If the legal rep is not known when you are creating the offerte, you can delete this element. The waiver will then be generated with a little line on which the legal rep can write his/her own name.</li>
</ul>
<p>Example:</p>
<pre><code>&lt;client&gt;
&lt;full_name&gt;Sitting Duck B.V.&lt;/full_name&gt;
&lt;short_name&gt;Sitting Duck&lt;/short_name&gt;
&lt;city&gt;Amazonia&lt;/city&gt;
&lt;legal_rep&gt;Shaniah T. Brick&lt;/legal_rep&gt;
&lt;waiver_rep&gt;William Wonder&lt;/waiver_rep&gt;
&lt;/client&gt;</code></pre>
<p><strong>If all names are known, no need to do anything here, the entity takes care of this. If the waiver rep is not known, delete the <code>waiver_rep</code> element.</strong></p>
<h3 id="company-information">Company information</h3>
<p>The <code>&lt;company&gt;</code> element contains two other elements:</p>
<ul>
<li><code>&lt;full_name&gt;</code>, in which you should type your company's official name</li>
<li><code>&lt;legal_rep&gt;</code>, in which you should type the name of your legal rep</li>
</ul>
<p>Example:</p>
<pre><code>&lt;company&gt;
&lt;full_name&gt;Shining Armour B.V.&lt;/full_name&gt;
&lt;legal_rep&gt;Sir Lancelot&lt;/legal_rep&gt;
&lt;/company&gt;</code></pre>
<h3 id="targets">Targets</h3>
<p>The <code>&lt;targets&gt;</code> element contains one or more <code>&lt;target&gt;</code> elements, one for each target specified for the pentest. Put every target of the pentest in its own <code>&lt;target&gt;</code> element. If there is only one target, you'll end up with a <code>&lt;targets&gt;</code> element containing only one <code>&lt;target&gt;</code> element. This is ok.</p>
<p>Example:</p>
<pre><code>&lt;targets&gt;
&lt;target&gt;fishinabarrel.sittingduck.com&lt;/target&gt;
&lt;target&gt;hackthis.sittingduck.com&lt;/target&gt;
&lt;target&gt;Sitting Duck&#39;s support staff&lt;/target&gt;
&lt;targets&gt;</code></pre>
<h3 id="pentest-info">Pentest Info</h3>
<p>The <code>&lt;pentestinfo&gt;</code> element contains some data about the pentest itself. This element is useful as you can refer to its content using placeholders, allowing e.g. for standard referrals to the tested application name, pentest type or pentest duration.</p>
<p>Example:</p>
<pre><code>&lt;pentestinfo&gt;
&lt;duration&gt;10&lt;/duration&gt;&lt;!-- duration of pentest, in working days --&gt;
&lt;test_planning&gt;January 1st until January 12th, 2015&lt;/test_planning&gt; &lt;!-- date or date range in text, e.g. May 18th until May 25th, 2015 --&gt;
&lt;report_writing&gt;January 15th until January 20th, 2015&lt;/report_writing&gt; &lt;!-- date or date range in text, e.g. May 18th until May 25th, 2015 --&gt;
&lt;report_due&gt;January 23rd, 2015&lt;/report_due&gt; &lt;!-- date or date range in text, e.g. May 18th until May 25th, 2015 --&gt;
&lt;nature&gt;time-boxed&lt;/nature&gt;
&lt;type&gt;black-box&lt;/type&gt;&lt;!-- please choose one of the following: black-box, grey-box, crystal-box --&gt;
&lt;fee&gt;50000&lt;/fee&gt;&lt;!-- euro is added automatically in the document --&gt;
&lt;target_application&gt;FishInABarrel&lt;/target_application&gt;&lt;!-- name of application to be tested (if any) --&gt;
&lt;target_application_producer&gt;H4ckers &#39;R&#39; Us&lt;/target_application_producer&gt;
&lt;/pentestinfo&gt;</code></pre>
<h3 id="version-history">Version History</h3>
<p>The <code>&lt;version_history&gt;</code> element contains one or more <code>&lt;version&gt;</code> elements, one for each version of the document you create. Whenever you start a new version, add a <code>&lt;version&gt;</code> element to the list.</p>
<p>The <code>&lt;version&gt;</code> element should contain the following:</p>
<ul>
<li>a <code>date</code> attribute with a date of your version as a value, in the format YYYY-MM-DDT00:00:00, e.g. 2015-04-18T00:00:00</li>
<li>a <code>number</code> attribute with the version number as a value. This value can either be 'auto' or an actual version number, e.g. 1.0. If you use the 'auto' value, the system will automatically count it (starting with 0.1 for the first <code>&lt;version&gt;</code> element and going up from there: 0.2, 0.3, etc...).</li>
<li>One or more <code>&lt;v_author&gt;</code> elements, each containing the name of the person who worked on this version (that would be you at least, and perhaps a pentester or colleague who did significant work on it)</li>
<li>A <code>&lt;v_description&gt;</code> element with a (very short!) description of what has been done in this version, e.g. 'Added non-findings' or 'Revision'</li>
</ul>
<p>Example:</p>
<pre><code>&lt;version_history&gt;
&lt;version number=&quot;auto&quot; date=&quot;2014-12-18T00:00:00&quot;&gt;
&lt;v_author&gt;Bob Goudriaan&lt;/v_author&gt;
&lt;v_description&gt;Initial draft&lt;/v_description&gt;
&lt;/version&gt;
&lt;version date=&quot;2014-12-22T00:00:00&quot; number=&quot;auto&quot;&gt;
&lt;v_author&gt;Bob Goudriaan&lt;/v_author&gt;
&lt;v_author&gt;Patricia Piolon&lt;/v_author&gt;
&lt;v_description&gt;Revision&lt;/v_description&gt;
&lt;/version&gt;
&lt;/version_history&gt;</code></pre>
<h2 id="sections">Sections</h2>
<p>The main bulk of the offerte is made up of normal content. We divide our content into sections using the <code>&lt;section&gt;</code> element.</p>
<h3 id="section-title">Section title</h3>
<p>A section must always start with a <code>&lt;title&gt;</code> element, which should only contain text; after that you're free to do what you want. As explained in the previous section, it's a good idea to have the section id and the title be somewhat related.</p>
<p>Example:</p>
<pre><code>&lt;section&gt;
&lt;title&gt;Project Planning&lt;/title&gt;
...
&lt;/section&gt;</code></pre>
<h3 id="section-content">Section content</h3>
<p>As said, after the title, anything goes (well, almost):</p>
<ul>
<li>A section can be subdivided into smaller sections</li>
<li>A section can contain generic content, that is to say any number and order of:
<ul>
<li>paragraphs (<code>&lt;p&gt;</code>)</li>
<li>lists (ordered <code>&lt;ol&gt;</code> or unordered <code>&lt;ul&gt;</code>)</li>
<li>tables (<code>&lt;table&gt;</code>)</li>
<li>command input/output boxes (<code>&lt;pre&gt;</code>)</li>
<li>code (<code>&lt;code&gt;</code>)</li>
<li>div containers (<code>&lt;div&gt;</code>)</li>
</ul></li>
<li>A section can contain a signing box for the offerte itself (<code>&lt;generate_offer_signature_box/&gt;</code>)</li>
<li>A section can contain a listing of targets, taken from the <code>&lt;targets&gt;</code> element in the meta section (<code>&lt;generate_targets/&gt;</code>)</li>
</ul>
<p>All of these elements are described elsewhere in this document; see the appropriate sections for details.</p>
<h2 id="annexes">Annexes</h2>
<p>Annexes (using the <code>&lt;annex&gt;</code> element) work the same as sections, they just come last in the report. Like sections, they must start with a title. Also like sections, the rest of their content is free-form.</p>
<p>You will need at least one annex in the template, for the waiver. An annex can contain a signing box for the waiver (<code>&lt;generate_waiver_signature_box/&gt;</code>)</p>
<p>Example:</p>
<pre><code>&lt;annex&gt;
&lt;title&gt;Annex 1: Waiver&lt;/title&gt;
&lt;p&gt;You waive all responsibility.&lt;/p&gt;
&lt;generate_waiver_signature_box/&gt;
&lt;/annex&gt;</code></pre>
<h2 id="generic-content">Generic content</h2>
<p>Generic content is modeled on very basic HTML.</p>
<h3 id="paragraphs">Paragraphs</h3>
<p>Paragraphs (<code>&lt;p&gt;</code>) go in sections or in the various sub-elements of findings and non-findings. They are the basic way of displaying text.</p>
<p>Example:</p>
<pre><code>&lt;p&gt;This is a paragraph&lt;/p&gt;</code></pre>
<h3 id="lists">Lists</h3>
<p>Lists can be ordered (<code>&lt;ol&gt;</code>, for '<strong>o</strong>rdered <strong>l</strong>ist') or unordered (<code>&lt;ul&gt;</code>, for <strong>u</strong>nordered <strong>l</strong>ist). Regardless of whether a list is ordered or unordered, it contains one or more list items (<code>&lt;li&gt;</code>, for <strong>l</strong>ist <strong>i</strong>tem).</p>
<p><strong>Unordered lists</strong></p>
<p>Example:</p>
<pre><code>&lt;ul&gt;
&lt;li&gt;Some item&lt;/li&gt;
&lt;li&gt;Some other item&lt;/li&gt;
&lt;/ul&gt;</code></pre>
<p><strong>Ordered lists</strong></p>
<p>Ordered lists are numbered by default. You can configure a different ordering system by setting its <code>type</code> attribute to one of the following values:</p>
<table>
<thead>
<tr class="header">
<th align="left">type</th>
<th align="left">ordering</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">a</td>
<td align="left">lowercase alphabetic</td>
</tr>
<tr class="even">
<td align="left">A</td>
<td align="left">uppercase alphabetic</td>
</tr>
<tr class="odd">
<td align="left">i</td>
<td align="left">lowercase roman</td>
</tr>
<tr class="even">
<td align="left">I</td>
<td align="left">uppercase roman</td>
</tr>
</tbody>
</table>
<p>Example:</p>
<pre><code>&lt;ol type=&quot;i&quot;&gt;
&lt;li&gt;Some item&lt;/li&gt;
&lt;li&gt;Some other item&lt;/li&gt;
&lt;/ol&gt;</code></pre>
<h3 id="codeinputoutput-blocks">Code/Input/Output Blocks</h3>
<p>Whenever you need to display some command line input/output or code, use the <code>&lt;pre&gt;</code> element. It will conserve any whitespace you leave, so you can format the contents of this element in a pleasant/readable way. Use spaces for indents. Note that text in the <code>&lt;pre&gt;</code> element <em>will not wrap</em>.</p>
<p>Example:</p>
<pre><code>&lt;section&gt;
&lt;title&gt;Some output&lt;/title&gt;
&lt;p&gt;This is some relevant stuff the client sent us:&lt;/p&gt;
&lt;pre&gt;&#39;relevant stuff&#39;&lt;/pre&gt;
&lt;p&gt;And this too:&lt;/p&gt;
&lt;pre&gt;this relevant stuff comes
in several lines
Some indented
and some not
This is not a haiku.&lt;/pre&gt;
&lt;/section&gt;</code></pre>
<h4 id="help-the-code-in-my-pre-element-contains-characters-and-it-messes-with-my-xml">Help! The code in my pre element contains &lt; characters and it messes with my xml!</h4>
<p>You can escape the &lt; character by replacing it with its entity <code>&amp;lt;</code>.</p>
<h3 id="div-containers">Div containers</h3>
<h4 id="what-does-div-do">What does <code>&lt;div&gt;</code> do?</h4>
<p>Nothing. <code>&lt;div&gt;</code> just <em>is</em>.</p>
<h4 id="sigh.-ok-why-is-div">Sigh. Ok, why <em>is</em> <code>&lt;div&gt;</code>?</h4>
<p>You can use <code>&lt;div&gt;</code> as a container for other block elements. This is basically only (but very) useful for snippets, as snippets need to be well-formed XML documentlets and can therefore only have one root element. If the snippet is a complete section, this is not a problem. If the snippet is a bunch of paragraphs or something, your snippet can be <code>&lt;div&gt;</code> (root element), containing everything you want. Well, everything that's allowed, anyway.</p>
<h4 id="so-whats-allowed-in-div">So what's allowed in <code>&lt;div&gt;</code>?</h4>
<p>All block elements: <code>&lt;p&gt;</code>, <code>&lt;ul&gt;</code>, <code>&lt;ol&gt;</code>, <code>&lt;table&gt;</code>, <code>&lt;img&gt;</code>, <code>&lt;pre&gt;</code>, <code>&lt;code&gt;</code></p>
<h4 id="and-what-elements-can-contain-div">And what elements can <em>contain</em> <code>&lt;div&gt;</code>?</h4>
<p><code>&lt;section&gt;</code> and <code>&lt;annex&gt;</code>.</p>
<h3 id="tables">Tables</h3>
<p><strong>Rows</strong></p>
<p>Tables consist of a <code>&lt;table&gt;</code> element containing one or more rows (<code>&lt;tr&gt;</code>).</p>
<p>Example:</p>
<pre><code>&lt;table&gt;
&lt;tr&gt;...&lt;/tr&gt;
&lt;tr&gt;...&lt;/tr&gt;
&lt;/table&gt;</code></pre>
<p><strong>Cells</strong></p>
<p>A table row consists of one or more cells (<code>&lt;td&gt;</code>).</p>
<p>Example:</p>
<pre><code>&lt;table&gt;
&lt;tr&gt;
&lt;td&gt;Cell 1 in row 1&lt;/td&gt;
&lt;td&gt;Cell 2 in row 1&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cell 1 in row 2&lt;/td&gt;
&lt;td&gt;Cell 2 in row 2&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;</code></pre>
<p>Columns are implicit: each cell in a row corresponds to a column.</p>
<p><strong>Header Cells</strong></p>
<p>Instead of normal cells, you can also use header cells (<code>&lt;th&gt;</code>) for a table header.</p>
<p>Example:</p>
<pre><code>&lt;table&gt;
&lt;tr&gt;
&lt;th&gt;Header cell 1 in row 1&lt;/th&gt;
&lt;th&gt;Header cell 2 in row 1&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cell 1 in row 2&lt;/td&gt;
&lt;td&gt;Cell 2 in row 2&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;</code></pre>
<p><strong>Borders</strong></p>
<p>To turn on borders for your table, set its <code>border</code> attribute to '1'.</p>
<p>Example:</p>
<pre><code>&lt;table border=&quot;1&quot;&gt;
...
&lt;/table&gt;</code></pre>
<p>You can also turn borders on or off (<code>border=&quot;0&quot;</code>) on lower levels (on the row level, for example) for finer-tuned border control.</p>
<p><strong>Setting column width</strong></p>
<p>To set the width for your columns, add a number for each column to the <code>cols</code> element. This number is in millimeters (you can either type 200mm or just 200; don't use cm or pt or px or other measures though). The total width between the margins is 17cm, so 170mm.</p>
<p>Example:</p>
<pre><code>&lt;table cols=&quot;50 50 70&quot;&gt;
&lt;tr&gt;
&lt;td&gt;cell 1&lt;/td&gt;&lt;td&gt;cell 2&lt;/td&gt;&lt;td&gt;cell 3&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;cell 4&lt;/td&gt;&lt;td&gt;cell 5&lt;/td&gt;&lt;td&gt;cell 6&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;</code></pre>
<p>This will give the first column a width of 50mm (5cm), the second as well, and the third a width of 70mm (7cm).</p>
<p><strong>Spanning multiple rows/columns</strong></p>
<p>To make a cell span multiple columns, set its <code>colspan</code> attribute to the number of columns you want to span.</p>
<p>Example:</p>
<pre><code>&lt;tr&gt;
&lt;td colspan=&quot;2&quot;&gt;This cell spans the two cells in the row below.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cell 1 in row 2&lt;/td&gt;
&lt;td&gt;Cell 2 in row 2&lt;/td&gt;
&lt;/tr&gt;</code></pre>
<p>To make a cell span multiple rows, set its <code>rowspan</code> attribute to the number of rows you want to span.</p>
<p>Example:</p>
<pre><code>&lt;tr&gt;
&lt;td rowspan=&quot;2&quot;&gt;This cell spans the two cells in the second column.&lt;/td&gt;
&lt;td&gt;Cell 2 in row 1&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cell 2 in row 2&lt;/td&gt;
&lt;/tr&gt;</code></pre>
<p><strong>Alignment</strong></p>
<p>Set the <code>align</code> attribute of any cell, row or table to one of the following values to change the text alignment in that cell/row/table:</p>
<table>
<thead>
<tr class="header">
<th align="left">align</th>
<th align="left">result</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">right</td>
<td align="left">right alignment</td>
</tr>
<tr class="even">
<td align="left">center</td>
<td align="left">centered</td>
</tr>
<tr class="odd">
<td align="left">justify</td>
<td align="left">justified</td>
</tr>
</tbody>
</table>
<h2 id="images">Images</h2>
<p>To insert an image, use the <code>&lt;img&gt;</code> element. In its <code>src</code> attribute, enter the relative path to the image file you want to reference.</p>
<p>To set the height or width, use <em>either</em> the <code>height</code> or <code>width</code> attribute. Any numerical value you enter will be interpreted as centimeters.</p>
<p>If you set both, only the width will be interpreted.</p>
<p>If you do not set any height or width, the image will be displayed at full page width (i.e. 17 cm wide)</p>
<p>Example: <code>&lt;img src=&quot;../graphics/xmlsignatureexclusion.png&quot; width=&quot;5&quot;/&gt;</code></p>
<p>Optionally, you can set an image caption by adding some text in the <code>title</code> attribute.</p>
<p>Example: <code>&lt;img src=&quot;../graphics/xmlsignatureexclusion.png&quot; width=&quot;5&quot; title=&quot;This is a funny picture LOL&quot;/&gt;</code></p>
<h3 id="inline-elements">Inline elements</h3>
<p>Inline elements are elements that modify the text inside e.g. a paragraph or a list item, for styling or linking purposes. You have the following options available to you:</p>
<p><strong>Bold</strong></p>
<p>To make text bold, wrap it in <code>&lt;b&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;b&gt;This text is bold&lt;/b&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Italic</strong></p>
<p>To make text italic, wrap it in <code>&lt;i&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;i&gt;This text is italic&lt;/i&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Underline</strong></p>
<p>To make text underlined, wrap it in <code>&lt;u&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;u&gt;This text is underlined&lt;/u&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Monospace</strong></p>
<p>To have inline text in a monospace font, wrap it in <code>&lt;monospace&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;monospace&gt;This text is monospace&lt;/monospace&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Superscript</strong></p>
<p>To have inline text in superscript, wrap it in <code>&lt;sup&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;sup&gt;This text is in superscript&lt;/sup&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Subscript</strong></p>
<p>To have inline text in subscript, wrap it in <code>&lt;sub&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;sub&gt;This text is in subscript&lt;/sub&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Links</strong></p>
<p>Link to web pages using the <code>&lt;a&gt;</code> element.</p>
<p>In the <code>href</code> attribute of the <code>&lt;a&gt;</code> element, type the url of the website you're linking to.</p>
<p>Example:</p>
<p><code>&lt;p&gt;Please refer to &lt;a href=&quot;http://www.radicallyopensecurity.com&quot;&gt;our amazing website&lt;/a&gt;.&lt;/p&gt;</code></p>
<h2 id="manual-breaks">Manual breaks</h2>
<h3 id="line-breaks">Line breaks</h3>
<p>Mostly text is broken automatically (between paragraphs etc.) but in some rare cases you may need to insert a manual line break. To do so, use the <code>&lt;br/&gt;</code> element.</p>
<p>Example:</p>
<pre><code>&lt;p&gt;This is my haiku&lt;br/&gt;
my line is broken, but still&lt;br/&gt;
the paragraph flows&lt;/p&gt;</code></pre>
<h3 id="page-breaks">Page breaks</h3>
<p>To force a page break before or after a section, set its <code>break</code> attribute to 'before' or 'after'.</p>
<p>Note: breaks are inserted automatcally before every appendix and before/after the index.</p>
<p>Example:</p>
<pre><code>&lt;section break=&quot;before&quot;&gt;
&lt;title&gt;Technical Findings&lt;/title&gt;
...
&lt;/section&gt;</code></pre>
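Review bot: the Targets example closes `<targets>` with a second opening tag instead of `</targets>`, so anyone who copies it into a template gets XML that fails to parse; the last line of that block should read `&lt;/targets&gt;</code></pre>` rather than `&lt;targets&gt;</code></pre>` (the Markdown version of this manual in the 957-line file that follows repeats the same `<targets>` typo in its Targets example). Several smaller documentation problems in the same file: the `<meta>` listing names the company element as a bare `'<company>'` instead of `<code>&lt;company&gt;</code>` like its siblings, so the element name is swallowed as an unknown tag when the HTML renders; the Client information section says `<client>` "contains four other elements" but lists five (`full_name`, `short_name`, `city`, `legal_rep`, `waiver_rep`); `<pentestinfo>` gets its own subsection but is absent from the list of mandatory `<meta>` children, so it is unclear whether it is required and where it goes in the stated order; and the column width section calls `cols` an element while the example uses it as an attribute on `<table>`. The escaping FAQ under Code/Input/Output Blocks only covers `<`; a bare `&` in a `<pre>` block breaks the XML just the same and needs `&amp;`, which is worth stating since command output often contains it. Also, 'automatcally' in the page-breaks note is a typo.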

View File

@@ -0,0 +1,957 @@
Writing a test report
=====================
Tools
-----
First of all, make sure you have the right tools installed. Check the
tools manual for more info.
Main structure
--------------
The report's main element is `<pentest_report>`. It contains four major
parts:
- Document information (metadata), in the element `<meta>`
- The index, in the element `<generate_index>`
- A variable number of sections (main content), in several `<section>`
elements
- A variable number of appendices (extra content), in one or more
`<appendix>` elements
Additionally, the `<pentest_report>` element has two attributes:
- `findingCode`, which is a three-letter prefix for the finding
numbers, derived from the client name (e.g. 'SID' for Sitting Duck
BV, 'BIC' for Big International Company Ltd, etc.). When this is not
filled in you will see three question marks '???' in the finding ID columns
in the Table of Contents and detailed finding sections.
- `findingNumberingBase`, which can be set to 'Report' or 'Section' -
this configures whether the numbering of findings in the report is
report-based (i.e. starting with XXX-001 and continuing upwards) or
section-based (i.e. findings in section 3 are numbered XXX-301 and
up, findings in section 5 are numbered XXX-501 and up). Use 'Report'
for smaller pentest reports and 'Section' for large ones.
Document information / metadata
-------------------------------
This is the part where we put all information that is *about the report*
rather than about the pentest itself (hence the term metadata): who has
been working on it, what is the document title, what versions has it
gone through, etc.
In XML, this part is indicated by the `<meta>` element. It contains the
following elements (mandatory and in the listed order):
- The document title, in the `<title>` element
- Client information, in the `<client>` element
- Targets listing, in the `<targets>` element
- (Optionally) Pentest-related information, in the `<pentestinfo>` element
- People who worked on the pentest and/or report, in the
`<collaborators>` element
- Document classification, in the `<classification>` element
- The document's version history, in the `<version_history>` element
- Your company contact information, in the `<company>` element
For more details, see the sections below.
### The document title
In the `<title>` element, put the document title (in text). This is
something like 'Penetration Test Report', 'Security Audit Report',
whatever fits the bill.
Example: `<title>`Penetration Test Report`</title>`
### Client information
The `<client>` element contains two other elements:
- `<full_name>`, in which you should type the client's official name,
e.g. 'Sitting Duck BV', or 'Big International Company Ltd'
- `<short_name>`, in which you should type the client's shorter name,
e.g. 'Sitting Duck' or 'Big International' (or, if there is no
shorter name, just type the long name again)
Example:
<client>
<full_name>Sitting Duck B.V.</full_name>
<short_name>Sitting Duck</short_name>
</client>
### Targets
The `<targets>` element contains one or more `<target>` elements, one
for each target specified for the pentest. Put every target of the
pentest in its own `<target>` element. If there is only one target,
you'll end up with a `<targets>` element containing only one `<target>`
element. This is ok.
Example:
<targets>
<target>fishinabarrel.sittingduck.com</target>
<target>hackthis.sittingduck.com</target>
<target>Sitting Duck's support staff</target>
<targets>
### Pentest Info
The `<pentestinfo>` element contains some data about the pentest itself. This element is optional, but may be useful as you can refer to its content using placeholders, allowing e.g. for standard referrals to the tested application name, pentest type or pentest duration.
Example:
<pentestinfo>
<duration>10</duration><!-- duration of pentest, in working days -->
<test_planning>January 1st until January 12th, 2015</test_planning> <!-- date or date range in text, e.g. May 18th until May 25th, 2015 -->
<report_writing>January 15th until January 20th, 2015</report_writing> <!-- date or date range in text, e.g. May 18th until May 25th, 2015 -->
<report_due>January 23rd, 2015</report_due> <!-- date or date range in text, e.g. May 18th until May 25th, 2015 -->
<nature>time-boxed</nature>
<type>black-box</type><!-- please choose one of the following: black-box, grey-box, crystal-box -->
<target_application>FishInABarrel</target_application><!-- name of application to be tested (if any) -->
<target_application_producer>H4ckers 'R' Us</target_application_producer>
</pentestinfo>
### Collaborators
The `<collaborators>` element contains three other elements, mandatory
and in the listed order:
- `<reviewers>`, containing one or more `<reviewer>` elements (same
system as `<targets>`; put the name of each reviewer in its own
`<reviewer>` element.)
- `<approver>`, containing only text. Here you put the name of the
person who has approved the document for distribution to the client
(usually this is Melanie)
- `<pentesters>`, containing one or more `<pentester>` elements (*not*
the same system as targets, see the section on pentesters for more
details)
Example:
<collaborators>
<reviewers>
<reviewer>Patricia Piolon</reviewer>
</reviewers>
<approver>Melanie Rieback</approver>
...
</collaborators>
### Pentesters
As said, the `<pentesters>` element contains one or more `<pentester>`
elements.
The `<pentester>` element contains two other elements:
- `<name>`, containing the pentester's name (in text)
- `<bio>`, containing a paragraph about the pentester's l33tness :) -
For many pentesters, you can get this bio from a previous pentest.
If we're working with a new guy or girl, ask them for some info
about themselves.
The names of the pentesters will appear on the document info page and
their names and bios will be listed automatically in a table wherever
you insert the `<generate_testteam/>` element.
Example:
<collaborators>
...
<pentesters>
<pentester>
<name>Melanie Rieback</name>
<bio>Melanie Rieback is a former Asst. Prof. of Computer Science
from the VU, who is also the co-founder/CEO of
Radically Open Security.</bio>
</pentester>
<pentester>
<name>William of Ockham</name>
<bio>English Franciscan friar and scholastic philosopher and theologian.
Considered to be one of the major figures of medieval thought.
At the centre of some major intellectual and political controversies.</bio>
</pentester>
</pentesters>
</collaborators>
### Document Classification
The `<classification>` element contains information on the
confidentiality level of the report. Usually this will be
'Confidential'.
The classification will appear in the header of each page.
Example:
<classification>Confidential</classification>
### Version History
The `<version_history>` element contains one or more `<version>`
elements, one for each version of the document you create. Whenever you
start a new version, add a `<version>` element to the list.
The `<version>` element should contain the following:
- a `date` attribute with a date of your version as a value, in the
format YYYY-MM-DDT00:00:00, e.g. 2015-04-18T00:00:00
- a `number` attribute with the version number as a value. This value
can either be 'auto' or an actual version number, e.g. 1.0. If you
use the 'auto' value, the system will automatically count it
(starting with 0.1 for the first `<version>` element and going up
from there: 0.2, 0.3, etc...).
- One or more `<v_author>` elements, each containing the name of the
person who worked on this version (that would be you at least, and
perhaps a pentester or colleague who did significant work on it)
- A `<v_description>` element with a (very short!) description of what
has been done in this version, e.g. 'Added non-findings' or
'Revision'
Example:
<version_history>
<version number="auto" date="2014-12-18T00:00:00">
<v_author>Bob Goudriaan</v_author>
<v_description>Initial draft</v_description>
</version>
<version date="2014-12-22T00:00:00" number="auto">
<v_author>Bob Goudriaan</v_author>
<v_author>Patricia Piolon</v_author>
<v_description>Revision</v_description>
</version>
</version_history>
### Contact information
This is the contact information in a basic XML format. It never changes,
so it has been isolated in its own little xml file, which is referred to
from the main document with an `<xi:include>` element:
`<xi:include href="snippets/contact.xml"/>`
If you need to edit the contact information, edit that file. But it's
extremely likely that you won't need to.
The index
---------
The document index is generated at the location of the element
`<generate_index/>`. To make sure the index works (meaning that a
reference page number is listed for each section), you will need to give
a unique `id` attribute to all elements (sections, appendices, findings
and non-findings) that need to be listed in the index.
Insert the `<generate_index/>` element immediately after the `<meta>`
element.
Sections
--------
The main bulk of the pentest report is made up of normal content. We
divide our content into sections using the `<section>` element.
### `id`
Make sure that every `<section>` element, no matter where in the
structure it is located, gets a unique id attribute. By 'unique' we mean
that no other element in the report should have the same value for its
id attribute. This is enforced by the schema, so you will get an error
message if you have duplicate ids in your report.
The exact value of the id attribute doesn't really matter, it can be
anything, but it is good practice to pick an id that has some kind of
relation to the section subject. For example, if your section is titled
'Technical Summary', a good id value for this `<section>` element would
be 'technicalsummary'. You can use dots (.), dashes (-), underscores
(\_) and numbers and letters in the id. You cannot use spaces.
Example:
<section id="summary_of_findings">
...
</section>
### Section title
A section must always start with a `<title>` element, which should only
contain text; after that you're free to do what you want. As explained
in the previous section, it's a good idea to have the section id and the
title be somewhat related.
Example:
<section id="summary_of_findings">
<title>Summary of Findings</title>
...
</section>
### Section content
As said, after the title, anything goes (well, almost):
- A section can be subdivided into smaller sections (section 1 can be
subdivided into 1.1, 1.2, etc.)
- A section can contain generic content, that is to say any number and
order of:
- paragraphs (`<p>`)
- lists (ordered `<ol>` or unordered `<ul>`)
- tables (`<table>`)
- command input/output boxes (`<pre>`)
- div containers (`<div>`)
- A section can contain any number of findings (`<finding>`)
- A section can contain any number of non-findings (`<non-finding>`)
- A section can contain any number of finding or recommendation
summary tables (`<generate_findings>`, `<generate_recommendations>`)
- A section can contain a listing of targets, taken from the
`<targets>` element in the meta section (`<generate_targets>`)
All of these elements are described elsewhere in this document; see the
appropriate sections for details.
Appendices
----------
Appendices (using the `<appendix>` element) work the same as sections,
they just come last in the report. Like sections, they must have a
unique id, and must start with a title. Also like sections, the rest of
their content is free-form.
You will need at least one appendix, for the pentester listing (name and
bio). This is generated from the info you provided in the `<meta>`
section in the beginning of the report, so all you need to do is insert
a `<generate_testteam/>` element.
Example:
<appendix id="pentesters">
<title>Pentesters</title>
<generate_testteam/>
</appendix>
Findings
--------
Findings are special sections with a specific structure. Findings are
written by the pentesters. It is the job of a report writer to copy them
into the report (or reference them using an xi:include) and
edit/elaborate.
A finding consists of a `<finding>` element with the following
attributes:
- `id` - to uniquely identify the finding in the document
- `threatLevel` - which can be set to 'N/A', 'Low', 'Moderate',
'Elevated', 'High', or 'Extreme'
- `type` - the finding type (free text, but keep it short)
Furthermore, the `<finding>` is made up of several sub-elements:
- `<title>`, a title for the finding
- `<description>`, a short, general description of the finding
- `<description_summary>`, an *optional* shorter description for use
in the summary tables
- `<technicaldescription>`, a technical elaboration on what the
problem entails
- `<impact>`, the finding's impact on the target's security
- `<recommendation>`, instructions or advice on how to improve
security
- `<recommendation_summary>`, an *optional* shorter recommendation for
use in the summary tables
For more details, see the sections below.
### Note to pentesters
**PENTESTERS** should only use the `<finding>` element containing:
- the `threatLevel` attribute
- the `type` attribute
- the `<title>` element
- the `<description>` element
- the `<technicaldescription>` element
- the `<impact>` element, and
- the `<recommendation>` element
The contents of these elements is free - write whatever you like. The
report writer will mark up your text.
Please create one file per finding.
There is no need to number your findings, as they will be numbered
automatically in the report. There is also no need to add an `id` since
the report writer is better positioned to do that.
Finding template:
<finding threatLevel="SelectFromList" type="ThreatTypeText">
<title>Finding Title</title>
<description>General Description of the problem</description>
<technicaldescription>Technical description of the problem.</technicaldescription>
<impact>Impact of the finding</impact>
<recommendation>Advice/tips/instructions on how to solve the problem</recommendation>
</finding>
### Note to report writers
**REPORT WRITERS** should: - Add any necessary xml to the main structure
elements (e.g. add paragraphs or `<pre>` text to the technical
description) - Edit the text so that it is in correct english and
informative/helpful to the client (or, when in doubt, ask pentesters to
make it more informative/helpful) - Add a `<description_summary>` and/or
`<recommendation_summary>` element if necessary.
### Description
This is a general intro to the problem. It can be left as-is, in which
case the contents of this element will be treated as a paragraph, or it
can be marked up as generic text (using the Generic content elements
listed elsewhere in this document - with paragraphs, lists, tables,
images).
The contents of the `<description>` element will be used verbatim in the
finding summary table **unless** the finding *also* contains a
`<description_summary>` element, in which case that element will be
used.
Example:
<finding id="xmlsignatureexclusion" threatLevel="Low" type="Signature Exclusion">
<title>XML signature exclusion</title>
<description>
<p>This is a reasonably short general description. It can easily fit in the summary table.</p>
</description>
...
</finding>
### Description for Summary Table
If the general finding description is too long or uses elements like
images or tables, it will not be usable to put in the finding summary
table. In this case you can add a `<description_summary>` element right
after the `<description>` element. The system will then use this
description for the summary table instead. The contents of the
`<description_summary>` element will **only be used in the summary
table**. This means that it **will not be visible in the finding text**.
Example:
<finding id="xmlsignatureexclusion" threatLevel="Low" type="Signature Exclusion">
<title>XML signature exclusion</title>
<description>
<p>This is a more elaborate general description:</p>
<img src="../graphics/screenshot.png"/>
<p>In this case, the screenshot above makes this description a bad candidate for inclusion in the summary table.</p>
<p>Additionally, the description is very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very
very very very very very very very long.</p>
</description>
<description_summary>
<p>This is the alternative summary.</p>
</description_summary>
...
</finding>
### Technical Description
This is a technical description of the problem. It can be left as-is, in
which case the contents of this element will be treated as a paragraph,
or it can be marked up as generic text (using the Generic content
elements listed elsewhere in this document - with paragraphs, lists,
tables, images).
Example:
<finding id="xmlsignatureexclusion" threatLevel="Low" type="Signature Exclusion">
<title>XML signature exclusion</title>
<description>
<p>This is a reasonably short general description. It can easily fit in the summary table.</p>
</description>
<technicaldescription>
<p>This is a very detailed and technical description of the finding using a screenshot:</p>
<img src="../graphics/screenshot1.png"/>
<p>And another screenshot:</p>
<img src="../graphics/screenshot2.png"/>
</technicaldescription>
...
</finding>
### Impact
This describes the impact of the problem. It can be left as-is, in which
case the contents of this element will be treated as a paragraph, or it
can be marked up as generic text (using the Generic content elements
listed elsewhere in this document - with paragraphs, lists, tables,
images).
Example:
<finding id="xmlsignatureexclusion" threatLevel="Low" type="Signature Exclusion">
<title>XML signature exclusion</title>
...
<impact>This finding is not a big threat because most people don't even know what a
signature inclusion is. Do you?</impact>
</finding>
### Recommendation
This element contains tips/advice/instructions to deal with the problem.
It can be left as-is, in which case the contents of this element will be
treated as a paragraph, or it can be marked up as generic text (using
the Generic content elements listed elsewhere in this document - with
paragraphs, lists, tables, images).
The contents of the `<recommendation>` element will be used verbatim in
the recommendation summary table **unless** the finding *also* contains
a `<recommendation_summary>` element, in which case that element will be
used.
Example:
<finding id="xmlsignatureexclusion" threatLevel="Low" type="Signature Exclusion">
<title>XML signature exclusion</title>
...
<recommendation>Advise all users to change their passwords. That's always a good idea.</recommendation>
</finding>
### Recommendation for Summary Table
If the recommendation is too long or uses elements like images or
tables, it will not be usable to put in the recommendation table. In
this case you can add a `<recommendation_summary>` element right after
the `<recommendation>` element. The system will then use this
recommendation for the summary table instead. The contents of the
`<recommendation_summary>` element will **only be used in the summary
table**. This means that it **will not be visible in the finding text**.
Example:
<finding id="xmlsignatureexclusion" threatLevel="Low" type="Signature Exclusion">
<title>XML signature exclusion</title>
...
<recommendation>
<p>Advise all users to:</p>
<ol>
<li>Stand on their head</li>
<li>Restart their computers</li>
<li>Change their passwords</li>
</ol>
<img src="../graphics/pictureofauserchangingtheirpassword.png"/>
</recommendation>
<recommendation_summary>
<p>Advise all users to change their passwords.</p>
</recommendation_summary>
</finding>
Non-findings
------------
Non-findings are much more freeform than findings. They consist of a
`<non-finding>` element with: - a `<title>` - generic elements such as
paragraphs, images, etc.
`<non-finding>` elements must have an `id` attribute.
(Basically, they are a `<section>` with a special name.)
Example:
<non-finding id="nf_xss">
<title>Mail Server</title>
<p>
The server was running MailServer ABC for SMTP, POP3 and IMAP. This is
the most recent version of this particular piece of software.
No relevant vulnerabilities or exploits were found.
</p>
<p>
Note that this does not mean it's a good idea to use it, since the company
making MailServer ABC is notoriously terrible at pushing out secure software.
</p>
</non-finding>
Summary tables
--------------
Every pentest report should include summary tables for all findings and
recommendations. This is easy, however, as these tables are generated
automatically by the software. You just need to indicate where, by using
the `<generate_findings/>` and `<generate_recommendations/>` elements.
`<generate_findings/>` and `<generate_recommendations/>` will generate
findings/recommendation summary tables for the complete report. If you
only want to generate a table for findings in a specific section, add a
`Ref` attribute and enter the id of the section you want to reference as
its value.
Example:
<section id="xmlxamlsummary">
<title>Summary</title>
<generate_findings Ref="section2"/>
</section>
Generic content
---------------
Generic content is modeled on very basic HTML.
### Paragraphs
Paragraphs ('
') go in sections or in the various sub-elements of findings and
non-findings. They are the basic way of displaying text.
Example:
<p>This is a paragraph</p>
### Lists
Lists can be ordered (`<ol>`, for '**o**rdered **l**ist') or unordered
(`<ul>`, for **u**nordered **l**ist). Regardless of whether a list is
ordered or unordered, it contains one or more list items (`<li>`, for
**l**ist **i**tem).
**Unordered lists**
Example:
<ul>
<li>Some item</li>
<li>Some other item</li>
</ul>
**Ordered lists**
Ordered lists are numbered by default. You can configure a different
ordering system by setting its `type` attribute to one of the following
values:
type ordering
------ ----------------------
a lowercase alphabetic
A uppercase alphabetic
i lowercase roman
I uppercase roman
Example:
<ol type="i">
<li>Some item</li>
<li>Some other item</li>
</ol>
### Code/Input/Output Blocks
Whenever you need to display some command line input/output or code, use
the `<pre>` element. It will conserve any whitespace you leave, so you
can format the contents of this element in a pleasant/readable way. Use
spaces for indents. Note that text in the `<pre>` element *will not
wrap*.
Example:
<section id="nmap">
<title>nmap</title>
<p>Command:</p>
<pre>$ nmap -vvvv -oA fishinabarrel.sittingduck.com_complete -sV -sC -A -p1-65535 -T5 fishinabarrel.sittingduck.com</pre>
<p>Outcome:</p>
<pre>Nmap scan report for fishinabarrel.sittingduck.com (10.10.10.1)
In several lines
Some indented
and some not
This is not a haiku.</pre>
</section>
#### Help! The code in my pre element contains \< characters and it messes with my xml!
You can escape the \< character by replacing it with its entity `&lt;`.
### Div containers
#### What does `<div>` do?
Nothing. `<div>` just *is*.
#### Sigh. Ok, why *is* `<div>`?
You can use `<div>` as a container for other block elements. This is basically only (but very) useful for snippets, as snippets need to be well-formed XML documentlets and can therefore only have one root element. If the snippet is a complete section, this is not a problem. If the snippet is a bunch of paragraphs or something, your snippet can be `<div>` (root element), containing everything you want. Well, everything that's allowed, anyway.
#### So what's allowed in `<div>`?
All block elements: `<p>`, `<ul>`, `<ol>`, `<table>`, `<img>`, `<pre>`, `<code>`
#### And what elements can *contain* `<div>`?
`<section>` and `<appendix>`.
### Tables
**Rows**
Tables consist of a `<table>` element containing one or more rows
(`<tr>`).
Example:
<table>
<tr>...</tr>
<tr>...</tr>
</table>
**Cells**
A table row consists of one or more cells (`<td>`).
Example:
<table>
<tr>
<td>Cell 1 in row 1</td>
<td>Cell 2 in row 1</td>
</tr>
<tr>
<td>Cell 1 in row 2</td>
<td>Cell 2 in row 2</td>
</tr>
</table>
Columns are implicit: each cell in a row corresponds to a column.
**Header Cells**
Instead of normal cells, you can also use header cells (`<th>`) for a
table header.
Example:
<table>
<tr>
<th>Header cell 1 in row 1</th>
<th>Header cell 2 in row 1</th>
</tr>
<tr>
<td>Cell 1 in row 2</td>
<td>Cell 2 in row 2</td>
</tr>
</table>
**Borders**
To turn on borders for your table, set its `border` attribute to '1'.
Example:
<table border="1">
...
</table>
You can also turn borders on or off (`border="0"`) on lower levels (on
the row level, for example) for finer-tuned border control.
**Setting column width**
To set the width for your columns, add a number for each column to the `cols` element. This number is in millimeters (you can either type 200mm or just 200; don't use cm or pt or px or other measures though). The total width between the margins is 17cm, so 170mm.
Example:
<table cols="50 50 70">
<tr>
<td>cell 1</td><td>cell 2</td><td>cell 3</td>
</tr>
<tr>
<td>cell 4</td><td>cell 5</td><td>cell 6</td>
</tr>
</table>
This will give the first column a width of 50mm (5cm), the second as well, and the third a width of 70mm (7cm).
**Spanning multiple rows/columns**
To make a cell span multiple columns, set its `colspan` attribute to the
number of columns you want to span.
Example:
<tr>
<td colspan="2">This cell spans the two cells in the row below.</td>
</tr>
<tr>
<td>Cell 1 in row 2</td>
<td>Cell 2 in row 2</td>
</tr>
To make a cell span multiple rows, set its `rowspan` attribute to the
number of rows you want to span.
Example:
<tr>
<td rowspan="2">This cell spans the two cells in the second column.</td>
<td>Cell 2 in row 1</td>
</tr>
<tr>
<td>Cell 2 in row 2</td>
</tr>
**Alignment**
Set the `align` attribute of any cell, row or table to one of the
following values to change the text alignment in that cell/row/table:
align result
--------- -----------------
right right alignment
center centered
justify justified
Images
------
To insert an image, use the `<img>` element. In its `src` attribute,
enter the relative path to the image file you want to reference.
To set the height or width, use *either* the `height` or `width`
attribute. Any numerical value you enter will be interpreted as
centimeters.
If you set both, only the width will be interpreted.
If you do not set any height or width, the image will be displayed at
full page width (i.e. 17 cm wide)
Example: `<img src="../graphics/xmlsignatureexclusion.png" width="5"/>`
Optionally, you can set an image caption by adding some text in the `title` attribute.
Example: `<img src="../graphics/xmlsignatureexclusion.png" width="5" title="This is a funny picture LOL"/>`
### Inline elements
Inline elements are elements that modify the text inside e.g. a
paragraph or a list item, for styling or linking purposes. You have the
following options available to you:
**Bold**
To make text bold, wrap it in `<b>` tags.
Example:
`<p><b>This text is bold</b> and this text is not.</p>`
**Italic**
To make text italic, wrap it in `<i>` tags.
Example:
`<p><i>This text is italic</i> and this text is not.</p>`
**Underline**
To make text underlined, wrap it in `<u>` tags.
Example:
`<p><u>This text is underlined</u> and this text is not.</p>`
**Monospace**
To have inline text in a monospace font, wrap it in `<monospace>` tags.
Example:
`<p><monospace>This text is monospace</monospace> and this text is not.</p>`
**Superscript**
To have inline text in superscript, wrap it in `<sup>` tags.
Example:
`<p><sup>This text is in superscript</sup> and this text is not.</p>`
**Subscript**
To have inline text in subscript, wrap it in `<sub>` tags.
Example:
`<p><sub>This text is in subscript</sub> and this text is not.</p>`
**Links**
Link to internal (in the report) or external (on the web) pages using
the `<a>` element. For internal destinations, you can either use an
empty `<a/>` (recommended, see example 1) or 'normal' linking (see
example 2).
In the `href` attribute of the `<a>` element, type:
- # + the id of the section you're linking to (when linking to a section
in the report), or
- the url of the website you're linking to (when linking to a website)
Example 1 - linking with an empty element:
`<p>Please refer to <a href="#xss_finding"/>.</p>`
(Note that in this case, we would need to have an element with id
"xss\_finding" in the report, otherwise the link wouldn't resolve.)
This will auto-generate the linked text: 'Please refer to
SID-004 (page 4).', or 'Please refer to section 2 (page 13).'
Example 2:
`<p>Please refer to <a href="#xss_finding">our finding on insecure mailservers</a>.</p>`
(Again, we would need to have an element with id "xss\_finding" in the
report, otherwise the link wouldn't resolve.)
Example 3:
`<p>Please refer to <a href="http://www.radicallyopensecurity.com">our amazing website</a>.</p>`
Manual breaks
-------------
### Line breaks
Mostly text is broken automatically (between paragraphs etc.) but in
some rare cases you may need to insert a manual line break. To do so,
use the `<br/>` element.
Example:
<p>This is my haiku<br/>
my line is broken, but still<br/>
the paragraph flows</p>
### Page breaks
To force a page break before or after a section, set its `break`
attribute to 'before' or 'after'.
Note: breaks are inserted automatcally before every appendix and
before/after the index.
Example:
<section id="technicalfindings" break="before">
<title>Technical Findings</title>
...
</section>
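Review bot: The element name has dropped out under `### Paragraphs`: the rendered text reads "Paragraphs ('" on one line and "') go in sections or in the various sub-elements" on the next, because `<p>` was written as a raw tag instead of inside backticks and the renderer swallows it; write it as `Paragraphs (`<p>`) go in sections ...`, the way every other element reference in this file is written. Three smaller points in the same hunk: under **Setting column width**, `cols` is called an element, but the example `<table cols="50 50 70">` shows it is an attribute of `<table>`; under "Help! The code in my pre element contains \< characters", `&lt;` is the right escape for `<`, but a bare `&` in command output (query strings, shell `&&`) breaks the XML just as badly and must be written `&amp;`, or the block wrapped in a `<![CDATA[ ... ]]>` section, which needs no escaping at all and is worth mentioning next to the `&lt;` advice; and under **Page breaks**, "automatcally" should read "automatically". The non-finding example is also mildly confusing: its id is `nf_xss` while its title is "Mail Server", in a document that tells writers to choose ids related to the subject.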

BIN
xml/doc/report/report.docx Normal file

Binary file not shown.

574
xml/doc/report/report.html Normal file

@@ -0,0 +1,574 @@
<h1 id="writing-a-test-report">Writing a test report</h1>
<h2 id="tools">Tools</h2>
<p>First of all, make sure you have the right tools installed. Check the tools manual for more info.</p>
<h2 id="main-structure">Main structure</h2>
<p>The report's main element is <code>&lt;pentest_report&gt;</code>. It contains four major parts:</p>
<ul>
<li>Document information (metadata), in the element <code>&lt;meta&gt;</code></li>
<li>The index, in the element <code>&lt;generate_index&gt;</code></li>
<li>A variable number of sections (main content), in several <code>&lt;section&gt;</code> elements</li>
<li>A variable number of appendices (extra content), in one or more <code>&lt;appendix&gt;</code> elements</li>
</ul>
<p>Additionally, the <code>&lt;pentest_report&gt;</code> element has two attributes:</p>
<ul>
<li><code>findingCode</code>, which is a three-letter prefix for the finding numbers, derivated from the client name (e.g. 'SID' for Sitting Duck BV, 'BIC' for Big International Company Ltd, etc.). When this is not
filled in you will see three question marks '???' in the finding ID columns
in the Table of Contents and detailed finding sections.</li>
<li><code>findingNumberingBase</code>, which can be set to 'Report' or 'Section' - this configures whether the numbering of findings in the report is report-based (i.e. starting with XXX-001 and continuing upwards) or section-based (i.e. findings in section 3 are numbered XXX-301 and up, findings in section 5 are numbered XXX-501 and up). Use 'Report' for smaller pentest reports and 'Section' for large ones.</li>
</ul>
<h2 id="document-information-metadata">Document information / metadata</h2>
<p>This is the part where we put all information that is <em>about the report</em> rather than about the pentest itself (hence the term metadata): who has been working on it, what is the document title, what versions has it gone through, etc.</p>
<p>In XML, this part is indicated by the <code>&lt;meta&gt;</code> element. It contains the following elements (mandatory and in the listed order):</p>
<ul>
<li>The document title, in the <code>&lt;title&gt;</code> element</li>
<li>Client information, in the <code>&lt;client&gt;</code> element</li>
<li>Targets listing, in the <code>&lt;targets&gt;</code> element</li>
<li>(Optionally) Pentest-related information, in the <code>&lt;pentestinfo&gt;</code> element</li>
<li>People who worked on the pentest and/or report, in the <code>&lt;collaborators&gt;</code> element</li>
<li>Document classification, in the <code>&lt;classification&gt;</code> element</li>
<li>The document's version history, in the <code>&lt;version_history&gt;</code> element</li>
<li>Your company contact information, in the <code>&lt;company&gt;</code> element</li>
</ul>
<p>For more details, see the sections below.</p>
<h3 id="the-document-title">The document title</h3>
<p>In the <code>&lt;title&gt;</code> element, put the document title (in text). This is something like 'Penetration Test Report', 'Security Audit Report', whatever fits the bill.</p>
<p>Example: <code>&lt;title&gt;</code>Penetration Test Report<code>&lt;/title&gt;</code></p>
<h3 id="client-information">Client information</h3>
<p>The <code>&lt;client&gt;</code> element contains two other elements:</p>
<ul>
<li><code>&lt;full_name&gt;</code>, in which you should type the client's official name, e.g. 'Sitting Duck BV', or 'Big International Company Ltd'</li>
<li><code>&lt;short_name&gt;</code>, in which you should type the client's shorter name, e.g. 'Sitting Duck' or 'Big International' (or, if there is no shorter name, just type the long name again)</li>
</ul>
<p>Example:</p>
<pre><code>&lt;client&gt;
&lt;full_name&gt;Sitting Duck B.V.&lt;/full_name&gt;
&lt;short_name&gt;Sitting Duck&lt;/short_name&gt;
&lt;/client&gt;</code></pre>
<h3 id="targets">Targets</h3>
<p>The <code>&lt;targets&gt;</code> element contains one or more <code>&lt;target&gt;</code> elements, one for each target specified for the pentest. Put every target of the pentest in its own <code>&lt;target&gt;</code> element. If there is only one target, you'll end up with a <code>&lt;targets&gt;</code> element containing only one <code>&lt;target&gt;</code> element. This is ok.</p>
<p>Example:</p>
<pre><code>&lt;targets&gt;
&lt;target&gt;fishinabarrel.sittingduck.com&lt;/target&gt;
&lt;target&gt;hackthis.sittingduck.com&lt;/target&gt;
&lt;target&gt;Sitting Duck&#39;s support staff&lt;/target&gt;
&lt;targets&gt;</code></pre>
<h3 id="pentest-info">Pentest Info</h3>
<p>The <code>&lt;pentestinfo&gt;</code> element contains some data about the pentest itself. This element is optional, but may be useful as you can refer to its content using placeholders, allowing e.g. for standard referrals to the tested application name, pentest type or pentest duration.</p>
<p>Example:</p>
<pre><code>&lt;pentestinfo&gt;
&lt;duration&gt;10&lt;/duration&gt;&lt;!-- duration of pentest, in working days --&gt;
&lt;test_planning&gt;January 1st until January 12th, 2015&lt;/test_planning&gt; &lt;!-- date or date range in text, e.g. May 18th until May 25th, 2015 --&gt;
&lt;report_writing&gt;January 15th until January 20th, 2015&lt;/report_writing&gt; &lt;!-- date or date range in text, e.g. May 18th until May 25th, 2015 --&gt;
&lt;report_due&gt;January 23rd, 2015&lt;/report_due&gt; &lt;!-- date or date range in text, e.g. May 18th until May 25th, 2015 --&gt;
&lt;nature&gt;time-boxed&lt;/nature&gt;
&lt;type&gt;black-box&lt;/type&gt;&lt;!-- please choose one of the following: black-box, grey-box, crystal-box --&gt;
&lt;target_application&gt;FishInABarrel&lt;/target_application&gt;&lt;!-- name of application to be tested (if any) --&gt;
&lt;target_application_producer&gt;H4ckers &#39;R&#39; Us&lt;/target_application_producer&gt;
&lt;/pentestinfo&gt;</code></pre>
<h3 id="collaborators">Collaborators</h3>
<p>The <code>&lt;collaborators&gt;</code> element contains three other elements, mandatory and in the listed order:</p>
<ul>
<li><code>&lt;reviewers&gt;</code>, containing one or more <code>&lt;reviewer&gt;</code> elements (same system as <code>&lt;targets&gt;</code>; put the name of each reviewer in its own <code>&lt;reviewer&gt;</code> element.)</li>
<li><code>&lt;approver&gt;</code>, containing only text. Here you put the name of the person who has approved the document for distribution to the client (usually this is Melanie)</li>
<li><code>&lt;pentesters&gt;</code>, containing one or more <code>&lt;pentester&gt;</code> elements (<em>not</em> the same system as targets, see the section on pentesters for more details)</li>
</ul>
<p>Example:</p>
<pre><code>&lt;collaborators&gt;
&lt;reviewers&gt;
&lt;reviewer&gt;Patricia Piolon&lt;/reviewer&gt;
&lt;/reviewers&gt;
&lt;approver&gt;Melanie Rieback&lt;/approver&gt;
...
&lt;/collaborators&gt;</code></pre>
<h3 id="pentesters">Pentesters</h3>
<p>As said, the <code>&lt;pentesters&gt;</code> element contains one or more <code>&lt;pentester&gt;</code> elements.</p>
<p>The <code>&lt;pentester&gt;</code> element contains two other elements:</p>
<ul>
<li><code>&lt;name&gt;</code>, containing the pentester's name (in text)</li>
<li><code>&lt;bio&gt;</code>, containing a paragraph about the pentester's l33tness :) - For many pentesters, you can get this bio from a previous pentest. If we're working with a new guy or girl, ask them for some info about themselves.</li>
</ul>
<p>The names of the pentesters will appear on the document info page and their names and bios will be listed automatically in a table wherever you insert the <code>&lt;generate_testteam/&gt;</code> element.</p>
<p>Example:</p>
<pre><code>&lt;collaborators&gt;
...
&lt;pentesters&gt;
&lt;pentester&gt;
&lt;name&gt;Melanie Rieback&lt;/name&gt;
&lt;bio&gt;Melanie Rieback is a former Asst. Prof. of Computer Science
from the VU, who is also the co-founder/CEO of
Radically Open Security.&lt;/bio&gt;
&lt;/pentester&gt;
&lt;pentester&gt;
&lt;name&gt;William of Ockham&lt;/name&gt;
&lt;bio&gt;English Franciscan friar and scholastic philosopher and theologian.
Considered to be one of the major figures of medieval thought.
At the centre of some major intellectual and political controversies.&lt;/bio&gt;
&lt;/pentester&gt;
&lt;/pentesters&gt;
&lt;/collaborators&gt;</code></pre>
<h3 id="document-classification">Document Classification</h3>
<p>The <code>&lt;classification&gt;</code> element contains information on the confidentiality level of the report. Usually this will be 'Confidential'.</p>
<p>The classification will appear in the header of each page.</p>
<p>Example:</p>
<pre><code>&lt;classification&gt;Confidential&lt;/classification&gt;</code></pre>
<h3 id="version-history">Version History</h3>
<p>The <code>&lt;version_history&gt;</code> element contains one or more <code>&lt;version&gt;</code> elements, one for each version of the document you create. Whenever you start a new version, add a <code>&lt;version&gt;</code> element to the list.</p>
<p>The <code>&lt;version&gt;</code> element should contain the following:</p>
<ul>
<li>a <code>date</code> attribute with a date of your version as a value, in the format YYYY-MM-DDT00:00:00, e.g. 2015-04-18T00:00:00</li>
<li>a <code>number</code> attribute with the version number as a value. This value can either be 'auto' or an actual version number, e.g. 1.0. If you use the 'auto' value, the system will automatically count it (starting with 0.1 for the first <code>&lt;version&gt;</code> element and going up from there: 0.2, 0.3, etc...).</li>
<li>One or more <code>&lt;v_author&gt;</code> elements, each containing the name of the person who worked on this version (that would be you at least, and perhaps a pentester or colleague who did significant work on it)</li>
<li>A <code>&lt;v_description&gt;</code> element with a (very short!) description of what has been done in this version, e.g. 'Added non-findings' or 'Revision'</li>
</ul>
<p>Example:</p>
<pre><code>&lt;version_history&gt;
&lt;version number=&quot;auto&quot; date=&quot;2014-12-18T00:00:00&quot;&gt;
&lt;v_author&gt;Bob Goudriaan&lt;/v_author&gt;
&lt;v_description&gt;Initial draft&lt;/v_description&gt;
&lt;/version&gt;
&lt;version date=&quot;2014-12-22T00:00:00&quot; number=&quot;auto&quot;&gt;
&lt;v_author&gt;Bob Goudriaan&lt;/v_author&gt;
&lt;v_author&gt;Patricia Piolon&lt;/v_author&gt;
&lt;v_description&gt;Revision&lt;/v_description&gt;
&lt;/version&gt;
&lt;/version_history&gt;</code></pre>
<h3 id="contact-information">Contact information</h3>
<p>This is the contact information in a basic XML format. It never changes, so it has been isolated in its own little xml file, which is referred to from the main document with an <code>&lt;xi:include&gt;</code> element:</p>
<p><code>&lt;xi:include href=&quot;snippets/contact.xml&quot;/&gt;</code></p>
<p>If you need to edit the contact information, edit that file. But it's extremely likely that you won't need to.</p>
<h2 id="the-index">The index</h2>
<p>The document index is generated at the location of the element <code>&lt;generate_index/&gt;</code>. To make sure the index works (meaning that a reference page number is listed for each section), you will need to give a unique <code>id</code> attribute to all elements (sections, appendices, findings and non-findings) that need to be listed in the index.</p>
<p>Insert the <code>&lt;generate_index/&gt;</code> element immediately after the <code>&lt;meta&gt;</code> element.</p>
<h2 id="sections">Sections</h2>
<p>The main bulk of the pentest report is made up of normal content. We divide our content into sections using the <code>&lt;section&gt;</code> element.</p>
<h3 id="id"><code>id</code></h3>
<p>Make sure that every <code>&lt;section&gt;</code> element, no matter where in the structure it is located, gets a unique id attribute. By 'unique' we mean that no other element in the report should have the same value for its id attribute. This is enforced by the schema, so you will get an error message if you have duplicate ids in your report.</p>
<p>The exact value of the id attribute doesn't really matter, it can be anything, but it is good practice to pick an id that has some kind of relation to the section subject. For example, if your section is titled 'Technical Summary', a good id value for this <code>&lt;section&gt;</code> element would be 'technicalsummary'. You can use dots (.), dashes (-), underscores (_) and numbers and letters in the id. You cannot use spaces.</p>
<p>Example:</p>
<pre><code>&lt;section id=&quot;summary_of_findings&quot;&gt;
...
&lt;/section&gt;</code></pre>
<h3 id="section-title">Section title</h3>
<p>A section must always start with a <code>&lt;title&gt;</code> element, which should only contain text; after that you're free to do what you want. As explained in the previous section, it's a good idea to have the section id and the title be somewhat related.</p>
<p>Example:</p>
<pre><code>&lt;section id=&quot;summary_of_findings&quot;&gt;
&lt;title&gt;Summary of Findings&lt;/title&gt;
...
&lt;/section&gt;</code></pre>
<h3 id="section-content">Section content</h3>
<p>As said, after the title, anything goes (well, almost):</p>
<ul>
<li>A section can be subdivided into smaller sections (section 1 can be subdivided into 1.1, 1.2, etc.)</li>
<li>A section can contain generic content, that is to say any number and order of:
<ul>
<li>paragraphs (<code>&lt;p&gt;</code>)</li>
<li>lists (ordered <code>&lt;ol&gt;</code> or unordered <code>&lt;ul&gt;</code>)</li>
<li>tables (<code>&lt;table&gt;</code>)</li>
<li>command input/output boxes (<code>&lt;pre&gt;</code>)</li>
<li>div containers (<code>&lt;div&gt;</code>)</li>
</ul></li>
<li>A section can contain any number of findings (<code>&lt;finding&gt;</code>)</li>
<li>A section can contain any number of non-findings (<code>&lt;non-finding&gt;</code>)</li>
<li>A section can contain any number of finding or recommendation summary tables (<code>&lt;generate_findings&gt;</code>, <code>&lt;generate_recommendations&gt;</code>)</li>
<li>A section can contain a listing of targets, taken from the <code>&lt;targets&gt;</code> element in the meta section (<code>&lt;generate_targets&gt;</code>)</li>
</ul>
<p>All of these elements are described elsewhere in this document; see the appropriate sections for details.</p>
<h2 id="appendices">Appendices</h2>
<p>Appendices (using the <code>&lt;appendix&gt;</code> element) work the same as sections, they just come last in the report. Like sections, they must have a unique id, and must start with a title. Also like sections, the rest of their content is free-form.</p>
<p>You will need at least one appendix, for the pentester listing (name and bio). This is generated from the info you provided in the <code>&lt;meta&gt;</code> section in the beginning of the report, so all you need to do is insert a <code>&lt;generate_testteam/&gt;</code> element.</p>
<p>Example:</p>
<pre><code>&lt;appendix id=&quot;pentesters&quot;&gt;
&lt;title&gt;Pentesters&lt;/title&gt;
&lt;generate_testteam/&gt;
&lt;/appendix&gt;</code></pre>
<h2 id="findings">Findings</h2>
<p>Findings are special sections with a specific structure. Findings are written by the pentesters. It is the job of a report writer to copy them into the report (or reference them using an xi:include) and edit/elaborate.</p>
<p>A finding consists of a <code>&lt;finding&gt;</code> element with the following attributes:</p>
<ul>
<li><code>id</code> - to uniquely identify the finding in the document</li>
<li><code>threatLevel</code> - which can be set to 'N/A', 'Low', 'Moderate', 'Elevated', 'High', or 'Extreme'</li>
<li><code>type</code> - the finding type (free text, but keep it short)</li>
</ul>
<p>Furthermore, the <code>&lt;finding&gt;</code> is made up of several sub-elements:</p>
<ul>
<li><code>&lt;title&gt;</code>, a title for the finding</li>
<li><code>&lt;description&gt;</code>, a short, general description of the finding</li>
<li><code>&lt;description_summary&gt;</code>, an <em>optional</em> shorter description for use in the summary tables</li>
<li><code>&lt;technicaldescription&gt;</code>, a technical elaboration on what the problem entails</li>
<li><code>&lt;impact&gt;</code>, the finding's impact on the target's security</li>
<li><code>&lt;recommendation&gt;</code>, instructions or advice on how to improve security</li>
<li><code>&lt;recommendation_summary&gt;</code>, an <em>optional</em> shorter recommendation for use in the summary tables</li>
</ul>
<p>For more details, see the sections below.</p>
<h3 id="note-to-pentesters">Note to pentesters</h3>
<p><strong>PENTESTERS</strong> should only use the <code>&lt;finding&gt;</code> element containing:</p>
<ul>
<li>the <code>threatLevel</code> attribute</li>
<li>the <code>type</code> attribute</li>
<li>the <code>&lt;title&gt;</code> element</li>
<li>the <code>&lt;description&gt;</code> element</li>
<li>the <code>&lt;technicaldescription&gt;</code> element</li>
<li>the <code>&lt;impact&gt;</code> element, and</li>
<li>the <code>&lt;recommendation&gt;</code> element</li>
</ul>
<p>The contents of these elements are free-form: write whatever you like. The report writer will mark up your text.</p>
<p>Please create one file per finding.</p>
<p>There is no need to number your findings, as they will be numbered automatically in the report. There is also no need to add an <code>id</code> since the report writer is better positioned to do that.</p>
<p>Finding template:</p>
<pre><code>&lt;finding threatLevel=&quot;SelectFromList&quot; type=&quot;ThreatTypeText&quot;&gt;
&lt;title&gt;Finding Title&lt;/title&gt;
&lt;description&gt;General Description of the problem&lt;/description&gt;
&lt;technicaldescription&gt;Technical description of the problem.&lt;/technicaldescription&gt;
&lt;impact&gt;Impact of the finding&lt;/impact&gt;
&lt;recommendation&gt;Advice/tips/instructions on how to solve the problem&lt;/recommendation&gt;
&lt;/finding&gt;</code></pre>
<h3 id="note-to-report-writers">Note to report writers</h3>
<p><strong>REPORT WRITERS</strong> should:</p>
<ul>
<li>Add any necessary XML to the main structure elements (e.g. add paragraphs or <code>&lt;pre&gt;</code> text to the technical description)</li>
<li>Edit the text so that it is in correct English and informative/helpful to the client (or, when in doubt, ask the pentesters to make it more informative/helpful)</li>
<li>Add a <code>&lt;description_summary&gt;</code> and/or <code>&lt;recommendation_summary&gt;</code> element if necessary.</li>
</ul>
<h3 id="description">Description</h3>
<p>This is a general intro to the problem. It can be left as-is, in which case the contents of this element will be treated as a paragraph, or it can be marked up as generic text (using the Generic content elements listed elsewhere in this document - with paragraphs, lists, tables, images).</p>
<p>The contents of the <code>&lt;description&gt;</code> element will be used verbatim in the finding summary table <strong>unless</strong> the finding <em>also</em> contains a <code>&lt;description_summary&gt;</code> element, in which case that element will be used.</p>
<p>Example:</p>
<pre><code>&lt;finding id=&quot;xmlsignatureexclusion&quot; threatLevel=&quot;Low&quot; type=&quot;Signature Exclusion&quot;&gt;
&lt;title&gt;XML signature exclusion&lt;/title&gt;
&lt;description&gt;
&lt;p&gt;This is a reasonably short general description. It can easily fit in the summary table.&lt;/p&gt;
&lt;/description&gt;
...
&lt;/finding&gt;</code></pre>
<h3 id="description-for-summary-table">Description for Summary Table</h3>
<p>If the general finding description is too long or uses elements like images or tables, it will not be usable to put in the finding summary table. In this case you can add a <code>&lt;description_summary&gt;</code> element right after the <code>&lt;description&gt;</code> element. The system will then use this description for the summary table instead. The contents of the <code>&lt;description_summary&gt;</code> element will <strong>only be used in the summary table</strong>. This means that it <strong>will not be visible in the finding text</strong>.</p>
<p>Example:</p>
<pre><code>&lt;finding id=&quot;xmlsignatureexclusion&quot; threatLevel=&quot;Low&quot; type=&quot;Signature Exclusion&quot;&gt;
&lt;title&gt;XML signature exclusion&lt;/title&gt;
&lt;description&gt;
&lt;p&gt;This is a more elaborate general description:&lt;/p&gt;
&lt;img src=&quot;../graphics/screenshot.png&quot;/&gt;
&lt;p&gt;In this case, the screenshot above makes this description a bad candidate for inclusion in the summary table.&lt;/p&gt;
&lt;p&gt;Additionally, the description is very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very very very
very very very very very very very very very very very very very very very very very very very
very very very very very very very long.&lt;/p&gt;
&lt;/description&gt;
&lt;description_summary&gt;
&lt;p&gt;This is the alternative summary.&lt;/p&gt;
&lt;/description_summary&gt;
...
&lt;/finding&gt;</code></pre>
<h3 id="technical-description">Technical Description</h3>
<p>This is a technical description of the problem. It can be left as-is, in which case the contents of this element will be treated as a paragraph, or it can be marked up as generic text (using the Generic content elements listed elsewhere in this document - with paragraphs, lists, tables, images).</p>
<p>Example:</p>
<pre><code>&lt;finding id=&quot;xmlsignatureexclusion&quot; threatLevel=&quot;Low&quot; type=&quot;Signature Exclusion&quot;&gt;
&lt;title&gt;XML signature exclusion&lt;/title&gt;
&lt;description&gt;
&lt;p&gt;This is a reasonably short general description. It can easily fit in the summary table.&lt;/p&gt;
&lt;/description&gt;
&lt;technicaldescription&gt;
&lt;p&gt;This is a very detailed and technical description of the finding using a screenshot:&lt;/p&gt;
&lt;img src=&quot;../graphics/screenshot1.png&quot;/&gt;
&lt;p&gt;And another screenshot:&lt;/p&gt;
&lt;img src=&quot;../graphics/screenshot2.png&quot;/&gt;
&lt;/technicaldescription&gt;
...
&lt;/finding&gt;</code></pre>
<h3 id="impact">Impact</h3>
<p>This describes the impact of the problem. It can be left as-is, in which case the contents of this element will be treated as a paragraph, or it can be marked up as generic text (using the Generic content elements listed elsewhere in this document - with paragraphs, lists, tables, images).</p>
<p>Example:</p>
<pre><code>&lt;finding id=&quot;xmlsignatureexclusion&quot; threatLevel=&quot;Low&quot; type=&quot;Signature Exclusion&quot;&gt;
&lt;title&gt;XML signature exclusion&lt;/title&gt;
...
&lt;impact&gt;This finding is not a big threat because most people don&#39;t even know what a
signature inclusion is. Do you?&lt;/impact&gt;
&lt;/finding&gt;</code></pre>
<h3 id="recommendation">Recommendation</h3>
<p>This element contains tips/advice/instructions to deal with the problem. It can be left as-is, in which case the contents of this element will be treated as a paragraph, or it can be marked up as generic text (using the Generic content elements listed elsewhere in this document - with paragraphs, lists, tables, images).</p>
<p>The contents of the <code>&lt;recommendation&gt;</code> element will be used verbatim in the recommendation summary table <strong>unless</strong> the finding <em>also</em> contains a <code>&lt;recommendation_summary&gt;</code> element, in which case that element will be used.</p>
<p>Example:</p>
<pre><code>&lt;finding id=&quot;xmlsignatureexclusion&quot; threatLevel=&quot;Low&quot; type=&quot;Signature Exclusion&quot;&gt;
&lt;title&gt;XML signature exclusion&lt;/title&gt;
...
&lt;recommendation&gt;Advise all users to change their passwords. That&#39;s always a good idea.&lt;/recommendation&gt;
&lt;/finding&gt;</code></pre>
<h3 id="recommendation-for-summary-table">Recommendation for Summary Table</h3>
<p>If the recommendation is too long or uses elements like images or tables, it will not be usable to put in the recommendation table. In this case you can add a <code>&lt;recommendation_summary&gt;</code> element right after the <code>&lt;recommendation&gt;</code> element. The system will then use this recommendation for the summary table instead. The contents of the <code>&lt;recommendation_summary&gt;</code> element will <strong>only be used in the summary table</strong>. This means that it <strong>will not be visible in the finding text</strong>.</p>
<p>Example:</p>
<pre><code>&lt;finding id=&quot;xmlsignatureexclusion&quot; threatLevel=&quot;Low&quot; type=&quot;Signature Exclusion&quot;&gt;
&lt;title&gt;XML signature exclusion&lt;/title&gt;
...
&lt;recommendation&gt;
&lt;p&gt;Advise all users to:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Stand on their head&lt;/li&gt;
&lt;li&gt;Restart their computers&lt;/li&gt;
&lt;li&gt;Change their passwords&lt;/li&gt;
&lt;/ol&gt;
&lt;img src=&quot;../graphics/pictureofauserchangingtheirpassword.png&quot;/&gt;
&lt;/recommendation&gt;
&lt;recommendation_summary&gt;
&lt;p&gt;Advise all users to change their passwords.&lt;/p&gt;
&lt;/recommendation_summary&gt;
&lt;/finding&gt;</code></pre>
<h2 id="non-findings">Non-findings</h2>
<p>Non-findings are much more freeform than findings. They consist of a <code>&lt;non-finding&gt;</code> element with:</p>
<ul>
<li>a <code>&lt;title&gt;</code></li>
<li>generic elements such as paragraphs, images, etc.</li>
</ul>
<p><code>&lt;non-finding&gt;</code> elements must have an <code>id</code> attribute.</p>
<p>(Basically, they are a <code>&lt;section&gt;</code> with a special name.)</p>
<p>Example:</p>
<pre><code>&lt;non-finding id=&quot;nf_xss&quot;&gt;
&lt;title&gt;Mail Server&lt;/title&gt;
&lt;p&gt;
The server was running MailServer ABC for SMTP, POP3 and IMAP. This is
the most recent version of this particular piece of software.
No relevant vulnerabilities or exploits were found.
&lt;/p&gt;
&lt;p&gt;
Note that this does not mean it&#39;s a good idea to use it, since the company
making MailServer ABC is notoriously terrible at pushing out secure software.
&lt;/p&gt;
&lt;/non-finding&gt;</code></pre>
<h2 id="summary-tables">Summary tables</h2>
<p>Every pentest report should include summary tables for all findings and recommendations. This is easy, however, as these tables are generated automatically by the software. You just need to indicate where, by using the <code>&lt;generate_findings/&gt;</code> and <code>&lt;generate_recommendations/&gt;</code> elements.</p>
<p><code>&lt;generate_findings/&gt;</code> and <code>&lt;generate_recommendations/&gt;</code> will generate findings/recommendation summary tables for the complete report. If you only want to generate a table for findings in a specific section, add a <code>Ref</code> attribute and enter the id of the section you want to reference as its value.</p>
<p>Example:</p>
<pre><code>&lt;section id=&quot;xmlxamlsummary&quot;&gt;
&lt;title&gt;Summary&lt;/title&gt;
&lt;generate_findings Ref=&quot;section2&quot;/&gt;
&lt;/section&gt;</code></pre>
<h2 id="generic-content">Generic content</h2>
<p>Generic content is modeled on very basic HTML.</p>
<h3 id="paragraphs">Paragraphs</h3>
<p>Paragraphs (<code>&lt;p&gt;</code>) go in sections or in the various sub-elements of findings and non-findings. They are the basic way of displaying text.</p>
<p>Example:</p>
<pre><code>&lt;p&gt;This is a paragraph&lt;/p&gt;</code></pre>
<h3 id="lists">Lists</h3>
<p>Lists can be ordered (<code>&lt;ol&gt;</code>, for '<strong>o</strong>rdered <strong>l</strong>ist') or unordered (<code>&lt;ul&gt;</code>, for <strong>u</strong>nordered <strong>l</strong>ist). Regardless of whether a list is ordered or unordered, it contains one or more list items (<code>&lt;li&gt;</code>, for <strong>l</strong>ist <strong>i</strong>tem).</p>
<p><strong>Unordered lists</strong></p>
<p>Example:</p>
<pre><code>&lt;ul&gt;
&lt;li&gt;Some item&lt;/li&gt;
&lt;li&gt;Some other item&lt;/li&gt;
&lt;/ul&gt;</code></pre>
<p><strong>Ordered lists</strong></p>
<p>Ordered lists are numbered by default. You can configure a different ordering system by setting its <code>type</code> attribute to one of the following values:</p>
<table>
<thead>
<tr class="header">
<th align="left">type</th>
<th align="left">ordering</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">a</td>
<td align="left">lowercase alphabetic</td>
</tr>
<tr class="even">
<td align="left">A</td>
<td align="left">uppercase alphabetic</td>
</tr>
<tr class="odd">
<td align="left">i</td>
<td align="left">lowercase roman</td>
</tr>
<tr class="even">
<td align="left">I</td>
<td align="left">uppercase roman</td>
</tr>
</tbody>
</table>
<p>Example:</p>
<pre><code>&lt;ol type=&quot;i&quot;&gt;
&lt;li&gt;Some item&lt;/li&gt;
&lt;li&gt;Some other item&lt;/li&gt;
&lt;/ol&gt;</code></pre>
<h3 id="codeinputoutput-blocks">Code/Input/Output Blocks</h3>
<p>Whenever you need to display some command line input/output or code, use the <code>&lt;pre&gt;</code> element. It preserves any whitespace you leave, so you can format the contents of this element in a readable way. Use spaces for indents. Note that text in the <code>&lt;pre&gt;</code> element <em>will not wrap</em>: break long lines (a long nmap command, for instance) yourself, or they will run off the page.</p>
<p>Example:</p>
<pre><code>&lt;section id=&quot;nmap&quot;&gt;
&lt;title&gt;nmap&lt;/title&gt;
&lt;p&gt;Command:&lt;/p&gt;
&lt;pre&gt;$ nmap -vvvv -oA fishinabarrel.sittingduck.com_complete -sV -sC -A -p1-65535 -T5 fishinabarrel.sittingduck.com&lt;/pre&gt;
&lt;p&gt;Outcome:&lt;/p&gt;
&lt;pre&gt;Nmap scan report for fishinabarrel.sittingduck.com (10.10.10.1)
In several lines
Some indented
and some not
This is not a haiku.&lt;/pre&gt;
&lt;/section&gt;</code></pre>
<h4 id="help-the-code-in-my-pre-element-contains-characters-and-it-messes-with-my-xml">Help! The code in my pre element contains &lt; characters and it messes with my xml!</h4>
<p>Replace the &lt; character with its entity <code>&amp;lt;</code>. The same applies to a bare &amp;, which must become <code>&amp;amp;</code>; both characters have special meaning in XML. If a block contains many of them (a raw HTTP request, HTML source), you can instead wrap the whole contents in a CDATA section (<code>&lt;![CDATA[ ... ]]&gt;</code>), inside which nothing is treated as markup; the only thing you cannot put in it is the sequence <code>]]&gt;</code>.</p>
<h3 id="div-containers">Div containers</h3>
<h4 id="what-does-div-do">What does <code>&lt;div&gt;</code> do?</h4>
<p>Nothing. <code>&lt;div&gt;</code> just <em>is</em>.</p>
<h4 id="sigh.-ok-why-is-div">Sigh. Ok, why <em>is</em> <code>&lt;div&gt;</code>?</h4>
<p>You can use <code>&lt;div&gt;</code> as a container for other block elements. This is basically only (but very) useful for snippets, as snippets need to be well-formed XML documentlets and can therefore only have one root element. If the snippet is a complete section, this is not a problem. If the snippet is a bunch of paragraphs or something, you're out of luck. Or rather, you used to be out of luck, because there was no <code>&lt;div&gt;</code>. But now there is <code>&lt;div&gt;</code>. So your snippet can be <code>&lt;div&gt;</code> (root element), containing everything you want. Well, everything that's allowed, anyway.</p>
<h4 id="so-whats-allowed-in-div">So what's allowed in <code>&lt;div&gt;</code>?</h4>
<p>All block elements: <code>&lt;p&gt;</code>, <code>&lt;ul&gt;</code>, <code>&lt;ol&gt;</code>, <code>&lt;table&gt;</code>, <code>&lt;img&gt;</code>, <code>&lt;pre&gt;</code>, <code>&lt;code&gt;</code></p>
<h4 id="and-what-elements-can-contain-div">And what elements can <em>contain</em> <code>&lt;div&gt;</code>?</h4>
<p><code>&lt;section&gt;</code> and <code>&lt;annex&gt;</code>.</p>
<h3 id="tables">Tables</h3>
<p><strong>Rows</strong></p>
<p>Tables consist of a <code>&lt;table&gt;</code> element containing one or more rows (<code>&lt;tr&gt;</code>).</p>
<p>Example:</p>
<pre><code>&lt;table&gt;
&lt;tr&gt;...&lt;/tr&gt;
&lt;tr&gt;...&lt;/tr&gt;
&lt;/table&gt;</code></pre>
<p><strong>Cells</strong></p>
<p>A table row consists of one or more cells (<code>&lt;td&gt;</code>).</p>
<p>Example:</p>
<pre><code>&lt;table&gt;
&lt;tr&gt;
&lt;td&gt;Cell 1 in row 1&lt;/td&gt;
&lt;td&gt;Cell 2 in row 1&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cell 1 in row 2&lt;/td&gt;
&lt;td&gt;Cell 2 in row 2&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;</code></pre>
<p>Columns are implicit: each cell in a row corresponds to a column.</p>
<p><strong>Header Cells</strong></p>
<p>Instead of normal cells, you can also use header cells (<code>&lt;th&gt;</code>) for a table header.</p>
<p>Example:</p>
<pre><code>&lt;table&gt;
&lt;tr&gt;
&lt;th&gt;Header cell 1 in row 1&lt;/th&gt;
&lt;th&gt;Header cell 2 in row 1&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cell 1 in row 2&lt;/td&gt;
&lt;td&gt;Cell 2 in row 2&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;</code></pre>
<p><strong>Borders</strong></p>
<p>To turn on borders for your table, set its <code>border</code> attribute to '1'.</p>
<p>Example:</p>
<pre><code>&lt;table border=&quot;1&quot;&gt;
...
&lt;/table&gt;</code></pre>
<p>You can also turn borders on or off (<code>border=&quot;0&quot;</code>) on lower levels (on the row level, for example) for finer-tuned border control.</p>
<p><strong>Setting column width</strong></p>
<p>To set the width of your columns, add a number for each column to the <code>cols</code> attribute of the table. The number is in millimetres (type 200mm or just 200; don't use cm, pt, px or other units). The total width between the margins is 17 cm, so 170 mm; make sure your column widths add up to at most that.</p>
<p>Example:</p>
<pre><code>&lt;table cols=&quot;50 50 70&quot;&gt;
&lt;tr&gt;
&lt;td&gt;cell 1&lt;/td&gt;&lt;td&gt;cell 2&lt;/td&gt;&lt;td&gt;cell 3&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;cell 4&lt;/td&gt;&lt;td&gt;cell 5&lt;/td&gt;&lt;td&gt;cell 6&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;</code></pre>
<p>This will give the first column a width of 50mm (5cm), the second as well, and the third a width of 70mm (7cm).</p>
<p><strong>Spanning multiple rows/columns</strong></p>
<p>To make a cell span multiple columns, set its <code>colspan</code> attribute to the number of columns you want to span.</p>
<p>Example:</p>
<pre><code>&lt;tr&gt;
&lt;td colspan=&quot;2&quot;&gt;This cell spans the two cells in the row below.&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cell 1 in row 2&lt;/td&gt;
&lt;td&gt;Cell 2 in row 2&lt;/td&gt;
&lt;/tr&gt;</code></pre>
<p>To make a cell span multiple rows, set its <code>rowspan</code> attribute to the number of rows you want to span.</p>
<p>Example:</p>
<pre><code>&lt;tr&gt;
&lt;td rowspan=&quot;2&quot;&gt;This cell spans the two cells in the second column.&lt;/td&gt;
&lt;td&gt;Cell 2 in row 1&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Cell 2 in row 2&lt;/td&gt;
&lt;/tr&gt;</code></pre>
<p><strong>Alignment</strong></p>
<p>Set the <code>align</code> attribute of any cell, row or table to one of the following values to change the text alignment in that cell/row/table:</p>
<table>
<thead>
<tr class="header">
<th align="left">align</th>
<th align="left">result</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left">right</td>
<td align="left">right alignment</td>
</tr>
<tr class="even">
<td align="left">center</td>
<td align="left">centered</td>
</tr>
<tr class="odd">
<td align="left">justify</td>
<td align="left">justified</td>
</tr>
</tbody>
</table>
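<p>Tables and <code>&lt;pre&gt;</code> blocks are usually filled from tool output, which is exactly where the escaping and column-width rules above bite. The following Python helpers are an added example, not code from the templates project: they build a <code>&lt;table&gt;</code> with <code>&lt;th&gt;</code> header cells, <code>border=&quot;1&quot;</code> and <code>cols</code> widths scaled to add up to the 170 mm text width, and a <code>&lt;pre&gt;</code> element whose <code>&lt;</code> and <code>&amp;</code> characters ElementTree escapes on serialisation (the problem the Help! paragraph above describes). The scan rows and the HTTP request are constructed sample data, not output from a real engagement.</p>

```python
"""Build <table> and <pre> snippets for the report XML from tool output.

Added example, not part of the templates project. Column widths are scaled to
the 170 mm text width the manual gives; ElementTree does the XML escaping.
"""
import xml.etree.ElementTree as ET

TEXT_WIDTH_MM = 170


def scale_widths(weights, total=TEXT_WIDTH_MM):
    """Turn relative weights such as (1, 1, 2) into whole-mm widths summing to total."""
    scaled = [int(w * total / sum(weights)) for w in weights]
    scaled[-1] += total - sum(scaled)  # hand the rounding remainder to the last column
    return scaled


def table_element(rows, weights=None, border=True):
    """rows[0] is the header row (rendered as <th>); returns a <table> Element."""
    width = len(rows[0])
    if any(len(r) != width for r in rows):
        raise ValueError("every row needs the same number of cells")
    table = ET.Element("table")
    if border:
        table.set("border", "1")
    if weights:
        table.set("cols", " ".join(str(w) for w in scale_widths(weights)))
    for i, row in enumerate(rows):
        tr = ET.SubElement(table, "tr")
        for cell in row:
            ET.SubElement(tr, "th" if i == 0 else "td").text = str(cell)
    return table


def pre_element(text):
    """Wrap raw command output in <pre>; whitespace is kept, markup characters escaped."""
    pre = ET.Element("pre")
    pre.text = text.rstrip("\n")
    return pre


def to_xml(element):
    """Serialise to a str snippet that can be pasted into a section or finding."""
    return ET.tostring(element, encoding="unicode")


# Constructed sample data: nmap-style service rows and a request with markup in it.
SCAN = [
    ("Port", "State", "Service", "Version"),
    ("22/tcp", "open", "ssh", "OpenSSH 7.2p2"),
    ("80/tcp", "open", "http", "Apache httpd 2.4.18"),
    ("443/tcp", "open", "ssl/http", "Apache httpd 2.4.18"),
]
RAW_REQUEST = "GET /search?q=<script>alert(1)</script>&page=1 HTTP/1.1\nHost: example.test\n"

if __name__ == "__main__":
    print(to_xml(table_element(SCAN, weights=(1, 1, 1, 3))))
    print(to_xml(pre_element(RAW_REQUEST)))
```

<p>Weights rather than absolute widths keep the table inside the margins whatever the column count; if you need exact millimetre widths, pass them as weights that already sum to 170.</p>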
<h2 id="images">Images</h2>
<p>To insert an image, use the <code>&lt;img&gt;</code> element. In its <code>src</code> attribute, enter the relative path to the image file you want to reference.</p>
<p>To set the height or width, use <em>either</em> the <code>height</code> or <code>width</code> attribute. Any numerical value you enter will be interpreted as centimeters.</p>
<p>If you set both, only the width will be interpreted.</p>
<p>If you do not set any height or width, the image will be displayed at full page width (i.e. 17 cm wide)</p>
<p>Example: <code>&lt;img src=&quot;../graphics/xmlsignatureexclusion.png&quot; width=&quot;5&quot;/&gt;</code></p>
<p>Optionally, you can set an image caption by adding some text in the <code>title</code> attribute.</p>
<p>Example: <code>&lt;img src=&quot;../graphics/xmlsignatureexclusion.png&quot; width=&quot;5&quot; title=&quot;This is a funny picture LOL&quot;/&gt;</code></p>
<h3 id="inline-elements">Inline elements</h3>
<p>Inline elements are elements that modify the text inside e.g. a paragraph or a list item, for styling or linking purposes. You have the following options available to you:</p>
<p><strong>Bold</strong></p>
<p>To make text bold, wrap it in <code>&lt;b&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;b&gt;This text is bold&lt;/b&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Italic</strong></p>
<p>To make text italic, wrap it in <code>&lt;i&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;i&gt;This text is italic&lt;/i&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Underline</strong></p>
<p>To make text underlined, wrap it in <code>&lt;u&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;u&gt;This text is underlined&lt;/u&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Monospace</strong></p>
<p>To have inline text in a monospace font, wrap it in <code>&lt;monospace&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;monospace&gt;This text is monospace&lt;/monospace&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Superscript</strong></p>
<p>To have inline text in superscript, wrap it in <code>&lt;sup&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;sup&gt;This text is in superscript&lt;/sup&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Subscript</strong></p>
<p>To have inline text in subscript, wrap it in <code>&lt;sub&gt;</code> tags.</p>
<p>Example:</p>
<p><code>&lt;p&gt;&lt;sub&gt;This text is in subscript&lt;/sub&gt; and this text is not.&lt;/p&gt;</code></p>
<p><strong>Links</strong></p>
<p>Link to internal (in the report) or external (on the web) pages using the <code>&lt;a&gt;</code> element. For internal destinations, you can either use an empty <code>&lt;a/&gt;</code> (recommended, see example 1) or 'normal' linking (see example 2).</p>
<p>In the <code>href</code> attribute of the <code>&lt;a&gt;</code> element, type:</p>
<ul>
<li><code>#</code> followed by the id of the section you're linking to (when linking to a section in the report), or</li>
<li>the url of the website you're linking to (when linking to a website)</li>
</ul>
<p>Example 1 - linking with an empty element:</p>
<p><code>&lt;p&gt;Please refer to &lt;a href=&quot;#xss_finding&quot;/&gt;.&lt;/p&gt;</code></p>
<p>(Note that in this case, we would need to have an element with id &quot;xss_finding&quot; in the report, otherwise the link wouldn't resolve.)</p>
<p>This will auto-generate the linked text: 'Please refer to SID-004 (page 4).', or 'Please refer to section 2 (page 13).'</p>
<p>Example 2:</p>
<p><code>&lt;p&gt;Please refer to &lt;a href=&quot;#xss_finding&quot;&gt;our finding on insecure mailservers&lt;/a&gt;.&lt;/p&gt;</code></p>
<p>(Again, we would need to have an element with id &quot;xss_finding&quot; in the report, otherwise the link wouldn't resolve.)</p>
<p>Example 3:</p>
<p><code>&lt;p&gt;Please refer to &lt;a href=&quot;http://www.radicallyopensecurity.com&quot;&gt;our amazing website&lt;/a&gt;.&lt;/p&gt;</code></p>
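<p>Several of the rules in this manual are not enforced by the schema but still break the build or the generated PDF: a section, appendix, finding or non-finding without a unique id or without <code>&lt;title&gt;</code> first, a <code>threatLevel</code> outside the listed vocabulary, a <code>cols</code> total above 170 mm, a <code>&lt;a href=&quot;#id&quot;/&gt;</code> or <code>generate_findings Ref</code> that points at nothing, and a summary table picking up a long <code>&lt;description&gt;</code> because no <code>&lt;description_summary&gt;</code> was added. The following Python linter is an added example, not part of the templates project and not a replacement for the schema validation jEdit does. It also flags <code>xi:include</code> references that leave the source tree, because the <code>-xi</code> build step will inline any file the build user can read (with <code>parse=&quot;text&quot;</code> even a non-XML one). The root element name <code>&lt;pentestreport&gt;</code> and the sample report embedded in the script are assumptions made for the example.</p>

```python
"""Lint a report XML file against the structural rules in this manual.

Added example (not part of the templates project, not a schema replacement).
Root element name <pentestreport> and the sample report are assumptions.
"""
import posixpath
import xml.etree.ElementTree as ET

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"
THREAT_LEVELS = {"N/A", "Low", "Moderate", "Elevated", "High", "Extreme"}
ID_BEARING = {"section", "appendix", "finding", "non-finding"}
TEXT_WIDTH_MM = 170


def lint_report(xml_text):
    """Return a list of problems found; an empty list means the report is clean."""
    root = ET.fromstring(xml_text)
    problems, ids = [], {}
    for el in root.iter():
        if el.tag in ID_BEARING:
            eid = el.get("id")
            if not eid:
                problems.append(f"<{el.tag}> without id attribute")
            elif eid in ids:
                problems.append(f"duplicate id {eid!r}")
            else:
                ids[eid] = el
            first = next(iter(el), None)  # first child element
            if first is None or first.tag != "title":
                problems.append(f"<{el.tag} id={eid!r}> does not start with <title>")
        if el.tag == "finding" and el.get("threatLevel") not in THREAT_LEVELS:
            problems.append(f"finding {el.get('id')!r}: unknown threatLevel "
                            f"{el.get('threatLevel')!r}")
        if el.tag == "table" and el.get("cols"):
            # widths are written "50 50 70" or "50mm 50mm 70mm"; both are millimetres
            total = sum(int(w.rstrip("m")) for w in el.get("cols").split())
            if total > TEXT_WIDTH_MM:
                problems.append(f"table cols add up to {total} mm, text width is {TEXT_WIDTH_MM} mm")
        if el.tag == XI_INCLUDE:
            # Saxon -xi inlines whatever this points at (parse="text" reads any file),
            # so only accept relative paths that stay below the source directory.
            href = el.get("href", "")
            if "://" in href or href.startswith("/") or posixpath.normpath(href).startswith(".."):
                problems.append(f"xi:include href leaves the source tree: {href!r}")
    # Second pass, once every id is known: internal links and summary-table Refs.
    for a in root.iter("a"):
        href = a.get("href", "")
        if href.startswith("#") and href[1:] not in ids:
            problems.append(f"link {href!r} does not resolve")
    for tag in ("generate_findings", "generate_recommendations"):
        for gen in root.iter(tag):
            if gen.get("Ref") is not None and gen.get("Ref") not in ids:
                problems.append(f"<{tag} Ref={gen.get('Ref')!r}/> points at a missing section")
    return problems


def summary_text(finding, kind):
    """Text the summary table shows for kind 'description' or 'recommendation':
    the *_summary element wins, otherwise the full element is used verbatim."""
    el = finding.find(f"{kind}_summary")
    if el is None:
        el = finding.find(kind)
    return " ".join("".join(el.itertext()).split()) if el is not None else ""


def find_finding(xml_text, finding_id):
    """First <finding> with the given id (duplicates are reported by lint_report)."""
    return ET.fromstring(xml_text).find(f".//finding[@id='{finding_id}']")


# Constructed sample report (not a real engagement) that trips every check once.
SAMPLE = """<pentestreport xmlns:xi="http://www.w3.org/2001/XInclude">
  <section id="summary"><title>Summary</title>
    <generate_findings Ref="technicalfindings"/>
    <p>See <a href="#xss_search"/> and <a href="#nonexistent"/>.</p>
  </section>
  <section id="technicalfindings" break="before"><title>Technical Findings</title>
    <finding id="xss_search" threatLevel="High" type="Cross-site scripting">
      <title>Reflected XSS in search</title>
      <description><p>Long description with a screenshot:</p><img src="../graphics/xss.png"/></description>
      <description_summary><p>Reflected XSS in the search form.</p></description_summary>
      <technicaldescription>...</technicaldescription>
      <impact>...</impact>
      <recommendation>Encode user input on output.</recommendation>
    </finding>
    <finding id="xss_search" threatLevel="Critical" type="Duplicate">
      <p>Duplicate id, unknown threat level, and no title first.</p>
      <title>Broken finding</title>
    </finding>
    <xi:include href="../../../etc/passwd" parse="text"/>
    <table cols="100 100"><tr><td>a</td><td>b</td></tr></table>
  </section>
  <appendix id="pentesters"><title>Pentesters</title><generate_testteam/></appendix>
</pentestreport>"""

if __name__ == "__main__":
    for problem in lint_report(SAMPLE):
        print("-", problem)
    print("summary table shows:", summary_text(find_finding(SAMPLE, "xss_search"), "description"))
```

<p>Run it on the assembled report (the output of Saxon with <code>-xi</code>, or the source file with the includes resolved) rather than on individual finding snippets, since links and <code>Ref</code> attributes can only be checked once every id is in one document.</p>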
<h2 id="manual-breaks">Manual breaks</h2>
<h3 id="line-breaks">Line breaks</h3>
<p>Mostly text is broken automatically (between paragraphs etc.) but in some rare cases you may need to insert a manual line break. To do so, use the <code>&lt;br/&gt;</code> element.</p>
<p>Example:</p>
<pre><code>&lt;p&gt;This is my haiku&lt;br/&gt;
my line is broken, but still&lt;br/&gt;
the paragraph flows&lt;/p&gt;</code></pre>
<h3 id="page-breaks">Page breaks</h3>
<p>To force a page break before or after a section, set its <code>break</code> attribute to 'before' or 'after'.</p>
<p>Note: breaks are inserted automatically before every appendix and before/after the index.</p>
<p>Example:</p>
<pre><code>&lt;section id=&quot;technicalfindings&quot; break=&quot;before&quot;&gt;
&lt;title&gt;Technical Findings&lt;/title&gt;
...
&lt;/section&gt;</code></pre>
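Review bot: the "And what elements can contain <div>?" answer names <section> and <annex>, but this manual never introduces an <annex> element; the Appendices section documents <appendix> as the element that comes after the sections. Either the answer should read <section> and <appendix>, or <annex> is a schema name the manual needs to introduce; please make the two agree and say whether an appendix may hold a <div>.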

xml/doc/tools.docx Normal file (binary file not shown)

xml/doc/tools.html Normal file
@@ -0,0 +1,95 @@
<h1 id="tools-manual">Tools Manual</h1>
<h2 id="intro">Intro</h2>
<p>You can write your documentation in OpenOffice (and then you just install OpenOffice and do your thing), or you can write it in XML. This allows you to concentrate only on the content without having to worry about what the end result will look like: the XML document is converted to PDF using a style sheet, so you only need to think about what needs to be said, not about numbering, styling or document metadata.</p>
<p>This sounds cool (and it is), but it does mean you may need to use some software you're not well used to working with. You're going to need:</p>
<ul>
<li>jEdit, an XML editor</li>
<li>Saxon, an XSLT processor (it transforms the XML report into XSL-FO)</li>
<li>FOP, a tool to convert XSL-FO to PDF</li>
</ul>
<h2 id="downloading-and-installing">Downloading and installing</h2>
<h3 id="java">Java</h3>
<p>Make sure you have at least Java 7 installed (Java 8 is fine as well). If not, download it at www.java.com.</p>
<h3 id="jedit">jEdit</h3>
<p>jEdit is an open source, cross platform text editor with support for XML editing. If you're used to working with XML and have a favorite different XML editor that's fine, but if not, start with jEdit.</p>
<p>Download jEdit (5.x) at: http://jedit.org/index.php?page=download and install.</p>
<h3 id="saxon">Saxon</h3>
<p>Download Saxon Home Edition (HE) 9.6 <strong>for Java</strong> at: http://saxon.sourceforge.net/ and unzip to a location of your choice.</p>
<h3 id="fop">FOP</h3>
<p>Download Apache FOP 1.1 at https://xmlgraphics.apache.org/fop/download.html and unzip.</p>
<h3 id="fonts">Fonts</h3>
<p>Download the Liberation Sans font from http://www.fontsquirrel.com/fonts/liberation-sans and install.</p>
<p>Download the Liberation Mono font from http://www.fontsquirrel.com/fonts/Liberation-Mono and install.</p>
<h2 id="configuring">Configuring</h2>
<h3 id="jedit-1">jEdit</h3>
<p>In jEdit, you're going to have to install the XML plugin:</p>
<ol style="list-style-type: decimal">
<li>Start jEdit, then go to plugins &gt; plugin manager</li>
<li>Click on the 'Install' tab</li>
<li>Find the plugin called 'XML' and click its checkbox. Its dependencies will be checked automatically; this is a good thing.</li>
<li>Click the 'Install' button below the description box and wait until everything is done downloading and installing.</li>
<li>Click the 'Close' button.</li>
</ol>
<p>You may also want to dock the various plugin panes so they're easy to find and use: XML (XML Insert), Error List and Sidekick. XML will give you a list of all the elements you can insert at the caret, Error List will show you where your XML is not valid according to the Schema and Sidekick is useful for quick navigation.</p>
<h3 id="fop-1">FOP</h3>
<p>First, make sure you have installed the LiberationSansNarrow and LiberationMono fonts on your machine.</p>
<p>In the fop directory, find directory 'conf'. In this directory you'll find a file 'fop.xconf'. Make a copy of this file and rename it, maybe to rosfop.xconf.</p>
<p>Edit rosfop.xconf:</p>
<ol style="list-style-type: decimal">
<li>Under <code>&lt;base&gt;.&lt;/base&gt;</code>, add the line: <code>&lt;font-base&gt;/Path/To/Your/Fonts/Directory&lt;/font-base&gt;</code> (using the actual path to the Fonts directory on your own pc)</li>
<li>Change the line <code>&lt;default-page-settings height=&quot;11in&quot; width=&quot;8.26in&quot;/&gt;</code> to <code>&lt;default-page-settings height=&quot;29.7cm&quot; width=&quot;21cm&quot;/&gt;</code></li>
<li><p>Just above the <code>&lt;/fonts&gt;</code> closing tag, add:</p>
<pre><code>&lt;font kerning=&quot;yes&quot; embed-url=&quot;LiberationSansNarrow-Regular.ttf&quot;&gt;
&lt;font-triplet name=&quot;LiberationSansNarrow&quot; style=&quot;normal&quot; weight=&quot;normal&quot;/&gt;
&lt;/font&gt;
&lt;font kerning=&quot;yes&quot; embed-url=&quot;LiberationSansNarrow-Bold.ttf&quot;&gt;
&lt;font-triplet name=&quot;LiberationSansNarrow&quot; style=&quot;normal&quot; weight=&quot;bold&quot;/&gt;
&lt;/font&gt;
&lt;font kerning=&quot;yes&quot; embed-url=&quot;LiberationSansNarrow-Italic.ttf&quot;&gt;
&lt;font-triplet name=&quot;LiberationSansNarrow&quot; style=&quot;italic&quot; weight=&quot;normal&quot;/&gt;
&lt;/font&gt;
&lt;font kerning=&quot;yes&quot; embed-url=&quot;LiberationSansNarrow-BoldItalic.ttf&quot;&gt;
&lt;font-triplet name=&quot;LiberationSansNarrow&quot; style=&quot;italic&quot; weight=&quot;bold&quot;/&gt;
&lt;/font&gt;
&lt;font kerning=&quot;yes&quot; embed-url=&quot;LiberationMono-Regular.ttf&quot;&gt;
&lt;font-triplet name=&quot;LiberationMono&quot; style=&quot;normal&quot; weight=&quot;normal&quot;/&gt;
&lt;/font&gt;
&lt;font kerning=&quot;yes&quot; embed-url=&quot;LiberationMono-Bold.ttf&quot;&gt;
&lt;font-triplet name=&quot;LiberationMono&quot; style=&quot;normal&quot; weight=&quot;bold&quot;/&gt;
&lt;/font&gt;
&lt;font kerning=&quot;yes&quot; embed-url=&quot;LiberationMono-Italic.ttf&quot;&gt;
&lt;font-triplet name=&quot;LiberationMono&quot; style=&quot;italic&quot; weight=&quot;normal&quot;/&gt;
&lt;/font&gt;
&lt;font kerning=&quot;yes&quot; embed-url=&quot;LiberationMono-BoldItalic.ttf&quot;&gt;
&lt;font-triplet name=&quot;LiberationMono&quot; style=&quot;italic&quot; weight=&quot;bold&quot;/&gt;
&lt;/font&gt;</code></pre></li>
<li><p>Save the file.</p></li>
</ol>
<h2 id="using">Using</h2>
<h3 id="jedit-2">jEdit</h3>
<p>When you open an xml pentest report, jEdit automatically loads the referenced schema (the file containing all the xml 'grammar' rules). As part of the schema is online, jEdit will sometimes give you a message asking if you want to cache the online part:</p>
<p>&quot;This XML file depends on a resource which is stored at the following Internet address: http://www.w3.org/2001/XInclude/XInclude.xsd&quot;</p>
<p>Caching it is a good idea, so click the yes button when prompted (or 'no' if you have good reasons not to, it's your party!)</p>
<p>Use the pentestreport.xml template (which already contains some default stuff) to create your report (read the doc on report writing for more info).</p>
<p>Make sure the XML file you've created with jEdit is valid (no errors in the Error List in jEdit).</p>
<h3 id="saxon-1">Saxon</h3>
<p>To transform your XML file into XSL-FO, use the following command from the saxon directory:</p>
<h4 id="to-generate-a-pentest-report">To Generate a Pentest Report</h4>
<p><code>java -jar saxon9he.jar -s:/path/to/report/source/pentestreport.xml -xsl:/path/to/report/xslt/generate_report.xsl -o:/path/to/report/target/pentestreport.fo -xi</code></p>
<p>(Note the source/xslt/target directories in this example, which correspond to the directory structure in the report directory. Also make sure to add the -xi option!)</p>
<h4 id="to-generate-an-offerte">To Generate an Offerte</h4>
<p><code>java -jar saxon9he.jar -s:/path/to/report/source/offerte.xml -xsl:/path/to/report/xslt/generate_offerte.xsl -o:/path/to/report/target/offerte.fo</code></p>
<p>(Note the source/xslt/target directories in this example, which correspond to the directory structure in the report directory.)</p>
<p>If you have defined extra parties that need to give permission, waivers for these parties will be generated in .fo format automatically</p>
<h3 id="fop-2">FOP</h3>
<p>To then convert your XSL-FO file into a nice and shiny pdf, use the following command from the fop directory:</p>
<h4 id="to-generate-a-pentest-report-1">To Generate a Pentest Report</h4>
<p><code>fop -c conf/rosfop.xconf /path/to/report/target/pentestreport.fo path/to/report/target/pentestreport.pdf</code></p>
<p>(If you used another name for your custom FOP configuration file, use that.)</p>
<p>or maybe it is easier to go to your target directory and type:</p>
<p><code>/path/to/fop -c path/to/fop/conf/rosfop.xconf offerte.fo offerte.pdf</code></p>
<p>it depends on your directory structure, I guess.</p>
<p>Note that, if you define extra parties that need to give permission, you'll need to convert the waiver fo files to pdf as well.</p>
<h4 id="to-generate-an-offerte-1">To Generate an Offerte</h4>
<p><code>fop -c conf/rosfop.xconf /path/to/report/target/offerte.fo path/to/report/target/offerte.pdf</code></p>
<p>(If you used another name for your custom FOP configuration file, use that.)</p>
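Review bot: the Saxon command for the offerte (`java -jar saxon9he.jar -s:/path/to/report/source/offerte.xml -xsl:/path/to/report/xslt/generate_offerte.xsl -o:/path/to/report/target/offerte.fo`) omits the `-xi` switch that the pentest report command carries and that the note directly under it insists on. offerte.xsd imports the XInclude namespace and allows `xml:base` on `section` and `waivers`, so an offerte assembled from xi:include'd parts would be transformed without that content and most likely yield an incomplete document rather than an error; either add `-xi` to this command as well or state that the offerte must not use XInclude. Two smaller points in the FOP section: the alternative command under "To Generate a Pentest Report" (`/path/to/fop -c path/to/fop/conf/rosfop.xconf offerte.fo offerte.pdf`) converts the offerte rather than the report, and both main FOP commands write to `path/to/report/target/...` without the leading slash that the input path has, so a verbatim copy writes the PDF relative to the current directory instead of into the target directory.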

453
xml/dtd/common.xsd Normal file

@@ -0,0 +1,453 @@
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning" elementFormDefault="qualified"
vc:minVersion="1.0" vc:maxVersion="1.1">
<xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<xs:import namespace="http://www.w3.org/2001/XInclude"
schemaLocation="http://www.w3.org/2001/XInclude/XInclude.xsd"/>
<!-- company -->
<xs:simpleType name="emailAddress">
<xs:restriction base="xs:string">
<xs:pattern value="[^@]+@[^\.]+\..+"/>
</xs:restriction>
</xs:simpleType>
<xs:element name="company">
<xs:complexType>
<xs:sequence>
<xs:group ref="name-group"/>
<xs:element ref="legal_rep"/>
<xs:element ref="poc1"/>
<xs:group ref="address-group"/>
<xs:element ref="phone"/>
<xs:element ref="email"/>
<xs:element ref="website"/>
<xs:element ref="coc"/>
<xs:element ref="vat_no"/>
<xs:element ref="iban"/>
</xs:sequence>
<xs:attribute ref="xml:base"/>
</xs:complexType>
</xs:element>
<xs:group name="name-group">
<xs:sequence>
<xs:element ref="full_name"/>
<xs:element ref="short_name"/>
</xs:sequence>
</xs:group>
<xs:group name="address-group">
<xs:sequence>
<xs:element ref="address"/>
<xs:element ref="postal_code"/>
<xs:element ref="city"/>
<xs:element ref="country"/>
</xs:sequence>
</xs:group>
<xs:element name="full_name" type="xs:string"/>
<xs:element name="short_name" type="xs:string"/>
<xs:element name="poc1" type="xs:string"/>
<xs:element name="legal_rep" type="xs:string"/>
<xs:element name="address">
<xs:complexType mixed="true">
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element ref="br"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="postal_code" type="xs:string"/>
<xs:element name="city" type="xs:string"/>
<xs:element name="country" type="xs:string"/>
<xs:element name="phone" type="xs:string"/>
<xs:element name="email" type="emailAddress"/>
<xs:element name="website" type="xs:anyURI"/>
<xs:element name="vat_no" type="xs:string"/>
<xs:element name="iban" type="xs:string"/>
<xs:element name="coc">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:integer">
<xs:attribute name="nationality" type="xs:string"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="waiver_rep" type="xs:string"/>
<!-- client -->
<xs:element name="client">
<xs:complexType>
<xs:sequence>
<xs:group ref="name-group"/>
<xs:element ref="legal_rep"/>
<xs:element ref="waiver_rep"/>
<xs:element ref="poc1"/>
<xs:group ref="address-group"/>
<xs:element ref="coc"/>
<xs:element ref="invoice_rep"/>
<xs:element ref="invoice_mail"/>
<xs:element ref="vat_no"/>
</xs:sequence>
<xs:attribute ref="xml:base"/>
<xs:attribute name="id" type="xs:ID"/>
</xs:complexType>
</xs:element>
<xs:element name="invoice_rep" type="xs:string"/>
<xs:element name="invoice_mail" type="emailAddress"/>
<xs:element name="duration" type="xs:nonNegativeInteger"/>
<xs:element name="test_planning" type="xs:string"/>
<xs:element name="report_writing" type="xs:string"/>
<xs:element name="report_due" type="xs:string"/>
<xs:element name="nature" type="xs:string"/>
<xs:element name="type">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="black-box"/>
<xs:enumeration value="crystal-box"/>
<xs:enumeration value="grey-box"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="target_application" type="xs:string"/>
<xs:element name="target_application_producer" type="xs:string"/>
<!-- doc -->
<xs:element name="title">
<xs:complexType mixed="true">
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:group ref="placeholders"/>
<xs:group ref="inline-all"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="br">
<xs:complexType/>
</xs:element>
<xs:element name="table">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" ref="tr"/>
</xs:sequence>
<xs:attribute name="border" use="optional" type="xs:integer"/>
<xs:attribute name="cols" use="optional" type="xs:string"/>
</xs:complexType>
</xs:element>
<xs:element name="tr">
<xs:complexType>
<xs:choice maxOccurs="unbounded" minOccurs="1">
<xs:element ref="td"/>
<xs:element ref="th"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="th" type="xs:string"/>
<xs:element name="td">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-all"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="ul">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="li" type="li"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="ol">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" name="li" type="li"/>
</xs:sequence>
<xs:attribute name="type" use="optional">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="a"/>
<xs:enumeration value="A"/>
<xs:enumeration value="i"/>
<xs:enumeration value="I"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:complexType name="li" mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-all"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="ul"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="ol"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
<xs:element name="img">
<xs:complexType>
<xs:attribute name="height" use="optional" type="xs:integer"/>
<xs:attribute name="width" use="optional" type="xs:integer"/>
<xs:attribute name="src" use="required"/>
<xs:attribute name="title" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="div">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element ref="pre"/>
<xs:element ref="code"/>
<xs:element name="p" type="block"/>
<xs:element ref="table"/>
<xs:element ref="ul"/>
<xs:element ref="ol"/>
<xs:element ref="img"/>
</xs:choice>
<xs:attribute ref="xml:base"/>
</xs:complexType>
</xs:element>
<xs:element name="version_history">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" ref="version"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="version">
<xs:complexType>
<xs:sequence>
<xs:element ref="v_author" maxOccurs="unbounded"/>
<xs:element ref="v_description"/>
</xs:sequence>
<xs:attribute name="date" use="required" type="xs:dateTime"/>
<xs:attribute name="number" use="required" type="xs:NMTOKEN"/>
</xs:complexType>
</xs:element>
<xs:element name="v_author" type="xs:string"/>
<xs:element name="v_description" type="xs:string"/>
<xs:element name="targets">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" ref="target"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="target">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="Ref" use="optional" type="xs:IDREFS"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="generate_index">
<xs:complexType/>
</xs:element>
<xs:element name="generate_targets">
<xs:complexType>
<xs:attribute name="Ref" use="optional" type="xs:IDREFS"/>
</xs:complexType>
</xs:element>
<xs:element name="pre">
<xs:complexType mixed="true">
<xs:choice>
<xs:group ref="inline-except-monospace"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="code">
<xs:complexType mixed="true">
<xs:choice>
<xs:group ref="inline-except-monospace"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<!-- Inline elements -->
<xs:element name="a">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="href" use="required" type="xs:anyURI"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="b">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-except-b"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="i">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-except-i"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="u">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-except-u"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="monospace">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-except-monospace"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="sup">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-except-sup"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="sub">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-except-sub"/>
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="name">
<xs:complexType mixed="true">
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:group ref="placeholders"/>
</xs:choice>
</xs:complexType>
</xs:element>
<!-- attributes -->
<xs:attribute name="break">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="before"/>
<xs:enumeration value="after"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="visibility">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="hidden"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<!-- Inline groups -->
<xs:group name="inline-all">
<xs:choice>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="a"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="br"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="i"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="b"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="u"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="monospace"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sup"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sub"/>
</xs:choice>
</xs:group>
<xs:group name="inline-except-b">
<xs:choice>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="a"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="br"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="i"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="u"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="monospace"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sup"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sub"/>
</xs:choice>
</xs:group>
<xs:group name="inline-except-sup">
<xs:choice>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="a"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="br"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="i"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="u"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="b"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="monospace"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sub"/>
</xs:choice>
</xs:group>
<xs:group name="inline-except-sub">
<xs:choice>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="a"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="br"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="i"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="u"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="b"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="monospace"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sup"/>
</xs:choice>
</xs:group>
<xs:group name="inline-except-i">
<xs:choice>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="a"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="br"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="b"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="u"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="monospace"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sup"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sub"/>
</xs:choice>
</xs:group>
<xs:group name="inline-except-u">
<xs:choice>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="a"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="br"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="i"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="b"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="monospace"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sup"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sub"/>
</xs:choice>
</xs:group>
<xs:group name="inline-except-monospace">
<xs:choice>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="a"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="br"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="i"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="b"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="u"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sup"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="sub"/>
</xs:choice>
</xs:group>
</xs:schema>
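Review bot: the `pre` and `code` content models use a bare `<xs:choice>` (default maxOccurs="1") around `inline-except-monospace` and `placeholders`, while every other mixed-content element in this file (`td`, `b`, `i`, `u`, `monospace`, `sup`, `sub`) uses `<xs:choice maxOccurs="unbounded">`. Because the outer choice is taken only once and each inline group is itself a choice of one element kind, a `<pre>` may hold repeats of a single inline element, or a single placeholder, but not a mix such as `<b>` followed by `<i>` or an inline element next to a placeholder; a listing like that fails validation, which looks unintended, so add maxOccurs="unbounded" to both choices. Two further points: `img/@src` (`<xs:attribute name="src" use="required"/>`) has no type, so any string is accepted, whereas `a/@href` is typed xs:anyURI, and the two should match; and this file references the group `placeholders` and the type `block` without defining either, so it only validates when included from a schema that supplies both (genericdocument.xsd, invoice.xsd, offerte.xsd and pentestreport.xsd all do). A comment at the top saying that common.xsd is not a standalone schema would save the next person a confusing validator error.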

120
xml/dtd/genericdocument.xsd Normal file

@@ -0,0 +1,120 @@
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
<xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd" />
<xs:import namespace="http://www.w3.org/2001/XInclude" schemaLocation="http://www.w3.org/2001/XInclude/XInclude.xsd"/>
<xs:include schemaLocation="common.xsd"/>
<xs:element name="generic_document">
<xs:complexType>
<xs:sequence>
<xs:element ref="meta"/>
<xs:element ref="generate_index"/>
<xs:element ref="section" maxOccurs="unbounded"/>
<xs:element ref="appendix" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="meta">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:element ref="subtitle" minOccurs="0"/>
<xs:element ref="collaborators"/>
<xs:element ref="classification"/>
<xs:element ref="version_history"/>
<xs:element ref="company"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="subtitle" type="xs:string"/>
<xs:element name="collaborators">
<xs:complexType>
<xs:sequence>
<xs:element ref="reviewers"/>
<xs:element ref="approver"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="reviewers">
<xs:complexType>
<xs:sequence>
<xs:element ref="reviewer"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="reviewer" type="xs:string"/>
<xs:element name="approver">
<xs:complexType>
<xs:sequence>
<xs:element ref="name"/>
<xs:element ref="bio"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="bio" type="xs:string"/>
<xs:element name="classification" type="xs:NCName"/>
<xs:element name="section">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element ref="pre"/>
<xs:element ref="code"/>
<xs:element name="p" type="block"/>
<xs:element ref="section"/>
<xs:element ref="table"/>
<xs:element ref="ul"/>
<xs:element ref="ol"/>
<xs:element ref="img"/>
<xs:element ref="div"/>
</xs:choice>
</xs:sequence>
<xs:attribute name="id" use="required" type="xs:ID"/>
<xs:attribute ref="break" use="optional"/>
<xs:attribute ref="visibility" use="optional"/>
<xs:attribute ref="xml:base"/>
</xs:complexType>
</xs:element>
<xs:element name="appendix">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:choice maxOccurs="unbounded">
<xs:element name="p" type="block"/>
<xs:element ref="pre"/>
<xs:element ref="code"/>
<xs:element ref="table"/>
<xs:element ref="ol"/>
<xs:element ref="ul"/>
<xs:element ref="img"/>
<xs:element ref="div"/>
<xs:element ref="section"/>
</xs:choice>
</xs:sequence>
<xs:attribute name="id" use="required" type="xs:ID"/>
<xs:attribute ref="visibility" use="optional"/>
</xs:complexType>
</xs:element>
<xs:complexType name="block" mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-all"/>
<xs:group ref="placeholders"/>
</xs:choice>
<xs:attribute ref="xml:base"/>
</xs:complexType>
<!-- Placeholders -->
<xs:group name="placeholders">
<xs:choice></xs:choice>
</xs:group>
</xs:schema>
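Review bot: `reviewers` is declared as a sequence of exactly one `reviewer` (`<xs:element ref="reviewer"/>` with no maxOccurs), so a document reviewed by two people fails validation despite the plural element name; add maxOccurs="unbounded", as `version_history/version` in common.xsd does. Separately, the `placeholders` group here is an empty `<xs:choice></xs:choice>`: that is legal XSD (an empty choice has an effective range of zero and matches empty content), and it simply means this document type supports no placeholders, but since `address`, `title`, `td` and all the inline elements in common.xsd reference the group, a one-line comment explaining that generic documents deliberately have no placeholders would avoid the impression that something was left unfinished.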

103
xml/dtd/invoice.xsd Normal file

@@ -0,0 +1,103 @@
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning" vc:minVersion="1.0" vc:maxVersion="1.1">
<xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<xs:import namespace="http://www.w3.org/2001/XInclude"
schemaLocation="http://www.w3.org/2001/XInclude/XInclude.xsd"/>
<xs:include schemaLocation="common.xsd"/>
<xs:element name="invoice">
<xs:complexType>
<xs:sequence>
<xs:element ref="meta"/>
<xs:element ref="servicesdelivered" minOccurs="1" maxOccurs="1"/>
<xs:element ref="additionalcosts" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:attribute name="invoice_no" type="xs:string"/>
<xs:attribute name="date" type="xs:date" use="optional"/>
<xs:attribute name="denomination" use="optional" default="euro">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="euro"/>
<xs:enumeration value="dollar"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="meta">
<xs:complexType>
<xs:sequence>
<xs:element ref="company"/>
<xs:element ref="client"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="servicesdelivered">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element name="service" type="entry"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="additionalcosts">
<xs:complexType>
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element name="cost" type="entry"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType name="entry">
<xs:sequence minOccurs="1" maxOccurs="unbounded">
<xs:element ref="description"/>
<xs:element ref="fee"/>
</xs:sequence>
</xs:complexType>
<xs:element name="description" type="xs:string"/>
<xs:element name="fee">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:integer">
<xs:attribute name="vat" use="optional" default="yes">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="yes"/>
<xs:enumeration value="no"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:complexType name="block" mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-all"/>
<xs:group ref="placeholders"/>
</xs:choice>
<xs:attribute ref="xml:base"/>
</xs:complexType>
<!-- Placeholders -->
<xs:group name="placeholders">
<xs:choice>
<xs:element name="client_long"/>
<xs:element name="client_short"/>
<xs:element name="client_street"/>
<xs:element name="client_city"/>
<xs:element name="client_country"/>
<xs:element name="company_long"/>
<xs:element name="company_short"/>
<xs:element name="company_svc_long"/>
<xs:element name="company_svc_short"/>
<xs:element name="company_legal_rep"/>
<xs:element name="company_poc1"/>
<xs:element name="t_app"/>
<xs:element name="t_app_producer"/>
<xs:element name="p_duration"/>
</xs:choice>
</xs:group>
</xs:schema>
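Review bot: `invoice/@invoice_no` (`<xs:attribute name="invoice_no" type="xs:string"/>`) is optional, so an invoice without a number validates; of all the root attributes this is the one that should be use="required", ideally with a pattern restriction so a mistyped number is caught at validation time. The `entry` type also wraps its `description`/`fee` pair in `<xs:sequence minOccurs="1" maxOccurs="unbounded">`, so a single `<service>` or `<cost>` may carry several description/fee pairs; repetition is already provided by the `service` and `cost` sequences in `servicesdelivered` and `additionalcosts`, so the inner maxOccurs looks like a copy-and-paste and should be dropped unless the stylesheet really sums several fees inside one entry. Finally, `fee` extends xs:integer, which rejects any fractional amount; if invoices can carry cents, xs:decimal is the intended base.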

247
xml/dtd/offerte.xsd Normal file

@@ -0,0 +1,247 @@
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning" vc:minVersion="1.0" vc:maxVersion="1.1">
<xs:import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/xml.xsd"/>
<xs:import namespace="http://www.w3.org/2001/XInclude"
schemaLocation="http://www.w3.org/2001/XInclude/XInclude.xsd"/>
<xs:include schemaLocation="common.xsd"/>
<xs:element name="offerte">
<xs:complexType>
<xs:sequence>
<xs:element ref="meta"/>
<xs:element maxOccurs="unbounded" minOccurs="0" ref="generate_index"/>
<xs:element maxOccurs="unbounded" ref="section"/>
<xs:element maxOccurs="unbounded" minOccurs="0" ref="annex"/>
<xs:element maxOccurs="unbounded" minOccurs="1" ref="waivers"/>
</xs:sequence>
<xs:attribute ref="xml:lang"/>
</xs:complexType>
</xs:element>
<xs:element name="meta">
<xs:complexType>
<xs:sequence>
<xs:element ref="offered_service_long"/>
<xs:element ref="offered_service_short"/>
<xs:element ref="company"/>
<xs:element ref="targets"/>
<xs:element ref="permission_parties"/>
<xs:element ref="pentestinfo"/>
<xs:element ref="version_history"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="offered_service_long" type="xs:string"/>
<xs:element name="offered_service_short" type="xs:string"/>
<xs:element name="permission_parties">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="1" ref="client"/>
<xs:element maxOccurs="unbounded" minOccurs="0" ref="party"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="party">
<xs:complexType>
<xs:sequence>
<xs:element ref="full_name"/>
<xs:element ref="short_name"/>
<xs:element ref="waiver_rep"/>
<xs:element ref="address"/>
<xs:element ref="city"/>
<xs:element ref="country"/>
<xs:element minOccurs="0" ref="coc"/>
</xs:sequence>
<xs:attribute name="id" type="xs:ID"/>
</xs:complexType>
</xs:element>
<xs:element name="pentestinfo">
<xs:complexType>
<xs:sequence>
<xs:element ref="duration"/>
<xs:element ref="test_planning"/>
<xs:element ref="report_writing"/>
<xs:element ref="report_due"/>
<xs:element ref="nature"/>
<xs:element ref="type"/>
<xs:element ref="fee"/>
<xs:element minOccurs="0" ref="target_application"/>
<xs:element minOccurs="0" ref="target_application_producer"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="fee">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:integer">
<xs:attribute name="denomination" use="optional" default="euro">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="euro"/>
<xs:enumeration value="dollar"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="annex">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:choice maxOccurs="unbounded">
<xs:element name="p" type="block"/>
<xs:element ref="pre"/>
<xs:element ref="code"/>
<xs:element ref="table"/>
<xs:element ref="ol"/>
<xs:element ref="ul"/>
<xs:element ref="img"/>
<xs:element ref="div"/>
<xs:element ref="section"/>
<xs:element ref="generate_targets"/>
</xs:choice>
</xs:sequence>
<xs:attribute ref="xml:base"/>
<xs:attribute ref="visibility" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="waivers">
<xs:complexType>
<xs:sequence>
<xs:element ref="standard_waiver"/>
<xs:choice>
<xs:element ref="alternative_waiver"/>
</xs:choice>
</xs:sequence>
<xs:attribute ref="xml:base"/>
</xs:complexType>
</xs:element>
<xs:element name="standard_waiver">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:choice maxOccurs="unbounded">
<xs:element name="p" type="block"/>
<xs:element ref="ul"/>
<xs:element ref="generate_targets"/>
</xs:choice>
<xs:element ref="generate_waiver_signature_box"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="alternative_waiver">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:choice maxOccurs="unbounded">
<xs:element name="p" type="block"/>
<xs:element ref="ul"/>
<xs:element ref="generate_targets"/>
</xs:choice>
<xs:element ref="generate_waiver_signature_box"/>
</xs:sequence>
<xs:attribute name="Ref" use="optional" type="xs:IDREFS"/>
</xs:complexType>
</xs:element>
<xs:element name="generate_waiver_signature_box"/>
<xs:complexType name="block" mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-all"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="generate_permission_parties"/>
<xs:group ref="placeholders"/>
</xs:choice>
<xs:attribute ref="xml:base"/>
</xs:complexType>
<xs:element name="section">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element ref="pre"/>
<xs:element ref="code"/>
<xs:element name="p" type="block"/>
<xs:element ref="section"/>
<xs:element ref="table"/>
<xs:element ref="ul"/>
<xs:element ref="ol"/>
<xs:element ref="img"/>
<xs:element ref="div"/>
<xs:element ref="contact"/>
<xs:element ref="generate_targets"/>
<xs:element ref="generate_offer_signature_box"/>
</xs:choice>
</xs:sequence>
<xs:attribute name="id" use="optional" type="xs:ID"/>
<xs:attribute ref="break" use="optional"/>
<xs:attribute ref="xml:base"/>
</xs:complexType>
</xs:element>
<xs:element name="contact">
<xs:complexType>
<xs:sequence>
<xs:element ref="name"/>
<xs:element ref="address"/>
<xs:element ref="email"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="generate_offer_signature_box"/>
<xs:element name="generate_permission_parties"/>
<!-- Placeholders -->
<xs:group name="placeholders">
<xs:choice>
<xs:element name="client_long"/>
<xs:element name="client_short"/>
<xs:element name="client_street"/>
<xs:element name="client_city"/>
<xs:element name="client_country"/>
<xs:element name="client_coc"/>
<xs:element name="client_legal_rep"/>
<xs:element name="client_waiver_rep"/>
<xs:element name="client_poc1"/>
<xs:element name="company_long"/>
<xs:element name="company_short"/>
<xs:element name="company_svc_long"/>
<xs:element name="company_svc_short"/>
<xs:element name="company_legal_rep"/>
<xs:element name="company_poc1"/>
<xs:element name="t_app"/>
<xs:element name="t_app_producer"/>
<xs:element name="p_duration"/>
<xs:element name="p_boxtype"/>
<xs:element name="p_fee"/>
<xs:element name="p_testingduration"/>
<xs:element name="p_reportwritingduration"/>
<xs:element name="p_reportdue"/>
<xs:element name="signee_long"/>
<xs:element name="signee_short"/>
<xs:element name="signee_street"/>
<xs:element name="signee_city"/>
<xs:element name="signee_country"/>
<xs:element name="signee_waiver_rep"/>
</xs:choice>
</xs:group>
</xs:schema>
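Review bot: the `waivers` content model (`<xs:sequence>` with `standard_waiver` followed by a `<xs:choice>` whose only branch is `alternative_waiver`) has no minOccurs="0" on the choice, so every offerte must contain exactly one `alternative_waiver`, even when `permission_parties` lists no extra `party`, and can never contain more than one. Given the README says waivers for extra parties are generated automatically, this is probably meant to be `<xs:element ref="alternative_waiver" minOccurs="0"/>` without the wrapping choice (and maxOccurs="unbounded" if one alternative waiver per party is intended; `alternative_waiver/@Ref` being an IDREFS suggests one waiver may instead cover several parties, so the choice deserves a comment either way). Two related points: `offerte` declares `waivers` with maxOccurs="unbounded", so several waivers containers per document are accepted, which the generated-waiver logic probably does not expect; and `party` requires `address`, `city` and `country` but, unlike the `address-group` used by `client` and `company`, has no `postal_code`, so an extra party cannot carry one.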

338
xml/dtd/pentestreport.xsd Normal file

@@ -0,0 +1,338 @@
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning" vc:minVersion="1.0" vc:maxVersion="1.1">
<xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="http://www.w3.org/2001/xml.xsd" />
<xs:import namespace="http://www.w3.org/2001/XInclude" schemaLocation="http://www.w3.org/2001/XInclude/XInclude.xsd"/>
<xs:include schemaLocation="common.xsd"/>
<xs:element name="pentest_report">
<xs:complexType>
<xs:sequence>
<xs:element ref="meta"/>
<xs:element ref="generate_index"/>
<xs:choice maxOccurs="unbounded">
<xs:element ref="section"/>
</xs:choice>
<xs:element maxOccurs="unbounded" ref="appendix"/>
</xs:sequence>
<xs:attribute name="findingCode" use="required" type="xs:NCName"/>
<xs:attribute name="findingNumberingBase" use="optional" default="Report">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="Report"/>
<xs:enumeration value="Section"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="meta">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:element ref="client"/>
<xs:element ref="targets"/>
<xs:element ref="pentestinfo" minOccurs="0"/>
<xs:element ref="collaborators"/>
<xs:element ref="classification"/>
<xs:element ref="version_history"/>
<xs:element ref="company"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="pentestinfo">
<xs:complexType>
<xs:sequence>
<xs:element ref="duration"/>
<xs:element ref="test_planning"/>
<xs:element ref="report_writing"/>
<xs:element ref="report_due"/>
<xs:element ref="nature"/>
<xs:element ref="type"/>
<xs:element minOccurs="0" ref="target_application"/>
<xs:element minOccurs="0" ref="target_application_producer"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="collaborators">
<xs:complexType>
<xs:sequence>
<xs:element ref="reviewers"/>
<xs:element ref="approver"/>
<xs:element ref="pentesters"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="reviewers">
<xs:complexType>
<xs:sequence>
<xs:element ref="reviewer"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="reviewer" type="xs:string"/>
<xs:element name="approver">
<xs:complexType>
<xs:sequence>
<xs:element ref="name"/>
<xs:element ref="bio"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="pentesters">
<xs:complexType>
<xs:sequence>
<xs:element maxOccurs="unbounded" ref="pentester"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="pentester">
<xs:complexType>
<xs:sequence>
<xs:element ref="name"/>
<xs:element ref="bio"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="bio" type="xs:string"/>
<xs:element name="classification" type="xs:NCName"/>
<xs:element name="appendix">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:choice maxOccurs="unbounded">
<xs:element ref="generate_testteam"/>
<xs:element name="p" type="block"/>
<xs:element ref="pre"/>
<xs:element ref="code"/>
<xs:element ref="table"/>
<xs:element ref="ol"/>
<xs:element ref="ul"/>
<xs:element ref="img"/>
<xs:element ref="div"/>
<xs:element ref="section"/>
</xs:choice>
</xs:sequence>
<xs:attribute name="id" use="required" type="xs:ID"/>
<xs:attribute ref="visibility" use="optional"/>
</xs:complexType>
</xs:element>
<xs:element name="generate_testteam">
<xs:complexType/>
</xs:element>
<xs:element name="section">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element ref="pre"/>
<xs:element ref="code"/>
<xs:element name="p" type="block"/>
<xs:element ref="section"/>
<xs:element ref="table"/>
<xs:element ref="ul"/>
<xs:element ref="ol"/>
<xs:element ref="img"/>
<xs:element ref="div"/>
<xs:element ref="generate_targets"/>
<xs:element ref="generate_recommendations"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="generate_findings"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="finding"/>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="non-finding"/>
</xs:choice>
</xs:sequence>
<xs:attribute name="id" use="required" type="xs:ID"/>
<xs:attribute ref="break" use="optional"/>
<xs:attribute ref="visibility" use="optional"/>
<xs:attribute ref="xml:base"/>
</xs:complexType>
</xs:element>
<xs:element name="non-finding">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:choice minOccurs="0" maxOccurs="unbounded">
<xs:element ref="pre"/>
<xs:element ref="code"/>
<xs:element name="p" type="block"/>
<xs:element ref="table"/>
<xs:element ref="ul"/>
<xs:element ref="ol"/>
<xs:element ref="img"/>
<xs:element ref="section"/>
</xs:choice>
</xs:sequence>
<xs:attribute name="id" use="required" type="xs:ID"/>
<xs:attribute ref="break" use="optional"/>
<xs:attribute ref="xml:base"/>
</xs:complexType>
</xs:element>
<xs:element name="generate_recommendations">
<xs:complexType>
<xs:attribute name="Ref" use="optional" type="xs:IDREF"/>
</xs:complexType>
</xs:element>
<xs:element name="generate_findings">
<xs:complexType>
<xs:attribute name="Ref" use="optional" type="xs:IDREF"/>
</xs:complexType>
</xs:element>
<xs:element name="finding">
<xs:complexType>
<xs:sequence>
<xs:element ref="title"/>
<xs:choice minOccurs="0">
<xs:element name="p"/>
</xs:choice>
<xs:element ref="description"/>
<xs:choice minOccurs="0" maxOccurs="1">
<xs:element ref="description_summary"/>
</xs:choice>
<xs:element ref="technicaldescription"/>
<xs:element ref="impact"/>
<xs:element ref="recommendation"/>
<xs:choice minOccurs="0" maxOccurs="1">
<xs:element ref="recommendation_summary"/>
</xs:choice>
</xs:sequence>
<xs:attribute name="id" use="required" type="xs:ID"/>
<xs:attribute name="threatLevel" use="optional" default="N/A">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="N/A"/>
<xs:enumeration value="Unknown"/>
<xs:enumeration value="Low"/>
<xs:enumeration value="Moderate"/>
<xs:enumeration value="Elevated"/>
<xs:enumeration value="High"/>
<xs:enumeration value="Extreme"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="type" use="required"/>
<xs:attribute name="break" use="optional">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="before"/>
<xs:enumeration value="after"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute ref="xml:base"/>
</xs:complexType>
</xs:element>
<xs:element name="description">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded" minOccurs="0">
<xs:element name="p" type="block"/>
<xs:element name="ol"/>
<xs:element name="ul"/>
<xs:element name="img"/>
<xs:element name="table"/>
<xs:element ref="pre"/>
<xs:element ref="code"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="description_summary">
<xs:complexType mixed="true">
<xs:sequence maxOccurs="unbounded" minOccurs="0">
<xs:element name="p" type="block"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="technicaldescription">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded" minOccurs="0">
<xs:element name="p" type="block"/>
<xs:element name="ol"/>
<xs:element name="ul"/>
<xs:element name="img"/>
<xs:element name="table"/>
<xs:element ref="pre"/>
<xs:element ref="code"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="impact">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded" minOccurs="0">
<xs:element name="p" type="block"/>
<xs:element name="ol"/>
<xs:element name="ul"/>
<xs:element name="img"/>
<xs:element name="table"/>
<xs:element ref="pre"/>
<xs:element ref="code"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="recommendation">
<xs:complexType mixed="true">
<xs:choice maxOccurs="unbounded" minOccurs="0">
<xs:element name="p" type="block"/>
<xs:element name="ol"/>
<xs:element name="ul"/>
<xs:element name="img"/>
<xs:element name="table"/>
<xs:element ref="pre"/>
<xs:element ref="code"/>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="recommendation_summary">
<xs:complexType mixed="true">
<xs:sequence maxOccurs="unbounded" minOccurs="0">
<xs:element name="p" type="block"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:complexType name="block" mixed="true">
<xs:choice maxOccurs="unbounded">
<xs:group ref="inline-all"/>
<xs:group ref="placeholders"/>
</xs:choice>
<xs:attribute ref="xml:base"/>
</xs:complexType>
<!-- Placeholders -->
<xs:group name="placeholders">
<xs:choice>
<xs:element name="client_long"/>
<xs:element name="client_short"/>
<xs:element name="client_street"/>
<xs:element name="client_city"/>
<xs:element name="client_country"/>
<xs:element name="company_long"/>
<xs:element name="company_short"/>
<xs:element name="company_svc_long"/>
<xs:element name="t_app"/>
<xs:element name="t_app_producer"/>
<xs:element name="p_duration"/>
<xs:element name="p_boxtype"/>
<xs:element name="p_testingduration"/>
<xs:element name="p_reportwritingduration"/>
<xs:element name="p_reportdue"/>
</xs:choice>
</xs:group>
</xs:schema>
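Review bot: the `reviewers` element allows exactly one `reviewer`, because the `<xs:element ref="reviewer"/>` inside its sequence carries no `maxOccurs`, while the sibling `pentesters` uses `maxOccurs="unbounded"`; a report with two reviewers fails validation, so add `maxOccurs="unbounded"` there (or rename the wrapper if one reviewer is intended). Two related gaps in the same hunk weaken validation exactly where it matters most, in the finding body: inside `finding`, `<xs:element name="p"/>` is untyped, i.e. `xs:anyType`, unlike every other `p`, which is declared `type="block"`; and `description`, `technicaldescription`, `impact` and `recommendation` declare `ol`, `ul`, `img` and `table` as untyped local elements instead of `ref="ol"` etc. as `section` and `appendix` do, so the global definitions are bypassed and any markup is accepted inside a finding. Finally, `finding/@type` is `use="required"` with no type or enumeration, so any string passes; if the stylesheet branches on it, an enumeration like the one on `threatLevel` would catch a typo at validation time instead of in the rendered PDF.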

9
xml/dtd/xi.xsd Normal file


@@ -0,0 +1,9 @@
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.w3.org/2001/XInclude" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xi="http://www.w3.org/2001/XInclude">
<xs:import schemaLocation="pentestreport.xsd"/>
<xs:element name="include">
<xs:complexType>
<xs:attribute name="href" use="required"/>
</xs:complexType>
</xs:element>
</xs:schema>
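Review bot: `href` on `include` is declared without a type, so the validator accepts any string; `xs:anyURI` is the natural type for an XInclude target and costs nothing. The complex type also admits only `href`, so an `<xi:include>` carrying `parse="text"` or `xpointer` is rejected; if that restriction is deliberate, a one-line comment saying so saves the next reader a trip to the XInclude spec. Note too that the `<xs:import schemaLocation="pentestreport.xsd"/>` is unused here (nothing in this file references a component from that schema) and the `xmlns:xsi` and `xmlns:xi` declarations are likewise unreferenced; dropping them keeps the import graph minimal, and confining what `href` may resolve to remains a job for the build step that runs the XInclude processor, since the schema cannot express it.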

117
xml/dtd/xml.xsd Normal file

@@ -0,0 +1,117 @@
<?xml version='1.0'?>
<!DOCTYPE xs:schema PUBLIC "-//W3C//DTD XMLSCHEMA 200102//EN" "XMLSchema.dtd" >
<xs:schema targetNamespace="http://www.w3.org/XML/1998/namespace" xmlns:xs="http://www.w3.org/2001/XMLSchema" xml:lang="en">
<xs:annotation>
<xs:documentation>
See http://www.w3.org/XML/1998/namespace.html and
http://www.w3.org/TR/REC-xml for information about this namespace.
This schema document describes the XML namespace, in a form
suitable for import by other schema documents.
Note that local names in this namespace are intended to be defined
only by the World Wide Web Consortium or its subgroups. The
following names are currently defined in this namespace and should
not be used with conflicting semantics by any Working Group,
specification, or document instance:
base (as an attribute name): denotes an attribute whose value
provides a URI to be used as the base for interpreting any
relative URIs in the scope of the element on which it
appears; its value is inherited. This name is reserved
by virtue of its definition in the XML Base specification.
lang (as an attribute name): denotes an attribute whose value
is a language code for the natural language of the content of
any element; its value is inherited. This name is reserved
by virtue of its definition in the XML specification.
space (as an attribute name): denotes an attribute whose
value is a keyword indicating what whitespace processing
discipline is intended for the content of the element; its
value is inherited. This name is reserved by virtue of its
definition in the XML specification.
Father (in any context at all): denotes Jon Bosak, the chair of
the original XML Working Group. This name is reserved by
the following decision of the W3C XML Plenary and
XML Coordination groups:
In appreciation for his vision, leadership and dedication
the W3C XML Plenary on this 10th day of February, 2000
reserves for Jon Bosak in perpetuity the XML name
xml:Father
</xs:documentation>
</xs:annotation>
<xs:annotation>
<xs:documentation>This schema defines attributes and an attribute group
suitable for use by
schemas wishing to allow xml:base, xml:lang or xml:space attributes
on elements they define.
To enable this, such a schema must import this schema
for the XML namespace, e.g. as follows:
&lt;schema . . .>
. . .
&lt;import namespace="http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/03/xml.xsd"/>
Subsequently, qualified reference to any of the attributes
or the group defined below will have the desired effect, e.g.
&lt;type . . .>
. . .
&lt;attributeGroup ref="xml:specialAttrs"/>
will define a type which will schema-validate an instance
element with any of those attributes</xs:documentation>
</xs:annotation>
<xs:annotation>
<xs:documentation>In keeping with the XML Schema WG's standard versioning
policy, this schema document will persist at
http://www.w3.org/2001/03/xml.xsd.
At the date of issue it can also be found at
http://www.w3.org/2001/xml.xsd.
The schema document at that URI may however change in the future,
in order to remain compatible with the latest version of XML Schema
itself. In other words, if the XML Schema namespace changes, the version
of this document at
http://www.w3.org/2001/xml.xsd will change
accordingly; the version at
http://www.w3.org/2001/03/xml.xsd will not change.
</xs:documentation>
</xs:annotation>
<xs:attribute name="lang" type="xs:language">
<xs:annotation>
<xs:documentation>In due course, we should install the relevant ISO 2- and 3-letter
codes as the enumerated possible values . . .</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="space" default="preserve">
<xs:simpleType>
<xs:restriction base="xs:NCName">
<xs:enumeration value="default"/>
<xs:enumeration value="preserve"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute name="base" type="xs:anyURI">
<xs:annotation>
<xs:documentation>See http://www.w3.org/TR/xmlbase/ for
information about this attribute.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attributeGroup name="specialAttrs">
<xs:attribute ref="xml:base"/>
<xs:attribute ref="xml:lang"/>
<xs:attribute ref="xml:space"/>
</xs:attributeGroup>
</xs:schema>
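Review bot: the `<!DOCTYPE xs:schema PUBLIC "-//W3C//DTD XMLSCHEMA 200102//EN" "XMLSchema.dtd">` on the second line points at a relative external DTD; unless `XMLSchema.dtd` is vendored next to this file, any parser configured to load external DTDs will fail on the missing file or try to fetch it, so either drop the DOCTYPE (the W3C document validates without it) or ship the DTD alongside, and keep external DTD loading disabled in the validation tooling regardless. This is the 2001/03 revision of the W3C document, which its own text says will not change; that is fine for `xml:base`, `xml:lang` and `xml:space`, but it predates `xml:id`, so a short comment at the top stating that the file is vendored and from which URL would help whoever later wonders why `xml:id` is unavailable.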

6
xml/dtd/xsi.xsd Normal file

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xi="http://www.w3.org/2001/XInclude">
<xs:import schemaLocation="pentestreport.xsd"/>
<xs:import namespace="http://www.w3.org/2001/XInclude" schemaLocation="xi.xsd"/>
<xs:attribute name="noNamespaceSchemaLocation"/>
</xs:schema>
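Review bot: `noNamespaceSchemaLocation` is declared with no type; `xs:anyURI` is the natural choice and keeps it consistent with the `href` in the XInclude schema imported on the line above. Both `xs:import` lines are also unused: the only declaration in this file references nothing from `pentestreport.xsd` or `xi.xsd`, so they can go, and a one-line comment on why the instance namespace is being re-declared at all (which validator needs it) would spare the next maintainer from guessing.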

2
xml/findings/README.md Normal file

@@ -0,0 +1,2 @@
# findings
Contains all findings in XML format. Note that you can always get the most up-to-date boilerplate findings from the *ROS pentesters library*.
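Review bot: the *ROS pentesters library* is named but not located; a link or repository path to it (or to wherever the boilerplate findings are published) would make this README actionable for a new team member.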

BIN
xml/graphics/logo.png Normal file

1
xml/graphics/logo.svg Normal file

BIN
xml/graphics/logo_alt.png Normal file


@@ -0,0 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" fill-rule="evenodd" stroke-miterlimit="1.414" viewBox="0 0 3508 2481" clip-rule="evenodd" stroke-linejoin="round"><circle cx="1454.89" cy="1482.45" r="420.139" fill="#E96117" transform="translate(529.81 -461.18) scale(.8414)"/><path fill="#fff" d="M1776.416 571.452c19.032-14.946 40.342-18.905 63.45-14.085-.49 4.944 3.335 8.125 6.935 10.167 11.19 6.35 16.82 15.9 19.2 28.167.48 2.44 3.21 4.68 5.34 6.49 1.95 1.64 4.54 2.5 6.76 3.85 3.92 2.39 3.37 5.88.2 7.59-6.05 3.29-3.89 8.96-4.02 13.27-.13 4.5 2.81 9.04 3.99 13.65.57 2.2.68 4.77.13 6.96-1.49 5.94-1.03 7.02 4.74 8.15 14.53 2.84 28.61 7.49 40.09 16.77 10.31 8.33 16.03 20.06 17.31 33.64.54 5.76 1.14 11.62 2.73 17.15 4.96 17.2 10.55 34.22 15.61 51.38 3.81 12.93 7.06 26.03 10.79 38.97 3.38 11.72 2.85 23.36.51 35.13-2.11 10.64-4.27 21.29-5.69 32.03-.81 6.13-.02 12.46-.31 18.68-.6 12.73-3.63 24.48-11.83 34.91-3.39 4.32-4.84 10.5-6.19 16.07-7.69 31.89-21.29 61.09-39.85 87.99-12.14 17.61-24.28 35.25-37.34 52.15-5.92 7.66-14.07 13.87-25.02 12.48-3.41-.43-7.13-1.52-9.89-3.46-13.02-9.2-27.08-15.55-42.66-19.38-11.01-2.71-21.3-8.19-32.17-11.63-20.85-6.6-41.67-13.58-62.94-18.49-10.715-2.48-22.445-1.52-33.626-.78-13.68.9-27.066 4.1-39.69 9.72-5.616 2.5-10.91 5.73-16.505 8.27-10.004 4.57-20.06 9.05-30.24 13.18-3.546 1.44-6.16-.16-6.47-4.41-.08-1.08-.15-2.89-.71-3.11-5.9-2.27-1.445-8.21-4.225-11.48 1.59-1.23 3.063-2.71 4.824-3.63 1.582-.82 3.49-1.02 6.36-1.8-3.348-1.47-5.27-2.32-7.19-3.16 1.72-3.61 2.97-7.53 5.23-10.76 9.71-13.79 25.162-18.08 39.86-23.69 5.18-1.97 10.08-4.79 14.823-7.68 6.5-3.95 12.53-9.16 20.92-7.15 2.63.63 5.4 1.76 7.47 3.45 10.12 8.19 21.19 11.298 34.07 8.07 7.557-1.895 15.337-2.885 23.01-4.286l.12-2.04c-18.284-6.715-35.08-17.31-55-19.87-5.14-.66-10.04-3.12-15.18-3.89-13.303-1.995-24.83-8.914-37.4-12.913-1.233-.4-2.61-.48-3.78-1.006-1.7-.77-3.29-1.81-4.923-2.73 1.23-1.49 2.18-3.66 3.75-4.32 4.216-1.76 8.7-2.87 13.08-4.21 3.12-.96 6.22-2.01 9.39-2.78 7.41-1.84 14.794-4.64 
22.3-5.04 13.076-.7 25.435-3.32 37.596-8.082 12.12-4.742 17.48-2.08 22.15 10.06 4.66 12.12 12.628 20.27 25.487 23.83 17.47 4.82 34.91 9.86 52.09 15.61 10.17 3.406 19.83 8.36 28.72 12.198 8.15-19.64 16.78-40.23 25.22-60.892 2.04-5 4.15-10.15 4.98-15.43.64-4.03-.07-8.56-1.25-12.55-5.97-20.24-5.73-40.05 4.3-58.91 5.065-9.53 11.89-17.78 22.683-21.7 6.15-2.23 4.757-8.41 5.837-12.95 1.5-6.27-5.42-24.7-9.722-29.08-1.27 1.46-2.62 2.99-3.96 4.52-.465-.31-.93-5.39-1.4-5.7v-2.18l-2.485-.77c1.09-2.12-2.11-5.57-.87-8l-3.57-2.38c4.47-4.79-1.17-10.8-3.53-14.61-7-11.3-13.66-23.1-27.06-28.38-1.01-.4-2.07-1.112-2.71-1.98-6.33-8.5-16.3-12.25-24.12-18.77-5.74-4.78-11.43-9.84-16.163-15.58-13.01-15.76-28.28-28.44-46.77-37.28-18.75-8.95-35.312-21.335-52.3-33.14-8.043-5.59-17.29-9.89-26.56-13.12-5.57-1.94-12.263-.99-18.45-.81-6.29.18-10.28-1.62-11.62-8.47-.92-4.652-3.43-8.972-4.85-13.56-3.667-11.85 2.813-15.33 11.66-17.73 11.73-3.18 17.93 4.07 23.86 10.887 10.01 11.513 22.614 18.3 36.51 23.32 16.03 5.79 32.23 11.12 48.16 17.162 6.44 2.44 12.36 6.236 18.43 9.36.104-6.557-4.69-11.816-12.58-13.56-9.01-1.99-10.407-2.9-10.31-11.456.05-4.4-1.717-6.913-4.66-8.955-4.93-3.41-9.934-6.84-15.28-9.51-14.015-7.01-27.62-14.54-38.603-26.017-15.39-16.08-34.74-26.9-52.73-39.52-4.24-2.98-8.95-5.49-13.78-7.337-2.36-.893-5.96-.6-8.18.63-4.894 2.73-9.31 6.33-13.838 9.688-3.11 2.31-6.09 2.72-9.16.01-3.49-3.05-7.03-6.04-10.5-9.12-6.85-6.062-6.08-11.62 1.35-15.445-.79-2.62-2.66-6.83-2.05-7.24 2.76-1.8 6.41-3.78 9.41-3.36 5.04.7 9.423.313 14.24-1.305 3.1-1.04 7.27-.675 10.394.53 7.67 2.947 14.896 7.006 22.495 10.14 12.104 5 24.23 10.003 36.59 14.306 18.727 6.52 35.926 15.87 53.305 25.305 16.12 8.755 27.22 23.43 42.888 32.3 1.97 1.12 5.32 3.174 6.04 2.54 3.15-2.77 6.37-6.05 7.87-9.828"/></svg>


@@ -0,0 +1 @@
<svg xmlns="http://www.w3.org/2000/svg" fill-rule="evenodd" stroke-miterlimit="1.4142" viewBox="0 0 3508 2481" clip-rule="evenodd" stroke-linejoin="round"><path fill="#E96117" d="M1753.94 432.631c195.1 0 353.5 158.398 353.5 353.5s-158.4 353.499-353.5 353.499-353.5-158.397-353.5-353.499c0-195.102 158.4-353.5 353.5-353.5zm22.47 138.821c19.03-14.946 40.35-18.905 63.45-14.085-.48 4.944 3.34 8.125 6.94 10.166 11.19 6.349 16.82 15.901 19.2 28.168.47 2.436 3.2 4.68 5.33 6.486 1.94 1.642 4.54 2.497 6.76 3.847 3.91 2.391 3.37 5.873.19 7.589-6.05 3.285-3.89 8.96-4.02 13.263-.13 4.501 2.81 9.034 3.99 13.653.56 2.199.67 4.77.12 6.958-1.49 5.94-1.03 7.02 4.74 8.151 14.53 2.84 28.61 7.486 40.09 16.768 10.31 8.325 16.03 20.059 17.31 33.644.54 5.754 1.14 11.621 2.74 17.15 4.95 17.196 10.54 34.212 15.6 51.38 3.81 12.926 7.05 26.022 10.79 38.97 3.38 11.712 2.84 23.356.5 35.129-2.11 10.637-4.26 21.291-5.69 32.029-.82 6.132-.02 12.46-.31 18.681-.6 12.73-3.63 24.475-11.84 34.91-3.39 4.32-4.84 10.496-6.18 16.065-7.7 31.883-21.3 61.086-39.85 87.986-12.14 17.6-24.28 35.24-37.35 52.15-5.92 7.66-14.07 13.87-25.03 12.48-3.41-.43-7.13-1.52-9.89-3.47-13.02-9.19-27.08-15.55-42.66-19.38-11.01-2.72-21.3-8.19-32.17-11.63-20.85-6.6-41.67-13.58-62.94-18.5-10.72-2.48-22.45-1.52-33.63-.79-13.68.9-27.06 4.1-39.68 9.72-5.62 2.51-10.91 5.73-16.51 8.28-10 4.57-20.06 9.04-30.24 13.18-3.55 1.43-6.16-.17-6.47-4.41-.08-1.09-.15-2.89-.71-3.11-5.9-2.27-1.44-8.21-4.22-11.49 1.59-1.24 3.06-2.72 4.82-3.63 1.58-.83 3.49-1.03 6.36-1.8-3.35-1.48-5.27-2.32-7.19-3.16 1.72-3.61 2.97-7.54 5.23-10.76 9.71-13.8 25.16-18.08 39.86-23.7 5.18-1.97 10.08-4.79 14.82-7.68 6.51-3.95 12.54-9.16 20.92-7.15 2.64.63 5.4 1.76 7.48 3.45 10.12 8.19 21.19 11.29 34.08 8.06 7.55-1.89 15.33-2.88 23.01-4.28l.12-2.04c-18.29-6.72-35.08-17.314-55-19.873-5.15-.658-10.05-3.122-15.18-3.887-13.31-1.997-24.83-8.916-37.4-12.915-1.24-.4-2.61-.473-3.78-1.002-1.71-.765-3.29-1.805-4.93-2.728 1.23-1.485 2.18-3.662 3.75-4.32 4.21-1.755 8.7-2.869 13.08-4.213 
3.12-.956 6.22-2.003 9.39-2.779 7.41-1.834 14.79-4.635 22.3-5.034 13.07-.698 25.43-3.319 37.59-8.083 12.12-4.748 17.48-2.082 22.15 10.057 4.66 12.122 12.62 20.273 25.48 23.828 17.47 4.821 34.91 9.861 52.1 15.61 10.17 3.403 19.82 8.359 28.72 12.199 8.15-19.641 16.78-40.235 25.22-60.896 2.04-5.006 4.15-10.153 4.98-15.429.64-4.034-.07-8.562-1.25-12.55-5.97-20.239-5.73-40.05 4.3-58.911 5.07-9.529 11.89-17.787 22.68-21.702 6.15-2.227 4.76-8.415 5.84-12.949 1.5-6.277-5.43-24.705-9.73-29.082-1.27 1.457-2.62 2.987-3.96 4.523-.47-.315-.93-5.389-1.4-5.698v-2.177l-2.49-.771c1.09-2.12-2.11-5.569-.87-7.999-1.58-1.052-1.24-.827-3.58-2.379 4.47-4.793-1.17-10.806-3.53-14.614-7-11.295-13.66-23.097-27.06-28.379-1.01-.399-2.07-1.113-2.71-1.98-6.33-8.499-16.3-12.251-24.11-18.765-5.75-4.781-11.43-9.838-16.17-15.576-13.01-15.761-28.28-28.446-46.77-37.283-18.75-8.949-35.32-21.336-52.3-33.137-8.05-5.586-17.29-9.889-26.56-13.118-5.58-1.94-12.27-.99-18.46-.81-6.28.18-10.28-1.62-11.62-8.466-.92-4.657-3.43-8.977-4.85-13.562-3.66-11.857 2.82-15.334 11.67-17.736 11.73-3.178 17.93 4.067 23.86 10.885 10 11.515 22.61 18.298 36.5 23.316 16.04 5.794 32.24 11.126 48.17 17.168 6.44 2.441 12.36 6.232 18.43 9.354.11-6.553-4.69-11.812-12.58-13.556-9.01-1.992-10.4-2.903-10.31-11.459.05-4.398-1.71-6.913-4.66-8.955-4.92-3.414-9.93-6.84-15.27-9.512-14.02-7.009-27.62-14.541-38.61-26.016-15.4-16.076-34.74-26.899-52.73-39.522-4.24-2.975-8.95-5.49-13.78-7.335-2.36-.894-5.96-.602-8.18.63-4.9 2.729-9.31 6.329-13.84 9.687-3.11 2.312-6.09 2.722-9.16.017-3.49-3.049-7.03-6.042-10.5-9.113-6.85-6.063-6.08-11.621 1.35-15.446-.79-2.621-2.66-6.829-2.05-7.234 2.76-1.805 6.41-3.78 9.41-3.364 5.04.704 9.42.315 14.24-1.302 3.09-1.04 7.27-.675 10.39.529 7.67 2.948 14.9 7.007 22.5 10.142 12.1 5.001 24.23 10.001 36.59 14.305 18.72 6.519 35.92 15.874 53.3 25.307 16.12 8.758 27.22 23.428 42.89 32.299 1.97 1.119 5.32 3.178 6.04 2.543 3.15-2.768 6.37-6.053 7.87-9.827l6.72 1.797z"/></svg>

BIN
xml/graphics/logo_large.png Normal file

BIN
xml/graphics/screenshot.jpg Normal file


@@ -0,0 +1,2 @@
# non-findings
Contains all non-findings in XML format. Note that you can always get the most up-to-date boilerplate non-findings from the *ROS pentesters library*.

2
xml/notes/README.md Normal file

@@ -0,0 +1,2 @@
# notes
This folder holds all email correspondence and other notes

484
xml/rosbot/fop.conf Normal file

@@ -0,0 +1,484 @@
<?xml version="1.0"?>
<!-- $Id: fop.xconf 1616312 2014-08-06 19:19:31Z gadams $ -->
<!--
This is an example configuration file for FOP.
This file contains the same settings as the default values
and will have no effect if used unchanged.
Relative config url's will be resolved relative to
the location of this file.
-->
<!-- NOTE: This is the version of the configuration -->
<fop version="1.1">
<base>.</base>
<font-base>.</font-base>
<!-- Source resolution in dpi (dots/pixels per inch) for determining the size of pixels in SVG and bitmap images, default: 72dpi -->
<source-resolution>72</source-resolution>
<!-- Target resolution in dpi (dots/pixels per inch) for specifying the target resolution for generated bitmaps, default: 72dpi -->
<target-resolution>72</target-resolution>
<!-- Default page-height and page-width, in case value is specified as auto -->
<default-page-settings height="29.7cm" width="21cm"/>
<!-- Information for specific renderers -->
<!-- Uses renderer mime type for renderers -->
<renderers>
<renderer mime="application/pdf">
<filterList>
<!-- provides compression using zlib flate (default is on) -->
<value>flate</value>
<!-- encodes binary data into printable ascii characters (default off)
This provides about a 4:5 expansion of data size -->
<!-- <value>ascii-85</value> -->
<!-- encodes binary data with hex representation (default off)
This filter is not recommended as it doubles the data size -->
<!-- <value>ascii-hex</value> -->
</filterList>
<fonts>
<!-- embedded fonts -->
<!--
This information must exactly match the font specified
in the fo file. Otherwise it will use a default font.
For example,
<fo:inline font-family="Arial" font-weight="bold" font-style="normal">
Arial-normal-normal font
</fo:inline>
for the font triplet specified by:
<font-triplet name="Arial" style="normal" weight="bold"/>
If you do not want to embed the font in the pdf document
then do not include the "embed-url" attribute.
The font will be needed where the document is viewed
for it to be displayed properly.
possible styles: normal | italic | oblique | backslant
possible weights: normal | bold | 100 | 200 | 300 | 400
| 500 | 600 | 700 | 800 | 900
(normal = 400, bold = 700)
-->
<!--
<font metrics-url="arial.xml" kerning="yes" embed-url="arial.ttf">
<font-triplet name="Arial" style="normal" weight="normal"/>
<font-triplet name="ArialMT" style="normal" weight="normal"/>
</font>
<font metrics-url="arialb.xml" kerning="yes" embed-url="arialb.ttf">
<font-triplet name="Arial" style="normal" weight="bold"/>
<font-triplet name="ArialMT" style="normal" weight="bold"/>
</font>
-->
<!--
<directory recursive="true">/Library/Fonts/</directory>
-->
<font kerning="yes" embed-url="LiberationSansNarrow-Regular-webfont.ttf">
<font-triplet name="LiberationSansNarrow" style="normal" weight="normal"/>
</font>
<font kerning="yes" embed-url="LiberationSansNarrow-Bold.ttf">
<font-triplet name="LiberationSansNarrow" style="normal" weight="bold"/>
</font>
<font kerning="yes" embed-url="LiberationSansNarrow-Italic.ttf">
<font-triplet name="LiberationSansNarrow" style="italic" weight="normal"/>
</font>
<font kerning="yes" embed-url="LiberationSansNarrow-BoldItalic.ttf">
<font-triplet name="LiberationSansNarrow" style="italic" weight="bold"/>
</font>
<font kerning="yes" embed-url="LiberationMono-Regular.ttf">
<font-triplet name="LiberationMono" style="normal" weight="normal"/>
</font>
<font kerning="yes" embed-url="LiberationMono-Bold.ttf">
<font-triplet name="LiberationMono" style="normal" weight="bold"/>
</font>
<font kerning="yes" embed-url="LiberationMono-Italic.ttf">
<font-triplet name="LiberationMono" style="italic" weight="normal"/>
</font>
<font kerning="yes" embed-url="LiberationMono-BoldItalic.ttf">
<font-triplet name="LiberationMono" style="italic" weight="bold"/>
</font>
</fonts>
</renderer>
<renderer mime="application/x-afp">
<!--
The bit depth and type of images produced
(this is the default setting)
-->
<images mode="b+w" bits-per-pixel="8"/>
<renderer-resolution>240</renderer-resolution>
<line-width-correction>2.5</line-width-correction>
<resource-group-file>resources.afp</resource-group-file>
<fonts>
<!--
Below is an example using raster font configuration using FOP builtin base-14 font metrics.
for Times Roman, Helvetica and Courier.
Depending on AFP raster and outline font availability on your installation you will
most likely need to modify the configuration provided below.
See http://xmlgraphics.apache.org/fop/trunk/output.html#afp-configuration
for details of FOP configuration for AFP
-->
<!-- Times Roman -->
<font>
<afp-font name="Times Roman" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0N20060" base14-font="TimesRoman"/>
<afp-raster-font size="7" characterset="C0N20070" base14-font="TimesRoman"/>
<afp-raster-font size="8" characterset="C0N20080" base14-font="TimesRoman"/>
<afp-raster-font size="9" characterset="C0N20090" base14-font="TimesRoman"/>
<afp-raster-font size="10" characterset="C0N20000" base14-font="TimesRoman"/>
<afp-raster-font size="11" characterset="C0N200A0" base14-font="TimesRoman"/>
<afp-raster-font size="12" characterset="C0N200B0" base14-font="TimesRoman"/>
<afp-raster-font size="14" characterset="C0N200D0" base14-font="TimesRoman"/>
<afp-raster-font size="16" characterset="C0N200F0" base14-font="TimesRoman"/>
<afp-raster-font size="18" characterset="C0N200H0" base14-font="TimesRoman"/>
<afp-raster-font size="20" characterset="C0N200J0" base14-font="TimesRoman"/>
<afp-raster-font size="24" characterset="C0N200N0" base14-font="TimesRoman"/>
<afp-raster-font size="30" characterset="C0N200T0" base14-font="TimesRoman"/>
<afp-raster-font size="36" characterset="C0N200Z0" base14-font="TimesRoman"/>
</afp-font>
<font-triplet name="Times" style="normal" weight="normal"/>
<font-triplet name="TimesRoman" style="normal" weight="normal"/>
<font-triplet name="Times Roman" style="normal" weight="normal"/>
<font-triplet name="Times-Roman" style="normal" weight="normal"/>
<font-triplet name="Times New Roman" style="normal" weight="normal"/>
<font-triplet name="TimesNewRoman" style="normal" weight="normal"/>
<font-triplet name="serif" style="normal" weight="normal"/>
</font>
<!-- Times Roman Italic -->
<font>
<afp-font name="Times Roman Italic" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0N30060" base14-font="TimesItalic"/>
<afp-raster-font size="7" characterset="C0N30070" base14-font="TimesItalic"/>
<afp-raster-font size="8" characterset="C0N30080" base14-font="TimesItalic"/>
<afp-raster-font size="9" characterset="C0N30090" base14-font="TimesItalic"/>
<afp-raster-font size="10" characterset="C0N30000" base14-font="TimesItalic"/>
<afp-raster-font size="11" characterset="C0N300A0" base14-font="TimesItalic"/>
<afp-raster-font size="12" characterset="C0N300B0" base14-font="TimesItalic"/>
<afp-raster-font size="14" characterset="C0N300D0" base14-font="TimesItalic"/>
<afp-raster-font size="16" characterset="C0N300F0" base14-font="TimesItalic"/>
<afp-raster-font size="18" characterset="C0N300H0" base14-font="TimesItalic"/>
<afp-raster-font size="20" characterset="C0N300J0" base14-font="TimesItalic"/>
<afp-raster-font size="24" characterset="C0N300N0" base14-font="TimesItalic"/>
<afp-raster-font size="30" characterset="C0N300T0" base14-font="TimesItalic"/>
<afp-raster-font size="36" characterset="C0N300Z0" base14-font="TimesItalic"/>
</afp-font>
<font-triplet name="Times" style="italic" weight="normal"/>
<font-triplet name="TimesRoman" style="italic" weight="normal"/>
<font-triplet name="Times Roman" style="italic" weight="normal"/>
<font-triplet name="Times-Roman" style="italic" weight="normal"/>
<font-triplet name="Times New Roman" style="italic" weight="normal"/>
<font-triplet name="TimesNewRoman" style="italic" weight="normal"/>
<font-triplet name="serif" style="italic" weight="normal"/>
</font>
<!-- Times Roman Bold -->
<font>
<afp-font name="Times Roman Bold" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0N40060" base14-font="TimesBold"/>
<afp-raster-font size="7" characterset="C0N40070" base14-font="TimesBold"/>
<afp-raster-font size="8" characterset="C0N40080" base14-font="TimesBold"/>
<afp-raster-font size="9" characterset="C0N40090" base14-font="TimesBold"/>
<afp-raster-font size="10" characterset="C0N40000" base14-font="TimesBold"/>
<afp-raster-font size="11" characterset="C0N400A0" base14-font="TimesBold"/>
<afp-raster-font size="12" characterset="C0N400B0" base14-font="TimesBold"/>
<afp-raster-font size="14" characterset="C0N400D0" base14-font="TimesBold"/>
<afp-raster-font size="16" characterset="C0N400F0" base14-font="TimesBold"/>
<afp-raster-font size="18" characterset="C0N400H0" base14-font="TimesBold"/>
<afp-raster-font size="20" characterset="C0N400J0" base14-font="TimesBold"/>
<afp-raster-font size="24" characterset="C0N400N0" base14-font="TimesBold"/>
<afp-raster-font size="30" characterset="C0N400T0" base14-font="TimesBold"/>
<afp-raster-font size="36" characterset="C0N400Z0" base14-font="TimesBold"/>
</afp-font>
<font-triplet name="Times" style="normal" weight="bold"/>
<font-triplet name="TimesRoman" style="normal" weight="bold"/>
<font-triplet name="Times Roman" style="normal" weight="bold"/>
<font-triplet name="Times-Roman" style="normal" weight="bold"/>
<font-triplet name="Times New Roman" style="normal" weight="bold"/>
<font-triplet name="TimesNewRoman" style="normal" weight="bold"/>
<font-triplet name="serif" style="normal" weight="bold"/>
</font>
<!-- Times Roman Italic Bold -->
<font>
<afp-font name="Times Roman Italic Bold" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0N50060" base14-font="TimesBoldItalic"/>
<afp-raster-font size="7" characterset="C0N50070" base14-font="TimesBoldItalic"/>
<afp-raster-font size="8" characterset="C0N50080" base14-font="TimesBoldItalic"/>
<afp-raster-font size="9" characterset="C0N50090" base14-font="TimesBoldItalic"/>
<afp-raster-font size="10" characterset="C0N50000" base14-font="TimesBoldItalic"/>
<afp-raster-font size="11" characterset="C0N500A0" base14-font="TimesBoldItalic"/>
<afp-raster-font size="12" characterset="C0N500B0" base14-font="TimesBoldItalic"/>
<afp-raster-font size="14" characterset="C0N500D0" base14-font="TimesBoldItalic"/>
<afp-raster-font size="16" characterset="C0N500F0" base14-font="TimesBoldItalic"/>
<afp-raster-font size="18" characterset="C0N500H0" base14-font="TimesBoldItalic"/>
<afp-raster-font size="20" characterset="C0N500J0" base14-font="TimesBoldItalic"/>
<afp-raster-font size="24" characterset="C0N500N0" base14-font="TimesBoldItalic"/>
<afp-raster-font size="30" characterset="C0N500T0" base14-font="TimesBoldItalic"/>
<afp-raster-font size="36" characterset="C0N500Z0" base14-font="TimesBoldItalic"/>
</afp-font>
<font-triplet name="Times" style="italic" weight="bold"/>
<font-triplet name="TimesRoman" style="italic" weight="bold"/>
<font-triplet name="Times Roman" style="italic" weight="bold"/>
<font-triplet name="Times-Roman" style="italic" weight="bold"/>
<font-triplet name="Times New Roman" style="italic" weight="bold"/>
<font-triplet name="TimesNewRoman" style="italic" weight="bold"/>
<font-triplet name="serif" style="italic" weight="bold"/>
</font>
<!-- Helvetica -->
<font>
<afp-font name="Helvetica" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0H20060" base14-font="Helvetica"/>
<afp-raster-font size="7" characterset="C0H20070" base14-font="Helvetica"/>
<afp-raster-font size="8" characterset="C0H20080" base14-font="Helvetica"/>
<afp-raster-font size="9" characterset="C0H20090" base14-font="Helvetica"/>
<afp-raster-font size="10" characterset="C0H20000" base14-font="Helvetica"/>
<afp-raster-font size="11" characterset="C0H200A0" base14-font="Helvetica"/>
<afp-raster-font size="12" characterset="C0H200B0" base14-font="Helvetica"/>
<afp-raster-font size="14" characterset="C0H200D0" base14-font="Helvetica"/>
<afp-raster-font size="16" characterset="C0H200F0" base14-font="Helvetica"/>
<afp-raster-font size="18" characterset="C0H200H0" base14-font="Helvetica"/>
<afp-raster-font size="20" characterset="C0H200J0" base14-font="Helvetica"/>
<afp-raster-font size="24" characterset="C0H200N0" base14-font="Helvetica"/>
<afp-raster-font size="30" characterset="C0H200T0" base14-font="Helvetica"/>
<afp-raster-font size="36" characterset="C0H200Z0" base14-font="Helvetica"/>
</afp-font>
<font-triplet name="Helvetica" style="normal" weight="normal"/>
<font-triplet name="Arial" style="normal" weight="normal"/>
<font-triplet name="sans-serif" style="normal" weight="normal"/>
<font-triplet name="any" style="normal" weight="normal"/>
</font>
<!-- Helvetica Italic -->
<font>
<afp-font name="Helvetica Italic" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0H30060" base14-font="HelveticaOblique"/>
<afp-raster-font size="7" characterset="C0H30070" base14-font="HelveticaOblique"/>
<afp-raster-font size="8" characterset="C0H30080" base14-font="HelveticaOblique"/>
<afp-raster-font size="9" characterset="C0H30090" base14-font="HelveticaOblique"/>
<afp-raster-font size="10" characterset="C0H30000" base14-font="HelveticaOblique"/>
<afp-raster-font size="11" characterset="C0H300A0" base14-font="HelveticaOblique"/>
<afp-raster-font size="12" characterset="C0H300B0" base14-font="HelveticaOblique"/>
<afp-raster-font size="14" characterset="C0H300D0" base14-font="HelveticaOblique"/>
<afp-raster-font size="16" characterset="C0H300F0" base14-font="HelveticaOblique"/>
<afp-raster-font size="18" characterset="C0H300H0" base14-font="HelveticaOblique"/>
<afp-raster-font size="20" characterset="C0H300J0" base14-font="HelveticaOblique"/>
<afp-raster-font size="24" characterset="C0H300N0" base14-font="HelveticaOblique"/>
<afp-raster-font size="30" characterset="C0H300T0" base14-font="HelveticaOblique"/>
<afp-raster-font size="36" characterset="C0H300Z0" base14-font="HelveticaOblique"/>
</afp-font>
<font-triplet name="Helvetica" style="italic" weight="normal"/>
<font-triplet name="Arial" style="italic" weight="normal"/>
<font-triplet name="sans-serif" style="italic" weight="normal"/>
</font>
<!-- Helvetica (Semi) Bold -->
<font>
<afp-font name="Helvetica (Semi) Bold" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0H40060" base14-font="HelveticaBold"/>
<afp-raster-font size="7" characterset="C0H40070" base14-font="HelveticaBold"/>
<afp-raster-font size="8" characterset="C0H40080" base14-font="HelveticaBold"/>
<afp-raster-font size="9" characterset="C0H40090" base14-font="HelveticaBold"/>
<afp-raster-font size="10" characterset="C0H40000" base14-font="HelveticaBold"/>
<afp-raster-font size="11" characterset="C0H400A0" base14-font="HelveticaBold"/>
<afp-raster-font size="12" characterset="C0H400B0" base14-font="HelveticaBold"/>
<afp-raster-font size="14" characterset="C0H400D0" base14-font="HelveticaBold"/>
<afp-raster-font size="16" characterset="C0H400F0" base14-font="HelveticaBold"/>
<afp-raster-font size="18" characterset="C0H400H0" base14-font="HelveticaBold"/>
<afp-raster-font size="20" characterset="C0H400J0" base14-font="HelveticaBold"/>
<afp-raster-font size="24" characterset="C0H400N0" base14-font="HelveticaBold"/>
<afp-raster-font size="30" characterset="C0H400T0" base14-font="HelveticaBold"/>
<afp-raster-font size="36" characterset="C0H400Z0" base14-font="HelveticaBold"/>
</afp-font>
<font-triplet name="Helvetica" style="normal" weight="bold"/>
<font-triplet name="Arial" style="normal" weight="bold"/>
<font-triplet name="sans-serif" style="normal" weight="bold"/>
</font>
<!-- Helvetica Italic (Semi) Bold -->
<font>
<afp-font name="Helvetica Italic (Semi) Bold" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0H50060" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="7" characterset="C0H50070" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="8" characterset="C0H50080" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="9" characterset="C0H50090" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="10" characterset="C0H50000" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="11" characterset="C0H500A0" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="12" characterset="C0H500B0" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="14" characterset="C0H500D0" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="16" characterset="C0H500F0" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="18" characterset="C0H500H0" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="20" characterset="C0H500J0" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="24" characterset="C0H500N0" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="30" characterset="C0H500T0" base14-font="HelveticaBoldOblique"/>
<afp-raster-font size="36" characterset="C0H500Z0" base14-font="HelveticaBoldOblique"/>
</afp-font>
<font-triplet name="Helvetica" style="italic" weight="bold"/>
<font-triplet name="Arial" style="italic" weight="bold"/>
<font-triplet name="sans-serif" style="italic" weight="bold"/>
</font>
<!-- Courier -->
<font>
<afp-font name="Courier" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0420060" base14-font="Courier"/>
<afp-raster-font size="7" characterset="C0420070" base14-font="Courier"/>
<afp-raster-font size="8" characterset="C0420080" base14-font="Courier"/>
<afp-raster-font size="9" characterset="C0420090" base14-font="Courier"/>
<afp-raster-font size="10" characterset="C0420000" base14-font="Courier"/>
<afp-raster-font size="11" characterset="C04200A0" base14-font="Courier"/>
<afp-raster-font size="12" characterset="C04200B0" base14-font="Courier"/>
<afp-raster-font size="14" characterset="C04200D0" base14-font="Courier"/>
<afp-raster-font size="16" characterset="C04200F0" base14-font="Courier"/>
<afp-raster-font size="18" characterset="C04200H0" base14-font="Courier"/>
<afp-raster-font size="20" characterset="C04200J0" base14-font="Courier"/>
<afp-raster-font size="24" characterset="C04200N0" base14-font="Courier"/>
<afp-raster-font size="30" characterset="C04200T0" base14-font="Courier"/>
<afp-raster-font size="36" characterset="C04200Z0" base14-font="Courier"/>
</afp-font>
<font-triplet name="Courier" style="normal" weight="normal"/>
<font-triplet name="monospace" style="normal" weight="normal"/>
</font>
<!-- Courier Italic -->
<font>
<afp-font name="Courier Italic" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0430060" base14-font="CourierOblique"/>
<afp-raster-font size="7" characterset="C0430070" base14-font="CourierOblique"/>
<afp-raster-font size="8" characterset="C0430080" base14-font="CourierOblique"/>
<afp-raster-font size="9" characterset="C0430090" base14-font="CourierOblique"/>
<afp-raster-font size="10" characterset="C0430000" base14-font="CourierOblique"/>
<afp-raster-font size="11" characterset="C04300A0" base14-font="CourierOblique"/>
<afp-raster-font size="12" characterset="C04300B0" base14-font="CourierOblique"/>
<afp-raster-font size="14" characterset="C04300D0" base14-font="CourierOblique"/>
<afp-raster-font size="16" characterset="C04300F0" base14-font="CourierOblique"/>
<afp-raster-font size="18" characterset="C04300H0" base14-font="CourierOblique"/>
<afp-raster-font size="20" characterset="C04300J0" base14-font="CourierOblique"/>
<afp-raster-font size="24" characterset="C04300N0" base14-font="CourierOblique"/>
<afp-raster-font size="30" characterset="C04300T0" base14-font="CourierOblique"/>
<afp-raster-font size="36" characterset="C04300Z0" base14-font="CourierOblique"/>
</afp-font>
<font-triplet name="Courier" style="italic" weight="normal"/>
<font-triplet name="monospace" style="italic" weight="normal"/>
</font>
<!-- Courier Bold -->
<font>
<afp-font name="Courier Bold" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0440060" base14-font="CourierBold"/>
<afp-raster-font size="7" characterset="C0440070" base14-font="CourierBold"/>
<afp-raster-font size="8" characterset="C0440080" base14-font="CourierBold"/>
<afp-raster-font size="9" characterset="C0440090" base14-font="CourierBold"/>
<afp-raster-font size="10" characterset="C0440000" base14-font="CourierBold"/>
<afp-raster-font size="11" characterset="C04400A0" base14-font="CourierBold"/>
<afp-raster-font size="12" characterset="C04400B0" base14-font="CourierBold"/>
<afp-raster-font size="14" characterset="C04400D0" base14-font="CourierBold"/>
<afp-raster-font size="16" characterset="C04400F0" base14-font="CourierBold"/>
<afp-raster-font size="18" characterset="C04400H0" base14-font="CourierBold"/>
<afp-raster-font size="20" characterset="C04400J0" base14-font="CourierBold"/>
<afp-raster-font size="24" characterset="C04400N0" base14-font="CourierBold"/>
<afp-raster-font size="30" characterset="C04400T0" base14-font="CourierBold"/>
<afp-raster-font size="36" characterset="C04400Z0" base14-font="CourierBold"/>
</afp-font>
<font-triplet name="Courier" style="normal" weight="bold"/>
<font-triplet name="monospace" style="normal" weight="bold"/>
</font>
<!-- Courier Italic Bold -->
<font>
<afp-font name="Courier Italic Bold" type="raster" codepage="T1V10500" encoding="Cp500">
<afp-raster-font size="6" characterset="C0450060" base14-font="CourierBoldOblique"/>
<afp-raster-font size="7" characterset="C0450070" base14-font="CourierBoldOblique"/>
<afp-raster-font size="8" characterset="C0450080" base14-font="CourierBoldOblique"/>
<afp-raster-font size="9" characterset="C0450090" base14-font="CourierBoldOblique"/>
<afp-raster-font size="10" characterset="C0450000" base14-font="CourierBoldOblique"/>
<afp-raster-font size="11" characterset="C04500A0" base14-font="CourierBoldOblique"/>
<afp-raster-font size="12" characterset="C04500B0" base14-font="CourierBoldOblique"/>
<afp-raster-font size="14" characterset="C04500D0" base14-font="CourierBoldOblique"/>
<afp-raster-font size="16" characterset="C04500F0" base14-font="CourierBoldOblique"/>
<afp-raster-font size="18" characterset="C04500H0" base14-font="CourierBoldOblique"/>
<afp-raster-font size="20" characterset="C04500J0" base14-font="CourierBoldOblique"/>
<afp-raster-font size="24" characterset="C04500N0" base14-font="CourierBoldOblique"/>
<afp-raster-font size="30" characterset="C04500T0" base14-font="CourierBoldOblique"/>
<afp-raster-font size="36" characterset="C04500Z0" base14-font="CourierBoldOblique"/>
</afp-font>
<font-triplet name="Courier" style="italic" weight="bold"/>
<font-triplet name="monospace" style="italic" weight="bold"/>
</font>
<!--
Configure double-byte (CID Keyed font (Type 0)) AFP fonts with type="CIDKeyed".
example:
<font>
<afp-font type="CIDKeyed" encoding="UnicodeBigUnmarked"
codepage="T1120000" characterset="CZJHMNU"
base-uri="fonts" />
<font-triplet name="J-Heisei Mincho" style="normal" weight="normal" />
</font>
-->
</fonts>
</renderer>
<renderer mime="application/postscript">
<!-- This option forces the PS renderer to rotate landscape pages -->
<!--auto-rotate-landscape>true</auto-rotate-landscape-->
<!-- This option lets you specify additional options on an XML handler -->
<!--xml-handler namespace="http://www.w3.org/2000/svg">
<stroke-text>false</stroke-text>
</xml-handler-->
</renderer>
<renderer mime="application/vnd.hp-PCL">
</renderer>
<!-- MIF does not have a renderer
<renderer mime="application/vnd.mif">
</renderer>
-->
<renderer mime="image/svg+xml">
<format type="paginated"/>
<link value="true"/>
<strokeText value="false"/>
</renderer>
<renderer mime="application/awt">
</renderer>
<renderer mime="image/png">
<!--transparent-page-background>true</transparent-page-background-->
</renderer>
<renderer mime="image/tiff">
<!--transparent-page-background>true</transparent-page-background-->
<!--compression>CCITT T.6</compression-->
</renderer>
<renderer mime="text/xml">
</renderer>
<!-- RTF does not have a renderer
<renderer mime="text/rtf">
</renderer>
-->
</renderers>
</fop>

104
xml/scripts/findings.py Normal file

@@ -0,0 +1,104 @@
#!/usr/bin/python3
import argparse
import os
import xml.etree.ElementTree as ET
def update_xml(filename, id):
"""
Adds/updates ids for 'appendix', 'finding' and 'non-finding' files according to their filenames.
E.g. filename = 'password_reuse.xml', then <finding id='password_reuse'>.
'appendix', 'finding' and 'non-finding' must be root tags.
:param filename: path + filename to the xml file (e.g. '/path/to/password_reuse.xml')
:param id: filename without extension (e.g. 'password_reuse')
:returns: xml type as str ('appendix', finding', 'non-finding') or None, if none of those three
"""
source_tree = ET.parse(filename)
root = source_tree.getroot()
if root is not None and root.tag in ('appendix', 'finding', 'non-finding'):
root.set('id', id)
else:
return
# write back to file
target_tree = ET.ElementTree(root)
with open(filename, 'wb') as f:
target_tree.write(f)
def get_xml_root_tag(filename):
"""
Returns the root tag of a file if it is either 'appendix', 'finding' or 'non-finding'.
:returns: xml type as str ('appendix', 'finding', 'non-finding') or None, if none of those three
"""
source_tree = ET.parse(filename)
root = source_tree.getroot()
if root is not None and root.tag in ('appendix', 'finding', 'non-finding'):
return root.tag
return
def generate_xiinclude(filename):
"""
Returns a valid xi:include links
:param filename: filename of the xml file to include
:returns: str <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="file" />
"""
return '<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="{0}" />'.format(filename)
def traverse_directory(dir):
"""
Traverse a directory and consider all '.xml' (notice lowercase) files.
:param dir: the directory to traverse
:returns: list of tuples. tuple[0] contains filename with path and extension, tuple[1] contains filename without path and extension
"""
filenames = []
for root, dirs, files in os.walk(dir):
for file in files:
name, ext = os.path.splitext(file)
if ext == '.xml':
filenames.append(('{0}/{1}'.format(root, file), name))
return filenames
def main():
# argparser for directory argument
argparser = argparse.ArgumentParser(description='Script to automatically edit findings/non-findings ids\' to their filenames.')
argparser.add_argument('directory', help='Directory to look for xml files')
argparser.add_argument('-l', '--list_only', help='Don\'t alter xml files, just print xi:include links', required=False, action='store_false')
args = argparser.parse_args()
files = traverse_directory(args.directory)
xiinclude = {
'appendix': [],
'finding': [],
'non-finding': [],
}
# iterate over files
for file in files:
if args.list_only:
update_xml(file[0], file[1])
xml_type = get_xml_root_tag(file[0])
if xml_type:
xiinclude[xml_type].append(generate_xiinclude(file[0]))
# format output
for xml in xiinclude:
print(xml)
for xml_type in xiinclude[xml]:
print(xml_type)
print()
print('Check if the paths are relative to your main report file.')
if __name__ == '__main__':
main()
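Review bot: `update_xml` writes every matching file back through `ET.ElementTree(root).write(f)`, which drops the `<?xml ...?>` declaration and every comment (ElementTree discards comments at parse time by default) and rewrites namespace prefixes such as `xi:` into `ns0:`; the finding and appendix templates in this same commit rely on instructional comments and `xi:include` elements, so running the script over a findings directory strips them. Pass `encoding='utf-8', xml_declaration=True` to `write`, call `ET.register_namespace('xi', 'http://www.w3.org/2001/XInclude')` before writing, and, on Python 3.8 or later, parse with `ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))` to keep the comments. Smaller points in the same hunk: `--list_only` is declared with `action='store_false'`, so `args.list_only` is True when the flag is absent and the update branch reads `if args.list_only: update_xml(...)`; it behaves as the help text says but reads inverted, and `action='store_true'` with `if not args.list_only:` would be clearer. `'{0}/{1}'.format(root, file)` should be `os.path.join(root, file)`, and the parameters `dir` and `id` shadow builtins.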


@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file contains all known information for this client. All elements are MANDATORY. If any piece of information is not available, leave the element empty -->
<!-- Example <invoice_rep></invoice_rep> -->
<client xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../dtd/offerte.xsd" id="client">
<full_name>Sitting Duck B.V.</full_name>
<!-- long client name, e.g. Sitting Duck B.V. -->
<short_name>Sitting Duck</short_name>
<!-- short client name, e.g. Sitting Duck; if no short name: same as long name -->
<legal_rep>I.M. Portant</legal_rep>
<!-- customer legal representative (to sign offer) -->
<waiver_rep>B.I.G. Wig</waiver_rep>
<!-- customer legal representative (to sign waiver; can be same person as legal_rep) -->
<poc1>Sir Knowsalot</poc1>
<!-- first point of contact for customer (during pentest); can be same person as above -->
<address>Reed Street 42</address>
<postal_code>0000</postal_code>
<city>Pond City</city>
<country>Amazonia</country>
<coc nationality="Dutch">9999999</coc>
<!-- chamber of commerce number; if no chamber of commerce number, please delete the whole element -->
<invoice_rep>D. Ollars</invoice_rep>
<invoice_mail>freemoney@sittingduck.com</invoice_mail>
<vat_no>0000000000B01</vat_no>
</client>
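Review bot: the header comment says all elements are mandatory and that missing information should be left as an empty element, but the comment under `<coc>` says to delete the whole element when there is no chamber of commerce number; the two rules contradict each other, and if `offerte.xsd` declares `coc` as required, deleting it will fail validation. Pick one rule and state it in both places. Also worth confirming that `../dtd/offerte.xsd` is the intended path, since it places an XSD under a `dtd` directory.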


@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="conclusion" xml:base="conclusion.xml" break="before">
<title>Conclusion</title>
</section>


@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="futurework" xml:base="futurework.xml" break="before">
<title>Future Work</title>
</section>

60
xml/source/quickscope.xml Normal file

@@ -0,0 +1,60 @@
<?xml version="1.0" encoding="UTF-8"?>
<quickscope xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xml="http://www.w3.org/XML/1998/namespace">
<!-- Today's date -->
<version date="2015-01-01"/>
<!-- YYYY-MM-DD -->
<!-- COMPANY INFO -->
<xi:include href="client_info.xml"/>
<!-- SERVICE INFO -->
<meta>
<!-- Language the offer should be in (en|nl) -->
<offer_language>en</offer_language>
<!-- Offer type (pentest|basic-scan|load-test|other) -->
<offer_type>pentest</offer_type>
<!-- Required service -->
<!-- Note: is only used when type is 'other', if offer_type is a specific type, service name will be taken from the localisation strings -->
<requested_service>penetration testing services</requested_service>
<!-- Which targets will need to be tested?
(one <target> element for each piece of software/service/server address/location...), delete/add as necessary -->
<targets>
<target></target>
<target></target>
</targets>
</meta>
<!-- Some information about any third parties involved with the software/service to be tested, if applicable.
If not applicable, delete the whole <third_party> element. If more parties are needed, add <third_party> elements -->
<third_party>
<full_name></full_name>
<short_name></short_name>
<!-- Name of the person who will need to sign the waiver for this vendor -->
<waiver_rep></waiver_rep>
<address></address>
<city></city>
<country></country>
</third_party>
<pentest_info>
<!-- How long would you like the test to be? (in days) -->
<days></days>
<!-- Service execution (Use one of the following values: time-boxed, subscription) -->
<nature>time-boxed</nature>
<!-- Testing type (Use one of the following values: crystal-box, black-box, grey-box) -->
<type>crystal-box</type>
<!-- Test planning (when would you like the test to be executed -->
<!-- Ideally something specific like 'December 7th - December 12th, 2015', but another description 'Beginning of December' is fine as well -->
<!-- do not start with a capital letter -->
<planning>TBD</planning>
<!-- Pentest report delivery date (please allow at least 1 week between the end of the pentest and the report delivery date) -->
<delivery>TBD</delivery>
<!-- Do you need/want a code audit? (possible values: yes/no), only for pentest -->
<codeaudit perform="yes"/>
<!-- Is there an application that needs to be tested? Type its name below. If not, please DELETE <application_name> element -->
<application_name></application_name>
<!-- rate (to be filled in by ROS ;) -->
<rate>0</rate>
</pentest_info>
</quickscope>
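Review bot: unlike client_info.xml, this file carries no `xsi:noNamespaceSchemaLocation`, so the value sets that are documented only in comments (`offer_language` en|nl, `offer_type` pentest|basic-scan|load-test|other, `nature`, `type`, `codeaudit perform`) are not validated anywhere and a typo will not be caught before the stylesheet runs. Either point this file at the schema as well or add the enumerations to it. Two smaller points: `xmlns:xml="http://www.w3.org/XML/1998/namespace"` is redundant, because the `xml` prefix is bound by definition and never needs declaring; and `<version date="2015-01-01"/>` is a plausible-looking placeholder that will ship on a real offer if nobody updates it, so an obviously invalid value (or a build-time check that the date is recent) is safer than a real date.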


@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="resultsinanutshell" xml:base="resultsinanutshell.xml">
<title>Results In A Nutshell</title>
</section>


@@ -0,0 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<company>
<full_name>Radically Open Security B.V.</full_name>
<short_name>ROS</short_name>
<legal_rep>Melanie Rieback</legal_rep><!-- ROS legal representative (to sign offerte) -->
<poc1>Melanie Rieback</poc1><!-- first point of contact for ROS -->
<address>Overdiemerweg 28</address>
<postal_code>1111 PP</postal_code>
<city>Diemen</city>
<country>The Netherlands</country>
<phone>+31 6 10 21 32 40</phone>
<email>info@radicallyopensecurity.com</email>
<website>www.radicallyopensecurity.com</website>
<coc>60628081</coc>
<vat_no>853989655B01</vat_no>
<iban>NL06 RABO 0188 2813 12</iban>
</company>


@@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<localised_strings>
<date>
<!-- Note: NOT IMPLEMENTED YET - date localisation requires some Saxon HE hacking and it isn't pretty -->
<format xml:lang="nl">[D1] [MNn] [Y]</format>
<format xml:lang="en">[MNn] [D1], [Y]</format>
</date>
<!-- THIS you can change/expand! -->
<string id="coverpage_offer">
<translation xml:lang="nl">OFFERTE</translation>
<translation xml:lang="en">OFFER</translation>
</string>
<string id="coverpage_service_pentest">
<translation xml:lang="nl">penetratietestdiensten</translation>
<translation xml:lang="en">penetration testing services</translation>
</string>
<string id="coverpage_service_pentest_short">
<translation xml:lang="nl">penetratietest</translation>
<translation xml:lang="en">penetration test</translation>
</string>
<string id="coverpage_service_basic-scan">
<translation xml:lang="nl">basis-securityscandiensten</translation>
<translation xml:lang="en">basic security scan services</translation>
</string>
<string id="coverpage_service_basic-scan">
<translation xml:lang="nl">basis-securityscan</translation>
<translation xml:lang="en">basic scan</translation>
</string>
<string id="coverpage_for">
<translation xml:lang="nl">VOOR</translation>
<translation xml:lang="en">FOR</translation>
</string>
<string id="qs2off_about">
<translation xml:lang="nl">Over <client_short/></translation>
<translation xml:lang="en">About <client_short/></translation>
</string>
<string id="qs2off_infrastructure">
<translation xml:lang="nl">Infrastructuur</translation>
<translation xml:lang="en">Infrastructure</translation>
</string>
<string id="qs2off_reach">
<translation xml:lang="nl">Reikwijdte <company_svc_short/></translation>
<translation xml:lang="en">Reach of <company_svc_short/></translation>
</string>
<string id="waiver_signed">
<translation xml:lang="nl">Getekend</translation>
<translation xml:lang="en">Signed</translation>
</string>
<string id="waiver_signed_on">
<translation xml:lang="nl">op</translation>
<translation xml:lang="en">on</translation>
</string>
<string id="waiver_signed_in">
<translation xml:lang="nl">in</translation>
<translation xml:lang="en">in</translation>
</string>
<string id="waiver_signed_by">
<translation xml:lang="nl">door</translation>
<translation xml:lang="en">by</translation>
</string>
<string id="waiver_signed_for">
<translation xml:lang="nl">namens</translation>
<translation xml:lang="en">for</translation>
</string>
</localised_strings>
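Review bot: `string id="coverpage_service_basic-scan"` is declared twice, and the second block (translations 'basis-securityscan' / 'basic scan') directly follows the first; with duplicate ids a lookup by id resolves to the first block only, so the short form is never used. Following the pentest pair above it, the second block should be `coverpage_service_basic-scan_short`. Also, quickscope.xml lists `load-test` as a possible `offer_type`, but there is no `coverpage_service_load-test` string here, so that type resolves to no service name.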


@@ -0,0 +1,42 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>About <company_long/></title>
<p><company_long/> is the world's first not-for-profit computer security consultancy.
We operate under an innovative new business model whereby we use a Dutch fiscal
entity, called a “Fiscaal Fondswervende Instelling” (Fiscal Fund raising Institution),
as a commercial front-end to send 90% of our profits, tax-free, to a not-for-profit
foundation, Stichting NL net. The NLnet Foundation has supported open-source,
digital rights, and Internet research for almost 20 years.</p>
<p>In contrast to other organizations, our profits do not benefit shareholders,
investors, or founders. Our profits benefit society. As an
organization without a profit-motive, we recruit top-name, ethical security
experts and find like-minded customers that want to use their IT security
budget as a "vote" to support socially responsible entrepreneurship. The rapid
pace of our current growth reflects the positive response the market has to our
idealistic philosophy and innovative business model.</p>
<p><company_long/> has a number of values that we describe as our
“Core Principles.” These are:</p>
<ul>
<li><b>No sketchy stuff</b><br/>
We don't build surveillance systems, hack activists, sell exploits to
intelligence agencies, or anything of the sort. If a job is even remotely
morally questionable, we simply won't do it.</li>
<li><b>Open-Source</b><br/>
Releasing ALL tools and frameworks, we build as open-source on our website.</li>
<li><b>Teach to fish</b><br/>
During engagements, we will not only share our results with your company,
but also provide a step-by-step description of how to perform the same
audit or procedure without us. We want to demystify what we're doing.
It's not rocket science, and we genuinely want to help your company
improve its security posture, even if it costs us repeat business.</li>
<li><b>IoCs for free</b><br/>Releasing ALL collected threat intelligence
(Indicators of Compromise) into an open-source database that everyone can freely use.
(Sanitized in agreement with customers.)</li>
<li><b>Zero days</b><br/>
We don't sell zero-days - we responsibly disclose them!</li>
</ul>
<p>For more information about <company_long/>, we refer you to our website:
<a href="http://www.radicallyopensecurity.com">www.radicallyopensecurity.com</a>.</p>
</section>
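Review bot: 'Stichting NL net' and 'The NLnet Foundation' in the following sentence spell the same name two ways; use 'NLnet' in both. In the Open-Source bullet the comma is misplaced: 'Releasing ALL tools and frameworks we build as open-source on our website.'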


@@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="blackboxing">
<title>The Black-Box Pentesting Method</title>
<p>
<!--snippet -->Crystal-Box vs. Black-Box pentesting refers to the amount of information
about the target environment, architecture, and/or applications that the customer
initially shares with the pentesters. With Black-Box testing, pentesters
are given no information whatsoever about the target(s). With Crystal-Box testing,
pentesters are given all information requested about the target(s), including
source code (when relevant), access to developers or system management, etc..
<br />
<br />
In this case <company_short/> will conduct a black-Box test.
</p>
</section>
<!-- end of template -->
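Review bot: the closing sentence reads 'a black-Box test' with inconsistent capitalisation, and 'etc..' ends with a doubled full stop. The paragraph break is made with two `<br />` elements where the other sections (and crystalbox.xml in this same commit) use a second `<p>`. The definitional first paragraph is also the same text as the first paragraph of crystalbox.xml; a shared snippet would keep the two copies from drifting apart.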


@@ -0,0 +1,40 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Code Audit</title>
<p><company_short/> will perform a code audit to aid pentesting. During a
code audit, we manually examine the code of an application to ensure there
are no security vulnerabilities and use our understanding of the code to
guide our pentesting. If vulnerabilities are found, we document those and
suggest ways to fix them. This is done by highly-trained penetration testers
who can both review the raw code as well as interpret the findings of the
automated scans, putting them into context.</p>
<p>During the code audit portion of penetration tests, we take the following
criteria into account:</p>
<ol>
<li>Risk Assessment and "Threat Modeling"<br/>
In this step, we analyze the risks of a particular application or system.
Threat Modeling is a specific, structured approach to risk analysis that
enables us to identify, qualify, and address the security risks, thus
dovetailing with the Code Review process. For example, user data is
sacred. We focus on encrypted storage, discover if <client_short/> employees
have a backdoor into data, and cut loose stolen devices by wiping them
remotely and revoking accounts.</li>
<li>Purpose and Context<br/>
Here we focus on risks, especially in the quick and easy sharing of
internal documents and itineraries. Account details aren't so secret
when we know who will be in meetings, but what's being discussed is secret.</li>
<li>Complexity<br/>
The complexity of the system is in the frameworks that support the web
application. We'd ignore those and focus only on the custom code and
backend code. We would also
focus on implementation mistakes and known flaws in the systems. For
example, we'd ensure you're using the latest versions of software,
but we wouldn't delve into the framework itself. Since we assume the
code is written by a team, it should be clearly-written code. If you have
several full-release versions, there will undoubtedly be several revisions
and audits on that code.</li>
</ol>
<p>For more information, please refer to this link:
<a href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents</a></p>
</section>
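Review bot: the three numbered criteria contain engagement-specific wording that does not belong in a generic template: 'quick and easy sharing of internal documents and itineraries', 'who will be in meetings', and 'cut loose stolen devices by wiping them remotely and revoking accounts' read as copied from one client's threat model, and will describe a scenario that does not apply to the next <client_short/>. Rewrite them as generic descriptions of what the risk assessment, context analysis and complexity review look at, or move them into a per-engagement snippet. Minor: 'clearly-written code' needs no hyphen.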


@@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Terms and Conditions</title>
<!-- snippet --><p><company_short/> will only perform the <company_svc_short/>
if it has obtained the permission from <generate_permission_parties/>
as set out in the penetration testing waiver, attached as <b>Annex 2</b>,
or provided in a separate document.</p>
<p><company_short/> performs this assignment on the basis of its general
terms and conditions, which are attached to this offer as Annex 1.
<company_short/> rejects any general terms and conditions used by
<client_short/>.</p>
<p>In order to agree to this offer, please sign this letter in duplicate
and return it to:</p>
<contact>
<name><company_legal_rep/></name>
<address><company_long/><br/>Overdiemerweg 28<br/>1111 PP Diemen</address>
<email>melanie@radicallyopensecurity.com</email>
</contact>
<generate_offer_signature_box/>
</section>
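Review bot: the `<contact>` block hard-codes the postal address and a personal mailbox (melanie@radicallyopensecurity.com) next to a `<company_legal_rep/>` placeholder for the name; the same address is already in the company info file in this commit, so the two will diverge the first time either changes. Use placeholders for the address and e-mail as well (or generate them from the company info), and consider a role address rather than a personal one as the return address for signed offers.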


@@ -0,0 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--snippet -->
<section id="crystalboxing">
<title>The Crystal-Box Pentesting Method</title>
<p>
Crystal-box vs. black-box pentesting refers to the amount of information about the target environment, architecture, and/or applications the customer initially shares with the pentesters. With black-box testing, pentesters are given no information whatsoever about the target(s). With crystal-box testing, pentesters are given all information requested about the target(s), including source-code (when relevant), access to developers or system management, etc.
</p>
<p>
<company_short/> will conduct crystal-box pentesting, which is the preferred
method. Unlike real-world attackers who have all of the time in the world,
penetration testing tends to happen within a limited time frame. Crystal-box
pentesting allows us to make the most efficient use of the time allotted, thus
maximizing the number of vulnerabilities that can be found. Additionally
crystal-box pentesting fits naturally hand-in-hand with the "Peek Over Our Shoulder" option that <company_short/> offers to <client_short/>.
</p>
</section>
<!-- end of template -->
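Review bot: 'Additionally crystal-box pentesting' needs a comma after 'Additionally', and the `<!--snippet -->` marker sits before the `<section>` element here but inside the `<p>` in blackboxing.xml; if a tool looks for that marker, the two files should place it the same way.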


@@ -0,0 +1,25 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Disclaimer</title>
<p>It is possible that in the course of the penetration testing, <company_short/>
might hinder the operations of the Targets or cause damage to the Targets.
<client_short/> gives permission for this, to the extent that <company_short/>
does not act negligent or recklessly. <client_short/> also warrants it has the
authority to give such permission.</p>
<p>It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is
secure. <company_short/>, instead, has an obligation to make reasonable
efforts (in Dutch: “<i>inspanningsverplichting</i>”) to perform the
agreed services.</p>
<p><company_short/> and <client_short/> agree to take reasonable measures to
maintain the confidentiality of information and personal data they gain
access to in the course of performing the penetration test within the
Targets. Both parties will use the information and data they receive or
access only for the purposes outlined in this agreement.
<company_short/> warrants that all core-team members, external freelancers,
and volunteers it engages to perform the penetration test have signed a
non-disclosure agreement (NDA). </p>
</section>
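Review bot: 'does not act negligent or recklessly' should read 'does not act negligently or recklessly'. 'Targets' is used as a capitalised defined term in all three paragraphs, but the definition ('the “Targets”') only appears in the waiver annex further down; the offer section should either define it or point to the annex. Minor: stray space before `</p>` after '(NDA).'.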


@@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- snippet --><p>Based on the information provided, we expect
this to be an <p_duration/>-day engagement. The planning of this engagement
is as follows:</p>
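Review bot: "an <p_duration/>-day engagement" only reads correctly when the substituted number starts with a vowel sound ("an 8-day", but "a 5-day"), and the project overview snippet uses "a <p_duration/>-day" for the same placeholder, so one of the two is always wrong. Rephrasing to avoid the article ("we expect this engagement to take <p_duration/> days") fixes both.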

View File

@@ -0,0 +1,93 @@
<section id="waiver-example">
<title>ANNEX 2 Example Pentest Waiver</title>
<p><b><i>(Full Client Name)</i> (“<i>(Client)</i>”)</b>, with its registered
office at Somestreet, Somecity, Earth,
Milkyway, and duly represented by <i>(Client's CISO)</i></p>
<p><b>WHEREAS:</b></p>
<p>A. <i>(Client)</i> wants some of its systems tested, <company_long/>
(“<company_short/>”) has offered to perform such testing for <i>(Client)</i>
and <i>(Client)</i> has accepted this offer. The assignment will be performed
by <company_short/>'s core-team members, external freelancers, and/or volunteers
(the “Consultants”).</p>
<p>B. Some of the activities performed by <company_short/> and the Consultants
during the course of this assignment could be considered illegal, unless
<i>(Client)</i> has given permission for these activities. <company_short/>
and the Consultant will only perform such activities if they have received the
required permission.</p>
<p>C. <i>(Client)</i> is willing to give such permission to <company_short/>,
the Consultants, and any other person <company_short/> might employ
or engage for the assignment.</p>
<p><b>DECLARES AS FOLLOWS:</b></p>
<p>1. <i>(Client)</i> is aware that <company_short/> will perform penetration
testing services on the <i>(Client)</i>'s following systems, as
described below. The services are intended to gain insight in the security of
these systems. To do so, <company_short/> will access these systems, attempt to
find vulnerabilities, and gain further access and elevated privileges by
exploiting any vulnerabilities found. <company_short/> will test the following
targets (the “Targets”):
<ul>
<li>Target system</li>
</ul>
</p>
<p>2. <i>(Client)</i> hereby grants <company_short/> and the Consultants on a
date to be confirmed by email the broadest permission
possible to perform the assignment, including the permission to:</p>
<p>a. enter and use the Targets;</p>
<p>b. circumvent, breach, remove, and turn off any security measures protecting
the Targets;</p>
<p>c. copy, intercept, record, amend, delete, and render unusable or inaccessible
any data stored on, processed by, or transferred via the Targets; and</p>
<p>d. hinder the access or use of the Targets,</p>
<p>but <i>(Client)</i> only grants the permission for these activities to the
extent that (i) such activities are necessary to perform the assignment and
(ii) such activities do not disrupt the normal business operations of <i>(Client)</i>.</p>
<p>3. The permission under Article 1 extends to all systems on which the Targets
run, or which <company_short/> or the Consultant might encounter while performing
the assignment, regardless of whether these systems are owned by third parties.</p>
<p>4. <i>(Client)</i> warrants that it has the legal authority to give the
permission set out under Articles 1 and 2. It also warrants it has obtained the
necessary permissions from any third parties referred to under Article 3.</p>
<p>5. Should the public prosecutor initiate an investigation or criminal proceedings
against <company_short/> or any of the consultants it engaged or employed as a
result of the performance of the assignment for the customer, then
<i>(Client)</i> will co-operate fully with <company_short/> in defending against
this investigation or proceedings, including by providing any evidence it has
which relates to this investigation or these proceedings.</p>
<br/>
<table cols="48 433">
<tbody>
<tr>
<td rowspan="4">
Signed
</td>
<td>
on __________________________________
</td>
</tr>
<tr>
<td>
in __________________________________
</td>
</tr>
<tr>
<td>
by __________________________________
</td>
</tr>
<tr>
<td>
for <i>(Full Client Name)</i>
</td>
</tr>
</tbody>
</table>
</section>
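Review bot: the article cross-references are off. Article 3 says "The permission under Article 1 extends to all systems" and Article 4 says "permission set out under Articles 1 and 2", but Article 1 only describes the Targets; the permission is granted in Article 2, so both should point there. Second, condition (ii) "such activities do not disrupt the normal business operations" sits uneasily next to 2(d) "hinder the access or use of the Targets" and next to the Disclaimer, where the client accepts that operations may be hindered; either qualify (ii) (for example, "beyond what is inherent to the activities under a. to d.") or drop 2(d). Third, "on a date to be confirmed by email" means the signed document itself carries no testing window; a start and end date field in the waiver would keep the authorization bounded in time on the signed paper. Smaller points: Recital B and Article 3 use "the Consultant" while the defined term is "the Consultants", Article 5 says "the customer" where the rest of the waiver says "(Client)", and the `<ul>` in Article 1 sits inside a `<p>`.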

View File

@@ -0,0 +1,197 @@
<?xml version="1.0" encoding="UTF-8"?>
<annex>
<title>Annex 1<br/>General Terms and Conditions</title>
<p><b>What is this document?</b></p>
<p>These are the general terms and conditions (in Dutch: “<i>algemene voorwaarden</i>”)
of <company_long/> (<company_short/>). This version of the general terms and conditions
is dated 15 July 2014.</p>
<p>In the spirit of <company_short/>'s philosophy, <company_short/> wants these
general terms and conditions to be as understandable as possible. If you have any
questions, feel free to ask for clarification.</p>
<p><b>What is <company_long/>?</b></p>
<p><company_short/> is a private limited liability company under Dutch law located
in Amsterdam, The Netherlands. It is registered at the Dutch Chamber of Commerce
under no. 60628081.</p>
<p><b>To what do these terms and conditions apply?</b></p>
<p>These general terms and conditions apply to all agreements between <company_short/>
and the customer. <company_short/> rejects any terms and conditions used by the
customer. The parties can only deviate from these general terms and conditions
in writing. These general terms and conditions are also intended to benefit any
person employed or engaged by <company_short/> during the performance of an assignment.</p>
<p><b>How does <company_short/> agree on an assignment?</b></p>
<p><company_short/> wants both parties to have a clear picture of an assignment
before it starts. This means there only is an agreement between <company_short/>
and the customer after <company_short/> sends a written offer containing the key
terms of the agreement and the customer subsequently accepts the offer.
Communications other than the written offer do not form part of the agreement.
<company_short/> can rescind an offer until it is accepted by the customer.</p>
<p><b>What can the customer expect from <company_short/>?</b></p>
<p>It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is secure.
<company_short/> instead has an obligation to make reasonable efforts
(in Dutch: “<i>inspanningsverplichting</i>”) to perform the agreed services.</p>
<p><company_short/> will make reasonable efforts to perform the assignment in
accordance with the plan set out in the offer (if any). If <company_short/>
expects it will not fulfill the plan as documented, it will let the customer
know without delay. <company_short/> is not automatically deemed to be in default
if it doesn't meet the plan.</p>
<p><company_short/> will make reasonable efforts to avoid disruption of the
customer's operations and damage to its owned or operated systems, but it
cannot guarantee that this will be avoided. The customer agrees
to this. <company_short/> is not obliged to restore the systems or recover any
data deleted or amended in the course of the assignment.</p>
<p><b>What can <company_short/> expect from the customer?</b></p>
<p>The customer will provide <company_short/> with all means necessary to allow
<company_short/> to perform the agreed services. If <company_short/> needs explicit
permission from the customer to perform its services (for example, when doing
penetration tests) the customer gives this permission. The customer also warrants
that it has the legal authority to give this permission.</p>
<p><b>How do the parties handle confidential information?</b></p>
<p><company_short/> and the customer will not disclose to others confidential
information and personal data they receive from each other or gain access to in
the course of an assignment. <company_short/> has the right to disclose this
information and data to persons engaged by <company_short/>, but only if these
persons have a similar confidentiality obligation vis-á-vis <company_short/>.
Any person will only use the information and data it receives or gains access
to for the purposes following from the agreement. Both parties will take reasonable
measures to maintain the confidentiality of the information and data they received
or gained access to, and will ensure that persons engaged by them do the same.</p>
<p><b>What does <company_short/> do with vulnerabilities it finds in the course
of an assignment?</b></p>
<p>If <company_short/> in the course of an assignment finds a vulnerability which
might affect the customer, it will report this to the customer. If a vulnerability
might affect third parties as well, <company_short/> retains the right to disclose
this vulnerability also to others than the customer. It will only do so after
having given the customer a reasonable period to take measures minimising the
impact of the vulnerability, in line with responsible disclosure best practices.</p>
<p><b>What does <company_short/> do with indicators of compromise it finds?</b></p>
<p>If <company_short/> in the course of an assignment finds indicators of
compromise, such as malware signatures and IP-addresses, it will report this to
the customer. <company_short/> retains the right to also publish this information
in a publicly accessible database. It will only do so after it has given the
customer the opportunity to object to the publication of data which would
negatively impact the customer.</p>
<p><b>Who owns the products developed in the course of the assignment?</b></p>
<p><company_short/> retains any intellectual property rights in products developed
for an assignment, such as software and reports. <company_short/>, however, wants
to teach as many customers as possible 'how to fish'.</p>
<p>For software it developed, this means that <company_short/> gives the customer
a permanent, non-exclusive, transferable, sub-licensable, worldwide license to
distribute and use the software in source and binary forms, with or without
modification (very similar to the BSD-license). If <company_short/>'s software
is based on other software which is provided under a license which restricts
<company_short/>'s ability to license its own software (such as the GPLv3 license),
the more restrictive license will apply.</p>
<p>For other products it developed, such as reports and analyses, <company_short/>
gives the customer the same license, but this license is exclusive to the customer
and does not contain the right to modification. The latter condition is intended
to ensure that the customer will not change <company_short/>'s products, such as
reports and analyses. <company_short/> retains the right to reuse these products,
for example for training and marketing purposes. <company_short/> will remove any
confidential information from these products before publication.</p>
<p><company_short/> retains title to any property transferred to the customer
until all outstanding payments by the customer have been done in full (in Dutch:
<i>eigendomsvoorbehoud</i>”). <company_short/> also only gives a license after
all outstanding payments have been done in full.</p>
<p><b>Who will perform the assignment?</b></p>
<p><company_short/> has the right to appoint the persons who will perform the
assignment. It has the right to replace a person with someone with at least the
same expertise, but only after having consulted with the customer. This means
that section 7:404 Dutch Civil Code (in Dutch: “<i>Burgerlijk Wetboek</i>”) is
excluded.</p>
<p>Due to the nature of <company_short/>'s business, <company_short/> regularly
works with freelancers for the performance of its assignments. <company_short/>
has the right to engage third parties, including freelancers, in the course of
the performance of an assignment.</p>
<p><company_short/> wants to be able to use the expertise of its entire team to
help with an assignment. This means that in the course of an assignment, it is
possible that the persons performing the assignment will consult with and be
advised by others in <company_short/>'s team. These others will of course be
bound by the same confidentiality obligations as the persons performing the assignment.</p>
<p><b>What happens when the scope of the assignment is bigger than agreed?</b></p>
<p><company_short/> and the customer will attempt to precisely define the scope
of the assignment before <company_short/> starts. If during the course of the
assignment, the scope turns out to be bigger than expected, <company_short/>
will report this to the customer and make a written offer for the additional work.</p>
<p><b>How is payment arranged?</b></p>
<p>All amounts in <company_short/>'s offers are in Euros, excluding VAT and
other applicable taxes, unless agreed otherwise.</p>
<p>For assignments where the parties agreed to an hourly fee, <company_short/>
will send an invoice after each month. For other assignments, <company_short/>
will send an invoice after completion of the assignment, and at moments set out
in the offer (if any). The customer must pay an invoice within 30 days of the
invoice date.</p>
<p><company_short/> may, prior to an assignment, agree on the payment of a
deposit by the customer. <company_short/> will settle deposits with interim
payments or the final invoice for the assignment.</p>
<p>If the payment is not received before the agreed term, the client will be
deemed to be in default without prior notice. <company_short/> will then have
the right to charge the statutory interest (in Dutch: “<i>wettelijke rente</i>”)
and any judicial and extrajudicial (collection) costs (in Dutch:
<i>gerechtelijke- en buitengerechtelijke (incasso)kosten</i>”).</p>
<p>If the customer cancels or delays the assignment two weeks before it starts,
<company_short/> is entitled to charge the customer 50% of the agreed price.
If the customer cancels or delays the assignment after it already started,
<company_short/> is entitled to charge the customer 100% of the agreed price.
<company_short/> is entitled to charge a pro rata percentage in the case of
cancellation or delay shorter than two weeks before the start of the assignment
(i.e. a cancellation one week before the assignment would entitle <company_short/>
to charge 75% of the agreed price).</p>
<p><b>For what can <company_short/> be held liable?</b></p>
<p>Any liability of <company_short/> resulting from or related to the performance
of an assignment, shall be limited to the amount that is paid out in that
specific case under an applicable indemnity insurance of <company_short/>,
if any, increased by the amount of the applicable deductible (in Dutch:
<i>eigen risico</i>”) which under that insurance shall be borne by <company_short/>.
If no amount is paid out under an insurance, these damages are limited to the
amount already paid for the assignment, with a maximum of EUR 10.000.
Each claim for damages shall expire after a period of one month from the day
following the day on which the customer became aware or could reasonably
be aware of the existence of the damages.</p>
<p>To make things clear, <company_short/> is not liable if a person associated
with <company_short/> acts contrary to any confidentiality or non-compete
obligation vis-á-vis the customer or a third party, this person might have
agreed to in another engagement.</p>
<p>What happens when third parties lodge a claim or initiate criminal proceedings
against <company_short/>?</p>
<p>The customer shall indemnify <company_short/> and any person employed or
engaged by <company_short/> for any claims of third parties which are in any
way related to the activities of <company_short/> and any person employed or
engaged by <company_short/> for the customer.</p>
<p>Should a third party lodge a claim against <company_short/> or any of the
consultants it engaged or employed as a result of the performance of the assignment
for the customer, then the customer will co-operate fully with <company_short/>
in defending against this claim, including by providing to <company_short/> any
evidence it has which relates to this claim.
Should the public prosecutor initiate an investigation or criminal proceedings
against <company_short/> or any of the consultants it engaged or employed as a
result of the performance of the assignment for the customer, then the customer
will also co-operate fully with <company_short/> in defending against this
investigation or proceedings, including by providing any evidence it has which
relates to this investigation or these proceedings.</p>
<p>The customer shall reimburse <company_short/> and any person employed or
engaged by <company_short/> all costs of legal defence and all damages in
relation to these claims, investigations or proceedings. This provision does
not apply to the extent a claim, investigation, or proceeding is the result of
the intent or recklessness (in Dutch: “<i>opzet of bewuste roekeloosheid</i>”)
of <company_short/> or a person employed or engaged by <company_short/>.</p>
<p><b>When is this agreement terminated and what happens then?</b></p>
<p>Each of the parties may terminate the agreement wholly or partly without
prior notice if the other party is declared bankrupt or is being wound up or if
the other party's affairs are being administered by the court
(in Dutch: “surséance van betaling”).</p>
<p><b>When can <company_short/> not be expected to perform the assignment?</b></p>
<p>In the case of force majeure (in Dutch: “<i>overmacht</i>”) as a result of
which <company_short/> cannot reasonably be expected to perform the assignment,
the performance will be suspended. Situations of force majeure include cases
where means, such as soft- and hardware, which are prescribed by the customer
do not function well. The agreement may be terminated by either party if a
situation of force majeure has continued longer than 90 days. The customer will
then have to pay the amount for the work already performed pro rata.</p>
<p><b>Which law applies and which court is competent?</b></p>
<p>Dutch law applies to the legal relationship between <company_short/> and its
customers. Any dispute between <company_short/> and a customer will be resolved
in the first instance exclusively by the District Court (in Dutch:
<i>rechtbank</i>”) of Amsterdam, the Netherlands.</p>
</annex>
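Review bot: the cancellation clause is ambiguous about its own boundaries. "If the customer cancels or delays the assignment two weeks before it starts, ... 50%" describes a single point in time, and the pro rata rule only covers "shorter than two weeks", so a cancellation three weeks out is not addressed; "two weeks or more before it starts" is presumably what is meant, with the percentage rising linearly to 100% at the start date. In the same paragraph "(i.e. a cancellation one week before ...)" introduces an example, so it should be "e.g.". Formatting: the heading "What happens when third parties lodge a claim or initiate criminal proceedings against <company_short/>?" is the only question heading without `<b>`; "vis-á-vis" (twice) should be "vis-à-vis"; and "surséance van betaling" is the one Dutch term without the `<i>` used for all the others.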

View File

@@ -0,0 +1,17 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="greyboxing">
<title>The Grey-Box Pentesting Method</title>
<p>
<!--snippet -->Crystal-Box vs. Black-Box pentesting refers to the amount of information
regarding the target environment, architecture, and/or applications that is
initially shared by the customer with the pentesters. With Black-Box testing,
pentesters are given no information whatsoever about the target(s). With
Crystal-Box testing, pentesters are given all information requested about the target(s),
including source-code (when relevant), access to developers or system management, etc..
<br />
<br />
<company_short/> will conduct Gray-Box testing, which means that partial information is
given on the target.
</p>
</section>
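Review bot: the body says "<company_short/> will conduct Gray-Box testing" while the title and the `id="greyboxing"` use "Grey-Box"; also "etc.." has a doubled full stop, and the two `<br />` used as paragraph spacing should be a second `<p>`. More useful to the reader than "partial information is given on the target" would be to state which information is shared, since the crystal-box file lists the full set (source code, access to developers or system management); for a grey-box offer say which of those are in and which are out, because that is what the client is agreeing to.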

View File

@@ -0,0 +1,11 @@
<section xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Introduction</title>
<p><client_long/> (hereafter “<b><client_short/></b>”), with its registered office
at <client_street/>, <client_city/>, <client_country/>, has requested <company_long/>
(hereafter “<b><company_short/></b>”) to perform <company_svc_long/>.
Motivation for this request is that <client_short/> wishes to get a better
insight in ...</p>
<p>This offer sets out the scope of the work and the terms and conditions under
which <company_short/> will perform these services.</p>
</section>
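Review bot: "get a better insight in ..." should be "insight into ..." (the project overview already uses "gain insight into"). The `xmlns:xi` declaration on the `<section>` is unused in this file.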

View File

@@ -0,0 +1,67 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Pentest Methodology</title>
<p>During the execution of penetration tests, <company_long/> broadly follows
the following steps:</p>
<ol>
<li>Requirements Gathering and Scoping; </li>
<li>Discovery;</li>
<li>Validation;</li>
<li>Information Collection;</li>
<li>Threat and Vulnerability Analysis;</li>
<li>Exploitation;</li>
<li>Reporting;</li>
</ol>
<p><b>Step 1: Requirements Gathering and Scoping</b> <br/>
The expectations of both parties are discussed and agreements are made regarding
how to conduct the test(s). For example, contact details and the pentest's scope
are documented.</p>
<p><b>Step 2: Discovery</b><br/>
As much information as possible about the target organization and target objects
is collected. This information is passively gathered, primarily from public sources.</p>
<p><b>Step 3: Validation</b><br/>
All customer-specified systems are cross-referenced with findings from the
Discovery step. We do this to ensure that discovered systems are legal property
of the customer and to verify the scope with the customer.</p>
<p><b>Step 4: Information Collection</b><br/>
Information from Step 2 is now used to actively collect information about the
system. Activities conducted during this phase may include:
Determining which parts of the various components will be investigated;
Testing for the presence of known vulnerabilities, using automated tests;
Identifying the offered services and fingerprinting the software used for them.</p>
<p><b>Step 5: Threat and Vulnerability Analysis</b><br/>
Potential threats and vulnerabilities are indexed, based upon the collected information.</p>
<p><b>Step 6: Exploitation</b><br/>
Attempt to use vulnerabilities of the various components.
The diverse applications and components of the client's infrastructure are
relentlessly probed for frequently occurring design, configuration, and
programming errors.</p>
<p>Note: <company_long/> uses open-source scanning tools to get its bearings,
but generally performs most of the exploitation by hand.</p>
<p><b>Step 7: Reporting</b><br/>
After finishing the audit, a report will be delivered where the step-by-step
approach, results, and discovered vulnerabilities are described. The report and
results will be presented to the responsible project leader or manager at the
client's office.</p>
<p>Steps 4-6 may be repeated multiple times per test. For example, access may be
acquired in an external system, which serves as a stepping-stone to the internal network.
The internal network will then be explored in Steps 4 and 5, and exploited in Step 6.</p>
<!--DO NOT INCLUDE ANY OF THESE-->
<!--xi:include href="crystal-box.xml"/-->
<!--xi:include href="black-box.xml"/-->
<!--xi:include href="grey-box.xml"/-->
</section>
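Review bot: under Step 4, "Activities conducted during this phase may include: Determining which parts ...; Testing for the presence ...; Identifying the offered services ..." is a list squashed into one paragraph with semicolons; the other sections use `<ul>` for this, so do the same here. Step 3 is the right place to say what happens with hosts whose ownership cannot be confirmed (they are excluded until the customer confirms them); the waiver extends permission to third-party systems "encountered", but that does not replace the ownership check described here. Wording: Step 7 says "After finishing the audit" where the rest of the file says penetration test, and it commits to presenting "at the client's office", which a geographically distributed team may not always do. The three commented-out `xi:include` lines marked "DO NOT INCLUDE ANY OF THESE" and the now-unused `xmlns:xi` declaration can go if the box-type section is included from the offer itself.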

View File

@@ -0,0 +1,128 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<!-- for an example load testing offer, ask other writers!-->
<title>Load testing</title>
<p>The aim of load testing is to measure what realistic level of performance a
service deployment is capable of delivering, or whether it meets a specific
performance requirement, in a consistent and repeatable way. For web sites
and applications it usually involves simulating multiple visitors using the
site's features in various ways. This sets it apart from DDoS testing, which
is much more indiscriminate. For load testing, <company_long/>
generally executes the following steps:
</p>
<ol>
<li>Establishing the aim of the load test;</li>
<li>Defining user types to simulate;</li>
<li>Choosing appropriate test volumes;</li>
<li>Collecting URLs and form data for each user type;</li>
<li>Implementing user simulation scripts;</li>
<li>Running appropriate load tests;</li>
<li>Reporting results;</li>
</ol>
<p>
<b>Step 1: Establishing the aim of the load test</b>
<br/>
Load testing needs a well-defined purpose to be useful. There is usually an
underlying reason for wanting to load test, for example users may have
complained your site is slow, or you're evaluating new technology and want
to see whether it brings performance improvements. These reasons boil down
to running some specific tests, usually one or more of:
<ul>
<li>How much activity a system can cope with before it starts to fail (maximum
simultaneous users, maximum request rate)
</li>
<li>What level of performance can be sustained for a given load (average
response time for a fixed number of users)
</li>
<li>What level of load meets a given performance requirement (maximum
users while remaining below a target average response time)
</li>
</ul>
The last two are inverses of each other. A single test is only of moderate
interest - load tests are most useful when repeated so that multiple results
may be compared. It's important that the tests remain consistent, otherwise
they may not be compared meaningfully. Load testing may even be automated as
part of your site's development process so that changes can be evaluated for
performance before deployment.
</p>
<p>
<b>Step 2: Defining user types to simulate</b>
<br/>
Most web sites can group their users into general categories that can be
used as a basis for simulations, for example, a basic browser that looks at
the home and contact pages; a new user trying out some basic features; a
power user that understands the system and uses specific features
repeatedly.
</p>
<p>
<b>Step 3: Choosing appropriate test volumes</b>
<br/>
To provide realistic results it's important to choose test sizes
(simultaneous user count) that are appropriate for the size of the site, and
representative proportions of each user type. An example specification might
be 1000 simultaneous users split into 40% basic browsers, 40% new users, 20%
power users. Multiple tests can be run with different counts and user type
mixes.
</p>
<p>
<b>Step 4: Collecting URLs and form data for each user type</b>
<br/>
Each user type needs a sequence of URL requests and form submissions that
represents their activity. This can be done either by capturing HTTP traffic
using a proxy or by manual inspection of forms and URLs.
</p>
<p>
<b>Step 5: Implementing user simulation scripts</b>
<br/>
Test scripts can be created automatically (effectively replaying captured
URL sequences) or manually for tests requiring finer detail or greater
realism. Turning captured URLs into a user script can be complex and time
consuming - for example when the results of one request need to be
incorporated into a later form submission.
</p>
<p>
<b>Step 6: Running the load tests</b>
<br/>
Combining the user simulation scripts with the test volume settings in a
load testing system produces a working load test. Load tests can be run over
varying time periods, from a few minutes to hours or even days, depending on
the aims of the test. Intense load tests can impose enormous stress on web
sites, often to the point of failure, so they need to be undertaken
carefully and with regard for possible denial of service or downtime they
may cause.
</p>
<p>
<b>Step 7: Reporting results</b>
<br/>
Most load testing tools can generate useful output immediately, but they
often need filtering and interpretation to fulfil the aims of the test.
<company_short/>
has the necessary experience to produce comprehensible reports from the
flood of data that load testing generates.
</p>
<p>Steps 3 and 6 may be repeated for different usage scenarios. For example,
if the test aim is to see if supposed performance enhancements have had a
positive effect, the same test would be run before and after the changes to
allow comparison. In a fixed load test, multiple passes could be run with
100, 500, 1000, 2000 users, or a maximum load test using a slow increase
from 100 to 10000 users to see how far it gets before problems appear.
</p>
<p>There are many load testing tools of varying levels of sophistication,
including Apache's simple "ab" and more complex "JMeter" projects, the
Selenium project for fine-detail browser simulation.
<company_long/>
prefers to use open-source tools such as these. There are also online
commercial services that are useful for testing very large loads that
would otherwise be difficult and expensive to configure from scratch.
</p>
</section>
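Review bot: Step 6 acknowledges that intense load tests push sites "often to the point of failure" but nothing ties that to the permission or the scheduling. Add that load tests run only against an agreed environment in an agreed window, that the customer has given the permission to hinder access (as the waiver puts it) for that window, and that a hosting provider or CDN in front of the site is informed where the infrastructure is not the customer's own; the waiver's third-party clause depends on the customer having obtained that permission. Smaller points: the numbered list says "Running appropriate load tests" while the heading says "Running the load tests"; the tools sentence is a run-on ("including Apache's simple "ab" and more complex "JMeter" projects, the Selenium project for ...", read "as well as the Selenium project for ..."); and the author comment "for an example load testing offer, ask other writers!" is a leftover that should not ship in a template.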

View File

@@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--snippet -->
<section>
<title>Social Engineering: Phishing</title>
<p> <company_short/>
will engage in social-engineering-based attacks. As requested,
the focus will be on sending phishing emails to test how vulnerable
the selected targets are to this approach.
</p>
<p>For phishing to be successful it is important that
<company_short/>
has detailed information on the targets. Providing
<company_short/>
with a list of target names, roles, email addresses, departments, and
any other useful information, in advance will save significant research
time.
</p>
<p>The phishing process includes these stages:<br/>
<ul>
<li>Research target information</li>
<li>Group related targets</li>
<li>Create pretexts suitable for one or more groups</li>
<li>Build/adapt tools and services to implement the attack</li>
<li>Send mailings to the groups</li>
<li>Gather &amp; analyze results</li>
<li>Report conclusions</li>
</ul>
</p>
<p>First, targets are divided into groups, dependent upon their
departments, roles and interests. Next, content that might appeal to
each group is created or adapted into appropriate phishing pretexts. The
content may be new, using fictional company names, or based on existing
company information and content if pretexts need to be very realistic.
The mailings are usually sent using existing chat operated tools (and
<client_short/> may observe the process if interested), or alternatively
<company_short/>
may create something new, if the situation calls for it.
</p>
<p>To record which targets click message links, <company_short/>
uses click-tracking redirects, in the same way most email newsletters
do. When a target clicks on a link in a phishing mail, their email
address, IP address, and the name of the mailing is sent to us and
logged. Once a victim's click has been recorded, he/she is removed from
the target list as a single successful click is per target is sufficient
for the purposes of these benign attacks. Clicks may happen seconds,
days or weeks after sending, so it's important to wait for results to
accumulate. When sufficient mailings have been sent, and enough data has
(hopefully) been received, the logged results are analyzed and presented
in the final report.
</p>
</section>
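Review bot: the click-tracking paragraph records "their email address, IP address, and the name of the mailing" per target, which is personal data of the client's employees that the Disclaimer and the general terms commit both parties to protect, but the section says nothing about how long those logs are kept, when they are deleted after the report, or whether the report names individuals or only gives per-group figures. State that here, since it is what the client is signing off on. Typos: "a single successful click is per target is sufficient" has a stray "is"; "existing chat operated tools" should be "chat-operated tools" (or say which tools); and the `<ul>` sits inside a `<p>` after a `<br/>`, as in the waiver; move it outside the paragraph.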

View File

@@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Planning and Payment</title>
<p><company_short/> will uphold the following dates for the planning of the services:</p>
<ul>
<li><company_short/> performs a <company_svc_short/> on <p_testingduration/>.</li>
<li><company_short/> delivers the final report <p_reportdue/>.</li>
</ul>
<!-- snippet --><p>
Our fixed-fee price quote for the above described penetration
testing services is <p_fee/>.- excl. VAT and out-of-pocket expenses.
<company_short/> will send an invoice after completion of this assignment.
<client_short/> will pay the agreed amount within 30 days of the invoice date.
</p>
<!-- snippet --><p>
Any additional work will be charged separately. An hourly
rate for additional work will be agreed upon before starting this work.
</p>
</section>
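Review bot: the first bullet reads "performs a <company_svc_short/> on <p_testingduration/>", but the placeholder name suggests a period rather than a date, in which case "on" is wrong ("during" or "from ... to ..."); the second bullet, "delivers the final report <p_reportdue/>", is missing "on" or "by". The fee paragraph hardcodes "penetration testing services" while the surrounding snippets use `<company_svc_long/>`, so it will be wrong for the non-pentest offers the Team section mentions. Amount formatting: "<p_fee/>.- excl. VAT" versus "EUR 10.000" in the general terms; pick one notation for both.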

View File

@@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Prerequisites</title>
<p>In order to perform this audit, <company_short/> will need access to:</p>
<!--Example of most common scenario, change if necessary!! :-->
<ul>
<li>Test accounts</li>
<li>Test environment</li>
<li>Contact information of system administrators, in case of emergencies</li>
</ul>
</section>
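Review bot: "In order to perform this audit" should use the same term as the rest of the template (penetration test or `<company_svc_short/>`). The list should also follow `<p_boxtype/>`: the crystal-box section promises source code and access to developers or system management, and none of that appears here, so a crystal-box offer built from this snippet would not ask for what that section says the testers get. It is also worth a bullet stating whether the test environment mirrors production, since findings on a stripped-down copy are harder to translate back.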

View File

@@ -0,0 +1,38 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Project Overview</title><!-- section with an overview of ROS activities -->
<!-- snippet --><p><company_short/> will perform <company_svc_long/>
for <client_short/> of the systems described below. The services are intended
to gain insight into the security of these systems. To do so, <company_short/>
will access these systems, attempt to find vulnerabilities, and gain
further access and elevated privileges by exploiting any vulnerabilities
found.</p>
<!-- snippet --><p><company_short/> will test the following targets
(the “<b>Targets</b>”):</p>
<generate_targets/>
<!-- snippet --><p><company_short/> will test for the presence of the
most common vulnerabilities, using both publicly available vulnerability
scanning tools and manual testing. <company_short/> shall perform a
<p_duration/>-day, <p_boxtype/>, intrusive test via the internet.</p>
<!-- snippet --> <!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is possible that in the course of the penetration
testing, <company_short/> might hinder the operations of the Targets or
cause damage to the Targets. <client_short/> gives permission for this, to
the extent that <company_short/> does not act negligently or
recklessly. <client_short/> also warrants it has the authority to give such
permission.</p-->
<!-- snippet --><!--Not Needed if Disclaimer is Included; Duplicate Text-->
<!--p>It is important to understand the limits of
<company_short/>'s services. <company_short/> does not (and cannot)
give guarantees that something is secure. <company_short/> instead has
an obligation to make reasonable efforts (in Dutch:
“<i>inspanningsverplichting</i>”) to perform the agreed services.</p-->
<!--REMOVE commented-out text above if not including Disclaimer-->
</section>
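Review bot: the editing instruction at the end of the hunk contradicts the two comments above it. The two disclaimer paragraphs are commented out with "Not Needed if Disclaimer is Included; Duplicate Text", so they are meant to be uncommented when the Disclaimer section is left out, but the closing comment reads "REMOVE commented-out text above if not including Disclaimer", which is the opposite. Reword it to "UNCOMMENT the two paragraphs above if the Disclaimer section is not included; otherwise delete them", or drop the paragraphs here and always include the Disclaimer section. Minor: "intrusive test via the internet" is hardcoded next to the <p_boxtype/> and <p_duration/> placeholders; an internal or non-intrusive test needs a placeholder there too.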


@@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<p>This offer sets out the scope of the work and the terms and conditions under
which <company_short/> will perform these services.</p>


@@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Team and Reporting</title>
<section>
<title>Team</title>
<p><company_short/> may perform the activities with its core-team
members, external freelancers, and/or volunteers.</p>
<p>First point of contact for this assignment shall be:</p>
<ul>
<li><company_poc1/> (<company_short/>)</li>
<li><client_poc1/> (<client_short/>)</li>
</ul>
<!-- remove this for non pentesting offers-->
<p>Our penetration tests are run a bit like a Capture The Flag
(CTF) competition:
<!-- remove this for non pentesting offers-->
<company_long/> has a geographically distributed team
and we use online infrastructure (RocketChat, GitLabs, etc.)
to coordinate our work. This enables us to invite the
customer to send several technical people from their
organization to join our <company_svc_short/> team on a volunteer basis.
Naturally, we extend this invitation to <client_short/> as well.</p>
<p>Throughout the course of the audit, we intend to actively
brainstorm with <client_short/> about both the <company_svc_short/> and the process.
This is a continuous learning experience for both us and you.
Also, in our experience, a tight feedback loop with the customer
greatly improves both the quality and focus of the engagement.</p>
</section>
<section>
<title>Reporting</title>
<p><company_short/> will report to <client_short/> on the <company_svc_short/>.
This report will include the steps it has taken during the
test and the vulnerabilities it has found. It will include
recommendations but not comprehensive solutions on how to address
these vulnerabilities.</p>
<p>A sample Pentest report can be found here</p>
<ul>
<li><a href="https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-pentestreport-v10.pdf">https://github.com/radicallyopensecurity/templates/blob/master/sample-report/REP_SittingDuck-pentestreport-v10.pdf</a></li>
</ul>
<p>One of <company_short/>'s Core Principles is the Teach
To Fish principle otherwise known as the 'Peek over our
Shoulder' (PooS) principle. We strive to structure our
services so they can also serve as a teaching or training
opportunity for our customers.</p>
</section>
</section>
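Review bot: the second "<!-- remove this for non pentesting offers-->" marker sits inside the paragraph that the first marker opens, so following the instruction (deleting everything between the two markers) removes "<p>Our penetration tests are run a bit like a Capture The Flag" together with its "(CTF) competition:" line and leaves the rest of the paragraph without its opening <p>, which is not well-formed XML. Put the marker pair around a complete <p> element, and finish the sentence: the colon after "competition:" is followed by a new subject (the distributed team), so the CTF comparison is never actually explained. Also "GitLabs" should read "GitLab", "A sample Pentest report can be found here" is missing its colon, and the sample-report link points at the master branch of this repository, so pinning it to a tag or release keeps it from breaking when the file is moved.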


@@ -0,0 +1,80 @@
<?xml version="1.0" encoding="UTF-8"?>
<waivers>
<standard_waiver>
<title><company_svc_short/> - WAIVER</title>
<p><b><i><signee_long/></i> (<i><signee_short/></i>)</b>, with its registered office at <signee_street/>,
<signee_city/>, <signee_country/> and duly represented by <b><signee_waiver_rep/></b></p>
<p>
<b>WHEREAS:</b>
</p>
<p>A. <client_short/> wants some of its systems to be tested,
<company_long/> (“<company_short/>”) has offered to perform
such testing for <client_short/> and
<client_short/> has accepted this offer.
The assignment will be performed by <company_short/>' core-team members, external
freelancers, and/or volunteers (the “Consultants”).</p>
<p>B. Some of the activities performed by
<company_short/> and the
Consultants during the course of this assignment could be considered
illegal, unless <signee_short/> has given permission for
these activities. <company_short/>
and the Consultant will only perform such activities if they have received
the required permission.</p>
<p>C. <signee_short/> is
willing to give such permission to <company_short/>, the Consultants and any
other person <company_short/> might
employ or engage for the assignment.</p>
<p>
<b>DECLARES AS FOLLOWS:</b>
</p>
<p>1. <signee_short/> is
aware that <company_short/> will
perform <company_svc_long/> of the
following systems of <signee_short/>, as described
below. The services are intended to gain insight in the security of these
systems. To do so, <company_short/>
will access these systems, attempt to find vulnerabilities and gain further
access and elevated privileges by exploiting any vulnerabilities found.
<company_short/> will test the
following targets (the “<b>Targets</b>”):</p>
<generate_targets/>
<p>2. <signee_short/>
hereby grants <company_short/> and
the Consultants on a date to be confirmed by email the broadest permission
possible to perform the assignment, including the permission to:</p>
<p>a. enter and use the Targets;</p>
<p>b. circumvent, breach, remove and turn off
any security measures protecting the Targets;</p>
<p>c. copy, intercept, record, amend, delete,
render unusable or inaccessible any data stored on, processed by or
transferred via the Targets; and</p>
<p>d. hinder the access or use of the
Targets,</p>
<p>but <signee_short/>
only grants the permission for these activities to the extent that (i) such
activities are necessary to perform the assignment and (ii) such activities
do not disrupt the normal business operations of <signee_short/>.</p>
<p>3. The permission under Article 1 extends
to all systems on which the Targets run, or which <company_short/> or the Consultant might
encounter while performing the assignment, regardless of whether these
systems are owned by third parties.</p>
<p>4. <signee_short/>
warrants that it has the legal authority to give the permission set out
under Articles 1 and 2. It also warrants it has obtained the necessary
permissions from any third parties referred to under Article 3.</p>
<p>5. Should the public prosecutor initiate an
investigation or criminal proceedings against <company_short/> or any of the consultants it
engaged or employed as a result of the performance of the assignment for the
customer, then <signee_short/> will co-operate fully
with <company_short/> in defending
against this investigation or proceedings, including by providing any
evidence it has which relates to this investigation or these
proceedings.</p>
<generate_waiver_signature_box/>
</standard_waiver>
</waivers>
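Review bot: the cross-references between the numbered articles are off. Article 1 is the signee's acknowledgement of the test and the Targets list; the permission is granted in Article 2, yet Article 3 reads "The permission under Article 1 extends" and Article 4 refers to "the permission set out under Articles 1 and 2". Both should point at Article 2 (and Article 3 for the third-party systems). Recital A uses <client_short/> while the rest of the waiver uses <signee_short/>, and Article 5 speaks of "the assignment for the customer", a term the waiver never defines; when the signee is not the client (the <generate_permission_parties/> case in the terms section) these names diverge. Article 2 grants permission "on a date to be confirmed by email"; tying it to the testing period in the offer (<p_testingduration/>) keeps waiver and offer consistent. Typos: "<company_short/>' core-team members" has a stray apostrophe, and "the Consultant" in recital B and Article 3 should be plural to match the definition in recital A.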


@@ -0,0 +1,39 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Over ons <company_long/></title>
<p><company_long/> is 's werelds eerste non-profit computer security consultancy bedrijf.
Wij zijn een <i>Fiscaal Fondswervende Instelling</i> en in die hoedanigheid kunnen we 90 procent van onze winst
belastingvrij aan non-profit stichting NLnet doneren. Stichting NLnet ondersteunt al bijna twintig jaar
open-source, digitale rechten en internet onderzoek.</p>
<p>Onze winst worden dus niet uitgekeerd aan aandeelhouders, investeerders of eigenaren.
Met de winst dienen we de maatschappij. Omdat wij geen winstoogmerk hebben kunnen we de beste ethische
veiligheidsexperts rekruteren. Met onze kernwaarden trekken we gelijkgestemde klanten aan. Wij stellen onze klanten
in staat om met IT veiligheidsbudgetten sociaal verantwoord ondernemen te ondersteunen.
Het hoge tempo waarmee wij groeien weerspiegelt de positieve respons van de markt op onze idealistische
filosofie en ons innovatieve business model.</p>
<p><company_long/> heeft een aantal waarden die wij beschrijven als onze
"Kernwaarden." Deze zijn:</p>
<ul>
<li><b>Openheid van zaken</b><br/>
Wij bouwen geen toezichtssystemen, we helpen geen hacking activisten, we verkopen geen <i>exploits</i>
aan geheime diensten of iets in die richting. Als een opdracht ons moreel verwerpelijk lijkt, nemen
we die niet aan. </li>
<li><b>Open-Source</b><br/>
Wij geven ALLE tools en frameworks, die wij open-source bouwen, vrij op onze website.</li>
<li><b>Leren vissen</b><br/>
Tijdens de samenwerken delen wij niet alleen de resultaten met onze opdrachtgevers, maar
geven wij ook een stapsgewijze beschrijving waarmee klanten in de toekomst zelf de
veiligheid van hun systemen kunnen testen. Wij willen graag inzichtelijk maken wat we doen. Het is geen
hogere wiskunde. We helpen klanten om hun kennis en houding ten aanzien van veiligheid te verbeteren.</li>
<li><b>Gratis IoCs</b><br/>
Wij geven ALLE verzamelde bedreigingen (<i>Indicators of Compromise</i>) vrij in
een open-source <i>database</i> die iederen gratis kan gebruiken (Opgeschoond in
overeenstemming met klanten).</li>
<li><b>Zero days</b><br/>
Wij verkopen geen <i>'Zero days' exploits</i> (nuldagenaanval) - wij brengen ze op verantwoorde wijze aan het licht!</li>
</ul>
<p>Voor meer informatie over <company_long/> verwijzen wij u naar onze website:
<a href="http://www.radicallyopensecurity.com">www.radicallyopensecurity.com</a>.</p>
</section>
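Review bot: grammar and spelling in the Dutch text: "Onze winst worden dus niet uitgekeerd" should be "Onze winst wordt dus niet uitgekeerd"; "die iederen gratis kan gebruiken" should be "iedereen"; "Tijdens de samenwerken delen wij" should be "Tijdens de samenwerking". The heading "Openheid van zaken" (transparency) does not describe the item under it, which is about the kinds of work the company refuses, so rename it to match. The title "Over ons <company_long/>" renders as "Over ons" followed by the company name; use either "Over ons" or "Over <company_long/>". The website link uses http:// rather than https://.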


@@ -0,0 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<p>
<!--snippet -->Crystal-Box vs. Black-Box pentesting verwijst naar de hoeveelheid
informatie over het doelwit; de omgeving, architectuur, en/of applicaties die de klant
in eerste instantie deelt met de pentesters. Bij Black-Box testing ontvangen de
pentesters helemaal geen informatie over het doelwit. Bij Crystal-Box tests
ontvangen de pentesters alle informatie die opgevraagd wordt betreffende het doelwit,
inclusief broncode (wanneer dit relevant is), toegang tot ontwikkelaars of systeembeheer, etc...
<br />
In dit geval zal <company_short/> een Black-Box test uitvoeren.
</p>
<!-- end of template -->
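Review bot: this paragraph is a near-duplicate of the opening paragraph of the Crystal-Box snippet added later in this commit, with diverging terminology ("broncode" and "systeembeheer" here, "source code" and "developers" there) and a different first sentence ("de omgeving, architectuur" versus "de doelwit omgeving, architectuur"). Keep the definition in one snippet and include it from both the Black-Box and Crystal-Box variants so the two cannot drift. Also "etc..." doubles the full stop after "etc.", and the "<!--snippet -->" marker sits inside the <p> here but before it in the other file; pick one convention.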


@@ -0,0 +1,41 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Broncode Audit</title>
<p><company_short/> zal een broncode audit uitvoeren ter ondersteuning van pentesting.
Gedurende een code audit onderzoeken wij handmatig de broncode van een applicatie
om te verzekeren dat er geen kwetsbaarheden in de beveiliging zitten en gebruiken wij
ons begrip van de code om het pentesten te leiden. Als er kwetsbaarheden gevonden worden
documenteren wij deze en komen met suggesties om deze op te lossen. Dit wordt gedaan
door goed-getrainde penetratie testers die zowel raw code kunnen herzien,
als het interpreteren van de bevindingen van de geautomatiseerde scans, wat het in context brengt.</p>
<p>Tijdens het code audit gedeelte van penetratie tests nemen wij de volgende criteria mee:</p>
<ol>
<li>Risico Beoordeling en "Dreiging Modellering"<br/>
In deze stap analyseren wij de risico's van een bepaalde applicatie of systeem.
Dreiging Modellering is een specifieke, gestructureerde aanpak voor risico
analyse dat ons in staat stelt om beveiligingsrisico's te identificeren,
kwalificeren en te addresseren. Dit is de reden voor de vervlechting met
het proces van Code Herziening. Bijvoorbeeld: Gebruiksgegevens zijn heilig.
Wij focussen op versleutelde opslag, ontdekken of <client_short/> werknemers
een "backdoor" in hun data hebben en snijden gestolen toestellen af
door deze op afstand te wissen en accounts in te trekken.</li>
<li>Doel en Context<br/>
Hier focussen wij op de risico's, voornamelijk in het snel en gemakkelijk
delen van interne documenten en routebeschrijvingen. Accountgegevens
zijn niet zo geheim als wij weten wie in een vergadering zit, maar
wat besproken wordt geheim is.</li>
<li>Complexiteit<br/>
De complexiteit van het systeem zit hem in de frameworks die de
webapplicatie ondersteunen. Wij zouden deze negeren en ons alleen richten
op de "custom" en backend code, waarvan wij weten dat het gebaseerd is
op .NET/ C#. We zouden ons ook focussen op implementatiefouten en bekende
fouten in de systemen. Bijvoorbeeld: We zouden bevestigen of u de laatste
versie van de software gebruikt, maar we zouden niet delven in het framework zelf.
Omdat wij aannemen dat de code is geschreven door een team zal dit waarschijnlijk duidelijk
geschreven code zijn. Als u meerdere full-release versies heeft, zullen er
ongetwijfeld meerdere code revisies en audits op deze code zijn.</li>
</ol>
<p>Voor meer informatie verwijzen wij u naar de volgende link:
<a href="https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents">https://www.owasp.org/index.php/OWASP_Code_Review_V2_Table_of_Contents</a></p>
</section>
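Review bot: the three criteria carry assumptions from one specific engagement that will be emitted in every offer built from this template: "waarvan wij weten dat het gebaseerd is op .NET/ C#", the stolen-device scenario under "Risico Beoordeling", and the meeting and document-sharing risks under "Doel en Context". Either replace them with placeholders (a language or platform element, if the toolchain defines one) or mark the block as an example to edit, as the Prerequisites file does with its comment. Spelling: "addresseren" should be "adresseren". The sentence "goed-getrainde penetratie testers die zowel raw code kunnen herzien, als het interpreteren van de bevindingen" does not parse; try "die zowel ruwe code kunnen beoordelen als de bevindingen van geautomatiseerde scans kunnen interpreteren en in context plaatsen".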


@@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Algemene voorwaarden</title>
<!-- snippet --><p><company_short/> zal alleen de <company_svc_short/>
uitvoeren als het de toestemming heeft gekregen van <generate_permission_parties/>
zoals uiteengezet in de penetration test verklaring, bijgevoegd als <b>Annex 2</b>,
of verschafd als los document.</p>
<p><company_short/> voert deze opdracht uit op basis van de algemene voorwaarden,
die bijgevoegd zijn als Annex 1.
<company_short/> weigert alle algemene voorwaarden die gebruikt worden door
<client_short/>.</p>
<p>Om akkoord te gaan met dit aanbod, tekent u deze brief in tweevoud en retourneert
deze naar:</p>
<contact>
<name><company_legal_rep/></name>
<address><company_long/><br/>Overdiemerweg 28<br/>1111 PP Diemen</address>
<email>melanie@radicallyopensecurity.com</email>
</contact>
<generate_offer_signature_box/>
</section>
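Review bot: the return address is hardcoded while the signatory uses a placeholder: "<name><company_legal_rep/></name>" is followed by a fixed street address and the personal mailbox "melanie@radicallyopensecurity.com". A personal address in a shared template goes stale as soon as staff changes and is published with the repository; use placeholders (or a role mailbox) for the address and e-mail the way the rest of the offer does. Also "Annex 2" is bold but "Annex 1" in the next paragraph is not; make the two consistent.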


@@ -0,0 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--snippet -->
<p>
Crystal-Box vs. Black-Box pentesting verwijst naar de hoeveelheid
informatie over de doelwit omgeving, architectuur, en/of applicaties die de klant
in eerste instantie deelt met de pentesters. Bij Black-Box testing ontvangen de
pentester helemaal geen informatie over het doelwit. Bij Crystal-Box tests
ontvangen de pentesters alle informatie die opgevraagd wordt betreffende het doelwit,
inclusief source code (wanneer dit relevant is), toegang tot developers of systeembeheer, etc...
<br />
<br />
<company_short/> zal een Crystal-Box pentest uitvoeren, wat de voorkeursmethode is.
In tegenstelling tot "real world" aanvallers, die alle tijd van de wereld hebben,
vinden pentests plaats in een beperkt tijdsbestek. Crystal-Box pentesting biedt ons
de mogelijkheid om zo efficiënt mogelijk onze tijd te benutten, wat zorgt voor
een maximalisatie van het aantal kwetsbaarheden die kunnen worden gevonden.
Daarnaast sluit de Crystal-Box pentest het beste aan bij de "Meekijken over de Schouder"
optie die <company_short/> aanbiedt aan <client_short/>.
</p>
<!-- end of template -->
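Review bot: number agreement and structure in the Crystal-Box paragraph: "ontvangen de pentester helemaal geen informatie" should be "de pentesters" (plural, as in the next sentence), and the two consecutive "<br />" lines are doing the job of a paragraph break; split the text into two <p> elements so the generic definition and the engagement-specific choice (Crystal-Box here, Black-Box in the other snippet) can be maintained separately. "etc..." has a doubled full stop.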


@@ -0,0 +1,24 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Vrijwaring</title>
<p>Het is mogelijk dat in de loop van het penetratie testen <company_short/>
de operaties van het doelwit hindert of hier schade aan toebrengt.
<client_short/> geeft hier toestemming voor, onder voorbehoud dat <company_short/>
hier niet nalatig of roekeloos mee omgaat. <client_short/> waarborgt dit ook en heeft de bevoegdheid om
hier toestemming voor te geven.</p>
<p>Het is van belang om de limitaties van de diensten van <company_short/> te begrijpen.
<company_short/> geeft geen (en kan geen) garanties geven dat iets veilig is.
<company_short/>, heeft in plaats daarvan, een wettelijke inspanningsverplichting
voor de uit te voeren diensten.</p>
<p><company_short/> en <client_short/> komen hierbij overeen dat redelijke maatregelen
worden getroffen om, de vertrouwelijkheid van informatie en persoonlijke
gegevens van de doelwitten waar zij toegang tot krijgen
in de loop van het uitvoeren van de penetratie test, in stand wordt gehouden.
Beide partijen zullen de informatie en data die zij ontvangen of waar zij toegang tot krijgen
alleen gebruiken ten behoeve van de doelen die beschreven zijn in deze overeenkomst.
<company_short/> garandeert dat alle kern-leden, externe freelancers en vrijwilligers
die betrokken zijn bij het uitvoeren van de penetratie test een geheimhoudingsverklaring (NDA) hebben getekend.</p>
</section>
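Review bot: two clauses in this Dutch Vrijwaring deviate from the English disclaimer text they translate (the commented-out paragraphs in the Project Overview file in this commit). "<client_short/> waarborgt dit ook en heeft de bevoegdheid om hier toestemming voor te geven" says the client both warrants this and has the authority, whereas the English reads "also warrants it has the authority to give such permission"; the Dutch should be "waarborgt ook dat het de bevoegdheid heeft om hier toestemming voor te geven". And "een wettelijke inspanningsverplichting" adds "wettelijke" (statutory), which the English "an obligation to make reasonable efforts" does not contain. Grammar: "maatregelen worden getroffen om, de vertrouwelijkheid ... in stand wordt gehouden" should be "maatregelen worden getroffen om de vertrouwelijkheid ... in stand te houden".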


@@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- snippet --><p>Gebaseerd op de verstrekte informatie, verwachten wij dat het dienstverband <p_duration/> dagen duurt.
De planning van dit dienstverband is als volgt:</p>
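Review bot: "dienstverband" is the Dutch word for an employment relationship, not for an engagement; the snippet should read "verwachten wij dat de opdracht <p_duration/> dagen duurt. De planning van deze opdracht is als volgt:". The paragraph ends with a colon but the snippet contains no schedule list, so the including document must supply that list directly after it; an XML comment saying so (or a generator element, if the toolchain has one for the planning) would make the dependency visible.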


@@ -0,0 +1,197 @@
<?xml version="1.0" encoding="UTF-8"?>
<annex>
<title>Annex 1<br/>General Terms and Conditions</title>
<p><b>What is this document?</b></p>
<p>These are the general terms and conditions (in Dutch: “<i>algemene voorwaarden</i>”)
of <company_long/> (<company_short/>). This version of the general terms and conditions
is dated 15 July 2014.</p>
<p>In the spirit of <company_short/>'s philosophy, <company_short/> wants these
general terms and conditions to be as understandable as possible. If you have any
questions, feel free to ask for clarification.</p>
<p><b>What is <company_long/>?</b></p>
<p><company_short/> is a private limited liability company under Dutch law located
in Amsterdam, The Netherlands. It is registered at the Dutch Chamber of Commerce
under no. 60628081.</p>
<p><b>To what do these terms and conditions apply?</b></p>
<p>These general terms and conditions apply to all agreements between <company_short/>
and the customer. <company_short/> rejects any terms and conditions used by the
customer. The parties can only deviate from these general terms and conditions
in writing. These general terms and conditions are also intended to benefit any
person employed or engaged by <company_short/> during the performance of an assignment.</p>
<p><b>How does <company_short/> agree on an assignment?</b></p>
<p><company_short/> wants both parties to have a clear picture of an assignment
before it starts. This means there only is an agreement between <company_short/>
and the customer after <company_short/> sends a written offer containing the key
terms of the agreement and the customer subsequently accepts the offer.
Communications other than the written offer do not form part of the agreement.
<company_short/> can rescind an offer until it is accepted by the customer.</p>
<p><b>What can the customer expect from <company_short/>?</b></p>
<p>It is important to understand the limits of <company_short/>'s services.
<company_short/> does not (and cannot) give guarantees that something is secure.
<company_short/> instead has an obligation to make reasonable efforts
(in Dutch: “<i>inspanningsverplichting</i>”) to perform the agreed services.</p>
<p><company_short/> will make reasonable efforts to perform the assignment in
accordance with the plan set out in the offer (if any). If <company_short/>
expects it will not fulfill the plan as documented, it will let the customer
know without delay. <company_short/> is not automatically deemed to be in default
if it doesn't meet the plan.</p>
<p><company_short/> will make reasonable efforts to avoid disruption of the
customer's operations and damage to its owned or operated systems, but it
cannot guarantee that this will be avoided. The customer agrees
to this. <company_short/> is not obliged to restore the systems or recover any
data deleted or amended in the course of the assignment.</p>
<p><b>What can <company_short/> expect from the customer?</b></p>
<p>The customer will provide <company_short/> with all means necessary to allow
<company_short/> to perform the agreed services. If <company_short/> needs explicit
permission from the customer to perform its services (for example, when doing
penetration tests) the customer gives this permission. The customer also warrants
that it has the legal authority to give this permission.</p>
<p><b>How do the parties handle confidential information?</b></p>
<p><company_short/> and the customer will not disclose to others confidential
information and personal data they receive from each other or gain access to in
the course of an assignment. <company_short/> has the right to disclose this
information and data to persons engaged by <company_short/>, but only if these
persons have a similar confidentiality obligation vis-á-vis <company_short/>.
Any person will only use the information and data it receives or gains access
to for the purposes following from the agreement. Both parties will take reasonable
measures to maintain the confidentiality of the information and data they received
or gained access to, and will ensure that persons engaged by them do the same.</p>
<p><b>What does <company_short/> do with vulnerabilities it finds in the course
of an assignment?</b></p>
<p>If <company_short/> in the course of an assignment finds a vulnerability which
might affect the customer, it will report this to the customer. If a vulnerability
might affect third parties as well, <company_short/> retains the right to disclose
this vulnerability also to others than the customer. It will only do so after
having given the customer a reasonable period to take measures minimising the
impact of the vulnerability, in line with responsible disclosure best practices.</p>
<p><b>What does <company_short/> do with indicators of compromise it finds?</b></p>
<p>If <company_short/> in the course of an assignment finds indicators of
compromise, such as malware signatures and IP-addresses, it will report this to
the customer. <company_short/> retains the right to also publish this information
in a publicly accessible database. It will only do so after it has given the
customer the opportunity to object to the publication of data which would
negatively impact the customer.</p>
<p><b>Who owns the products developed in the course of the assignment?</b></p>
<p><company_short/> retains any intellectual property rights in products developed
for an assignment, such as software and reports. <company_short/>, however, wants
to teach as many customers as possible 'how to fish'.</p>
<p>For software it developed, this means that <company_short/> gives the customer
a permanent, non-exclusive, transferable, sub-licensable, worldwide license to
distribute and use the software in source and binary forms, with or without
modification (very similar to the BSD-license). If <company_short/>'s software
is based on other software which is provided under a license which restricts
<company_short/>'s ability to license its own software (such as the GPLv3 license),
the more restrictive license will apply.</p>
<p>For other products it developed, such as reports and analyses, <company_short/>
gives the customer the same license, but this license is exclusive to the customer
and does not contain the right to modification. The latter condition is intended
to ensure that the customer will not change <company_short/>'s products, such as
reports and analyses. <company_short/> retains the right to reuse these products,
for example for training and marketing purposes. <company_short/> will remove any
confidential information from these products before publication.</p>
<p><company_short/> retains title to any property transferred to the customer
until all outstanding payments by the customer have been done in full (in Dutch:
<i>eigendomsvoorbehoud</i>”). <company_short/> also only gives a license after
all outstanding payments have been done in full.</p>
<p><b>Who will perform the assignment?</b></p>
<p><company_short/> has the right to appoint the persons who will perform the
assignment. It has the right to replace a person with someone with at least the
same expertise, but only after having consulted with the customer. This means
that section 7:404 Dutch Civil Code (in Dutch: “<i>Burgerlijk Wetboek</i>”) is
excluded.</p>
<p>Due to the nature of <company_short/>'s business, <company_short/> regularly
works with freelancers for the performance of its assignments. <company_short/>
has the right to engage third parties, including freelancers, in the course of
the performance of an assignment.</p>
<p><company_short/> wants to be able to use the expertise of its entire team to
help with an assignment. This means that in the course of an assignment, it is
possible that the persons performing the assignment will consult with and be
advised by others in <company_short/>'s team. These others will of course be
bound by the same confidentiality obligations as the persons performing the assignment.</p>
<p><b>What happens when the scope of the assignment is bigger than agreed?</b></p>
<p><company_short/> and the customer will attempt to precisely define the scope
of the assignment before <company_short/> starts. If during the course of the
assignment, the scope turns out to be bigger than expected, <company_short/>
will report this to the customer and make a written offer for the additional work.</p>
<p><b>How is payment arranged?</b></p>
<p>All amounts in <company_short/>'s offers are in Euros, excluding VAT and
other applicable taxes, unless agreed otherwise.</p>
<p>For assignments where the parties agreed to an hourly fee, <company_short/>
will send an invoice after each month. For other assignments, <company_short/>
will send an invoice after completion of the assignment, and at moments set out
in the offer (if any). The customer must pay an invoice within 30 days of the
invoice date.</p>
<p><company_short/> may, prior to an assignment, agree on the payment of a
deposit by the customer. <company_short/> will settle deposits with interim
payments or the final invoice for the assignment.</p>
<p>If the payment is not received before the agreed term, the client will be
deemed to be in default without prior notice. <company_short/> will then have
the right to charge the statutory interest (in Dutch: “<i>wettelijke rente</i>”)
and any judicial and extrajudicial (collection) costs (in Dutch:
<i>gerechtelijke- en buitengerechtelijke (incasso)kosten</i>”).</p>
<p>If the customer cancels or delays the assignment two weeks before it starts,
<company_short/> is entitled to charge the customer 50% of the agreed price.
If the customer cancels or delays the assignment after it already started,
<company_short/> is entitled to charge the customer 100% of the agreed price.
<company_short/> is entitled to charge a pro rata percentage in the case of
cancellation or delay shorter than two weeks before the start of the assignment
(i.e. a cancellation one week before the assignment would entitle <company_short/>
to charge 75% of the agreed price).</p>
<p><b>For what can <company_short/> be held liable?</b></p>
<p>Any liability of <company_short/> resulting from or related to the performance
of an assignment, shall be limited to the amount that is paid out in that
specific case under an applicable indemnity insurance of <company_short/>,
if any, increased by the amount of the applicable deductible (in Dutch:
<i>eigen risico</i>”) which under that insurance shall be borne by <company_short/>.
If no amount is paid out under an insurance, these damages are limited to the
amount already paid for the assignment, with a maximum of EUR 10.000.
Each claim for damages shall expire after a period of one month from the day
following the day on which the customer became aware or could reasonably
be aware of the existence of the damages.</p>
<p>To make things clear, <company_short/> is not liable if a person associated
with <company_short/> acts contrary to any confidentiality or non-compete
obligation vis-á-vis the customer or a third party, this person might have
agreed to in another engagement.</p>
<p>What happens when third parties lodge a claim or initiate criminal proceedings
against <company_short/>?</p>
<p>The customer shall indemnify <company_short/> and any person employed or
engaged by <company_short/> for any claims of third parties which are in any
way related to the activities of <company_short/> and any person employed or
engaged by <company_short/> for the customer.</p>
<p>Should a third party lodge a claim against <company_short/> or any of the
consultants it engaged or employed as a result of the performance of the assignment
for the customer, then the customer will co-operate fully with <company_short/>
in defending against this claim, including by providing to <company_short/> any
evidence it has which relates to this claim.
Should the public prosecutor initiate an investigation or criminal proceedings
against <company_short/> or any of the consultants it engaged or employed as a
result of the performance of the assignment for the customer, then the customer
will also co-operate fully with <company_short/> in defending against this
investigation or proceedings, including by providing any evidence it has which
relates to this investigation or these proceedings.</p>
<p>The customer shall reimburse <company_short/> and any person employed or
engaged by <company_short/> all costs of legal defence and all damages in
relation to these claims, investigations or proceedings. This provision does
not apply to the extent a claim, investigation, or proceeding is the result of
the intent or recklessness (in Dutch: “<i>opzet of bewuste roekeloosheid</i>”)
of <company_short/> or a person employed or engaged by <company_short/>.</p>
<p><b>When is this agreement terminated and what happens then?</b></p>
<p>Each of the parties may terminate the agreement wholly or partly without
prior notice if the other party is declared bankrupt or is being wound up or if
the other party's affairs are being administered by the court
(in Dutch: “surséance van betaling”).</p>
<p><b>When can <company_short/> not be expected to perform the assignment?</b></p>
<p>In the case of force majeure (in Dutch: “<i>overmacht</i>”) as a result of
which <company_short/> cannot reasonably be expected to perform the assignment,
the performance will be suspended. Situations of force majeure include cases
where means, such as soft- and hardware, which are prescribed by the customer
do not function well. The agreement may be terminated by either party if a
situation of force majeure has continued longer than 90 days. The customer will
then have to pay the amount for the work already performed pro rata.</p>
<p><b>Which law applies and which court is competent?</b></p>
<p>Dutch law applies to the legal relationship between <company_short/> and its
customers. Any dispute between <company_short/> and a customer will be resolved
in the first instance exclusively by the District Court (in Dutch:
<i>rechtbank</i>”) of Amsterdam, the Netherlands.</p>
</annex>
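Review bot: the cancellation clause is ambiguous about its boundaries: "If the customer cancels or delays the assignment two weeks before it starts" is followed by a pro-rata rule for "cancellation or delay shorter than two weeks before the start", so the first sentence should say "two weeks or more before it starts", and the example "(i.e. a cancellation one week before ... 75%)" should be "e.g.", since it is one instance. "EUR 10.000" uses the Dutch thousands separator in an English document and can be read as ten euros; write "EUR 10,000". Markup: the opening quotation mark is missing before the Dutch terms in "<i>eigendomsvoorbehoud</i>”)", "<i>gerechtelijke- en buitengerechtelijke (incasso)kosten</i>”)", "<i>eigen risico</i>”)" and "<i>rechtbank</i>”)", while "(in Dutch: “surséance van betaling”)" lacks the <i> the other terms have; "vis-á-vis" (twice) should be "vis-à-vis"; and the heading "What happens when third parties lodge a claim or initiate criminal proceedings against <company_short/>?" is the only one not wrapped in <b>. Terminology: "the client will be deemed to be in default" uses "client" where the rest of the annex says "customer".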


@@ -0,0 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns:xi="http://www.w3.org/2001/XInclude">
<title>Inleiding</title>
<p><client_long/> (hierna “<b><client_short/></b>”), statutair gevestigd te
<client_street/>, <client_city/>, <client_country/>, heeft <company_long/> (hierna
<b><company_short/></b>”) verzocht een <company_svc_long/> uit te voeren. Motivatie
voor dit verzoek is dat <client_short/> een beter inzicht wenst te krijgen in ...</p>
<p>Deze offerte beschrijft de scope van het werk en de voorwaarden waaronder <company_short/> deze diensten zal uitvoeren.</p>
</section>
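Review bot: the introduction ends in an unfilled blank, "een beter inzicht wenst te krijgen in ...", with nothing marking it as a field to complete; the other templates flag such spots with an XML comment, so add one (or a placeholder element) so an unedited offer does not ship with the ellipsis. The opening quotation mark is missing before "<b><company_short/></b>”)" (compare "(hierna “<b><client_short/></b>”)" on the line above). Also xmlns:xi is declared on <section> but no xi:include appears in the file; drop it unless the including document relies on it.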


@@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<section>
<title>Pentest Methodologie</title>
<p>Tijdens het uitvoeren van de penetratie tests volgt <company_long/> in grote lijnen de volgende stappen:</p>
<ol>
<li>Benodigdheden Verzamelen en Scoping; </li>
<li>Ontdekking;</li>
<li>Validatie;</li>
<li>Informatieverzameling;</li>
<li>Analyse van Bedreigingen en Kwetsbaarheden;</li>
<li>Exploitatie;</li>
<li>Rapportage;</li>
</ol>
<p><b>Step 1: Benodigdheden Verzamelen en Scoping</b> <br/>
De verwachtingen van beide partijen worden besproken en overeenkomsten worden gemaakt
betreffende het uitvoeren van de test(s). Bijvoorbeeld, contactgegevens en de
scope van de pentest worden vastgelegd.</p>
<p><b>Step 2: Ontdekking</b><br/>
Zo veel mogelijk informatie betreffende de "target" organisatie en de "target" objecten
wordt verzameld. Deze informatie wordt passief verzameld, voornamelijk uit publieke bronnen.</p>
<p><b>Step 3: Validatie</b><br/>
Alle door de klant gespecificeerde systemen worden kruisverwezen met de bevindingen
van de Ontdekking stap. Wij doen dit om te garanderen dat de ontdekte systemen
wettelijk eigendom van de klant zijn en om de scope met de klant te verifiëren.</p>
<p><b>Step 4: Informatieverzameling</b><br/>
Informatie uit Stap 2 wordt hier gebruikt om actief informatie betreffende de
systemen te verzamelen. Activiteiten gedurende deze fase kunnen het volgende inhouden:
Vaststellen welke onderdelen van de verscheidene componenten zullen worden onderzocht;
Testen op de aanwezigheid van bekende kwetsbaarheden, gebruikmakend van automatische tests;
De aangeboden diensten identificeren en de voor hen gebruikte software te "fingerprinten."</p>
<p><b>Step 5: Analyse van Bedreigingen en Kwetsbaarheden</b><br/>
Potentiële bedrijgingen en kwetsbaarheden worden geïndexeerd, gebaseerd op de verzamelde informatie.</p>
<p><b>Step 6: Exploitatie</b><br/>
Hier wordt gepoogd om kwetsbaarheden van de verscheidene componenten te gebruiken.
De diverse applicaties en componenten van de klants infrastructuur worden
meedogenloos gesondeerd voor frequent voorkomende design-, configuratie- en programmeerfouten.</p>
<p>Notitie: <company_long/> gebruikt als basis open-source scanning tools, maar
voert in het algemeen de meeste exploitatie handmatig uit.</p>
<p><b>Step 7: Rapportage</b><br/>
Na het afronden van de verificatie zal een rapport worden geleverd met een stapsgewijze benadering,
waarbij resultaten en ontdekte kwetsbaarheden worden beschreven. Het rapport en de resultaten
zullen worden gepresenteerd aan de verantwoordelijke projectleider of -manager in het kantoor van de klant.</p>
<p>Stappen 4-6 kunnen meerdere malen herhaald worden per test. Voorbeeld: Toegang kan worden
verkregen in een extern systeem dat fungeert als een opstapje tot het interne netwerk.
Het interne netwerk zal vervolgens worden verkend in Stappen 4 en 5, om vervolgens te worden geëxploiteerd in Stap 6.</p>
</section>
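Review bot: the step headings use the English "Step 1" to "Step 7" while the body text ("Stappen 4-6", "Stap 2") and the sibling scan-methodology file use "Stap"; rename them to "Stap" for consistency. Also, "bedrijgingen" in the Step 5 paragraph should be "bedreigingen", and the first list item (`<li>Benodigdheden Verzamelen en Scoping; </li>`) carries a trailing space before the closing tag that the other items do not have.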

View File

@@ -0,0 +1,65 @@
<?xml version="1.0" encoding="UTF-8"?>
<section id="basicscanmethodology">
<title><company_svc_short/> methodologie</title>
<p>Tijdens het uitvoeren van de <company_svc_long/> volgt <company_long/> in grote lijnen de volgende stappen:</p>
<ol>
<li>vaststellen van vereisten en scoping</li>
<li>uitvoeren van scans</li>
<li>analyseren van bedreigingen en kwetsbaarheden</li>
<li>rapporteren van bevindingen</li>
</ol>
<p><b>Stap 1: vaststellen van vereisten en scoping</b> <br/>
De verwachtingen van beide partijen worden besproken en er worden afspraken
gemaakt betreffende het uitvoeren van de test(s). De benodige vereisten zoals
de contactgegevens en het bereik van de <company_svc_short/> worden vastgesteld.
</p>
<p><b>Stap 2: uitvoeren van scans</b><br/>
In deze fase worden automatische scans uitgevoerd die op het doelwit van toepassing
zijn. Bijvoorbeeld:
<ul>
<li>Het identificeren van aangeboden diensten en de
daarbij gebruikte software <i>fingerprinten</i>.</li>
<li>Het maken van een <i>basic</i> oppervlakte scan om bekende kwetsbaarheden
in de gebruikte software en protocollen op te sporen. Tijdens een <i>basic</i>
scan worden ontdekte 'gaten' in de beveiliging door ons niet geexploiteerd. </li>
<li>Het testen op veel voorkomende, bekende configuratiefouten in de software.
Dit zijn met name instellingen op het gebied van authenticatiemechanismen,
toegangsrechten en encryptie. Configuratiefouten in zelf ontwikkelde of exotische
software vallen hier niet onder.</li>
</ul>
</p>
<p><b>Stap 3: analyseren van kwetsbaarheden</b><br/>
Op basis van de verzamelde informatie worden potentiële kwetsbaarheden geïndexeerd.
De kwetsbaarheden worden geanalyseerd om overduidelijke <i>false positives</i>
er uit te filteren (niet alle scans produceren automatisch betrouwbare resultaten).
</p>
<p><b>Stap 4: rapporteren van bevindingen</b><br/>
Na afronding van de analyse wordt een rapport opgeleverd waarin onze
stapsgewijze benadering, de resultaten en gevonden kwetsbaarheden worden beschreven.
Het rapport dat <client_short/> oplevert bevat geen management samenvatting; <client_short/>
voegt deze zelf toe.
</p>
<p>
Na het doorlopen van bovengenoemde stappen kan <client_short/> een goed beeld
schetsen van de beveiligingsstatus van het doelwit. Een echte aanvaller zou \
deze analyse uitvoeren voordat een daadwerkelijke aanval wordt gepleegd.
Het resultaat van deze scan kan niet worden gebruikt om aan te tonen of aan
bepaalde <i>security</i> certificeringen is voldaan. Het resultaat uit een
penetratietest kan daar wel voor worden gebruikt. Bij een penetratietest wordt
gebruik gemaakt van de gevonden exploits om dieper liggende kwetsbaarheden in
kaart te brengen. Een pentest kan daarom worden gezien als de daadwerkelijke
aanval op het systeem.
</p>
</section>
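Review bot: in Stap 4, `Het rapport dat <client_short/> oplevert bevat geen management samenvatting; <client_short/> voegt deze zelf toe` has the wrong party: the scan is performed by <company_long/> (Stap 1 and the opening paragraph), so the first placeholder should be `<company_short/>`; as written, the client delivers a report without a summary and then adds one itself. Further points in the same file: the line `Een echte aanvaller zou \` ends with a stray backslash that will render literally; "benodige" should be "benodigde" and "geexploiteerd" should be "geëxploiteerd" (as the pentest-methodology file spells it); the Stap 3 heading ("analyseren van kwetsbaarheden") does not match its list item ("analyseren van bedreigingen en kwetsbaarheden"); and the <ul> in Stap 2 is nested inside a <p>, which is worth checking against the schema since XHTML-style content models do not allow that nesting.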

Some files were not shown because too many files have changed in this diff.