Custom Fields & Forms

Overview

AttackForge supports the ability to create custom fields & forms. This can help to capture information which is relevant to your organization and customers.
Custom fields can be accessed in the application, in JSON exports and also via the Self-Service API.
You can create custom fields & forms for the following:
  • Project Request
  • Project Creation
  • Vulnerability Library (write-up)
  • Vulnerability (on project)
To set custom fields, you must be an Administrator. Start by clicking on the Administration module, then click on the Configuration tab.
You can set custom fields from the Vulnerabilities and Projects tabs.
AttackForge supports the following custom field types:
  • Input field
  • Text Area
  • Select
  • Multi-Select
  • Datepicker

Input Fields

Input fields display a single-line input box within the relevant forms.
When creating an input field, the following options are available:
  • Key - This is the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alphanumeric characters and underscores only.
  • Placeholder Value - This is the default value that will be displayed in the forms.
  • Label - This is the label that will be displayed in the form for this field, as well as in the data tables.
  • Required - This is used to determine whether the field is mandatory or optional in the forms.
  • Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
  • Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.

Text Area Fields

Text area fields display a multi-line input box within the relevant forms. The text area can be resized by the user within the form if additional space is needed. This option is useful if the user is required to enter paragraphs of text.
When creating a text area field, the following options are available:
  • Key - This is the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alphanumeric characters and underscores only.
  • Placeholder Value - This is the default value that will be displayed in the forms.
  • Label - This is the label that will be displayed in the form for this field, as well as in the data tables.
  • Required - This is used to determine whether the field is mandatory or optional in the forms.
  • Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
  • Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.

Select Fields

Select fields display a drop-down menu with a single-item select within the relevant forms. The user can only select one option.
When creating a select field, the following options are available:
  • Key - This is the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alphanumeric characters and underscores only.
  • Default Select Option - This is the default option that will be selected on the forms.
  • Label - This is the label that will be displayed in the form for this field, as well as in the data tables.
  • Required - This is used to determine whether the field is mandatory or optional in the forms.
  • Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
  • Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.
  • Add Select Option - This button will create a new option for the menu. The menu must have at least one option.
    • Option - The option is the text that will be displayed in the drop-down menu within the form.
    • Value - The value is the data that will represent this option when it is selected by a user.

Multi-Select Fields

Multi-select fields display a drop-down menu with a multi-item select within the relevant forms. The user can select one or more options.
When creating a multi-select field, the following options are available:
  • Key - This is the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alphanumeric characters and underscores only.
  • Default Select Options - These are the default options that will be selected on the forms. You can specify multiple options by separating each option with a comma, e.g. pcidss,hipaa
  • Label - This is the label that will be displayed in the form for this field, as well as in the data tables.
  • Required - This is used to determine whether the field is mandatory or optional in the forms.
  • Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
  • Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.
  • Add Select Option - This button will create a new option for the menu. The menu must have at least one option.
    • Option - The option is the text that will be displayed in the drop-down menu within the form.
    • Value - The value is the data that will represent this option when it is selected by a user.

Datepicker Field

The datepicker fields display a calendar where the user can select a single date.
When creating a datepicker field, the following options are available:
  • Key - This is the name of the field (e.g. database field name). This is the reference you will use when referring to this field in the JSON export, ReportGen or via the Self-Service API. The key must be unique, and is limited to alphanumeric characters and underscores only.
  • Placeholder Date - This is the default date that will be displayed in the forms.
  • Label - This is the label that will be displayed in the form for this field, as well as in the data tables.
  • Required - This is used to determine whether the field is mandatory or optional in the forms.
  • Display in Tables - This is used to determine whether the field will be displayed as a new column in the relevant tables within the application.
  • Hide Condition - This is used to create a condition to hide the field, until such condition is met. See Hide Conditions for more details.

Hide Conditions

Hide conditions are used to hide a field until some condition is met.
Using the example below, let's say we have two (2) custom fields for a project request:
  • project_type - this field allows the person requesting the project to pick what type of project they are requesting, for example a web app pentest, vulnerability scan, code review, etc.
  • application_url - this field is used to capture the URL for the application IF the person is requesting a web app pentest.
The custom fields set up will appear as follows:
Let's say we want to hide the application_url field until the user has selected 'Web App Pentest' from the project_type select menu.
We would enter the following hide condition into the application_url field:
key.project_type !== "web_app_pentest"
This hide condition states: Hide this field WHILE project_type is NOT EQUAL to web_app_pentest
As a result, the project request form will not show this field until the user has selected 'Web App Pentest' as the type of assessment they are requesting.
Hide conditions support additional logical expressions, such as:
key.project_type !== "web_app_pentest" && key.project_type !== "vuln_scan"
This hide condition states: Hide this field WHILE project_type is NOT EQUAL to web_app_pentest AND project_type is NOT EQUAL to vuln_scan
This is useful if we want this field to display on either a Web App Pentest or Vulnerability Scan.
key.project_type == "web_app_pentest"
This hide condition states: Hide this field WHILE project_type is EQUAL to web_app_pentest
key.project_type !== "web_app_pentest" && key.company_name !== undefined
This hide condition states: Hide this field WHILE project_type is NOT EQUAL to web_app_pentest AND company_name is not empty, i.e. the user has entered a value for the company name field
You are not limited to only the examples above. You can use other JavaScript-based expressions to write your conditions.
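A local harness for checking hide conditions before entering them in the configuration, as an added example that is not AttackForge's own code. It assumes form values are exposed as properties of a key object and that an unfilled field is undefined; the field list and the helper names (lintFields, isHidden, visibleFields) are hypothetical.

```javascript
// Added example: a local harness for hide conditions, not AttackForge's evaluator.
const KEY_PATTERN = /^[A-Za-z0-9_]+$/; // keys: alphanumeric and underscores only

// Constructed field set modelled on the project request example above.
const fields = [
  { key: 'project_type' },
  { key: 'company_name' },
  { key: 'application_url',
    hideCondition: 'key.project_type !== "web_app_pentest" && key.project_type !== "vuln_scan"' },
];

// Return the field keys that a hide condition references as key.<name>.
function referencedKeys(condition) {
  return [...condition.matchAll(/\bkey\.([A-Za-z0-9_]+)/g)].map((m) => m[1]);
}

// Report invalid or duplicate keys, and conditions that reference unknown fields.
function lintFields(fieldList) {
  const problems = [];
  const seen = new Set();
  for (const f of fieldList) {
    if (!KEY_PATTERN.test(f.key)) problems.push(`invalid key: ${f.key}`);
    if (seen.has(f.key)) problems.push(`duplicate key: ${f.key}`);
    seen.add(f.key);
  }
  for (const f of fieldList) {
    for (const ref of referencedKeys(f.hideCondition || '')) {
      if (!seen.has(ref)) problems.push(`${f.key}: unknown key ${ref}`);
    }
  }
  return problems;
}

// Evaluate a condition against form values; true means the field is hidden.
// Assumption: an unfilled field is undefined. new Function executes the string
// as code, so only pass conditions you wrote yourself.
function isHidden(condition, formValues) {
  return Boolean(new Function('key', `return (${condition});`)(formValues));
}

// List the keys of the fields that are visible for the given form values.
function visibleFields(fieldList, formValues) {
  return fieldList
    .filter((f) => !f.hideCondition || !isHidden(f.hideCondition, formValues))
    .map((f) => f.key);
}

console.log(visibleFields(fields, { project_type: 'vuln_scan' }));
```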

Project Request Custom Fields

From the Configuration tab in the Administration module, click on Projects, then click on Add Custom Project Request Field.
Add the custom fields you would like displayed in the forms and data tables. Set the options as required for each field, then click Update.
You can view the custom fields in the following forms, pages and tables:
  • Request a New Project / Edit Project Request forms
  • Viewing a Project Request page
  • Approve Project Request with Updates form
  • Pending Requests table in Projects Module
  • Actioned Requests table in Projects Module

Project Custom Fields

From the Configuration tab in the Administration module, click on Projects, then click on Add Custom Project Field.
Add the custom fields you would like displayed in the forms and data tables. Set the options as required for each field, then click Update.
You can view the custom fields in the following forms, pages and tables:
  • Create New Project / Edit Project forms
  • Approve Project Request form
  • Projects and Archived Projects tables in Projects Module

Vulnerability Library Custom Fields

From the Configuration tab in the Administration module, click on Vulnerabilities, then click on Add Custom Vulnerability Library Field.
Add the custom fields you would like displayed in the forms and data tables. Set the options as required for each field, then click Update.
You can view the custom fields in the following forms, pages and tables:
  • Create a New Vulnerability in Library / Edit Vulnerability in Library forms
  • Viewing a vulnerability in the library
  • Viewing a vulnerability on a project
  • Main Vulnerabilities, Imported Vulnerabilities and Project Vulnerabilities tables in Vulnerability Library Module

Vulnerability Custom Fields

From the Configuration tab in the Administration module, click on Vulnerabilities, then click on Add Custom Vulnerability Field.
Add the custom fields you would like displayed in the forms and data tables. Set the options as required for each field, then click Update.
You can view the custom fields in the following forms, pages and tables:
  • Create a New Vulnerability on Project / Edit Vulnerability on Project forms
  • Viewing a vulnerability on a project
  • Project vulnerabilities table

Linked Project Key

When setting up your project request custom fields & project custom fields, you may have some fields which overlap each other, i.e. capture the same data. For example, customer name might be a field on both project requests and manually created projects.
When approving a project request with updates, you will see a combination of project request custom fields and project custom fields in the same form. To avoid the fields showing up twice, you can map the project request custom field to the project custom field.

Custom System Fields

You can set custom fields for well-known system fields which provide additional functionality in AttackForge.

Sys Field - Affected Endpoint

The following system field can be used to capture the affected endpoint details for a vulnerability on a project. This is useful for tracking and remediating every individual case where a vulnerability has been identified on an asset.
  • af_sys_affected_endpoint
This field can be used to capture additional details for an affected asset on a vulnerability, for example URLs, IP & Port, etc.
To set up this custom system field, go to Administration --> Configuration --> Vulnerabilities --> Vulnerability Custom Fields and create an Input or Text Area field with the key af_sys_affected_endpoint.
Now when a vulnerability is created or modified on a project, the new field will be displayed after selecting the affected asset(s).
You can enter one or more affected endpoints using either comma-separated values (,), semi-colon separated values (;), or new lines. A new vulnerability will be created for each affected endpoint.
You can view the affected endpoint for each vulnerability, and also modify it when editing a vulnerability.
You can also view the affected endpoint for each vulnerability within the assets module.
When importing vulnerabilities on a project via the user interface, AttackForge will automatically attempt to identify the affected endpoint from the tool and include it when importing the vulnerabilities.
Currently this feature is limited to certain tools only.
You can also access this field in your custom reports as follows: