Category Archives: Dradis_Pro

Posts about features, announcements and updates of Dradis Professional Edition.

Follow the OSSTMM v3 methodology with Dradis

You can now follow the OSSTMM v3 (Open Source Security Testing Methodology Manual) in your projects. Today we’ve added a new bundle to our Extras section. Extras is where we post report templates, methodologies and checklists for our community to grab and use.

Not familiar with the OSSTMM yet? From their website:

The OSSTMM is about operational security. It is about knowing and measuring how well security works. This methodology will tell you if what you have does what you want it to do and not just what you were told it does.

What you get from utilizing OSSTMM is a deep understanding of the interconnectedness of things. The people, processes, systems, and software all have some type of relationship.

Included in the OSSTMM bundle

The bundle contains methodologies for all the areas covered by OSSTM:

  • Defining a security test
  • Data networks security testing
  • Human security testing
  • Physical security testing
  • Telecommunications security testing
  • Wireless security testing

Included in the bundle is also a project template with the basic project structure you can use to follow the OSSTMM guidance.

Get the OSSTMM v3 methodology bundle and follow the OSSTMM v3 from today.

New in Dradis Pro v1.7

Today we have pushed a new version of Dradis Professional Edition: Dradis Pro v1.7. This is the result of eight months of hard work, a bit longer than usual, but the release is packed with lots of handy improvements.

Here are some changes:

  • New Issue/Evidence architecture: read about why this is a big deal.
  • New all-in-one view (more below).
  • New “by host” and “by issue” reporting (more below).
  • New default project / report template: to make it easy for you to build on top of it.
  • New interface to import Issues from external sources.
  • New Qualys upload plugin.
  • Updated plugins
    • Burp upload
      • Generates Issue/Evidence
      • Is orders of magnitude faster.
      • Integrates with the Plugin Manager.
    • MediaWiki import is now compatible with versions 1.14 -> 1.21
    • Nessus upload generates Issue/Evidence
    • Nexpose upload generates Issue/Evidence
  • Updates and internal improvements:
    • Updated to Rails 3.2.13
    • Improved code block and table styling

All-in-one view

Notes, issues and attachments all in a single place:

A screenshot showing note contents, issues and attachments in one page

And an improved interface to import form external sources:

Screenshot f the new one-click importer

And of course, you also get Dradis’ Smart Refresh goodness:

More screenshots

“By host” and “By issue” reporting

We have discussed multiple times how providing a useful deliverable is part of what makes a pentest firm great. With this release of Dradis Pro we’re introducing even more flexibility to our reporting engine.

byhost-20

It is now possible to write an issue description once and associate it will multiple hosts. Then in your report you can either present each issue along with all the affected hosts (and associated evidence) or the other way round: a host-by-host summary where you least each host under scope along with all the issues that affect it.

byhost-09_small

This flexibility is what saves our users 2 hours of reporting time in every project.

Still not a Dradis Pro user?

These are some of the benefits you are missing out:

Read more about Dradis Pro’s time-saving features.

Upcoming in Dradis Pro v1.7: Issues and Evidence

A new release of Dradis Pro is in the making: Dradis Pro v1.7. We continue to evolve our solution based of the feedback we receive from our users.

Starting in Dradis Pro v1.7 we have introduced two new concepts:

  • Issues: these are findings or vulnerabilities. An example would be: “Cross-site scripting“.
  • Evidence: this is where you provide the concrete information / proof-of-concept data for a given instance of the Issue.

For example:

  • The ‘Hackme bank’ application is vulnerable to Cross-site scripting (Issue). There are 7 instances of this issue and here is the information about them (Evidence).
  • The HTTP service in tcp/443 of the 10.0.0.1 host is affected by the Out-of-date Apache Tomcat issue and so is the tcp/8080 service in 10.0.0.2

As you can see, the main benefit of this approach is that you get to describe the Issue once and reuse that description.

To continue with our example, we’d have to create the following project structure:

Here we would add the Out-of-date Apache Tomcat Issue to the all issues node of the project, and then the Evidence for each host will be added in the corresponding node.

By segregating core vulnerability information from the evidence associated with each instance of the issue, we can start doing some powerful things.

