GetProjectReportData
This method can be used for the following: Get details in a reporting format for a project you have access to - including project vulnerabilities, test cases and other reporting data;
Parameters
The following URL, Headers and Parameters are required for requests to this API endpoint. Where a parameter is optional, it will be indicated. Otherwise treat all parameters as mandatory.
Headers
POST /api/ss/project/:id/report/:type HTTP/1.1
Host: demo.attackforge.com
X-SSAPI-KEY: APIKey
Content-Type: application/json
Connection: close
Query
id (string)
Identifier for the project.
Example:
GET /api/ss/project/5e48c12ec0376309d73aad71/report/:type HTTP/1.1
type (string)
Type of report. This must be one of the following: raw, csv
Example:
GET /api/ss/project/:id/report/raw HTTP/1.1
excludeBinaries (boolean)
Exclude binaries from the response object. Only applies to type raw.
Example:
GET /api/ss/project/:id/report/raw?excludeBinaries=true HTTP/1.1
vulnerabilityIds (string array) (optional)
Ids for the vulnerabilities to scope the report to.
Example:
{
"vulnerabilityIds": [
"6639508f50523053f459d29f"
]
}
Example
The following example is a cURL request to get a raw report by the project id.
Request
Include API Token instead of stars in 'X-SSAPI-KEY: ***************************************' parameter.
curl -X POST 'https://localhost:3000/api/ss/project/5eab99471e18050942c7607a/report/raw' -H 'Host: localhost:3000' -H 'X-SSAPI-KEY: ***************************************' -H 'Content-Type: application/json' -H 'Connection: close' -d '{
"vulnerabilityIds": [
"6639508f50523053f459d29f"
]
}'
Response
Response contains a body. For RAW reports, the body is in JSON format.
{
"timestamp": "2021-11-08T05:05:25.825Z",
"project":
{
"name": "Bat Portal Pentest",
"code": "PROJECT XYZ",
"created": "2021-11-08T05:05:25.825Z",
"groups":
[
{
"name": "Wayne Technologies"
}
]
},
"projectCustomTags":
[
{
"ClientName": "Wayne Technologies"
}
],
"projectCustomFields":
[
{
"customer_size": "5000+ Employees"
},
{
"compliance_requirements":
[
"PCI DSS",
"HIPAA"
]
}
],
"executive_summary":
{
"total_unique_vulnerabilities": 28,
"total_critical_vulnerabilities": 1,
"total_high_vulnerabilities": 7,
"total_medium_vulnerabilities": 6,
"total_low_vulnerabilities": 11,
"total_informational_vulnerabilities": 3,
"total_testcases": 142,
"total_completed_testcases": 11,
"total_not_tested_testcases": 125,
"total_in_progress_testcases": 4,
"total_not_applicable_testcases": 2,
"total_zero_day_vulnerabilities": 1,
"total_easily_exploitable_vulnerabilities": 12,
"notes": "AttackForge was engaged by...",
"files":
[
{
"fileName": "screenshot.png",
"fileType": "image/png",
"fileSizeKB": "8064",
"fileBase64": "data:image/png;base64,iVBORw0..."
