Custom Fields & Forms
AttackForge supports ability to create custom fields & forms. This can help to capture information which is relevant to your organization and customers.
Custom fields can be accessed in the application, in JSON exports and also via the Self-Service API.
You can create custom fields & forms for the following:
- Project Request
- Project Creation
- Vulnerability Write-ups
- Vulnerabilities
- Assets
- Portfolios
To set custom fields, you must be an Administrator. Start by clicking on Administration module, then click on any of the following sections:
- Portfolios
- Projects
- Assets
- Vulnerabilities
- Writeups
AttackForge supports the following custom field types:
- Input field
- Text Area
- Select
- Multi-Select
- Datepicker
- Table
Input fields display a single-line input box within the relevant forms.
When creating an input field, the following options are available:
- Key - This the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alpha-numeric and underscores only.
- Placeholder Value - This is the default value that will be displayed in the forms.
- Label - This is the label that will be displayed in the form for this field, as well as in the data tables.
- Info - This is a custom information message that will display to the user when they have selected the field or are entering information into the field.
- Required - This is used to determine whether the field is mandatory or optional in the forms.
- Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
- Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.
Text area fields display multi-line input box within the relevant forms. Text area can be resized by the user within the form if additional space is needed. This option is useful if user is required to enter paragraphs of text.
When creating a text area field, the following options are available:
- Key - This the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alpha-numeric and underscores only.
- Placeholder Value - This is the default value that will be displayed in the forms.
- Label - This is the label that will be displayed in the form for this field, as well as in the data tables.
- Info - This is a custom information message that will display to the user when they have selected the field or are entering information into the field.
- Required - This is used to determine whether the field is mandatory or optional in the forms.
- Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
- Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.
Select fields display a drop-down menu with a single item select within the relevant forms. User can only select one option.
When creating a select field, the following options are available:
- Key - This the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alpha-numeric and underscores only.
- Default Select Option - This is the default option that will be selected on the forms.
- Label - This is the label that will be displayed in the form for this field, as well as in the data tables.
- Info - This is a custom information message that will display to the user when they have selected the field or are entering information into the field.
- Required - This is used to determine whether the field is mandatory or optional in the forms.
- Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
- Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.
- Add Select Option - this button will create a new option for the menu. The menu must have at least one option.
- Option - The option is the text that will be displayed in the drop-down menu within the form.
- Value - The value is the data that will represent this option when it is selected by a user.
Multi-select fields displays a drop-down menu with a multi-item select within the relevant forms. User can select one or more options.
When creating a multi-select field, the following options are available:
- Key - This the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alpha-numeric and underscores only.
- Default Select Options - This is the default options that will be selected on the forms. You can specify multiple options by separating each option with a comma e.g. pcidss,hipaa
- Label - This is the label that will be displayed in the form for this field, as well as in the data tables.
- Info - This is a custom information message that will display to the user when they have selected the field or are entering information into the field.
- Required - This is used to determine whether the field is mandatory or optional in the forms.
- Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
- Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.
- Add Select Option - this button will create a new option for the menu. The menu must have at least one option.
- Option - The option is the text that will be displayed in the drop-down menu within the form.
- Value - The value is the data that will represent this option when it is selected by a user.
The datepicker fields display a calendar where the user can select a single date.
When creating a datepicker field, the following options are available:
- Key - This the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alpha-numeric and underscores only.
- Placeholder Date - This is the default date that will be displayed in the forms.
- Label - This is the label that will be displayed in the form for this field, as well as in the data tables.
- Info - This is a custom information message that will display to the user when they have selected the field or are entering information into the field.
- Required - This is used to determine whether the field is mandatory or optional in the forms.
- Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
- Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.
The table field displays ability to define columns, where the user can then create rows of data against these columns.
When creating a table field, the following options are available:
- Key - This the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alpha-numeric and underscores only.
- Label - This is the label that will be displayed in the form for this table.
- Info - This is a custom information message that will display to the user when they have selected the field or are entering information into the field.
- Required - This is used to determine whether the table is mandatory or optional in the forms.
- Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.
You can then add columns by clicking Add Column. Each column has the following options:
- Type - Input field, Text Area, Select, Multi-Select or Datepicker
- Key - This the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alpha-numeric and underscores only.
- Default Value / Selected Options - depending on the Type, this will allow you to specify default selected options/value for this field.
- Label - This is the label that will be displayed in the form for this table.
- Required - This is used to determine whether the table is mandatory or optional in the forms.
The form will present all of the columns (fields) for the user to enter, and ability to add rows.
Hide expressions or conditions are used to hide a field until some condition is met.
Using the example below, let's say we have two (2) custom fields for a project request:
- project_type - this field allows the person requesting the project to pick what type of project they are requesting, for example a web app pentest, vulnerability scan, code review, etc.