Reporting by host, reporting by issue

On the one hand, some penetration testing firms like to structure their reports by finding. They go through the list of issues identified, providing description, mitigation advice, references, etc. and including all the hosts affected by the issue in each instance.

byhost-20

On the other hand, some prefer to structure their report by host. They list all the hosts in-scope for the engagement and describe each issue that affects them.

Of course there are others that provide these two options in the same report. A section where all the issues are described in detail followed by a host summary where you can quickly see a list of issues affecting a given host.

In order to provide this level of flexibility there needs to be a segregation between the issue details and the instance information.

With the introduction of Issues/Evidence in v1.7, we have just opened the door to all this flexibility.

More information

If you are an existing Dradis Pro user, you can already take advantage of all this features without having to wait until the release of v1.7. We have also prepared a step-by-step reporting guide for you:

Reporting by host, reporting by issue

If you are not a user yet, you can read more about cutting your reporting time, putting external tools to work for you (and not against you) and delivering consistent results with our tool. Get a license and start saving yourself some time today.

BSides London 2013 aftermath

BSides London took place last Wednesday the 24th on the Kensington and Chelsea Town Hall near High Street Kensington tube station in London.

I was really looking forward to this year’s edition as for the first time ever Dradis Pro was a sponsor in a security event. There are a lot of lessons learned on that front alone, but I’ll save them for another post.

It was a really long day. I only finished the slides for the Creating Custom Dradis Framework Plugins workshop around midnight the night before and I got to the venue by 8am to give the organisers a hand with the preparations. On the bright side, we had a really good turnout on the workshop:

BSides_London_2013_276

Creating Custom Dradis Framework plugins in action (more pics)

I think that the final head count was around 500 people both from around the country and from abroad. The downside is that we had to prepare around 500 tote bags with sponsor swag, the upside is that some sponsors provided some really nice goodies 😉

BSides swag by ScotSTS, 7Elements and Dradis Pro

The truth is that running an event such as BSides is a ton of work, and the team do it for free. And it doesn’t cost a penny to attend and you get a really nice free t-shirt:

BSides London t-shirt

I don’t think people thank the organisers enough. Thanks guys! To both the visible faces of the organisation but also to the rest of the conference goons that make all the little moving parts of the event tick.

As usual in this type of event, it’s easy to let yourself be distracted by the social side of things. I managed to finally catch up with a lot of Dradis Community contributors and Dradis Pro users. And hopefully meet a few future ones 😉 I finally put a face to some of the #dc4420 peeps and manage to catch up with some people that I no longer get to see that often.

It always baffles me that after working for a company for the last 5 years you get to meet some of your colleagues in a random security event instead of in the office or in an official company event. I guess that’s the nature of the industry we are on though. It was also good to catch up with ex-colleagues from previous lives.

Even though the scheduling gods decided I had to miss Marion & Rory’s workshop in the morning, I managed to get myself a WiFi Pineapple after Robin’s, just in time to rush to the main hall to catch the closing ceremony.

WiFi Pineapple kit

And before you realise it, the day was over and you are having a pint too many at the official BSides after-party…

Dradis Pro report templates and testing methodologies for download

Ever wanted to create your own Dradis Pro report templates but didn’t know where to start? Wait no more! A few days ago we introduced the Extras page. From there you can download report templates and testing methodologies. The idea is to showcase all the possibilities supported by our reporting engine and lay the ground work so our users can build on top of these templates.

The latest addition has been the OWASP Top 10 – 2013rc checklist. This covers the recently released OWASP Top 10 – 2013 release and contains 60 checks that you can use to test for all the issues in the new Top 10:

  • A1-Injection
  • A2–Broken Authentication and Session Management
  • A3–Cross-Site Scripting (XSS)
  • A4–Insecure Direct Object References
  • A5–Security Misconfiguration
  • A6–Sensitive Data Exposure
  • A7–Missing Function Level Access Control
  • A8-Cross-Site Request Forgery (CSRF)
  • A9-Using Components with Known Vulnerabilities
  • A10–Unvalidated Redirects and Forwards

Below is a list with a few examples of the Dradis Pro report templates (both Word and HTML) that you can find there:

Advanced Word example

Mix everything together: use Dradis notes for your conclusions, sort your findings by severity, filter, group, make use of document properties, etc.