}
]
},
"testing_summary":
{
"start_date": "Mon Jun 14 2021",
"progress": "9%",
"end_date": "Wed Jun 23 2021",
"total_assets_with_vulnerabilities": 28,
"total_assets_with_vulnerabilities_not_fixed": 11,
"total_assets_with_vulnerabilities_fixed": 13,
"total_assets_with_vulnerabilities_retesting": 3,
"assets":
[
"batportal.attackforge.com",
"192.168.0.1"
],
"assets_details":
[
{
"id": "620f1707c66ef8821d35ee1d",
"name": "13.56.222.64",
"library_id": "60b3439187c9a3002f60c6f8",
"library_created": "2021-05-30T07:49:37.207Z",
"library_updated": "2022-02-22T02:07:17.730Z",
"library_name": "13.56.222.64",
"type": "API",
"external_id": "EXT ID",
"details": "DETAILS",
"assetCustomFields":
[
{
"test": "CUSTOM FIELD"
}
]
}
],
"project_team":
[
"Batman - Client",
"Lucius Fox - Project Manager",
"Robin - Pentest Lead"
],
"retesting_history":
[
{
"created": "2021-11-08T05:05:25.825Z",
"retesting_round": 1,
"retesting_round_status": "Completed",
"retesting_round_actioned_by": "Robin",
"retesting_custom_round_name": "Retest Round 1",
"retesting_custom_status_name": "Completed Retest for Bat Portal",
"vulnerabilities":
[
{
"vulnerability": "Session Fixation",
"vulnerability_id": "5bdd2508128aa82e0040a814"
},
{
"vulnerability": "Strict Transport Security Policy Not Enforced",
"vulnerability_id": "5bdd276b128aa82e0040a832"
}
],
"vulnerabilitiesNotTested":
[
{
"vulnerability": "Inconsistent Access Control",
"vulnerability_id": "5bdd22ec128aa82e0040a7fc"
},
{
"vulnerability": "Persistent Cross Site Scripting",
"vulnerability_id": "5bdd232c128aa82e0040a7ff"
},
{
"vulnerability": "Cookie With Secure Flag Missing",
"vulnerability_id": "5bdd2659128aa82e0040a826"
},
{
"vulnerability": "Cookie Without HTTPOnly Flag Set",
"vulnerability_id": "5bdd268c128aa82e0040a829"
}
]
},
{
"created": "2021-11-08T05:05:25.825Z",
"retesting_round": 1,
"retesting_round_status": "Requested",
"retesting_round_actioned_by": "Robin",
"retesting_custom_round_name": "Retest Round 1",
"retesting_custom_status_name": "Requested Retest for Bat Portal",
"vulnerabilities":
[
{
"vulnerability": "Inconsistent Access Control",
"vulnerability_id": "5bdd22ec128aa82e0040a7fc"
},
{
"vulnerability": "Persistent Cross Site Scripting",
"vulnerability_id": "5bdd232c128aa82e0040a7ff"
},
{
"vulnerability": "Session Fixation",
"vulnerability_id": "5bdd2508128aa82e0040a814"
},
{
"vulnerability": "Cookie With Secure Flag Missing",
"vulnerability_id": "5bdd2659128aa82e0040a826"
},
{
"vulnerability": "Cookie Without HTTPOnly Flag Set",
"vulnerability_id": "5bdd268c128aa82e0040a829"
},
{
"vulnerability": "Strict Transport Security Policy Not Enforced",
"vulnerability_id": "5bdd276b128aa82e0040a832"
}
],
"vulnerabilitiesNotTested":
[]
}
],
"project_notes":
[
{
"created": "2020-06-18T22:48:42.937Z",
"modified": "2020-06-18T22:50:33.990Z",
"note": "Pentester was sick.",
"note_raw": "...HTML...",
"created_by": "Robin"
}
]
},
"vulnerabilities_summary":
{
"totalCriticalVulnerabilitiesAllAssets": 1,
"totalHighVulnerabilitiesAllAssets": 7,
"totalMediumVulnerabilitiesAllAssets": 6,
"totalLowVulnerabilitiesAllAssets": 11,
"totalInfoVulnerabilitiesAllAssets": 3,
"critical":
[
{
"title": "Unrestricted Upload of File with Dangerous Type",
"retest_status": "Fixed",
"total_affected_assets": 1,
"total_affected_assets_fixed": 1,
"total_affected_assets_retesting": 0,
"total_affected_assets_not_fixed": 0
}
],
"high":
[
{
"title": "Inconsistent Access Control",