- application_url - this field is used to capture the URL for the application IF the person is requesting a web app pentest.
Let's say we want to hide the application_url field until the user has selected 'Web App Pentest' from the project_type select menu.
We would enter the following hide condition into the application_url field:
custom.project_type !== "web_app_pentest"
This hide condition states: Hide this field WHILE project_type is NOT EQUAL to web_app_pentest
As a result, the project request form will not show this field until the user has selected 'Web App Pentest' as the type of assessment they are requesting.
Hide conditions support additional logical expressions, such as:
custom.project_type !== "web_app_pentest" && custom.project_type !== "vuln_scan"
This hide condition states: Hide this field WHILE project_type is NOT EQUAL to web_app_pentest AND project_type is NOT EQUAL to vuln_scan
This is useful if we want this field to display on either a Web App Pentest or Vulnerability Scan.
custom.project_type == "web_app_pentest
This hide condition states: Hide this field WHILE project_type is EQUAL to web_app_pentest
custom.project_type !== "web_app_pentest" && custom.company_name !== undefined
This hide condition states: Hide this field WHILE project_type is NOT EQUAL to web_app_pentest AND company_name is not empty i.e. user has entered a value for company name field
Another example is showing a field "WEB APP Q1" only when a user selects "Web App" from another field. This example works for both Select & Multi-Select.
custom.test_type == undefined || custom.test_type.length < 1 || custom.test_type.length > 0 && custom.test_type.indexOf("web_app") < 0
You can refer to fields using the following syntax:
- core.<key> - refers to a system field with a well-known key (see sections below)
- custom.<key> - refers to a custom field with a user-defined key
- NOT or ! - used to negate an expression. For example !(core.<key> === "...")
- AND or && - used to and multiple expressions. For example core.<key> === "..." AND core.<key> === "..."
- OR or || - used to or multiple expressions. For example core.<key> === "..." OR core.<key> === "..."
- == - used to check for equivalency. For example core.<key> == "..."
- === - used to check for equality. For example core.<key> === "..."
- !== - used to check for not equivalency. For example core.<key> !== "..."
- > - used to check for greater-than comparison. For example core.<key> > 10
- < - used to check for less-than comparison. For example core.<key> < 10
- >= - used to check for greater-than-or-equals comparison. For example core.<key> >= 10
- <= - used to check for less-than-or-equals comparison. For example core.<key> <= 10
- ( ) - used to group statements together. For example ((core.<key> === "...") AND (core.<key> === "...")) OR ((core.<key> === "...") AND (core.<key> == "..."))
Refers to a string value.
Example: Project Request "name" System Field
This rule will hide the field until the project name on the project request has at least 1 character filled in.
core.name.length < 1
This rule will show the field until the project name on the project request has at least 1 character filled in.
core.name.length > 0
This rule will hide the field until the project name on the project request is exactly "Project Name".
core.name !== "Project Name"
This rule will show the field until the project name on the project request is exactly "Project Name".
core.name === "Project Name"
Refers to a string array / array of strings.
Example: Project Request "testing_to_be_performed" System Field
This rule will hide the field until the user has selected a particular service / test type.
core.testing_to_be_performed === undefined || core.testing_to_be_performed.length < 1 || core.testing_to_be_performed.length > 0 && core.testing_to_be_performed.indexOf("62e0d2b6e326df35c2a4bdf4") < 0
It works as follows:
- core.testing_to_be_performed === undefined || core.testing_to_be_performed.length < 1
- Hide the field if user has not selected any test types
- || core.testing_to_be_performed.length > 0 && core.testing_to_be_performed.indexOf("62e0d2b6e326df35c2a4bdf4") < 0
- Hide the field if user has selected a test type(s), but the test type(s) does not contain the ID of a particular test suite e.g. 62e0d2b6e326df35c2a4bdf4. Note you can get the ID of a test suite by checking the URL when visiting the test suite in the Test Suites module.
