GetProjectReportData

This method can be used for the following: Get details in a reporting format for a project you have access to - including project vulnerabilities, test cases and other reporting data;

Parameters

The following URL, Headers and Parameters are required for requests to this API endpoint. Where a parameter is optional, it will be indicated. Otherwise treat all parameters as mandatory.

Headers

POST /api/ss/project/:id/report/:type HTTP/1.1
Host: demo.attackforge.com
X-SSAPI-KEY: APIKey
Content-Type: application/json
Connection: close

Query

id (string)

Identifier for the project.

Example:

GET /api/ss/project/5e48c12ec0376309d73aad71/report/:type HTTP/1.1

type (string)

Type of report. This must be one of the following: raw, csv

Example:

GET /api/ss/project/:id/report/raw HTTP/1.1

excludeBinaries (boolean)

Exclude binaries from the response object. Only applies to type raw.

Example:

GET /api/ss/project/:id/report/raw?excludeBinaries=true HTTP/1.1

vulnerabilityIds (string array) (optional)

Ids for the vulnerabilities to scope the report to.

Example:

{
   "vulnerabilityIds": [
      "6639508f50523053f459d29f"
   ]
}

Example

The following example is a cURL request to get a raw report by the project id.

Request

Include API Token instead of stars in 'X-SSAPI-KEY: ***************************************' parameter.

curl -X POST 'https://localhost:3000/api/ss/project/5eab99471e18050942c7607a/report/raw' -H 'Host: localhost:3000' -H 'X-SSAPI-KEY: ***************************************' -H 'Content-Type: application/json' -H 'Connection: close' -d '{
  "vulnerabilityIds": [
    "6639508f50523053f459d29f"
  ]
}'

Response

Response contains a body. For RAW reports, the body is in JSON format.