"retest_status": "Fixed",
"total_affected_assets": 1,
"total_affected_assets_fixed": 1,
"total_affected_assets_retesting": 0,
"total_affected_assets_not_fixed": 0
}
],
"medium":
[
{
"title": "Reflected Cross Site Scripting",
"retest_status": "Fixed",
"total_affected_assets": 1,
"total_affected_assets_fixed": 1,
"total_affected_assets_retesting": 0,
"total_affected_assets_not_fixed": 0
}
],
"low":
[
{
"title": "Server Discloses Supporting Technology",
"retest_status": "Fixed",
"total_affected_assets": 1,
"total_affected_assets_fixed": 1,
"total_affected_assets_retesting": 0,
"total_affected_assets_not_fixed": 0
}
],
"informational":
[
{
"title": "Weak Password Policy",
"retest_status": "Not Fixed",
"total_affected_assets": 1,
"total_affected_assets_fixed": 0,
"total_affected_assets_retesting": 0,
"total_affected_assets_not_fixed": 0
}
]
},
"attackchains":
[
{
"title": "Gain control of Bat Portal application server to ...",
"order": 1,
"id": "26n2cnjcv34g7djv7gilxvzow",
"links":
[
{
"type": "External Attacker",
"icon": "data:image/png;base64,iVBORw0...",
"description": "Attacker who has ...",
"arrow": "data:image/png;base64,iVBORw0",
"order": 1,
"mitre_attack": "Initial Access",
"mitre_attack_color": "#555555"
},
{
"type": "Action",
"icon": "data:image/png;base64,iVBORw0...",
"description": "Log into application and ...",
"arrow": "data:image/png;base64,iVBORw0",
"order": 2,
"mitre_attack": "Discovery",
"mitre_attack_color": "#660066"
},
{
"type": "Exploit Critical Vulnerability",
"icon": "data:image/png;base64,iVBORw0",
"description": "Attacker identifies vulnerable 'upload Avatar' functionality in ...",
"title": "Unrestricted Upload of File with Dangerous Type",
"likelihood_of_exploitation": "Likelihood of exploitation: 100%",
"discovered": "Discovered in batportal.attackforge.com by Robin on 2018-11-03T04:17:41.584Z",
"asset_name": "batportal.attackforge.com",
"asset_id": "5bdd276b128aa82e0040a913",
"discovered_by_name": "Robin",
"discovered_by_id": "5bdd276b128aa82e0040a913",
"discovered_timestamp": "2018-11-03T04:17:41.584Z",
"arrow": "data:image/png;base64,iVBORw0...",
"order": 3,
"mitre_attack": "Execution",
"mitre_attack_color": "#ffc425"
}
]
}
],
"vulnerabilities":
[
{
"id": "5ad737feccb39f330a8ef00d",
"title": "Unrestricted Upload of File with Dangerous Type",
"priority": "Critical",
"zero_day": false,
"easily_exploitable": true,
"likelihood_of_exploitation": 10,
"severity": 1,
"sla": "2022-02-10T01:14:34.975Z",
"release_date": "2022-02-03T01:14:38.433Z",
"target_remediation_date": "2022-02-10T06:32:39.435Z",
"description": "An unrestricted upload of ...",
"attack_scenario": "Arbitrary code execution is ...",
"remediation_recommendation": "Assume all input is ...",
"tags":
[
"CWE-434: Unrestricted Upload of File with Dangerous Type",
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CVSSv3.1 Base Score: 9.8"
],
"cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cvssv3_base_score": "9.8",
"cvssv3_temporal_score": "NA",
"cvssv3_environmental_score": "NA",
"affected_assets":
[
{
"created": "2018-11-03T04:17:41.584Z",
"modified": "2018-11-03T04:17:41.584Z",
"asset": "batportal.attackforge.com",
"id": "5bdd2165128aa82e0040a7ef",
"proof_of_concept": "1. Do this... 2. Do that...",
"proof_of_concept_raw": "...HTML...",
"remediation_status": "Closed on 2018-11-03T04:17:41.584Z",
"notes":
[
{
"note": "During testing, it was possible to ..."
}
],
"remediation_notes":
[
{
"note": "Issue Closed: Issue has been fixed",
"created": "2018-11-03T04:17:41.584Z"
},
{
"note": "Attempted to upload ...",
"created": "2018-11-03T04:17:41.584Z"
}
],
"assetCustomTags":
[
{
"Source": "Internal"
},
{
"Category": "Web App"
}
],
"assetCustomFields":
[
{
"af_sys_affected_endpoint": "https://bat-portal.attackforge.com"
}
],
"assetLibraryCustomFields":
[
{
"asset_owner": "Bruce Wayne"
}
],
"alternate_id": "WAYNETECH02-1",
"tags":
[
"cvss3_base_score:10.0",
"cvss3_vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"cvss_base_score:10.0",
"cvss_score_rationale:Unsupported Software",
"cvss_score_source:manual",
"cvss_vector:CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"
],
"cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"cvssv3_base_score": "10.0",
"cvssv3_temporal_score": "NA",
"cvssv3_environmental_score": "NA",
"testcases":
[
{
"created": "2022-05-24T04:01:55.765Z",
"modified": "2022-05-24T04:01:55.765Z",
"modifiedBy": "AttackForge Admin",
"status": "Not Tested",
"title": "001 New Test Case",
"testcase_code": "001",
"testsuite_name": "001 Test Suite",
"abuse_case": "No"
}
]
}
],
"remediation_status": "Closed",
"evidence":
[
{
"fileName": "screenshot.png",
"fileType": "image/png",
"fileSizeKB": "8064",
"fileBase64": "data:image/png;base64,iVBORw0..."
}
],
"vulnerabilityCustomTags":
[
{
"TLS_weakness": "True"
},
{
"PCI-related": "True"
}
]
}
],
"appendix_overview": true,
"appendix_severity": true,
"testcases":
[
{
"created": "2018-11-03T04:17:41.584Z",
"modified": "2018-11-03T04:17:41.584Z",
"modifiedBy": "Robin",
"title": "Verify all pages and resources by default require ...",
"status": "Tested",
"testsuite_name": "Standard Web App Penetration Testing",
"tags":
[
"OWASP ASVS v2.1"
],
"notes":
[
{
"note": "There was no function discovered to change user password.",
"modified": "2018-11-03T04:17:41.584Z",
"modifiedBy": "Robin"
}
],
"evidence":
[
{
"fileName": "screenshot.png",
"fileType": "image/png",
"fileSizeKB": "8064",
"fileBase64": "data:image/png;base64,iVBORw0..."
}
],
"is_failed": "Yes",
"is_remediated": "Yes",
"remediation_status": "Remediated",
"linked_vulnerabilities":
[
{
"id": "5ad737feccb39f330a8ef00d",
"title": "Unrestricted Upload of File with Dangerous Type",
"priority": "Critical",
"zero_day": false,
"easily_exploitable": true,
"likelihood_of_exploitation": 10,
"severity": 1,
"sla": "2022-02-10T01:14:34.975Z",
"release_date": "2022-02-03T01:14:38.433Z",
"target_remediation_date": "2022-02-10T06:32:39.435Z",
"description": "An unrestricted upload of ...",
"attack_scenario": "Arbitrary code execution is ...",
"remediation_recommendation": "Assume all input is ...",
"tags":
[
"CWE-434: Unrestricted Upload of File with Dangerous Type",
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CVSSv3.1 Base Score: 9.8"
],
"cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cvssv3_base_score": "9.8",
"cvssv3_temporal_score": "NA",
"cvssv3_environmental_score": "NA",
"affected_assets":
[
{
"created": "2018-11-03T04:17:41.584Z",
"modified": "2018-11-03T04:17:41.584Z",
"asset": "batportal.attackforge.com",
"id": "5bdd2165128aa82e0040a7ef",
"proof_of_concept": "1. Do this... 2. Do that...",
"proof_of_concept_raw": "...HTML...",
"remediation_status": "Closed on 2018-11-03T04:17:41.584Z",
"notes":
[
{
"note": "During testing, it was possible to ..."
