Monthly Archives: April 2017

Attachments API using ruby

One of the latest additions in Dradis Pro release 2.6.0 was the attachments API. Until now that was only available using the web interface:

Web interface attachments widget

As documented here, that new API endpoint allows you to manipulate node attachments via REST requests. Here are a couple of examples using curl.

Read the attachments associated with a specific node:

curl \
 -H 'Authorization: Token token="iOEFCQDR-miTHNTjiBxObjWC"' \
 -H 'Dradis-Project-Id: 8' \
 http://dradis.ip/pro/api/nodes/18/attachments

The response to this request is a JSON list of attachments in that node:

[
  {
    "filename": "burp.xml",
    "link": "/nodes/18/attachments/burp.xml"
  },
  {
    "filename": "screenshot.png",
    "link": "/nodes/18/attachments/screenshot.png"
  }
]

This is a request to attach some other files to that node:

curl \
 -H 'Authorization: Token token="iOEFCQDR-miTHNTjiBxObjWC"' \
 -H 'Dradis-Project-Id: 8' \
 -X POST \
 -F 'files[]=@/your/local/path/image1.png' -F 'files[]=@/your/local/path/image2.png' \
 http://dradis.ip/pro/api/nodes/18/attachments

The response to this request is a JSON list containing the new attachments info:

[
  {
    "filename": "image1.png",
    "link": "/nodes/18/attachments/image1.png"
  },
  {
    "filename": "image2.png",
    "link": "/nodes/18/attachments/image2.png"
  }
]

In this post we would like to extend that documentation by providing examples of how to do the same from a programming language. Since Dradis is implemented in ruby, here is how to do it in ruby.

Ruby has many libraries for making HTTP requests, from the basic 'net/http', already included in the standard library, to higher-level options such as 'rest-client', 'faraday', etc.

We will show basic examples using these three options.
For each option we provide two examples:

  1. a request to get all attachments in a node
  2. a request to upload a couple of files to a node (the attachments endpoint accepts many files in a single request).

If you intend to use the examples below, remember to use your virtual appliance's IP address instead of 'dradis.ip', and change the token, project id and node id in the examples to your own values.
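Before the per-library examples, here is an added example (not part of the original post) that handles the two points above in a reusable way: it reads the appliance URL, token, project id and node id from environment variables instead of hardcoding the token in the script, builds the GET request with both required headers, and then shows what a script should do with the JSON list the endpoint returns before saving attachments to disk. The environment variable names and the local download directory are assumptions; the request is only constructed, nothing is sent.

```ruby
require 'json'
require 'net/http'

# Settings come from the environment so the API token never lands in a script or
# a shell history entry; the fallbacks are the placeholder values from the post.
# (Variable names DRADIS_URL, DRADIS_TOKEN, DRADIS_PROJECT_ID, DRADIS_NODE_ID are
# an assumption of this example, not something Dradis defines.)
def dradis_settings(env = ENV)
  {
    base_url: env.fetch('DRADIS_URL', 'http://dradis.ip'),
    token: env.fetch('DRADIS_TOKEN', 'REPLACE-WITH-YOUR-TOKEN'),
    project_id: env.fetch('DRADIS_PROJECT_ID', '8'),
    node_id: env.fetch('DRADIS_NODE_ID', '18')
  }
end

# Build (but do not send) the GET for a node's attachment list, with both
# headers the API requires.
def attachments_get(settings)
  uri = URI("#{settings[:base_url]}/pro/api/nodes/#{settings[:node_id]}/attachments")
  request = Net::HTTP::Get.new(uri)
  request['Authorization'] = "Token token=\"#{settings[:token]}\""
  request['Dradis-Project-Id'] = settings[:project_id].to_s
  request
end

# Parse the JSON list the endpoint returns into {filename:, link:} hashes.
def parse_attachments(json)
  JSON.parse(json).map { |a| { filename: a.fetch('filename'), link: a.fetch('link') } }
end

# Local destination for an attachment, or nil when the server-supplied filename is
# not a plain file name (empty, contains a path separator, or is '.' / '..'). A
# script that saves attachments should never let the remote name pick the directory.
def safe_local_path(download_dir, filename)
  return nil if filename.nil? || filename.empty?
  return nil if filename.include?('/') || filename.include?('\\')
  return nil if filename == '.' || filename == '..'
  File.join(File.expand_path(download_dir), filename)
end

# Combine the checks: accept only entries whose link sits under this node's
# attachments path and whose filename maps to a safe local destination.
def plan_downloads(json, node_id, download_dir)
  prefix = "/nodes/#{node_id}/attachments/"
  parse_attachments(json).map do |att|
    destination = safe_local_path(download_dir, att[:filename])
    accepted = !destination.nil? && att[:link].start_with?(prefix)
    att.merge(destination: destination, accepted: accepted)
  end
end

# Constructed sample response: the two entries from the post plus one with a
# filename a download script must refuse to write to disk.
SAMPLE_RESPONSE = <<~JSON
  [
    {"filename": "burp.xml", "link": "/nodes/18/attachments/burp.xml"},
    {"filename": "screenshot.png", "link": "/nodes/18/attachments/screenshot.png"},
    {"filename": "../notes.txt", "link": "/nodes/18/attachments/../notes.txt"}
  ]
JSON

if __FILE__ == $PROGRAM_NAME
  request = attachments_get(dradis_settings)
  puts "GET #{request.path} (Dradis-Project-Id: #{request['Dradis-Project-Id']})"
  plan_downloads(SAMPLE_RESPONSE, 18, 'downloads').each do |att|
    puts "#{att[:accepted] ? 'ok  ' : 'skip'} #{att[:filename]} -> #{att[:destination].inspect}"
  end
end
```

To actually fetch the list, open a connection with Net::HTTP.start(uri.host, uri.port) as in the net/http example further down and pass the request to http.request; the plan returned by plan_downloads is what you then iterate over when downloading each accepted link.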

Attachments API using the 'rest-client' ruby gem:

First we need to install the 'rest-client' ruby gem:

gem install rest-client

Read the attachments associated with a specific node:

require 'rest-client'

# GET with the two headers the API requires; the body is the JSON list shown above
response = RestClient.get(
  'http://dradis.ip/pro/api/nodes/18/attachments',
  {
    'Authorization' => 'Token token="iOEFCQDR-miTHNTjiBxObjWC"',
    'Dradis-Project-Id' => '8'
  }
)
puts response.body

Attach some other files to that node:

require 'rest-client'

# rest-client notices the File objects, builds a multipart/form-data body
# and expands the array into repeated files[] fields, like the curl example
response = RestClient.post(
  'http://dradis.ip/pro/api/nodes/18/attachments',
  {
    'files' => [
      File.new('/your/local/path/image1.png', 'rb'),
      File.new('/your/local/path/image2.png', 'rb')
    ]
  },
  {
    'Authorization' => 'Token token="iOEFCQDR-miTHNTjiBxObjWC"',
    'Dradis-Project-Id' => '8'
  }
)
puts response.body

Attachments API using the 'faraday' ruby gem:

To install faraday:

gem install faraday

In this case we reuse the same connection for both requests, which is useful when building a script that sends many requests to the same endpoint.

require 'faraday'

# Establish connection
conn = Faraday.new(
  url: 'http://dradis.ip/pro/api/nodes/18/attachments',
  headers: {
    'Authorization' => 'Token token="iOEFCQDR-miTHNTjiBxObjWC"',
    'Dradis-Project-Id' => '8'
  }
) do |faraday|
  faraday.request :multipart
  faraday.adapter :net_http
end

# Read the attachments associated with a specific node (nil URL = the base url above)
get = conn.get
puts get.body

# Attach some other files to that node
post = conn.post(
  nil,
  {
    'files' => [
      Faraday::UploadIO.new("/your/local/path/image1.png", 'image/png'),
      Faraday::UploadIO.new("/your/local/path/image2.png", 'image/png')
    ]
  }
)
puts post.body

Attachments API using ruby's 'net/http':

'net/http' is part of the ruby standard library, so if you already have ruby nothing else needs to be installed to run this script. On the other hand, this option works at a lower level than the previous ones, so the code is a bit more complex: the multipart/form-data body has to be built by hand.

require 'net/http'

uri = URI('http://dradis.ip/pro/api/nodes/18/attachments')

Net::HTTP.start(uri.host, uri.port) do |http|

  # Read the attachments associated with a specific node:
  get_request = Net::HTTP::Get.new(uri)
  get_request['Authorization'] = 'Token token="iOEFCQDR-miTHNTjiBxObjWC"'
  get_request['Dradis-Project-Id'] = '8'
  get_response = http.request(get_request)
  puts get_response.body

  # Attach some other files to that node. The multipart body is built by hand;
  # the boundary string must not appear inside any of the uploaded files.
  boundary = 'AaB03x'
  file1 = '/your/local/path/image1.png'
  file2 = '/your/local/path/image2.png'

  post_body = []

  post_body << "--#{boundary}\r\n"

  post_body << "Content-Disposition: form-data; name=\"files[]\"; filename=\"#{File.basename(file1)}\"\r\n"
  post_body << "Content-Type: image/png\r\n"
  post_body << "\r\n"
  post_body << File.binread(file1) # binread keeps the image bytes untouched

  post_body << "\r\n--#{boundary}\r\n"

  post_body << "Content-Disposition: form-data; name=\"files[]\"; filename=\"#{File.basename(file2)}\"\r\n"
  post_body << "Content-Type: image/png\r\n"
  post_body << "\r\n"
  post_body << File.binread(file2)

  post_body << "\r\n--#{boundary}--\r\n"

  post_request = Net::HTTP::Post.new(uri)
  post_request['Authorization'] = 'Token token="iOEFCQDR-miTHNTjiBxObjWC"'
  post_request['Dradis-Project-Id'] = '8'
  # the boundary parameter is separated from the media type by a semicolon
  post_request['Content-Type'] = "multipart/form-data; boundary=#{boundary}"
  post_request.body = post_body.join

  post_response = http.request(post_request)
  puts post_response.body
end
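The hand-built body above is fine for two known PNG files, but a script that uploads arbitrary files needs a little more care. The following added example (written for this post, not code from the Dradis project) generalises it: any number of files, content type chosen by extension, a random boundary that is checked against the file contents, filenames sanitised before they go into the Content-Disposition header, and a small parser for the same framing so the body can be checked before it is sent. The CONTENT_TYPES table, the "DradisBoundary" prefix and the helper names are assumptions of this example; nothing here contacts a server.

```ruby
require 'net/http'
require 'securerandom'
require 'tempfile'

# Content types by extension (assumed list); anything else is sent as octet-stream.
CONTENT_TYPES = {
  '.png' => 'image/png', '.jpg' => 'image/jpeg', '.xml' => 'application/xml',
  '.txt' => 'text/plain'
}.freeze

# Read one local file into a part hash. File.binread keeps the bytes intact.
def file_part(path)
  {
    filename: File.basename(path),
    content_type: CONTENT_TYPES.fetch(File.extname(path).downcase, 'application/octet-stream'),
    data: File.binread(path)
  }
end

# The filename only ever appears inside a quoted Content-Disposition parameter,
# so drop directory components and replace characters that would break the header.
def header_safe_filename(name)
  File.basename(name).gsub(/["\\\r\n]/, '_')
end

# Pick a boundary that does not occur in any part's data (RFC 2046 requires this);
# a fixed boundary such as "AaB03x" could collide with bytes inside an upload.
def random_boundary(parts)
  loop do
    candidate = "DradisBoundary#{SecureRandom.hex(16)}"
    return candidate unless parts.any? { |part| part[:data].b.include?(candidate) }
  end
end

# Build the multipart/form-data body. Returns [body, content_type_header].
# Every file goes under the field name "files[]", as in the curl example.
def build_multipart(parts, field: 'files[]')
  boundary = random_boundary(parts)
  body = String.new(encoding: Encoding::BINARY)
  parts.each do |part|
    body << "--#{boundary}\r\n"
    body << "Content-Disposition: form-data; name=\"#{field}\"; " \
            "filename=\"#{header_safe_filename(part[:filename])}\"\r\n"
    body << "Content-Type: #{part[:content_type]}\r\n\r\n"
    body << part[:data].b << "\r\n"
  end
  body << "--#{boundary}--\r\n"
  [body, "multipart/form-data; boundary=#{boundary}"]
end

# Minimal parser for exactly the framing build_multipart emits (no nested
# multipart, no folded headers), used to check a body before sending it.
def parse_multipart(body, content_type_header)
  boundary = content_type_header[/boundary=(.+)\z/, 1]
  raise ArgumentError, 'missing boundary' unless boundary
  chunks = body.b.split("--#{boundary}")
  # chunks[0] is the empty string before the first boundary, chunks[-1] is "--\r\n"
  chunks[1..-2].map do |chunk|
    chunk = chunk.delete_prefix("\r\n").delete_suffix("\r\n")
    headers, data = chunk.split("\r\n\r\n", 2)
    {
      name: headers[/; name="([^"]*)"/, 1],
      filename: headers[/filename="([^"]*)"/, 1],
      content_type: headers[/Content-Type: ([^\r\n]+)/, 1],
      data: data
    }
  end
end

# Assemble the POST the way the net/http script above does, from the generated
# body. Nothing is sent here; pass the request to an open Net::HTTP to upload.
def attachments_post(uri, token, project_id, parts)
  body, content_type = build_multipart(parts)
  request = Net::HTTP::Post.new(uri)
  request['Authorization'] = "Token token=\"#{token}\""
  request['Dradis-Project-Id'] = project_id.to_s
  request['Content-Type'] = content_type
  request.body = body
  request
end

if __FILE__ == $PROGRAM_NAME
  # Stand-alone demo on a constructed temporary file (no Dradis server involved).
  tmp = Tempfile.new(['demo', '.png'])
  tmp.binmode
  tmp.write("\x89PNG\r\n\x1a\n".b)
  tmp.close
  body, ctype = build_multipart([file_part(tmp.path)])
  puts ctype
  parse_multipart(body, ctype).each do |part|
    puts "#{part[:name]} #{part[:filename]} #{part[:content_type]} #{part[:data].bytesize} bytes"
  end
end
```

With a real appliance the upload is Net::HTTP.start(uri.host, uri.port) { |http| http.request(attachments_post(uri, token, 8, paths.map { |p| file_part(p) })) }, with uri, token and paths filled in from your own values.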

Final thoughts

In conclusion, sending requests to the API should be easy enough from any programming language. In the ruby case, using a specialized gem seems like the best choice.

New in Dradis Pro v2.6

Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you create the same reports, in a fraction of the time.

Our first 2017 release, Dradis Pro v2.6 is loaded with some very interesting features to coordinate your team and generate better reports, faster.

The highlights of Dradis Pro v2.6

  • Better support for security testing methodologies (see below)
    • Organize tasks in a Kanban board (we ❤️ Trello too!)
    • Provide additional context, gather results, or set a due date for each task.
    • Assign tasks to different team members.
    • Keep Notes and information on each task.
    • Export Methodology details into your reports.
  • Merge multiple Issues in your project (see below)
  • Local Profile Pics (not just Gravatars!)
  • Redesigned error pages with the data you need for troubleshooting.
  • Edit / delete links for Evidence, Issues, and Notes from the sidebar.
  • Attachments HTTP API endpoint.
  • Validate Evidence fields.
  • Automatically generated Evidence Template.
  • Add-on enhancements:
    • Updated Nessus Plugin to support files that are missing a plugin_output tag.
    • Updated Qualys Plugin to better handle tags in report content.
    • Updated Burp Plugin to detect non-base64 encoded files and binary request/response data.
    • Updated the Burp-Dradis connector to correct HTTPS errors.
  • Word reports:
    • Methodology and Task content controls let you provide fine-grained information about your testing methodology as part of your deliverables.
  • Fix XSS in Issues diff view.
  • Bugs fixed: #84, #104, #164, #206, #280, #316

A quick video summary of what’s new in this release:

Methodologies become a first-class citizen of the framework

Methodologies now contain Lists and Tasks. Create custom Lists, add Tasks to the Lists, and move the cards from one List to the next.

Dradis Pro v2.6.0 includes an updated Methodologies feature. Move Tasks between lists.

You can also set due dates, assign cards to team members, and create fields within Task descriptions that can export into your reports.

Dradis Pro v2.6.0 includes an updated Methodologies feature. Create detailed Task descriptions, set due dates and assignees

Combine issues

Combine multiple Issues using our new merge feature. Just find and select the Issues that you want to combine:

Dradis Pro v2.6.0 includes a Merge Issues feature

You can combine them into a brand new Issue or into one of the existing Issues.

Dradis Pro v2.6.0 includes a Merge Issues feature. Combine multiple Issues into a new target Issue.

Ready to upgrade to v2.6?

Still not using Dradis in your team?

These are some of the benefits you're missing out on:

Read more about Dradis Pro’s time-saving features, what our users are saying, or if you want to start from the beginning, read the 1-page summary.