Category Archives: VulnDB_HQ

Posts about features, announcements and updates of the VulnDB HQ service.

VulnDB API update + new VulnDB Help site

We have improved VulnDB API and have a new (and better) Help site. Read on to find out more about these changes.

VulnDB HQ is a tool to manage your vulnerability descriptions so you can reuse them across reports. It also lets you create and share testing methodologies so every project is delivered to the same high quality standard.

The VulnDB logo

We have recently migrated the VulnDB Help site to a new location at:

http://vulndbhq.com/help/

Apart from the new look & feel (which we hope you like) we’ve made a few significant improvements in the API itself:

Strict SSL requirement

The API was accessible over plain-text HTTP due to a misconfiguration; we have now disabled plain HTTP completely, so every API request must use HTTPS.

Token-based authentication

Say your goodbyes to HTTP Basic authentication and welcome the new token-based authentication overlords.

Visit your Profile page to get your own API token, which is used to authenticate API requests by means of a custom HTTP header.

A screenshot of the section of the Profile page showing the token

Lost your token or you suspect it was compromised? Want to deny access to your account to all 3rd party applications? Regenerate your token and you are good to go.

Better examples

We’ve improved the examples for each of the API methods with a proof-of-concept `curl` request along with the sample of any data that has to be submitted to the request. We also show response codes and content returned by the server so you know what to expect.

tl;dr

Find answers to your VulnDB API questions at http://vulndbhq.com/help/

Note that we have not bumped the version number to introduce these changes. This is because the main interfaces, media formats, end points and data types have not changed.

VulnDB HQ: a few small productivity boosters

We have a new Dashboard for VulnDB HQ:

It presents your private repo’s changes before anything else, and we’ve also mixed Page and Methodology entries so you get a proper view of recent changes.

Oh, and did you notice the handy links on the sidebar box? We’ve added some additional boxes here and there with links and contextual help:

Last but not least, something those of you with a few hundred entries will find really useful. We’ve added a super fast quick search box to the Pages module. No Ajax, no server round-trip, no nothing, it just hides everything you’re not interested in:

So that’s it for now.

Even when we are not adding brand new features we are still figuring out what bits and pieces we could improve that will make the experience a lot better. Stay tuned for updates!

And be sure to let us know your thoughts on what other improvements you’d like us to add.

The @VulndbHQ Team

Create a report in minutes with Dradis Pro and VulnDB HQ

How long did it take you to create your last pentest report? Days? Hours? Sounds like too much effort for something that should be 80% automated!

Let’s see how you can use Dradis Pro and VulnDB HQ to create a pentest report in minutes.

Tracking progress with Dradis Pro

Everybody tracks progress and makes notes while conducting an assessment. However, using Dradis Pro has a few advantages over other methods (e.g. Notepad).

First you can use testing methodologies to define the steps you need to cover and track your progress:

Of course this is useful both when you’re working alone and when you’re part of a team, to ensure there is no overlap.

If everyone is adding their findings to Dradis Pro’s shared repository, generating the report is one click away (keep reading!).

Adding a few findings from your VulnDB account

Say that today is your lucky day, LDAP injection on the login form! You don’t think this is in your private VulnDB HQ repository but search anyway:

Well, it was not in your private repository, but there is an LDAP injection entry in VulnDB HQ’s Public repository that you can use as a baseline. You import it.

You continue with your hack-fu and find a bunch of issues: cross-site scripting, some SQL injection, the Axis2 testing servlet, header injection and a few SSL issues. For each of these, you spend 30 seconds searching VulnDB HQ, importing the issue into your project and tweaking the particulars.

Assign everything to the AdvancedWordExport ready category, and you’re done. Fairly painless, no?

And if Dradis is not your cup of tea (?!) you could always connect your VulnDB HQ account to your own tools using our RESTful API (or the convenient vulndbhq Ruby gem).

Report template

Now, the report. We want a high-quality Word 2010 document that we can easily edit and adapt as time passes.

I won’t get into the nitty-gritty details of template building here (there is a Creating Word reports with DradisReports guide in our support site with step-by-step instructions).

We will use a fairly simple approach: I’ve created a template based on one of Word’s default styles (Home > Styles > Change Style > Formal). Just add the headings you need and a few Content Controls. Here is what ours looks like:

It starts with a table with some information about the project (name, client, dates, team, etc.).

Then the Exec Summary with a Conclusions section (sorry, you’ll have to adjust this with your own conclusions!) and a Summary of Findings list which will contain just the Title of each finding.

Then a Technical Details section that contains issue descriptions for each of the vulnerabilities we’ve identified during the assessment.

Note that you only have to create the template the first time, and then reuse it for every project. The template you see above took me about 10 minutes to create.

One last thing: the properties

Yes, we could add the project specifics like the client name and dates and everything else by hand. However, chances are that your report template is a bit more complex than the one in this example and that you’ll have your client’s name in multiple places and that some of the other information will also be repeated.

Thankfully we can define document properties from within Dradis Pro (see the DradisReports: using custom document properties guide for more information):

There you go. Now we can re-export and voila, the report is complete:

  • Total reporting time: 1 click.
  • Overhead during the test for importing issues from your VulnDB HQ account: ~30 seconds each?

We rest our case.

Would you like to know more?

We recommend you start with:

VulnDB HQ – Manage what you know

We have reached an important milestone in the development of VulnDB HQ: it is now possible to manage testing methodologies through the service.

Will this make people’s lives meaningfully better? We hope so! This is why we think it is a great idea:

  • These will be organic documents, easy to use and easy to update. Forget storing a Word document in a network share to never again update it.
  • Did someone in the team find a cool resource or tool? Add it so everyone uses it from now on.
  • Some testing projects are not that common (IBM MQ review anyone?), if you save your notes today, they will be available for you next time round when you need them.
  • Do you need to quickly bring up to speed someone in a new technology for a last-minute requirement? With a testing methodology to follow that’s a lot easier.

Oh, and of course, we will build up a public repository of testing methodologies and will share it with our users.

Without further ado, here are some screenshots of the methodology builder:

Excited yet? Visit us at http://vulndbhq.com/, learn more about why you should use VulnDB HQ or take a Tour of the service.

VulnDB HQ API v2

A few days ago we released v2 of the API for VulnDB HQ, our platform to manage vulnerability databases.

A lot of work has happened in the background to pave the way to a more stable and comprehensive API. From the consumer perspective we now have a dedicated endpoint for API access (i.e. /api/) and can specify API versions via the Accept HTTP header. You can read all about it in the VulnDB HQ API v2 guide in our support site.
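The two API changes described on this page that matter most to a client, the strict HTTPS requirement with the token header from the API update post above, and the dedicated /api/ endpoint with version selection via the Accept header described here, can be wrapped in a few lines of Ruby. The following is an added example, not code from the vulndbhq gem or the service; the header name `X-VulnDB-Token` and the media type `application/vnd.vulndbhq.v2+json` are assumptions, since the posts do not name them.

```ruby
require "net/http"
require "openssl"
require "uri"

# Hypothetical names: the post only says the token travels in a "custom
# HTTP header" and that the version is selected via Accept.
TOKEN_HEADER = "X-VulnDB-Token"                         # assumed
VERSIONED_ACCEPT = "application/vnd.vulndbhq.v%d+json"  # assumed

# Refuse any base URL that is not https: the service no longer answers
# plain HTTP, and a token sent over http would be readable in transit.
def require_https!(base_url)
  uri = URI.parse(base_url)
  unless uri.scheme == "https"
    raise ArgumentError, "API base URL must use https, got #{uri.scheme.inspect}"
  end
  uri
end

# Build a connection that verifies the server certificate. Net::HTTP does
# this by default once use_ssl is on; setting VERIFY_PEER explicitly keeps
# a copied snippet from silently disabling it later.
def build_connection(base_url)
  uri = require_https!(base_url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http
end

# Build a GET against the dedicated /api/ endpoint, carrying the account
# token and an Accept header that names the API version.
def build_request(path, token:, version: 2)
  raise ArgumentError, "token must not be empty" if token.nil? || token.strip.empty?
  req = Net::HTTP::Get.new("/api/#{path.sub(%r{\A/}, "")}")
  req[TOKEN_HEADER] = token
  req["Accept"] = format(VERSIONED_ACCEPT, version)
  req
end

# Stand-alone use: reads the token from the environment rather than from
# the command line, so it does not show up in the process list.
if __FILE__ == $PROGRAM_NAME && ENV["VULNDB_TOKEN"]
  http = build_connection("https://sg1.vulndbhq.com")  # constructed hostname
  res = http.request(build_request("pages", token: ENV["VULNDB_TOKEN"]))
  puts "#{res.code} #{res.body.to_s[0, 200]}"
end
```

Regenerating the token on the Profile page, as the update post suggests, invalidates every client built this way at once; expect a 401-class response and re-read the token rather than falling back to HTTP Basic.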

To make everyone’s life easier we’ve also open sourced a Ruby client-side library to make it easy for you to integrate VulnDB HQ with your own tools and systems. You can find it in our GitHub page:

https://github.com/securityroots/vulndbhq

We hope you find this useful!

VulnDB HQ: tracking entries in the Public library

It is now possible to fork one of the pages in the Public repository and create a private copy in your repo.

Apart from the last modified date, every Public entry now features a Fork this page link in its header:

Once you click on it, you are presented with an editor that gives you the chance to make a few changes before you save a copy in your private repo:

Entries in your repo that have been forked from an upstream Public page are clearly tagged:

And you get notified whenever the original page you branched from has been updated:

That’s it for now. We will be adding more advanced features to this process in the near future.

Copying your VulnDB entries across to your VulnDB HQ account

A few months ago we launched VulnDB HQ, our platform to build and manage a database of entries for your reports (take a tour if you want to know more).

Some of our users have asked us about the best way to port their legacy Vuln::DB entries into their VulnDB HQ account. First, you can use the API to build a custom script (check out VulnDB HQ API v1 in our support site).

Alternatively you can use our migration script (vulndb_bridge.rb):

As you can see, this is a fairly basic Ruby script that leverages Rails’ ActiveResource library to communicate with both applications.

For instance, if your legacy Vuln::DB instance is reachable under the local DNS name vulndb.local and your VulnDB HQ account is sg1.vulndbhq.com, you should invoke the script as follows:

./vulndb_bridge.rb http://vulndb.local https://user%40domain.com:password@sg1.vulndbhq.com

Remember that the ‘@’ symbol in your email needs to be URL-encoded! Read more about authentication in the API guide.
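The URL-encoding reminder above is easy to get wrong by hand, so here is an added Ruby helper (not part of vulndb_bridge.rb, whose source is not shown on this page) that builds the second argument for the script and parses it back the way an HTTP client would. It also shows what happens when the ‘@’ in the e-mail is left unencoded: the URL no longer parses as user:password@host. The e-mail, password and hostname values are constructed for the example.

```ruby
require "erb"
require "uri"

# Percent-encode a userinfo component. ERB::Util.url_encode escapes every
# byte outside [A-Za-z0-9_.~-], so '@' becomes %40 and a space becomes %20
# (never '+', which an HTTP client would not decode as a space).
def encode_userinfo(value)
  ERB::Util.url_encode(value)
end

# Reverse of encode_userinfo: decode %XX sequences only.
def decode_userinfo(value)
  value.gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
end

# Build the https://<email>:<password>@<host> argument expected by
# vulndb_bridge.rb, with both credential parts encoded.
def vulndbhq_site_url(email, password, host)
  "https://#{encode_userinfo(email)}:#{encode_userinfo(password)}@#{host}"
end

# Parse such a URL back into its parts. Returns nil if the URL does not
# parse or lacks a password, which is what an unencoded '@' produces.
def parse_site(url)
  uri = URI.parse(url)
  return nil unless uri.scheme == "https" && uri.user && uri.password && uri.host
  {
    email: decode_userinfo(uri.user),
    password: decode_userinfo(uri.password),
    host: uri.host
  }
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, matching the invocation shown in the post.
  good = vulndbhq_site_url("user@domain.com", "password", "sg1.vulndbhq.com")
  puts good                      # https://user%40domain.com:password@sg1.vulndbhq.com
  p parse_site(good)             # {:email=>"user@domain.com", ...}
  p parse_site("https://user@domain.com:password@sg1.vulndbhq.com")  # nil
end
```

Note that whichever way you build it, the password ends up on the command line of vulndb_bridge.rb, where other local users can read it from the process list; run the migration from a host you control and rotate the password afterwards if that matters in your environment.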

Hope you find this useful.

Keep an eye on us: @vulndbhq

New in Vuln::DB

Ever needed to access Vuln::DB but did not have network connectivity? Maybe you want to finish up a report on the plane back home but you cannot VPN to the office?

Enter the new Vuln::DB client: a cross-platform offline client that lets you take your entire Vuln::DB repository with you wherever you are.

Vuln::DB is our easy-to-manage vulnerability database solution that lets your team create consistent and up-to-date issues for your reports. It integrates out-of-the-box with Dradis Professional Edition to generate customized reports in no time. Find out more:

http://securityroots.com/vulndb/

New features in Vuln::DB

A new version of Vuln::DB (our vulnerability database product) was released this week with some exciting features to make our users’ day-to-day work a bit easier:

New write/preview editor
Our Textile editor now has a preview feature so you do not need to wait until you save before you can check out how your entry is going to be formatted:


Latest entries RSS feed
Your team can keep an eye on the latest entries added to the common vulnerability database through the new RSS feed:

Resizable text areas across the app
Notice the little blue icon on the bottom right corner of the text area below? That’s right, you can resize any text area in Vuln::DB. You never know when you’ll need more space.

Do you want to know more? Visit the Vuln::DB product page or contact us.