}
],
"remediation_notes":
[
{
"note": "Issue Closed: Issue has been fixed",
"created": "2018-11-03T04:17:41.584Z"
},
{
"note": "Attempted to upload ...",
"created": "2018-11-03T04:17:41.584Z"
}
],
"assetCustomTags":
[
{
"Source": "Internal"
},
{
"Category": "Web App"
}
],
"assetCustomFields":
[
{
"af_sys_affected_endpoint": "https://bat-portal.attackforge.com"
}
],
"assetLibraryCustomFields":
[
{
"asset_owner": "Bruce Wayne"
}
],
"alternate_id": "WAYNETECH02-1",
"tags":
[
"cvss3_base_score:10.0",
"cvss3_vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"cvss_base_score:10.0",
"cvss_score_rationale:Unsupported Software",
"cvss_score_source:manual",
"cvss_vector:CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"
],
"cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"cvssv3_base_score": "10.0",
"cvssv3_temporal_score": "NA",
"cvssv3_environmental_score": "NA",
"testcases":
[
{
"created": "2022-05-24T04:01:55.765Z",
"modified": "2022-05-24T04:01:55.765Z",
"modifiedBy": "AttackForge Admin",
"status": "Not Tested",
"title": "001 New Test Case",
"testcase_code": "001",
"testsuite_name": "001 Test Suite",
"abuse_case": "No"
}
]
}
],
"remediation_status": "Closed",
"evidence":
[
{
"fileName": "screenshot.png",
"fileType": "image/png",
"fileSizeKB": "8064",
"fileBase64": "data:image/png;base64,iVBORw0..."
}
],
"vulnerabilityCustomTags":
[
{
"TLS_weakness": "True"
},
{
"PCI-related": "True"
}
]
}
]
}
],
"vulnerability_to_asset_mapping":
[
{
"vulnerability": "Unrestricted Upload of File with Dangerous Type",
"priority": "Critical",
"assets":
[
{
"status": "Fixed",
"asset": "batportal.attackforge.com"
}
]
}
],
"asset_to_vulnerability_mapping":
[
{
"asset": "batportal.attackforge.com",
"vulnerabilities":
[
{
"vulnerability": "Unrestricted Upload of File with Dangerous Type",
"priority": "Critical",
"status": "Fixed"
}
]
}
]
}
Example
The following example is a cURL request to get a csv report by the project id.
Request
Include API Token instead of stars in 'X-SSAPI-KEY: ***************************************' parameter.
curl -X GET 'https://demo.attackforge.com/api/ss/project/5bdd20d8128aa82e0040a75d/report/csv' -H 'Host: demo.attackforge.com' -H 'X-SSAPI-KEY: ***************************************' -H 'Content-Type: text/csv' -H 'Connection: close' > vulnerabilities.csv
Response
Response contains a body. For CSV reports, the body is in CSV format. Using cURL, save the output with > filename.csv
The following vulnerability fields are returned in the CSV:
Status - Open / Ready for Retest / Closed
Priority- Critical / High / Medium / Low / Info
Vulnerability - vulnerability title
Affected Targets - asset name
Likelihood Of Exploitation - 1-10
Zeroday - Yes / No
Description - description for the vulnerability
Attack Scenario - attack scenario for the vulnerability
Recommendation - remediation recommendation for the vulnerability
Notes - array of notes e.g. [{"note":"..."}]
Proof of Concept - steps to reproduce the vulnerability
Tags - array of strings e.g. ["tag 1", "tag 2", ...]
ReportGen Tags - array of ReportGen tags e.g. [{"name":"...", "value":"..."}]
Custom Fields - array of custom fields e.g. [{"name":"...", "value":"..."}]
Last updated