Template - Filters
UPDATED: Please head over to our new GitHub Support Site for help, examples, tips and tricks: https://github.com/AttackForge/ReportGen
Sort
You can use this filter to sort the data within a tag by a key within scope (or multiple keys).
key - JSON object key available in scope.
asc - sort data by key in ascending order
desc - sort data by key in descending order
To observe the keys available within scope for sorting - use the $help procedure.
Example 1: Single-Key Sort
You can sort by a single key as follows:
The example above will sort all vulnerabilities by their CVSSv3 Baseline score, in ascending order.
You can also sort affected_assets by their CVSSv3 Baseline scores:
Example 2: Multi-Key Sort
You can sort by multiple keys as follows:
The example above will sort all vulnerabilities first by their CVSSv3 Baseline score, in ascending order, then by the vulnerability title, in descending order.
You can also sort affected_assets by their CVSSv3 Baseline scores and asset name:
DateFormat
You can use this filter to adjust the date for a tag to a desired format.
For example:
will return Saturday, June 9, 2007
The full list of supported options is included below for reference.
You can use either a named format (for example fullDate or shortTime) or a mask (for example h:MM:ss TT Z).
Named formats
Name - Mask - Example output
default - ddd mmm dd yyyy HH:MM:ss - Sat Jun 09 2007 17:46:21
shortDate - m/d/yy - 6/9/07
paddedShortDate - mm/dd/yyyy - 06/09/2007
mediumDate - mmm d, yyyy - Jun 9, 2007
longDate - mmmm d, yyyy - June 9, 2007
fullDate - dddd, mmmm d, yyyy - Saturday, June 9, 2007
shortTime - h:MM TT - 5:46 PM
mediumTime - h:MM:ss TT - 5:46:21 PM
longTime - h:MM:ss TT Z - 5:46:21 PM EST
isoDate - yyyy-mm-dd - 2007-06-09
isoTime - HH:MM:ss - 17:46:21
isoDateTime - yyyy-mm-dd'T'HH:MM:sso - 2007-06-09T17:46:21+0700
isoUtcDateTime - UTC:yyyy-mm-dd'T'HH:MM:ss'Z' - 2007-06-09T22:46:21Z
Mask options
d - Day of the month as digits; no leading zero for single-digit days.
dd - Day of the month as digits; leading zero for single-digit days.
ddd - Day of the week as a three-letter abbreviation.
DDD - "Ysd", "Tdy" or "Tmw" if the date lies within these three days; otherwise falls back to ddd.
dddd - Day of the week as its full name.
DDDD - "Yesterday", "Today" or "Tomorrow" if the date lies within these three days; otherwise falls back to dddd.
m - Month as digits; no leading zero for single-digit months.
mm - Month as digits; leading zero for single-digit months.
mmm - Month as a three-letter abbreviation.
mmmm - Month as its full name.
yy - Year as last two digits; leading zero for years less than 10.
yyyy - Year represented by four digits.
h - Hours; no leading zero for single-digit hours (12-hour clock).
hh - Hours; leading zero for single-digit hours (12-hour clock).
H - Hours; no leading zero for single-digit hours (24-hour clock).
HH - Hours; leading zero for single-digit hours (24-hour clock).
M - Minutes; no leading zero for single-digit minutes.
MM - Minutes; leading zero for single-digit minutes.
N - ISO 8601 numeric representation of the day of the week.
o - GMT/UTC timezone offset, e.g. -0500 or +0230.
p - GMT/UTC timezone offset, e.g. -05:00 or +02:30.
s - Seconds; no leading zero for single-digit seconds.
ss - Seconds; leading zero for single-digit seconds.
S - The date's ordinal suffix (st, nd, rd, or th). Works well with d.
l - Milliseconds; gives 3 digits.
L - Milliseconds; gives 2 digits.
t - Lowercase, single-character time marker string: a or p.
tt - Lowercase, two-character time marker string: am or pm.
T - Uppercase, single-character time marker string: A or P.
TT - Uppercase, two-character time marker string: AM or PM.
W - ISO 8601 week number of the year, e.g. 4, 42.
WW - ISO 8601 week number of the year, leading zero for single-digit, e.g. 04, 42.
Z - US timezone abbreviation, e.g. EST or MDT. For non-US timezones, the GMT/UTC offset is returned, e.g. GMT-0500.
'...', "..." - Literal character sequence. Surrounding quotes are removed.
UTC: - Must be the first four characters of the mask. Converts the date from local time to UTC/GMT/Zulu time before applying the mask. The "UTC:" prefix is removed.
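The mask tokens above, as an added JavaScript model (not ReportGen's own code) that renders a subset of them (days, months, years, hours, minutes, seconds, t/tt/T/TT, o, S, quoted literals and the UTC: prefix) so a mask can be checked offline; the `dateFormat` function and the `NAMED_MASKS` object are my names, with the named masks copied from the table above.

```javascript
// Added example, not ReportGen's own code: a formatter for a subset of the mask
// tokens documented above. Tokens DDD/DDDD, N, p, l, L, W/WW and Z are not implemented.
const DAY_NAMES = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"];
const MONTH_NAMES = ["January", "February", "March", "April", "May", "June", "July",
  "August", "September", "October", "November", "December"];

// Named formats from the table above that this subset can render.
const NAMED_MASKS = {
  default: "ddd mmm dd yyyy HH:MM:ss",
  shortDate: "m/d/yy",
  paddedShortDate: "mm/dd/yyyy",
  mediumDate: "mmm d, yyyy",
  longDate: "mmmm d, yyyy",
  fullDate: "dddd, mmmm d, yyyy",
  shortTime: "h:MM TT",
  mediumTime: "h:MM:ss TT",
  isoDate: "yyyy-mm-dd",
  isoTime: "HH:MM:ss",
  isoDateTime: "yyyy-mm-dd'T'HH:MM:sso",
  isoUtcDateTime: "UTC:yyyy-mm-dd'T'HH:MM:ss'Z'",
};

const pad = (n, len = 2) => String(n).padStart(len, "0");

function dateFormat(date, maskOrName) {
  let mask = NAMED_MASKS[maskOrName] || maskOrName;
  // "UTC:" must be the first four characters; it switches every field to the UTC getters.
  const utc = mask.startsWith("UTC:");
  if (utc) mask = mask.slice(4);
  const g = (name) => date[utc ? `getUTC${name}` : `get${name}`]();
  const d = g("Date"), D = g("Day"), m = g("Month"), y = g("FullYear");
  const H = g("Hours"), M = g("Minutes"), s = g("Seconds");
  const tzMin = utc ? 0 : -date.getTimezoneOffset(); // minutes east of UTC
  const tzSign = tzMin >= 0 ? "+" : "-";
  const offset = tzSign + pad(Math.floor(Math.abs(tzMin) / 60)) + pad(Math.abs(tzMin) % 60);
  // Ordinal suffix: 11th, 12th, 13th, otherwise by last digit.
  const suffix = d % 10 === 1 && d !== 11 ? "st" : d % 10 === 2 && d !== 12 ? "nd" : d % 10 === 3 && d !== 13 ? "rd" : "th";
  const tokens = {
    d, dd: pad(d), ddd: DAY_NAMES[D].slice(0, 3), dddd: DAY_NAMES[D],
    m: m + 1, mm: pad(m + 1), mmm: MONTH_NAMES[m].slice(0, 3), mmmm: MONTH_NAMES[m],
    yy: String(y).slice(-2), yyyy: y,
    h: H % 12 || 12, hh: pad(H % 12 || 12), H, HH: pad(H),
    M, MM: pad(M), s, ss: pad(s), S: suffix, o: offset,
    t: H < 12 ? "a" : "p", tt: H < 12 ? "am" : "pm", T: H < 12 ? "A" : "P", TT: H < 12 ? "AM" : "PM",
  };
  // Greedy runs so "dddd" wins over "d"; quoted text is emitted literally without its quotes.
  const re = /d{1,4}|m{1,4}|yy(?:yy)?|([HhMsTt])\1?|[oS]|"[^"]*"|'[^']*'/g;
  return mask.replace(re, (tok) => {
    if (tok[0] === '"' || tok[0] === "'") return tok.slice(1, -1);
    return String(tokens[tok]);
  });
}
```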
HasAny
You can use this filter to check whether at least one value exists in a tag. This can be used to create logic gates or sections within your reports.
This filter accepts the following parameters:
[REQUIRED] Values to search - list of strings, e.g. ['SQL','xss']
[OPTIONAL] Case-insensitive search - true/false, false by default. E.g. hasAny:['SQL','xss']:true
This filter returns true or false.
The example below combines this filter with the 'Includes' filter to print a list of all CVEs found on the affected asset, along with a section heading 'Associated CVEs'. If no CVEs are found, it will print 'No CVEs Identified'.
Filter
You can use this filter to select objects within a list that match a particular condition.
For example, if you wanted to filter your vulnerabilities by critical AND easily exploitable you could use the following:
Another example is filtering affected assets based on remediation status AND priority. Note this example applies the filter to the {#affected_assets} and utilises "parent" to access the priority from the vulnerability.
Another example is applying the filter against custom tags. This example assumes you have defined a custom tag with name/key "owasp_top_10" and value of "yes".
Another example is applying the filter against custom fields. This example assumes you have defined a custom field with name/key "owasp_top_10" and value of "yes".
Another example is applying the filter combined with functions. This example will create a new list of all OWASP Top 10 vulnerabilities that can be referenced anywhere further in the report. This example assumes you have defined a custom tag with name/key "owasp_top_10" and value of "yes".
Example of pushing into new list using parent objects:
Example of pushing into new list using scope:
The following operators are supported when using this filter:
NOT or ! - negates an expression. For example !(priority == "Critical")
AND or && - combines expressions with a logical AND. For example priority == "Critical" AND zero_day == true
OR or || - combines expressions with a logical OR. For example priority == "Critical" OR priority == "High"
== - used to check for equivalency. For example priority == "Critical"
=== - used to check for equality. For example priority === "Critical"
!== - used to check for not equivalency. For example priority !== "Critical"
> - used to check for greater-than comparison. For example likelihood_of_exploitation > 5
< - used to check for less-than comparison. For example likelihood_of_exploitation < 5
>= - used to check for greater-than-or-equals comparison. For example likelihood_of_exploitation >= 5
<= - used to check for less-than-or-equals comparison. For example likelihood_of_exploitation <= 5
( ) - used to group statements together. For example (priority == "Critical") AND (zero_day == true) OR ((priority == "Critical") AND (likelihood_of_exploitation >= 8))
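The operator set above, as an added JavaScript evaluator (not ReportGen's own code) run over constructed vulnerability and affected-asset objects; it shows the precedence of NOT, AND and OR, the grouped expression from the list, and the "parent" lookup used in the affected_assets example. Field names come from this page; the sample values and the helper names (`tokenize`, `parse`, `evaluate`, `filterList`) are assumptions of mine.

```javascript
// Added example (not ReportGen's own code): a small evaluator for the operator set
// listed above, applied to constructed vulnerability and affected-asset objects.
// Field names (priority, zero_day, likelihood_of_exploitation, status, parent) come
// from this page's examples; the sample values and the helper names are my own.
const TOKEN_RE = /\s*(?:(\d+(?:\.\d+)?)|"([^"]*)"|'([^']*)'|(===|!==|==|>=|<=|&&|\|\||[()!<>])|([A-Za-z_][\w.]*))/y;
const KEYWORDS = new Map([["AND", "&&"], ["OR", "||"], ["NOT", "!"]]);

// Split an expression into literal, operator and identifier tokens; word operators are normalised.
function tokenize(src) {
  const out = [];
  for (let pos = 0; pos < src.length; pos = TOKEN_RE.lastIndex) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(src);
    if (!m) { if (src.slice(pos).trim()) throw new Error("bad token at " + pos); break; }
    if (m[1] !== undefined) out.push({ t: "lit", v: Number(m[1]) });
    else if (m[4] !== undefined) out.push({ t: "op", v: m[4] });
    else if (m[5] === undefined) out.push({ t: "lit", v: m[2] ?? m[3] });
    else if (KEYWORDS.has(m[5])) out.push({ t: "op", v: KEYWORDS.get(m[5]) });
    else if (m[5] === "true" || m[5] === "false") out.push({ t: "lit", v: m[5] === "true" });
    else out.push({ t: "id", v: m[5] });
  }
  return out;
}

// Recursive descent; precedence from loosest to tightest: OR, AND, comparison, NOT, ( ).
function parse(tokens) {
  let i = 0;
  const atOp = (...ops) => tokens[i] !== undefined && tokens[i].t === "op" && ops.includes(tokens[i].v);
  const unary = () => {
    if (atOp("!")) { i++; return { op: "!", a: unary() }; }
    if (atOp("(")) { i++; const e = orExpr(); if (!atOp(")")) throw new Error("expected )"); i++; return e; }
    const tok = tokens[i++];
    if (!tok || tok.t === "op") throw new Error("unexpected token");
    return tok;
  };
  const binary = (next, ...ops) => () => {
    let a = next();
    while (atOp(...ops)) { const op = tokens[i++].v; a = { op, a, b: next() }; }
    return a;
  };
  const cmpExpr = binary(unary, "==", "===", "!==", ">", "<", ">=", "<=");
  const andExpr = binary(cmpExpr, "&&");
  const orExpr = binary(andExpr, "||");
  const ast = orExpr();
  if (i !== tokens.length) throw new Error("trailing input");
  return ast;
}

// "parent.priority" style paths resolve step by step through the scope object.
const lookup = (path, scope) => path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), scope);
function evaluate(n, scope) {
  if (n.t === "lit") return n.v;
  if (n.t === "id") return lookup(n.v, scope);
  if (n.op === "!") return !evaluate(n.a, scope);
  if (n.op === "&&") return Boolean(evaluate(n.a, scope) && evaluate(n.b, scope));
  if (n.op === "||") return Boolean(evaluate(n.a, scope) || evaluate(n.b, scope));
  const a = evaluate(n.a, scope), b = evaluate(n.b, scope);
  return { "==": a == b, "===": a === b, "!==": a !== b, ">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b }[n.op];
}
const filterList = (list, expr) => { const ast = parse(tokenize(expr)); return list.filter((item) => Boolean(evaluate(ast, item))); };

// Constructed sample data.
const vulns = [
  { title: "SQL Injection", priority: "Critical", zero_day: false, likelihood_of_exploitation: 9,
    affected_assets: [{ asset: "app.example.test", status: "Open" }, { asset: "api.example.test", status: "Closed" }] },
  { title: "Reflected XSS", priority: "High", zero_day: true, likelihood_of_exploitation: 6,
    affected_assets: [{ asset: "app.example.test", status: "Open" }] },
  { title: "Zero-day RCE", priority: "Critical", zero_day: true, likelihood_of_exploitation: 3, affected_assets: [] },
];
// The grouped expression from the operator list above, applied to the vulnerability list.
const criticalTitles = (expr = '(priority == "Critical") AND (zero_day == true) OR ((priority == "Critical") AND (likelihood_of_exploitation >= 8))') =>
  filterList(vulns, expr).map((v) => v.title);
// The "parent" form from the affected_assets example: each asset scope carries its vulnerability as parent.
const openAssetsOfCritical = () => filterList(vulns.flatMap((v) => v.affected_assets.map((a) => ({ ...a, parent: v }))),
  'status == "Open" && parent.priority == "Critical"').map((a) => a.asset);
```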
HasAll
You can use this filter to check whether all supplied values exist in a tag. This can be used to create logic gates or sections within your reports.
This filter accepts the following parameters:
[REQUIRED] Values to search - list of strings, e.g. ['SQL','xss']
[OPTIONAL] Case-insensitive search - true/false, false by default. E.g. hasAll:['SQL','xss']:true
This filter returns true or false.
The example below prints 'OWASP Top 10 & CWE Top 25' for every affected asset that has both tags 'OWASP Top 10' and 'CWE Top 25'. If both tags are not present, it prints 'Not OWASP Top 10 & CWE Top 25'.
FilterBy
You can use this filter in order to extract filtered data for vulnerabilities using various conditions.
Currently the following conditions are supported:
filterBy:'AffectedAssetProperties'
filterBy:'AffectedAssetCustomTags'
filterBy:'AffectedAssetCustomFields'
filterBy:'AffectedAssetCustomTags-CountVulns'
filterBy:'AffectedAssetCustomFields-CountVulns'
!IMPORTANT: CustomFields are used in the exact same way as CustomTags within this filter.
filterBy:'AffectedAssetProperties'
This filter can be used to retrieve a set of vulnerabilities where the affected assets meet certain conditions.
For example, you can return a list of vulnerabilities and their affected assets which are closed.
Or you can extend the filter to match multiple AND or OR conditions. For example, you can return a list of vulnerabilities and their affected assets which are either open or ready for retest.
This filter works with any key:value pair on affected_assets. If you are unsure which properties you can use this filter on, try using the Helper function to see which fields are available to you.
filterBy:'AffectedAssetCustomTags'
This filter can be used to retrieve a list of vulnerabilities which have affected assets that meet conditions in their custom tags.
The following example will return a list of vulnerabilities which have affected assets that have at least one custom tag that is set to Source = External. This is useful for reporting on External Vulnerabilities in your report.
{#vulnerabilities | filterBy:'AffectedAssetCustomTags':['Source:External']}
Loop through vulnerabilities.
Apply the filterBy filter with the following parameters:
AffectedAssetCustomTags - this instructs the filter to use this condition
['Source:External'] - this instructs the filter to only return vulnerabilities and their affected assets which specifically have a custom tag which equals Source = External.
{priority} - {title}
Print priority and title of vulnerability which meets the filter.
{#affected_assets}
Loop through affected assets on the vulnerability.
{asset}
Print name of the affected asset.
This filter supports an array of custom tags when inputting conditions, as well as AND and OR operators.
For example, using an AND operator with multiple custom tag conditions:
This will return a list of critical vulnerabilities which have affected assets that have both custom tags Source = External and OWASPTop10 = True.
You can also omit the AND operator, as this filter uses AND condition by default.
For example, using an OR operator with multiple custom tag conditions:
This will return a list of critical vulnerabilities which have affected assets that have either custom tags Source = External or OWASPTop10 = True.
filterBy:'AffectedAssetCustomTags-CountVulns'
This filter can be used to retrieve a count of vulnerabilities which have affected assets that meet conditions in their custom tags.
The following example will return a count of vulnerabilities which have affected assets that have at least one custom tag that is set to Source = External. This is useful for reporting on total number of External Vulnerabilities in your report.
{vulnerabilities | filterBy:'AffectedAssetCustomTags-CountVulns':['Source:External']}
Apply the filterBy filter with the following parameters:
AffectedAssetCustomTags-CountVulns - this instructs the filter to use this condition
['Source:External'] - this instructs the filter to only count vulnerabilities where their affected assets specifically have a custom tag which equals Source = External.
This filter supports an array of custom tags when inputting conditions, as well as AND and OR operators.
For example, using an AND operator with multiple custom tag conditions:
This will return a count of critical vulnerabilities which have affected assets that have both custom tags Source = External and OWASPTop10 = True.
You can also omit the AND operator, as this filter uses AND condition by default.
For example, using an OR operator with multiple custom tag conditions:
This will return a count of critical vulnerabilities which have affected assets that have either custom tags Source = External or OWASPTop10 = True.
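The AffectedAssetCustomTags and AffectedAssetCustomTags-CountVulns behaviour described above, as an added JavaScript model (not ReportGen's own code) over constructed data; conditions use the page's 'Key:Value' form, and because this page does not show how the template spells the OR operator, the model takes "AND" or "OR" as a plain parameter (an assumption, as is the shape of the tag objects).

```javascript
// Added example (not ReportGen's own code): a JavaScript model of
// filterBy:'AffectedAssetCustomTags' and the -CountVulns variant over constructed data.
// Conditions use the page's 'Key:Value' form. How the template spells the OR operator
// is not shown on this page, so this model takes "AND" / "OR" as a plain parameter.
function parseCondition(cond) {
  const i = cond.indexOf(":");
  if (i < 1) throw new Error("condition must look like 'Key:Value': " + cond);
  return { key: cond.slice(0, i), value: cond.slice(i + 1) };
}

// An affected asset satisfies one condition when one of its custom tags has that key
// with exactly that value; AND needs every condition, OR needs at least one.
function assetMatches(asset, conditions, operator) {
  const test = ({ key, value }) => (asset.assetCustomTags || []).some((tag) => tag[key] === value);
  return operator === "OR" ? conditions.some(test) : conditions.every(test);
}

// Returns the vulnerabilities with affected_assets narrowed to the matching assets;
// a vulnerability with no matching asset is dropped entirely.
function filterByAssetCustomTags(vulnerabilities, conditions, operator = "AND") {
  const parsed = conditions.map(parseCondition);
  return vulnerabilities
    .map((v) => ({ ...v, affected_assets: v.affected_assets.filter((a) => assetMatches(a, parsed, operator)) }))
    .filter((v) => v.affected_assets.length > 0);
}

// The -CountVulns variant: how many vulnerabilities survive the same filter.
function countVulnsByAssetCustomTags(vulnerabilities, conditions, operator = "AND") {
  return filterByAssetCustomTags(vulnerabilities, conditions, operator).length;
}

// Constructed sample data; each custom tag is an object keyed by its name, mirroring the
// {#assetCustomTags}{#Source == "..."} usage elsewhere on this page (an assumption).
const taggedVulns = [
  { title: "SQL Injection", priority: "Critical", affected_assets: [
    { asset: "shop.example.test", assetCustomTags: [{ Source: "External" }, { OWASPTop10: "True" }] },
    { asset: "db01.internal.test", assetCustomTags: [{ Source: "Internal" }] } ] },
  { title: "Default Credentials", priority: "High", affected_assets: [
    { asset: "admin.internal.test", assetCustomTags: [{ Source: "Internal" }, { OWASPTop10: "True" }] } ] },
  { title: "Outdated TLS", priority: "Medium", affected_assets: [
    { asset: "vpn.example.test", assetCustomTags: [{ Source: "External" }] } ] },
];
```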
Example - using Scope or Variables in your filter
FilterBy supports the use of Scope or Variables in your filter criteria. For example, you can search a custom field without knowing in advance the exact criteria you are searching for.
The example below loops over every 'Testing Phase' in the project custom fields, filters the vulnerabilities by each testing phase, then prints the 'Testing Phase' and its vulnerabilities at the end. This is ideal if you have multi-phase projects and want to print a section containing the vulnerabilities for each phase.
Includes
You can check to see if a tag contains a specified value, or array of values, and continue if true/exists.
{#vulnerabilities}
Loop through vulnerabilities.
{#title | includes:['SQL Injection','Cross Site Scripting']}
Check to see if the title of the vulnerability contains the values "SQL Injection" or "Cross Site Scripting", and if so proceed. Otherwise stop. This filter also includes partial matches e.g. "Blind SQL Injection" would also return true.
{priority} - {title}
Print priority and title of the vulnerability, assuming that it includes or partially includes "SQL Injection" or "Cross Site Scripting" in the title.
You can also use this filter on string arrays (lists) - for example if you want to only show CVE tags for a vulnerability you can use the following:
The template above prints the title of each vulnerability, then loops through that vulnerability's tags checking whether the tag contains 'CVE' or 'cve' anywhere within it, and if so, prints it.
Includes also supports Scope and Variables.
Scope Example:
Variables Example:
Excludes
You can check to see if a tag does not contain a specified value, or array of values, and continue if true/doesn't exist.
{#vulnerabilities}
Loop through vulnerabilities.
{#title | excludes:['SQL Injection','Cross Site Scripting']}
Check to see if the title of the vulnerability does not contain the values "SQL Injection" or "Cross Site Scripting", and if so proceed. Otherwise stop. This filter also matches partial values, e.g. a title of "Blind SQL Injection" would also match "SQL Injection" and so be excluded.
{priority} - {title}
Print priority and title of the vulnerability, assuming that it does not include or partially include "SQL Injection" or "Cross Site Scripting" in the title.
Excludes also supports Scope and Variables.
Replace
You can use the replace filter to replace data.
For example, say you had some assets that looked like this:
https://application.com
And you wanted to remove the https:// part so it appears as follows:
application.com
You could do the following:
ReplaceRegExp
You can use the ReplaceRegExp filter to replace data matched by a regular expression.
For example, say you had some assets that looked like this:
https://application.com?query=1
And you wanted to remove the ?query=1 part so it appears as follows:
https://application.com
You could do the following:
Resize
You can use the resize filter to resize images. It works by setting a fixed width in pixels for which each image will be upscaled or downscaled to match. The height will be automatically adjusted to match the same ratio.
Example resizing images in Steps to Reproduce (Proof of Concept) to 300 pixels wide:
Split
You can use the split function to split data based on a separator - and return a list of items.
For example, assuming you have tags in this format:
<LHS>:<RHS>
And you only want to show the right-hand-side (RHS), you could do the following:
This example makes use of the split filter as well as functions. Functions are used as a way to instruct the logic to skip over the first iteration of the loop (LHS) and then print everything after that <RHS>.
SplitRegExp
You can use the splitRegExp function to split data based on a Regular Expression separator - and return a list of items.
For example, if you wanted to only display the 1st paragraph of the vulnerability description, you could do the following:
This example works as follows:
Loop through every vulnerability
Print the title of the vulnerability
Define a variable "SplitDecriptionOnParagraph" which determines how many paragraphs to print, e.g. 1 (only first paragraph)
Split the description on the double newline '\n\n' that indicates a new paragraph. This creates a list/array of paragraphs.
Loop through each paragraph
If the variable is less than or equal to the number of paragraphs we want to keep (e.g. 1), print the paragraph.
For each iteration of the loop, increment the variable counter
Index
You can use this filter to access an item in an array using its index number.
For example, if you needed to access the first vulnerability in a list - you can do the following:
Search
You can use this filter to search for a value in a string, and return the results (substring) if found.
For example, if you had asset names which looked like the following:
https://application.com/route/api/1
http://application.com/route/api/2
And you wanted to only return the following:
/route/api/1
/route/api/2
You can do the following:
The example above works by first removing the https:// and http:// part of the asset, then searching for the first forward slash character, then returning the remaining data if found.
Store
You can store custom data in arbitrarily defined tags using this filter.
For example we can create a new custom tag called 'AllVulns' and reference it, along with its data, later in the template as follows:
{#vulnerabilities}{#title | store:'AllVulns':this}{/}{/}
Loop through vulnerabilities.
Define a new custom tag called 'AllVulns'
Store the value of this in the new custom tag. In the context of {#vulnerabilities} - this will be equal to the vulnerability
{#$storedAllVulns}
Loop through the new custom tag we created above called AllVulns
You must include #$stored prefix in order to use this new custom tag
{priority} {title}
Print priority & title of vulnerability.
A more complex example includes how to create a custom tag that will hold all of the Critical Web Application vulnerabilities found on the project. This includes using ReportGen custom tags for affected_assets:
{#vulnerabilities}
Loop through vulnerabilities.
{#priority == "Critical"}
Check if vulnerability priority is equal to Critical, then proceed
This check is used to ascertain the vulnerability is a Critical vulnerability
{#affected_assets}
Loop through affected assets on the vulnerability
{#assetCustomTags}
Loop through custom ReportGen tags on the affected asset
{#Source == "Web"}
Check if custom ReportGen tag has key/name "Source" and a value "Web"
This check is used to ascertain the vulnerability is a Web Application vulnerability
{#title | store:'CriticalWebVulns':this:'affected_assets':'assetCustomTags':['Source:Web']}
Define a new custom tag called 'CriticalWebVulns'
Store the value of this which in this case is the vulnerability itself
Check if any of the custom affected asset tags contain any of the key/value pairs supplied, in this case 'Source:Web'. Note this is an array; you can add more values, and they are combined with OR.
{/} {/} {/} {/} {/} {/}
Close all of the open loops (see above)
{#$storedCriticalWebVulns}
Loop through the new custom tag we created above called CriticalWebVulns. This custom tag now contains Critical vulnerabilities which have affected assets which have custom tags indicating they are web application vulnerabilities
You must include #$stored prefix in order to use this new custom tag
{priority} {title}
Print priority & title of vulnerability.
Find
You can search a tag which contains an array of objects to return the object which meets a specific condition.
{#vulnerabilities | find:"title":"Missing X-XSS-Protection Header"}
Loop through vulnerabilities and search each one until it finds a vulnerability with a title equal to Missing X-XSS-Protection Header, then return the vulnerability.
{title}
Print title of vulnerability, in this case it would be "Missing X-XSS-Protection Header" as that is the vulnerability which was returned from the list of vulnerabilities.
FindVulns
You can use this filter to find a vulnerability based on a Title & Priority.
For example, if you wanted to create a report which shows all Assets on the project, and their Vulnerabilities (Asset to Vulnerability table or mapping) - you can achieve that using this filter. Note this requires using the store filter in combination with findVulns filter as follows:
{#vulnerabilities}{#title | store:'allVulns':this}{/}{/}
Loop through vulnerabilities.
Define a new custom tag called 'allVulns'
Store the value of this which in this case is the vulnerability itself
{#assetVulnerabilityMapping}
Loop through Asset-to-Vulnerability mapping
{asset}
Print the name of the asset
{#vulnerabilities}
Loop through vulnerabilities linked to the Asset
NOTE: This is different to {#vulnerabilities} referenced at line 1 above.
{priority} - {status} - {vulnerability}
Print the priority, remediation status & name of the vulnerability
{#vulnerabilities | findVuln:'allVulns':this.vulnerability:this.priority}
Find the vulnerability (from list of all project vulnerabilities) where it matches the name/title & priority of the current vulnerability linked to the asset
{description}
Print the description of the vulnerability linked to the asset
{attack_scenario}
Print the attack scenario of the vulnerability linked to the asset
{remediation_recommendation}
Print the remediation recommendation of the vulnerability linked to the asset
Unique
You can use a 'unique' filter to check if a value has already been printed in the report, and if so, it will skip printing it again.
{#vulnerabilities}
Loop through vulnerabilities.
{#priority == "Critical"}
Select vulnerabilities which have a priority of ‘Critical’.
{#affected_assets}
Loop through Affected Assets for each Critical vulnerability.
{#assetCustomTags}
Loop through Custom Tags for each Affected Asset for each Critical vulnerability.
{#Source == "Internal"}
Check to see whether a Custom Tag 'Source' exists, and if so check to see if its value is "Internal".
{#title | unique:'InternalVulnsTable'}
This is a condition against the ‘title’ field for a vulnerability
This condition will check to see whether the value is unique (i.e. it hasn’t already been used/printed). This is useful to prevent printing duplicate values when looping through affected assets, for example vulnerability title.
This function works by taking 2 arguments – Key & Value. In the example above, Key = {title} e.g. Blind SQL Injection; and Value = ‘InternalVulnsTable’
This function will check to see if the Key/Value pair has already been printed in the report, and if so, it will skip printing it again – for example to avoid duplicating printing of vulnerability title for each affected asset in a table containing list of Internal Vulnerabilities.
{title}
Print title of vulnerability.
Count
You can use a 'count' filter to set an arbitrary counter for a condition, then reference that counter later on.
{#vulnerabilities}
Loop through vulnerabilities.
{#priority == "Critical"}
Select vulnerabilities which have a priority of ‘Critical’.
{#affected_assets}
Loop through Affected Assets for each Critical vulnerability.
{#assetCustomTags}
Loop through Custom Tags for each Affected Asset for each Critical vulnerability.
{#Source == "Internal"}
Check to see whether a Custom Tag 'Source' exists, and if so check to see if its value is "Internal".
{#title | unique:'InternalVulnsTable' | count:'InternalVulnsTableCritical'}
We are chaining together the 'unique' filter with the 'count' filter against the ‘title’ field for a vulnerability
For details on how the 'unique' filter works - see above.
Count filter works by taking 2 arguments – Key & Value. In the example above, Key = {title} e.g. Blind SQL Injection; and Value = ‘InternalVulnsTableCritical’
This function will count the number of times it is executed and store the result in a tag called $countVALUE where VALUE = ‘InternalVulnsTableCritical’
Because we are chaining this filter with another filter - in this case the 'unique' filter - the unique filter condition must be met first before this function executes and counter is incremented.
For example, if the dataset had 3 unique Critical vulnerabilities - $countInternalVulnsTableCritical will be equal to 3.
{title}
Print title of vulnerability.
{#$countInternalVulnsTableCritical}
Access the new dynamic tag '$countInternalVulnsTableCritical' created when we ran count:'InternalVulnsTableCritical'
{$countInternalVulnsTableCritical}
Print the value of the counter for 'InternalVulnsTableCritical'
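The nested loops above with 'unique' and 'count' chained, as an added JavaScript model (not ReportGen's own code) over constructed data; it reproduces the "3 unique Critical vulnerabilities gives a count of 3" case and shows that without 'unique' a vulnerability on two Internal assets would be printed and counted twice. The `ReportState` class, the function name and the tag-object shape are my assumptions.

```javascript
// Added example (not ReportGen's own code): a JavaScript model of the nested loops
// above with 'unique' and 'count' chained, run over constructed data. It shows why
// 'unique' must pass first: a vulnerability with two Internal affected assets would
// otherwise be printed and counted twice.
class ReportState {
  constructor() {
    this.seen = new Set();   // Key/Value pairs already printed (unique filter)
    this.counters = {};      // $countVALUE tags created by the count filter
  }
  // unique:'VALUE' - true the first time this Key is seen under VALUE, false afterwards
  unique(key, value) {
    const id = value + "\u0000" + key;
    if (this.seen.has(id)) return false;
    this.seen.add(id);
    return true;
  }
  // count:'VALUE' - increments $countVALUE each time it executes and passes the Key through
  count(key, value) {
    const tag = "$count" + value;
    this.counters[tag] = (this.counters[tag] || 0) + 1;
    return key;
  }
}

// Walks the template's loop structure; set useUnique=false to see the duplicate counting.
function renderInternalCriticalTitles(vulnerabilities, useUnique = true) {
  const state = new ReportState();
  const lines = [];
  for (const v of vulnerabilities) {                        // {#vulnerabilities}
    if (v.priority !== "Critical") continue;                // {#priority == "Critical"}
    for (const asset of v.affected_assets) {                // {#affected_assets}
      for (const tag of asset.assetCustomTags) {            // {#assetCustomTags}
        if (tag.Source !== "Internal") continue;            // {#Source == "Internal"}
        if (useUnique && !state.unique(v.title, "InternalVulnsTable")) continue;
        state.count(v.title, "InternalVulnsTableCritical"); // runs only once unique has passed
        lines.push(v.title);                                // {title}
      }
    }
  }
  return { lines, counters: state.counters };               // counters.$countInternalVulnsTableCritical
}

// Constructed sample data: three distinct Critical Internal vulnerabilities, one of them on
// two Internal assets, plus a High Internal and a Critical External vulnerability.
const internalSample = [
  { title: "Blind SQL Injection", priority: "Critical", affected_assets: [
    { asset: "hr.internal.test", assetCustomTags: [{ Source: "Internal" }] },
    { asset: "fin.internal.test", assetCustomTags: [{ Source: "Internal" }] } ] },
  { title: "Insecure Deserialization", priority: "Critical", affected_assets: [
    { asset: "erp.internal.test", assetCustomTags: [{ Source: "Internal" }] } ] },
  { title: "Weak Domain Admin Password", priority: "Critical", affected_assets: [
    { asset: "dc01.internal.test", assetCustomTags: [{ Source: "Internal" }] } ] },
  { title: "Verbose Error Messages", priority: "High", affected_assets: [
    { asset: "hr.internal.test", assetCustomTags: [{ Source: "Internal" }] } ] },
  { title: "Open Redirect", priority: "Critical", affected_assets: [
    { asset: "www.example.test", assetCustomTags: [{ Source: "External" }] } ] },
];
```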
IsArray
You can check if a value is an array:
IsBoolean
You can check if a value is a boolean:
IsInteger
You can check if a value is an integer:
IsString
You can check if a value is a string:
Trim
You can trim the whitespace before and after a tag using the following filter:
Float
You can convert a number to a floating point number. The number of decimal places, e.g. '2', is optional and defaults to 2 if no option is provided. If the conversion fails it returns 0.0.
Integer
You can convert a number to an integer. If the conversion doesn’t work it will return 0.
Round
You can round a number to the nearest integer.
RoundUp
You can round a number up to the nearest integer.
RoundDown
You can round a number down to the nearest integer.
Capitalize
You can capitalize the tag. The first character will be uppercase, all others lowercase.
Titlecase
You can titlecase the tag. Words will start with uppercase letters, all remaining characters are lowercase.
Uppercase
You can uppercase a tag:
Lowercase
You can lowercase a tag: