Creating Vulnerabilities

Overview

When creating a vulnerability in AttackForge, we assign it to an asset on the project scope. There are two (2) methods you can use to create a vulnerability:
    1.
    Add Vulnerability
    2.
    Import Vulnerability
Considering that adding vulnerabilities is part of the role for a pentester or assessor - only users with Edit access to the project can perform this function.

Adding Vulnerabilities

To add a vulnerability on a project, select Add Vulnerability from the project menu.

Step 1: Select Your Library

Select the relevant library.
    Main Vulnerabilities contains the majority of the vulnerability write-ups/templates.
    Imported Vulnerabilities contains write-ups/templates for vulnerabilities that have been imported from tools and scanners.
    Project Vulnerabilities is where you can define and create project-specific vulnerability write-ups/templates. This is useful if the vulnerability contains sensitive information or data you do not want shared with other users for other projects.

Step 2: Select Vulnerability From Library

Select the write-up/template from the chosen library. Hovering over an entry in the library will show you the details in the right-hand side. You can use keywords to search your library.
If you cannot find a vulnerability write-up/template you wish to use, you can create a new entry in the relevant libraries by clicking on Create button.

Step 3: Select Affected Assets

Select one or more assets (scope) which are affected by the vulnerability.

Step 4: Score Vulnerability

If you are using manual scoring (which you adjust from Edit Project option on project menu) you will have option to manually select the Likelihood of Exploitation and Priority.
If you are using the CVSS scoring, you will see in-app calculator which will automatically determine the CVSS score for you and adjust Likelihood of Exploitation and Priority accordingly, including adding CVSS scores + vector string as tags (see Step 5).

Step 5: Add Steps to Reproduce (Proof-of-Concept) & Supporting Notes

Include detailed steps to reproduce the issue. This is a rich-text field so you can include HTML payloads.
Also you can include additional asset-level notes which relate to the finding. This is an optional field. You can add as many notes as needed.

Step 6: Select Visibility & Modify Tags

By default, vulnerabilities are set to be immediately visible. This means any project team member can see the vulnerabilities right away. This is by design, to help information flow faster to the right people and to reduce Time-To-Remediate (TTR). However you can choose to set Visibility to No which will place the vulnerability in the Pending state. Only users with Edit permissions on the project will be able to see the vulnerability (for quality review, tech review, peer review).
By default, tags will be assigned based on the vulnerability template in the library. However you can add additional tags if required. Note if using CVSS scoring - additional tags related to scores are automatically created for you.

Step 7: Set Custom Fields

You can set custom fields by clicking Add ReportGen Custom Tag button.
This is useful if you are using sections within your custom reports, or exporting custom fields for vulnerabilities into your tools. You can enter any name and value for the custom fields.
In addition your Admins can pre-load custom tags for you via the Administration module.
Where possible, try linking test cases to the vulnerability. This will help developers / engineers better understand what you were testing when it lead to discovery of this issue, which in turn provides knowledge transfer to help them avoid making same mistakes in the future.
You can link multiple test cases.

Step 9: Upload Evidence

Upload any files and supporting evidence such as screenshots. If you want the screenshots to appear in-line in either the Steps to Reproduce or Notes sections when report is generated, you can click Add to Steps to Reproduce button or use shorthand syntax {{{YOUR_FILE_NAME}}}
The vulnerability (or vulnerabilities) will now be registered and assigned to the affected assets on the project. You can view them from the project dashboard. They will be automatically included in all on-demand reporting.

Importing Vulnerabilities

To import a vulnerability on a project, select Import Vulnerabilities from the project or quick actions menu.
Select a tool you wish to import from, for example Nessus, BURP, Qualys, etc.
After you select a tool, you will be prompted to select the output file from the tool in order to parse the data. See example below for Nessus.
Once the data has been parsed, you can then select the vulnerabilities you wish to import into your project.
You can click on the vulnerability to preview the data which will be imported.
You can update any of the vulnerability details in-line by clicking on the data.
Once you have made your selection, click Import Vulnerabilities button and the vulnerabilities will be imported to your project. A summary of the import will be displayed in the notification boxes.
Now go back to your project dashboard and observer the vulnerabilities have been imported.
If you need to import data via the API, select API from the selection of import tools. The API is detailed and includes sample cURL request to help get you started.
If a vulnerability template does not exist in the library, it will be automatically created for you. The next time you try to add the vulnerability, it will map to the existing template in the library.
Similarly if the affected asset does not exist on the project, it will be automatically created for you. The next time you try to add a vulnerability on the same affected asset, it will map to the existing asset on the project.
Last modified 27d ago