When the WPScan team approached us in late 2019 offering to create an integration for Dradis, we were excited to work together. What goes together better than a WordPress security scanning tool and an easy way to turn those findings into a customized report? Maybe chocolate and peanut butter, but the Dradis WPScan integration is much more likely to result in a more secure website.
WordPress powers 35% of the Internet’s websites from hobby blogs to Fortune 50 companies. WordPress’ ease of use, well-established community, and extensive plugins offerings (55,457 as of this post) make it an attractive option for creating a presence online. Unfortunately, these same charms also make WordPress an easy and frequent target for attack.
In 2011, while investigating his own blog’s security, Ryan Dewhurst created a script that combined testing for WordPress’ vulnerabilities into a single tool. This script, now WPScan, enumerates usernames, plugins, and themes, performs brute force password attacks, and identifies the version of WordPress on a target.
WPScan contributors went on to create WPVulnDB to manage the ever-growing list of known WordPress vulnerabilities in an online database. When used together, WPScan and the WPVulnDB API provide real-time, detailed vulnerabilities and recommendations in your scan results.
This new Dradis WPScan integration makes it a snap for you to import the results of your WPScan directly to a Dradis Project. Each target maps to a node within your Dradis project, any vulnerabilities found in a plugin, theme, or setup become Dradis issues, and when evidence is available – like a list of enumerated usernames – it is pulled into Dradis as evidence.
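The mapping described above, as an added example that is not part of the Dradis WPScan integration or of WPScan itself: one target becomes a node, each plugin, theme or core vulnerability becomes an issue, and enumerated usernames become evidence. The JSON document is constructed to resemble WPScan's JSON output; its field names and the `Node`/`Issue`/`Evidence` structs are assumptions of this example.

```ruby
# Added example (not Dradis or WPScan code): map a WPScan-style JSON report
# onto the shapes the post describes: one node per target, one issue per
# plugin/theme/core vulnerability, enumerated users as a piece of evidence.
# The JSON below is constructed to resemble `wpscan --format json` output;
# its field names are assumptions, not taken from the real WPScan schema.
require 'json'

SAMPLE_WPSCAN_JSON = <<~JSON
  {
    "target_url": "https://example.test/",
    "version": {
      "number": "5.3",
      "vulnerabilities": [
        {"title": "WordPress 5.3 core issue (constructed)", "fixed_in": "5.3.1"}
      ]
    },
    "plugins": {
      "sample-plugin": {
        "version": {"number": "1.0"},
        "vulnerabilities": [
          {"title": "Sample Plugin < 1.1 issue (constructed)", "fixed_in": "1.1"}
        ]
      }
    },
    "themes": {},
    "users": {"admin": {"id": 1}, "editor": {"id": 2}}
  }
JSON

# Hypothetical stand-ins for the Dradis objects the integration would create.
Node     = Struct.new(:label, :issues, :evidence)
Issue    = Struct.new(:title, :component, :fixed_in)
Evidence = Struct.new(:kind, :content)

# Build one Node (with its issues and evidence) from a single-target report.
def wpscan_to_node(json_text)
  data = JSON.parse(json_text)
  node = Node.new(data.fetch('target_url'), [], [])

  # Vulnerabilities in WordPress core itself
  core_version = data.dig('version', 'number')
  Array(data.dig('version', 'vulnerabilities')).each do |v|
    node.issues << Issue.new(v['title'], "wordpress #{core_version}", v['fixed_in'])
  end

  # Vulnerabilities in installed plugins and themes, keyed by slug
  %w[plugins themes].each do |section|
    (data[section] || {}).each do |slug, info|
      Array(info['vulnerabilities']).each do |v|
        node.issues << Issue.new(v['title'], "#{section.chomp('s')} #{slug}", v['fixed_in'])
      end
    end
  end

  # Enumerated usernames are attached to the node as one piece of evidence
  users = (data['users'] || {}).keys
  node.evidence << Evidence.new('enumerated-users', users.join("\n")) unless users.empty?
  node
end
```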
Ready to get started with Dradis and WPScan?
The steps to add the Dradis WPScan integration to Dradis CE or Dradis Pro are similar for both editions.
Add or edit the Gemfile.plugins file. The file locations for each edition are listed below.
Now you can have your notifications emailed to you when you aren’t working in a Dradis project. Each user can adjust their notification settings to receive them individually as they happen, in a daily digest, or not at all. Get started using email notifications by configuring the mail server on your Dradis Pro instance.
A few @mention enhancements are in this release, including loading an @mentioned user’s profile photo or gravatar so you quickly spot who is in the conversation.
Burp Suite Issue severity
The way that Burp Suite handles severity is different from other integrations. Burp assigns a severity to each instance of an issue (imported as evidence) and doesn't assign a severity to the issue itself. As a result, an issue in Dradis could end up with several pieces of evidence at different severity levels while the issue itself had no severity at all. Now, Dradis assigns the issue severity using the highest severity level found among its evidence.
Table Sorting
Finding the information you are looking for in a long table is easier with table sorting. Tables in Dradis can be sorted by any column. Click on the column heading of your choice and presto, change-o the table is sorted.
Release Notes
Email notifications
Add notification settings to decide how often to get email notifications
Add an smtp.yml config file to handle the SMTP configuration
Preserve SMTP configuration on updates
Various mention-related improvements:
Enhance the mentions box in comments to close when it is open and the page is scrolled.
Fix bug that prevents the mentions dialog from appearing after navigating through the app.
Fix elongated avatar images so they are round once again.
Added avatar images to mentions in comments.
Load Gravatars for users whose email has been set up with gravatar.
Add and update methodology download links to Dradis Portal
When adding new nodes, copy node label data between the single and multiple node forms.
All tables can be sorted by column
Bugs fixed:
Fix handling of pipe character in node property tables
Fix projects count not updating in teams view
Fix error on team page when showing primary team
Fix overflow issue where the content would expand out of view
Fix page jump when issues list is collapsed
Fix conflicting version message when updating records with ajax
Fix hamburger dropdown menu functionality.
Fix node merging bug when `services_extras` properties are present
Fix cross-project info rendering
Prevent content block group names from being whitespace only
Fix displaying of content blocks with no block groups
Limit project name length when viewing a project
Removed bullet style in node modals
Validate parent node project
Integration enhancements:
Burp: Make `issue.severity` available at the Issue level
Nessus: Fixed bullet points formatting to handle internal text column widths
Nexpose: Wrap ciphers in code blocks
Netsparker: Fix link parsing of issue.external_references
Jira: Loading custom (required) fields from JIRA by IssueType and Project
REST/JSON API enhancements:
Fix disappearing owner when assigning authors to a Project using the API
Set the “by” attribute for item revisions when using the API
Another Hacker Summer Camp is in the books. As always, there was a lot to see and do – more than any single human could hope to fit into a month, much less a week. Even so, I made it to Black Hat Tools Arsenal, BSides Las Vegas, DEF CON, and volunteered for the Diana Initiative. After a year and a half of working on the Security Roots team, I met Daniel in person and we promptly started talking shop in the middle of a Mandalay Bay hallway. I took a few hours to celebrate a milestone with a fantastic dinner and show. All of that in six days and though it was exhausting, I can’t wait to return.
My introduction to the hacker community was at BSides Orlando a few years back. Initially, I admit that I was a bit intimidated to attend a hacker conference. Portrayed in the media as egotistical superbrains or criminals hiding beneath black hoodies ready to drain your bank account, hackers aren’t presented as a welcoming bunch. While those elements exist, what I found there and continue to experience was a group of people eager to share their knowledge and answer my constant questions. The energy and collaborative spirit of the community had me hooked. I was hungry to learn more and later that same year, I volunteered at BSides Las Vegas.
BSides Las Vegas
This year I returned to BSides Las Vegas as a volunteer with the Diana Initiative. Thanks to the generosity of BSides we had an early check-in table for Diana attendees. Much of my day I spent sharing details on the Diana Initiative, from how it began, to where to find tickets, to how to get involved. The overwhelmingly positive feedback was supportive of the need to increase diversity in information security. I didn’t have much chance to check out the talks, but there are a few on my list to watch.
Black Hat Tools Arsenal
Black Hat is the corporate side of the whole week and had a slightly different energy. I joined Daniel for the Dradis presentation at the Tools Arsenal. In my mind, I would show up in my Dradis shirt, hand out a few stickers, and take pictures of Daniel showcasing Dradis CE. Once there, I embraced the opportunity to chat with customers and talk with people about Dradis. I found myself repeating, “If it has been a while, give Dradis CE another look – so much has changed.”
DEF CON 27
It can be challenging to make connections at a conference this size. Unlike other large events I’ve attended, smaller distinct groups within the con space allow you to focus your attention and find like-minded folks. No matter your interest, there is a group. There are villages, workshops, talks, meetups, parties, and one of my favorite spaces – hallcon. Finding someone to talk to is pretty easy since #badgelife has most attendees wearing roughly a pound of gear on a lanyard around Las Vegas. This year’s DEF CON badge game worked particularly well to strike up hallway conversations while asking to “boop” someone’s badge.
Our staff pirate Christoffer’s post piqued my interest in maritime security, so I made it a point to stop by the inaugural Hack the Sea village. There was a good bit of discussion about the security of our seas even in casual conversation outside of the village, ranging from ICS to the antiquated technologies observed or used onboard. I visited the IoT village long enough to swear off of my existing IoT devices (but not really). While I was there, I cheered on friends that were competing in the IoT CTF.
The evenings held additional opportunities to connect with other attendees, just as varied as the talk and villages. Who doesn’t love a blanket fort? Blanketfortcon has you covered (see what I did there?) with an adult size blanket fort and bounce pad. Hacker Jeopardy is always hilarious, but I laughed the hardest during “Whose Slide Is It Anyways” watching contestants present using a slide deck they had never seen. Parties ranged from bass-thumping events going long into the early morning to more subdued gatherings with board games and great conversation.
Diana Initiative
If I am up at 6 am in Las Vegas, it is for one of two reasons: I am still up from the night before or I am volunteering somewhere. These days it is 100% the latter option, and I was excited to join the Diana Initiative staff to run registration. It turns out I particularly enjoy running registration and check-in, which I can only attribute to having a generally sunny disposition and a love of spreadsheets. After months of hard work with the rest of the team, it was a gift to greet attendees, speakers, and sponsors and to witness their excitement for the days ahead.
Diana Initiative has grown from its initial years held in hotel suites and, for the first time, used organized convention space at the Westin. This year Diana Initiative had 65 speakers across three tracks that covered both technical and non-technical skills, several villages, and a CTF. It was a nice break from the noise and crowds of DEF CON and fostered a welcoming environment for attendees, many at Hacker Summer Camp for the first time. The quieter gathering, smaller size, and inclusivity made for an inviting atmosphere for new faces and established security professionals alike.
Do the thing.
Attending camp this year felt different than my last visit. There are noticeably more women in attendance, to the credit of organizations like WoSEC, WISP, Women’s Society of Cyberjutsu, and Diana Initiative. There was plenty of evidence of the work that organizers and volunteers have put in to create an inclusive and safe week, including the DEF CON support hotline and improved Code of Conduct. It was incredibly inspiring to connect with the many people that are elevating diversity and bringing change in this fantastic community.
Throughout the week, everyone I spoke with remarked that there is room for everyone in information security, citing struggles to find qualified candidates and too-large workloads. Increasing the number of women not only brings more workers to the industry, but each person brings a unique lens to approach privacy and security challenges. No matter who you are or what your background, consider this your invitation. Show up, do the work, learn the things, and take your place. And then, share what you know. See you next year!
Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.
Node Methodology
Add a methodology to a node containing the details appropriate for that node type. Create and apply methodology templates to ensure everyone on the team knows the next steps for that node. Project methodologies are still available; these new methodologies bring the same consistency to nodes.
Merging Nodes
If you have ended up with duplicate nodes in your project, you can now merge them and preserve any findings related to that node. The new node merge action moves all associated Notes, Evidence, Attachments, and Activities from the source node into the target node.
Highlight Inside Code Blocks
Call attention to the most important details within a code block. Wrap the section with $${{ }}$$ to highlight it in yellow. The highlights transfer to your final report using styling updated in your report template.
Collapsible Sidebars
If your project has a long list of issues or attachments, it can be unwieldy to quickly access the import fields at the bottom to add more. The sidebars are now collapsible using the chevron at the top of the list and are expanded by default. Issues, Report content, and Nodes received this UI update to help you move through a cleaner interface.
Release Notes
Allow nodes to have an associated methodology
Highlight code snippets.
Better new board form empty name handling
Fix migration paths during database setup
Collapsible sidebar in issues
Collapsible sidebar in report content
Better placeholder syntax in Issuelib
Contributor dashboard redesign
Fix screenshot validator when Textile screenshot links have captions
Add Node merging feature
REST/JSON API:
New coverage: Tester users
Word reports:
Add CodeHighlight style support
Add-on enhancements:
Nexpose: Add risk-score attribute to nodes
Nmap: Add port.service.tunnel field to the port template
Remediation tracker: tickets can be assigned to testers and contributors, and contributors can see their tickets too.
Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you deliver the results of security assessments, in a fraction of the time without the time-wasting frustration of creating manual reports.
What’s new in Dradis Pro v3.3
Auto-Save
There are few things more frustrating than losing work in progress when your connection drops, browser crashes, or you close the wrong tab. Dradis now automatically saves your changes every few seconds to help avoid this problem. When you return to work, and auto-saved data is available, restore your work from the browser’s cached version.
Configuration Kits
Get started with Dradis Pro with a click of a button using kits. Use a Dradis kit to set up an instance tailored to your needs just by uploading a single file. A single kit zip file can quickly import and configure a project, report, issue, and evidence templates and properties, Rules Engine rules, methodologies, and sample projects. Admins can still tweak and configure Dradis manually; kits offer a simple way to jumpstart setup.
Azure DevOps / VSTS
Send any issue from a Dradis project to Azure DevOps (formerly Visual Studio Team Services / Team Foundation Server) to create a Work Item. Once sent, the Issue in Dradis displays the state of the Work Item so you can keep track of remediation activities without leaving Dradis.
Dradis Professional Edition is a collaboration and reporting tool for information security teams that will help you deliver the results of security assessments, in a fraction of the time without the time-wasting frustration of creating manual reports.
What’s new in Dradis Pro v3.2
Here is Rachael with a quick video summary of what’s new in this release:
Integrated CVSSv3 Calculator
Quickly generate a CVSSv3 Risk score for an individual issue directly in Dradis. The CVSSv3 score calculator is now included as a tab on each issue for handy access. Edit the values on the calculator to populate the issue’s CVSSv3 details, including a valid vector string, with no need to copy and paste!
IssueLibrary ships with Dradis Pro⛵
Ever wish that the IssueLibrary wasn’t a separate installation and upgrade process from Dradis Pro? Wish no more! IssueLibrary is now bundled with Dradis Pro.
If you haven’t been using IssueLibrary, now is your pain-free opportunity to give it a spin. Cultivate a collection of your finest vulnerability descriptions to reuse across your Dradis Pro projects.
Already have vulnerability descriptions in another format outside of Dradis? Reach out to our support team and they can set you up to easily migrate them into IssueLibrary.
Upgrading from an earlier version of the IssueLibrary? You must first remove IssueLibrary before applying the DUP by deleting the IssueLibrary line from /opt/dradispro/dradispro/current/Gemfile.plugins.
IssueLibrary API endpoints
The IssueLibrary is the newest API endpoint to be added to Dradis Pro. Use this new endpoint to create, update, retrieve and delete IssueLibrary entries. Check out the IssueLibrary API guide for examples to get started.
For this release, we’ve squashed some pesky bugs and updated the system and its add-ons with new features that will make your team’s life easier.
The highlights of Dradis Pro v3.1
Added comments, subscriptions and notifications to notes
Added comments, subscriptions and notifications to evidence
Added comments, subscriptions and notifications to methodology cards
Pre-flight tool upload validator
Fix default tags creation bug
Allow numeric fields to be 0 when validating
Fix BI engine load error (hook into model load and not ActiveRecord load)
Fix overflow bug when editing report templates (issue sorting tab)
Updated how add-ons hook into the main menu
Fix error pages
Renamed clients to teams in the backend
Fix blockcode characters displaying incorrectly
Fix red dot still being displayed on the first visit to the page that caused the single unread notification
Fix wrong ‘There are no comments’ message
Escape HTML in comments
Track activities when multiple-creating evidence
Fix BI custom project properties
Better engine manifest hooks
Keep lists and cards order when exporting as XML
When errors found validating evidence, report with evidence id
Add-on enhancements:
Note and evidence comments in export/import in dradis-projects
Fix usage of set_property to use set_service in Nexpose plugin
Netsparker: Update cleanup_html to format content + add new fields
A quick video summary of what’s new in this release:
Comments for methodology cards, evidence, and notes
Comments, notifications, and subscriptions introduced in Dradis v3.0 have been extended to include methodology cards, notes, and evidence in projects. You can leave a comment tagging another user, subscribe to be notified of comments and receive notifications for cards, notes, evidence, and issues. All comments are included during project import/export with dradis-project.
Checking for empty fields
Dradis will check for empty fields when saving a field required by your template and when validating your project before exporting a report. Catching and correcting these empty fields before generating your report will help prevent the dreaded ambiguous cell mapping Word error.
Pre-flight tool upload validator
While uploading output from a tool into a project, Dradis will check your Plugin Manager configuration against your report template configuration. If your template is configured to require a “Recommendations” field but no #[recommendation]# field is defined in the Plugin Manager for this output file type, Dradis will throw a warning.