ISO date time
Refers to a datetime in ISO format e.g. YYYY-MM-DD-Thh:mm:ss.mmmZ
Example: Project "start_date" System Field
This rule will hide the field until the user has selected a date greater than 1st of January 2023.
core.start_date === undefined || core.start_date < "2023-01-01T00:00:00.000Z"
Refers to an integer i.e. 1, 2 or 10
Example: Vulnerability "exploitability" System Field
This rule will hide the field until the user has selected a Likelihood of Exploitation greater than or equal to 5.
core.exploitability === undefined || core.exploitability < 5
Refers to a boolean i.e. true or false
Example: Vulnerability "zero_day" System Field
This rule will hide the field until the user has selected Yes for Is Zero Day? field.
core.zero_day === undefined || core.zero_day === false
- name (string | undefined)
- code (string | undefined)
- org_code (string | undefined)
- start_date (ISO date time | undefined)
- end_date (ISO date time | undefined)
- timeframe (ISO date time | undefined, ISO date time | undefined)
- linked_groups (string[] | undefined)
- linked_portfolio_streams (string[portfolioId/streamId] | undefined)
- scope (string[] | string | undefined)
- test_suites (string | undefined)
- vuln_scoring_system ('CVSS v3.1 Baseline' | 'CVSS v3.1 Baseline + Temporal' | 'CVSS v3.1 Baseline + Temporal + Environmental' | undefined)
- vuln_code (string | undefined)
- sla_apply_method ('Automatic' | 'Manual' | undefined)
- name (string | undefined)
- code (string | undefined)
- linked_groups (string[] | undefined)
- onsite_testing_required ('Yes' | 'No' | undefined)
- reason_testing_is_required (string | undefined)
- desired_test_window ('Mon-Fri (Business Hours)' | 'Mon-Fri (Non-Business Hours)' | 'Weekends (Sat/Sun)' | undefined)
- testing_to_be_performed (string[] | string | undefined)
- scope (string[] | undefined)
- desired_start_date (string | undefined)
- desired_end_date (string | undefined)
- org_code (string | undefined)
- writeup_library (string | undefined)
- writeup (string | undefined)
- assets (string[])
- zero_day (true | false | undefined)
- visibility_to_project_team (true | false | undefined)
- priority ('Critical' | 'High' | 'Medium' | 'Low' | 'Info' | undefined)
- exploitability (number | undefined)
- steps_to_reproduce (string | undefined)
- notes (string[] | undefined)
- tags (string[] | undefined)
- associated_test_cases (string[] | undefined)
- library (string | undefined)
- import_source (string | undefined)
- import_source_id (string | undefined)
- projects
- template (string | undefined)
- title (string | undefined)
- description (string | undefined)
- attack_scenario (string | undefined)
- remediation_recommendation (string | undefined)
- severity (number | undefined)
- exploitability (number | undefined)
- impact_on_confidentiality ('High' | 'Medium' | 'Low' | 'None' | undefined)
- impact_on_integrity ('High' | 'Medium' | 'Low' | 'None' | undefined)
- impact_on_availability ('High' | 'Medium' | 'Low' | 'None' | undefined)
- tags (string[] | undefined)
- name (string | undefined)
- type (string | undefined)
- id (string | undefined)
- details (string | undefined)
- linked_groups (string[] | undefined)
- name (string | undefined)
- code (string | undefined)
- description (string | undefined)
- level1_owner (string | undefined)
- level2_owner (string | undefined)
- level3_owner (string | undefined)
- tags (string[] | undefined)
From the Administration module, click on Projects then click on Add Custom Field in Project Requests section.
Add the custom fields you would like displayed in the forms and tables. Set the options as required for each field, then click Update.
You can view the custom fields in the following forms, pages and tables:
- Request a New Project / Edit Project Request forms
- Viewing a Project Request page
- Approve Project Request with Updates form
- Pending Requests table in Projects Module
- Actioned Requests table in Projects Module
From the Administration module, click on Projects then click on Add Custom Field in Projects section.
Add the custom fields you would like displayed in the forms and tables. Set the options as required for each field, then click Update.
You can view the custom fields in the following forms, pages and tables:
- Create New Project / Edit Project forms
- Approve Project Request form
- Project Dashboard
- Projects and Archived Projects tables in Projects Module
From the Administration module, click on Writeups then click on Add Custom Field.
Add the custom fields you would like displayed in the forms and tables. Set the options as required for each field, then click Update.
You can view the custom fields in the following forms, pages and tables:
- Create a New Writeup / Edit Writeup forms
- Viewing a writeup in the library
- Viewing a vulnerability on a project
- Writeups tables in Writeups Module
From the Administration module, click on Vulnerabilities then click on Add Custom Field.
Add the custom fields you would like displayed in the forms and tables. Set the options as required for each field, then click Update.
You can view the custom fields in the following forms, pages and tables:
- Create a New Vulnerability / Edit Vulnerability forms
- Viewing a vulnerability on a project
- Vulnerabilities tables
From the Administration module, click on Assets then click on Add Custom Field.
Add the custom fields you would like displayed in the forms and tables. Set the options as required for each field, then click Update.
You can view the custom fields in the following forms, pages and tables:
- Create or Update an Asset within Asset Module
- Viewing an Asset within Assets module
- Assets table
From the Administration module, click on Portfolios then click on Add Custom Field.