Dradis Pro Advanced report template: a screenshot showing the advanced word report

A simple report to get you started

Never created a custom Dradis Pro report template before? No problem, start with this basic template to learn about the inner workings of the engine and in no time you’ll have your custom own report template up and running.

Dradis Pro Basic report template: a screenshot showing a detail of a table in the simple report template

A fancy HTML report

Dradis Pro supports a number of report formats including Word 2010 and HTML. In this case we show you how to create a fairly complex HTML report with the list of issues order by severity, a bit of JavaScript to auto-colour and auto-link external references and some awesome charts to nicely show the risk profile of the environment.

Dradis Pro HTML report template: a screenshot of the HTML report template showing a chart for all the issues

With the help of these samples, creating your own report template has never been easier. Are you ready to give Dradis Pro a try?

New in Dradis Pro v1.6

Today we have pushed a new version of Dradis Professional Edition. This is the result of two months of hard work. It is a shorter release cycle than usual, but there are some good reasons for it. We think it will make our user’s day-to-day work significantly more efficient.

Here are some changes:

  • Improved Word 2010 reporting (more below):
    • The styles you apply in Dradis are kept when generating the report.
    • Easy note filtering and grouping in the report (e.g. list of High-impact findings).
  • New testing methodology support (more below).
  • New Client Manager to group your projects.
  • Fresh look & feel (screenshots).
  • Lots of minor updates:
    • With the new Quick Filter locating clients, projects and users is a breeze!
    • Updated VulnDB HQ plugin to support v2 of the API.
    • Updated to Rails 3.2.8

 

Improved Word 2010 reporting

Creating complex pentest report templates has never been easier. You just need your copy of Word and a few minutes. Of course we have extensive documentation in our support site, but here are the highlights:

Note styles

Add notes in our WYSIWYG editor and the styles will be kept in the report:

Note filters

Word is the only tool you need to create powerful templates

Get the report without breaking a sweat:

 

Testing methodologies

This is a game changer. Tracking progress during an engagement is always a daunting task. No matter how experienced you are, if you don’t play close attention, you might be missing something.

Enter our testing methodology support:

You can define as many methodologies as you need (e.g. webapp, wireless, code review, etc.) and you can add them to your projects. For instance, a typical webapp assessment will have a web testing methodology and maybe a web server checks methodology.

Keep track of progress and split tasks amongst team members. Using a standardized testing methodology is the best way to obtain consistent results.

Still not a Dradis Pro user?

These are some of the benefits you are missing out:

  • Less time writing reports
  • Provide a consistent experience to your clients. Every time.
  • Pro is reliable, up-to-date and with comes with quality support

Read more in Why to give Dradis Professional Edition a try?

Create a report in minutes with Dradis Pro and VulnDB HQ

How long did it take you to create your last pentest report? Days? Hours? Sounds like too much effort for something that should be 80% automated!

Lets see how you can use Dradis Pro and VulnDB HQ to create a pentest report in minutes.

Tracking progress with Dradis Pro

Everybody tracks progress and makes notes while conducting an assessment. However, using Dradis Pro has a few advantages over other methods (e.g notepad).

First you can use testing methodologies to define the steps you need to cover and track your progress:

Of course this is useful both when you’re working alone and when you’re part of team to ensure there is no overlapping.

If everyone is adding their findings to Dradis Pro’s shared repository, generating the report is one click away (keep reading!).

Adding a few findings from your VulnDB account

Say that today is your lucky day, LDAP injection on the login form! You don’t think this is in your private VulnDB HQ repository but search anyway:

Well, it was not in your private repository, but there is an LDAP injection entry in VulnDB HQ’s Public repository that you can use as a baseline. You import it.

You continue with you hack-fu, find a bunch of issues: cross-site scripting, some SQL injection, Axis2 testing servlet, header injection and a few SSL issues. For each of these, you spend 30 seconds searching VulnDB HQ, importing the issue to your project and tweaking the particulars.

Assign everything to the AdvancedWordExport ready category, and you’re done. Fairly painless, no?

And if Dradis is not your cup of tea (?!) you could always connect your VulnDB HQ account to your own tools using our RESTful API (or the convenient vulndbhq Ruby gem).

Report template

Now, the report. We want a high-quality Word 2010 document that we can easily edit and adapt as time passes.

I won’t get into the nitty-gritty details of template building here (there is a Creating Word reports with DradisReports guide in our support site with step-by-step instructions).