{
    "timestamp": "2021-11-08T05:05:25.825Z",
    "project":
    {
        "name": "Bat Portal Pentest",
        "code": "PROJECT XYZ",
        "created": "2021-11-08T05:05:25.825Z",
        "groups":
        [
            {
                "name": "Wayne Technologies"
            }
        ]
    },
    "projectCustomTags":
    [
        {
            "ClientName": "Wayne Technologies"
        }
    ],
    "projectCustomFields":
    [
        {
            "customer_size": "5000+ Employees"
        },
        {
            "compliance_requirements":
            [
                "PCI DSS",
                "HIPAA"
            ]
        }
    ],
    "executive_summary":
    {
        "total_unique_vulnerabilities": 28,
        "total_critical_vulnerabilities": 1,
        "total_high_vulnerabilities": 7,
        "total_medium_vulnerabilities": 6,
        "total_low_vulnerabilities": 11,
        "total_informational_vulnerabilities": 3,
        "total_testcases": 142,
        "total_completed_testcases": 11,
        "total_not_tested_testcases": 125,
        "total_in_progress_testcases": 4,
        "total_not_applicable_testcases": 2,
        "total_zero_day_vulnerabilities": 1,
        "total_easily_exploitable_vulnerabilities": 12,
        "notes": "AttackForge was engaged by...",
        "files":
        [
            {
                "fileName": "screenshot.png",
                "fileType": "image/png",
                "fileSizeKB": "8064",
                "fileBase64": "data:image/png;base64,iVBORw0..."
            }
        ]
    },
    "testing_summary":
    {
        "start_date": "Mon Jun 14 2021",
        "progress": "9%",
        "end_date": "Wed Jun 23 2021",
        "total_assets_with_vulnerabilities": 28,
        "total_assets_with_vulnerabilities_not_fixed": 11,
        "total_assets_with_vulnerabilities_fixed": 13,
        "total_assets_with_vulnerabilities_retesting": 3,
        "assets":
        [
            "batportal.attackforge.com",
            "192.168.0.1"
        ],
        "assets_details":
        [
            {
                "id": "620f1707c66ef8821d35ee1d",
                "name": "13.56.222.64",
                "library_id": "60b3439187c9a3002f60c6f8",
                "library_created": "2021-05-30T07:49:37.207Z",
                "library_updated": "2022-02-22T02:07:17.730Z",
                "library_name": "13.56.222.64",
                "type": "API",
                "external_id": "EXT ID",
                "details": "DETAILS",
                "assetCustomFields":
                [
                    {
                        "test": "CUSTOM FIELD"
                    }
                ]
            }
        ],
        "project_team":
        [
            "Batman - Client",
            "Lucius Fox - Project Manager",
            "Robin - Pentest Lead"
        ],
        "retesting_history":
        [
            {
                "created": "2021-11-08T05:05:25.825Z",
                "retesting_round": 1,
                "retesting_round_status": "Completed",
                "retesting_round_actioned_by": "Robin",
                "retesting_custom_round_name": "Retest Round 1",
                "retesting_custom_status_name": "Completed Retest for Bat Portal",
                "vulnerabilities":
                [
                    {
                        "vulnerability": "Session Fixation",
                        "vulnerability_id": "5bdd2508128aa82e0040a814"
                    },
                    {
                        "vulnerability": "Strict Transport Security Policy Not Enforced",
                        "vulnerability_id": "5bdd276b128aa82e0040a832"
                    }
                ],
                "vulnerabilitiesNotTested":
                [
                    {
                        "vulnerability": "Inconsistent Access Control",
                        "vulnerability_id": "5bdd22ec128aa82e0040a7fc"
                    },
                    {
                        "vulnerability": "Persistent Cross Site Scripting",
                        "vulnerability_id": "5bdd232c128aa82e0040a7ff"
                    },
                    {
                        "vulnerability": "Cookie With Secure Flag Missing",
                        "vulnerability_id": "5bdd2659128aa82e0040a826"
                    },
                    {
                        "vulnerability": "Cookie Without HTTPOnly Flag Set",
                        "vulnerability_id": "5bdd268c128aa82e0040a829"
                    }
                ]
            },
            {
                "created": "2021-11-08T05:05:25.825Z",
                "retesting_round": 1,
                "retesting_round_status": "Requested",
                "retesting_round_actioned_by": "Robin",
                "retesting_custom_round_name": "Retest Round 1",
                "retesting_custom_status_name": "Requested Retest for Bat Portal",
                "vulnerabilities":
                [
                    {
                        "vulnerability": "Inconsistent Access Control",
                        "vulnerability_id": "5bdd22ec128aa82e0040a7fc"
                    },
                    {
                        "vulnerability": "Persistent Cross Site Scripting",
                        "vulnerability_id": "5bdd232c128aa82e0040a7ff"
                    },
                    {
                        "vulnerability": "Session Fixation",
                        "vulnerability_id": "5bdd2508128aa82e0040a814"
                    },
                    {
                        "vulnerability": "Cookie With Secure Flag Missing",
                        "vulnerability_id": "5bdd2659128aa82e0040a826"
                    },
                    {
                        "vulnerability": "Cookie Without HTTPOnly Flag Set",
                        "vulnerability_id": "5bdd268c128aa82e0040a829"
                    },
                    {
                        "vulnerability": "Strict Transport Security Policy Not Enforced",
                        "vulnerability_id": "5bdd276b128aa82e0040a832"
                    }
                ],
                "vulnerabilitiesNotTested":
                []
            }
        ],
        "project_notes":
        [
            {
                "created": "2020-06-18T22:48:42.937Z",
                "modified": "2020-06-18T22:50:33.990Z",
                "note": "Pentester was sick.",
