Datatypes and Variables

NASL allows for the assignment of values to variables that can be manipulated by a NASL script. Unlike a strongly typed language such as C, NASL does not require you to predefine a variable’s type. In NASL, the variable type is determined automatically when a variable is assigned a specific value. NASL recognizes two valid datatypes: scalars and arrays. A scalar can be a number or a string, while an array is a collection of scalars.

Numbers: NASL allows variables to hold integer values—for example, the number 11. It is also possible to assign numeric values to variables using a hexadecimal representation. You write hexadecimal numbers in NASL using a leading “0x” prefix. For example, the hexadecimal number 0x1b holds the value 27 when represented as an integer in base-10 notation. Type the following script into a file:

h=0x1b;

display (“The value of h is “,h,”\n”);

Now run it using the NASL interpreter to see the output:

[notroot]$ nasl hex.nasl

The value of h is 27

It is also possible to input numerical values in octal notation form, which uses base- 8 notation by placing a leading “0” prefix. For example, the x and y are equivalent in the following example:

x=014; #octal

y=12; #decimal

Strings: A string is a collection of characters. abcdefg, Hello World, and Boeing 747 are all examples of strings. Consider the following NASL script:

mystring=”Hello. I am a string!\n”;

display(mystring);

The \n at the end of mystring is an escape character and is equivalent to a newline character. Table 1-1 lists common escape characters applicable to NASL.

Table 1-1. Escape characters

Note that a string inside double quotes (“) is left as is. Therefore, if you define a string using double quotes, escape sequences will not be translated. Also note that the display( ) function calls the string( ) function before displaying data on the console, and it is the string( ) function that converts the escape sequences. That is why our escape sequences are translated in the preceding examples even though we define them using double quotes.

Arrays and Hashes: An array is a collection of numbers or strings that can be indexed using a numeric subscript. Consider the following NASL script:

myarray=make_list(1,”two”);

display(“The value of the first item is “,myarray[0],” \n”);

display(“The value of the second item is “,myarray[1],” \n”);

The script displays the following when executed:

The value of the first item is 1

The value of the second item is two

Notice that the array subscripts begin at 0, and that is why the first element is obtained using the [0] subscript.

Like arrays, hashes are also collections of numbers or strings. However, elements in hashes have a key value associated with them that can be used to obtain the element. You can use the make_array( ) function call to define a hash. Because every element must have an associated key value, the function call requires an even number of arguments. The following is a definition of a hash that contains port numbers for the Telnet protocol (port 23) and HTTP (port 80):

myports=make_array(‘telnet’,23,’http’,80);

Now, myports[‘telnet’] gives you the value of 23, while myports[‘http’] evaluates to 80.

Local and Global Variables

Variables exist only within the blocks in which they are defined. A block is a collection of statements enclosed by special statements such as loops and function calls. For example, if you define a variable within a particular function call, it will not exist when the function call returns. At times, it is necessary to define variables that should exist globally; in such cases you should use global_var to define them:

global_var myglobalvariable;

Variables are local by default. You can also use local_var to state this explicitly.