Add the custom fields you would like displayed in the forms and tables. Set the options as required for each field, then click Update.
You can view the custom fields in the following forms, pages and tables:
- Create or Update a Portfolio within Portfolios Module
- Viewing a portfolio
- Portfolios table
When setting up your project request custom fields & project custom fields, you may wish to have come data from the project request captured and stored on the project as well. This can be achieved using the Linked Project Key on the Project Request custom fields.
The following example will:
- create a custom field on Projects to capture project status notes "project_notes".
- create a custom field on Project Requests to capture additional notes from the customer "customer_notes".
- Map the additional notes from the customer "customer_notes" to the project status notes "project_notes" when the request is getting approved and project is getting set up.
You can create and update custom fields using the Self-Service APIs and the import vulnerabilities application API.
Custom fields do not need to be configured in the administration settings in order to be created or updated via the APIs. However, if the custom field Key matches one that is already defined in the admin settings, it will be automatically typed to that setting when presented in the user interface.
When importing custom fields, you must supply a Key and a Value for each custom field as follows:
"custom_fields": [
{
"key": "something",
"value": "some value..."
}
]
The Key must meet the following conditions:
- is lowercase letters, uppercase letters, numbers or underscores.
- cannot start with underscore.
The Value must meeting the following conditions:
- is String, String Array, or Array of Objects
Strings are used to store data for Input fields, Text Area fields, Date-picker fields, and Select fields.
An example of a custom field with a string is as follows:
"custom_fields": [
{
"key": "something",
"value": "...lorem ipsum..."
}
]
If intending to use the data for a Date-picker, you must supply it as a UTC string e.g. 2021-06-03T23:15:33.008Z
"custom_fields": [
{
"key": "something",
"value": "2021-06-03T23:15:33.008Z"
}
]
String Arrays are used to store data for Multi-Select fields.
An example of a custom field with a string array is as follows:
"custom_fields": [
{
"key": "something",
"value": [
"hello",
"goodbye"
]
}
]
Array of Objects are used to store data in tabular format for Table fields.
Every object is considered a row of data.
Every key in the object is considered a column of data.
Therefore a 2x2 table:
column1 | column2 |
|---|---|
hello | goodbye |
goodbye | hello |
Can be represented as follows:
"custom_fields": [
{
"key": "table1",
"value": [
{
"column1": "hello",
"column2": "goodbye"
},
{
"column1": "goodbye",
"column2": "hello"
}
]
}
]
The objects must have a Key and Value.
The Key must meet the following conditions:
- is lowercase letters, uppercase letters, numbers or underscores.
- cannot start with underscore.
The Value must meeting the following conditions:
- is String or String Array
"custom_fields": [
{
"key": "something",
"value": [
{
"column1": "...lorem ipsum...",
"column2": [
"hello",
"goodbye"
]
}
]
}
]
You can also delete a custom field by passing null to the Value as follows:
"custom_fields": [
{
"key": "something",
"value": null
}
]
You can set custom fields for well-known system fields which provide additional functionality in AttackForge.
The following system field can be used to create a template steps to reproduce / proof of concept that will be automatically copied to the POC field when creating a new vulnerability.
- Vulnerability Library Custom Field - af_sys_steps_to_reproduce
To set up this custom system field, go to Administration --> Writeups --> Custom Fields and create a Text Area field with a key af_sys_steps_to_reproduce
Now when a vulnerability is created or modified in the library, the new field will be displayed.
Now when that writeup is selected when adding a new vulnerability on a project, the template steps to reproduce / proof of concept that will be automatically copied to the POC field.
The following system field can be used to capture the affected endpoint details for a vulnerability on a project. This is useful for tracking and remediating every individual case where a vulnerability has been identified on an asset.
- Vulnerability Custom Field - af_sys_affected_endpoint
This field can be used to capture additional details for an affected asset on a vulnerability, for example URLs, IP & Port, etc.
To set up this custom system field, go to Administration --> Vulnerabilities --> Custom Fields and create an Input or Text Area field with a key af_sys_affected_endpoint
Now when a vulnerability is created or modified on a project, the new field will be displayed after selecting the affected asset(s).
You can enter one or more affected endpoints using either comma-separated values (,) semi-colon separated values(;) or new lines. A new vulnerability will be created for each affected endpoint.
You can view the affected endpoint for each vulnerability, and also modify it when editing a vulnerability.
You can also view the affected endpoint for each vulnerability within the assets module.
When importing vulnerabilities on a project via the user interface, AttackForge will automatically attempt to identify the affected endpoint from the tool and include it when importing the vulnerabilities. Currently this feature is limited to certain tools only.
You can also access this field in your custom reports as follows:
Last modified 2h ago