We will use a fairly simple approach, I’ve created a template based of one of Word’s default styles (Home > Styles > Change Style > Formal). Just add the headings you need and a few Content Controls. Here is what ours look like:

It starts with a table with some information about the project (name, client, dates, team, etc.).

Then the Exec Summary with a Conclusions section (sorry, you’ll have to adjust this with your own conclusions!) and a Summary of Findings list which will contain just the Title of each finding.

Then a Technical Details section that contains issue descriptions for each of the vulnerabilities we’ve identified during the report.

Note that you only have to create the template the first time, and then reuse it for every project. The template you see above took me about 10 minutes to create.

One last thing: the properties

Yes, we could add the project specifics like the client name and dates and everything else by hand. However, chances are that your report template is a bit more complex than the one in this example and that you’ll have your client’s name in multiple places and that some of the other information will also be repeated.

Thankfully we can define document properties from within Dradis Pro (see the DradisReports: using custom document properties guide for more information):

There you go. Now we can re-export and voila, the report is complete:

  • Total reporting time: 1 click.
  • Overhead during the test for importing issues from your VulnDB HQ account: ~30 seconds each?

We rest our case.

Would you like to know more?

We recommend you start with:

New in Dradis Pro v1.5

Today we have pushed a new version of Dradis Professional Edition. This is the result of four months of hard work.

Changes include:

  • Upgraded look & feel (screenshots).
  • Improved Word 2012 reporting:
    • Custom screenshots.
    • Custom document properties.
    • Fully integrated with support for note re-ordering.
  • Drag’n’drop file uploads with pre-upload preview.
  • New Plugin Manager (more below).
  • New Note Templates (more below).
  • New Format Cheat Sheet (more below).
  • Lots of minor updates:
    • Updated NeXpose plugin.
    • Improved Forgotten password.
    • Improved markup editor with full-screen support.
    • Updated to Rails 3.2.6

Plugin Manager

The Plugin Manager puts all the Dradis Plugins plugins to work for your organization.

You can now customize how the different plugins create their notes. This means that all plugins can generate notes in exactly the format you need for your report template.

This is how the main interface looks like:

And the note template editor with live preview:

That’s right, you can map from the plugin’s native fields into the fields you need for your report. That’s going to save you an incredible amount of time!

Note Templates

Tired of typing the same fields in your new notes again and again? With this release we introduce note templates:

Create templates that include the fields that you will need for your reports, or different templates for different clients. Then whenever you are adding a new note you will be able to choose whether you want an empty note or to use one of the templates:

Format Cheat Sheet

Not familiar with Textile markup? No problem! Now the note editor features a mini cheat sheet with some of the styles you are most likely to need to create rich notes:

Still not a Dradis Pro user?

These are some of the benefits you are missing out:

  • Less time writing reports
  • Provide a consistent experience to your customers
  • Pro is reliable, up-to-date and with comes with quality support

Read more in Why to give Dradis Professional Edition a try?

Dradis 2.9 released!

New plugins

Updated plugins

  • Nessus upload plugin is orders of magnitude faster.
  • Nikto upload plugin is orders of magnitude faster.
  • Nmap upload plugin is orders of magnitude faster.
  • VulnDB import plugin (to support VulnDB HQ integration)

Internals

  • Updated First Time User’s Wizard.
  • Updated to Rails 3.2

download now

New in Dradis Pro v1.2

A new version of Dradis Pro is available to download. Apart from performance tweaks and bug fixes the major improvements in this release are smart refresh and project templates.

Project templates

Project methodologies can be used to provide a template for new projects.

It is likely that project of a given class (e.g. webapp assessment) will have a similar structure (e.g. scope, authentication, access control, etc.).

You can use a project methodology to create a template that contains the standard nodes and notes required for a specific project class.

You can also use the methodology to ensure that certain checks are always performed (e.g. verify logout implementation) ensuring that all your projects are consistent.

Smart refresh

Get instant updates with the information your team mates are adding to your Dradis project:

Dradis 2.8 smart Ajax refresh por etdsoft

[this feature will also be available in the upcoming community Dradis 2.8]

Want to give it a try?

If you would like to give Dradis Pro a try, please contact us or ping us on Twitter: @securityroots.

Find out more:
http://securityroots.com/dradispro/