                "note_raw": "...HTML...",
                "created_by": "Robin"
            }
        ]
    },
    "vulnerabilities_summary":
    {
        "totalCriticalVulnerabilitiesAllAssets": 1,
        "totalHighVulnerabilitiesAllAssets": 7,
        "totalMediumVulnerabilitiesAllAssets": 6,
        "totalLowVulnerabilitiesAllAssets": 11,
        "totalInfoVulnerabilitiesAllAssets": 3,
        "critical":
        [
            {
                "title": "Unrestricted Upload of File with Dangerous Type",
                "retest_status": "Fixed",
                "total_affected_assets": 1,
                "total_affected_assets_fixed": 1,
                "total_affected_assets_retesting": 0,
                "total_affected_assets_not_fixed": 0
            }
        ],
        "high":
        [
            {
                "title": "Inconsistent Access Control",
                "retest_status": "Fixed",
                "total_affected_assets": 1,
                "total_affected_assets_fixed": 1,
                "total_affected_assets_retesting": 0,
                "total_affected_assets_not_fixed": 0
            }
        ],
        "medium":
        [
            {
                "title": "Reflected Cross Site Scripting",
                "retest_status": "Fixed",
                "total_affected_assets": 1,
                "total_affected_assets_fixed": 1,
                "total_affected_assets_retesting": 0,
                "total_affected_assets_not_fixed": 0
            }
        ],
        "low":
        [
            {
                "title": "Server Discloses Supporting Technology",
                "retest_status": "Fixed",
                "total_affected_assets": 1,
                "total_affected_assets_fixed": 1,
                "total_affected_assets_retesting": 0,
                "total_affected_assets_not_fixed": 0
            }
        ],
        "informational":
        [
            {
                "title": "Weak Password Policy",
                "retest_status": "Not Fixed",
                "total_affected_assets": 1,
                "total_affected_assets_fixed": 0,
                "total_affected_assets_retesting": 0,
                "total_affected_assets_not_fixed": 0
            }
        ]
    },
    "attackchains":
    [
        {
            "title": "Gain control of Bat Portal application server to ...",
            "order": 1,
            "id": "26n2cnjcv34g7djv7gilxvzow",
            "links":
            [
                {
                    "type": "External Attacker",
                    "icon": "data:image/png;base64,iVBORw0...",
                    "description": "Attacker who has ...",
                    "arrow": "data:image/png;base64,iVBORw0",
                    "order": 1,
                    "mitre_attack": "Initial Access",
                    "mitre_attack_color": "#555555"
                },
                {
                    "type": "Action",
                    "icon": "data:image/png;base64,iVBORw0...",
                    "description": "Log into application and ...",
                    "arrow": "data:image/png;base64,iVBORw0",
                    "order": 2,
                    "mitre_attack": "Discovery",
                    "mitre_attack_color": "#660066"
                },
                {
                    "type": "Exploit Critical Vulnerability",
                    "icon": "data:image/png;base64,iVBORw0",
                    "description": "Attacker identifies vulnerable 'upload Avatar' functionality in ...",
                    "title": "Unrestricted Upload of File with Dangerous Type",
                    "likelihood_of_exploitation": "Likelihood of exploitation: 100%",
                    "discovered": "Discovered in batportal.attackforge.com by Robin on 2018-11-03T04:17:41.584Z",
                    "asset_name": "batportal.attackforge.com",
                    "asset_id": "5bdd276b128aa82e0040a913",
                    "discovered_by_name": "Robin",
                    "discovered_by_id": "5bdd276b128aa82e0040a913",
                    "discovered_timestamp": "2018-11-03T04:17:41.584Z",
                    "arrow": "data:image/png;base64,iVBORw0...",
                    "order": 3,
                    "mitre_attack": "Execution",
                    "mitre_attack_color": "#ffc425"
                }
            ]
        }
    ],
    "vulnerabilities":
    [
        {
            "id": "5ad737feccb39f330a8ef00d",
            "title": "Unrestricted Upload of File with Dangerous Type",
            "priority": "Critical",
            "zero_day": false,
            "easily_exploitable": true,
            "likelihood_of_exploitation": 10,
            "severity": 1,
            "sla": "2022-02-10T01:14:34.975Z",
            "release_date": "2022-02-03T01:14:38.433Z",
            "target_remediation_date": "2022-02-10T06:32:39.435Z",
            "description": "An unrestricted upload of ...",
            "attack_scenario": "Arbitrary code execution is ...",
            "remediation_recommendation": "Assume all input is ...",
            "tags":
            [
                "CWE-434: Unrestricted Upload of File with Dangerous Type",
                "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "CVSSv3.1 Base Score: 9.8"
            ],
            "cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "cvssv3_base_score": "9.8",
            "cvssv3_temporal_score": "NA",
            "cvssv3_environmental_score": "NA",
            "affected_assets":
            [
                {
                    "created": "2018-11-03T04:17:41.584Z",
                    "modified": "2018-11-03T04:17:41.584Z",
                    "asset": "batportal.attackforge.com",
                    "id": "5bdd2165128aa82e0040a7ef",
                    "proof_of_concept": "1. Do this... 2. Do that...",
                    "proof_of_concept_raw": "...HTML...",
                    "remediation_status": "Closed on 2018-11-03T04:17:41.584Z",
                    "notes":
                    [
                        {
                            "note": "During testing, it was possible to ..."
                        }
                    ],
                    "remediation_notes":
                    [
                        {
                            "note": "Issue Closed: Issue has been fixed",
                            "created": "2018-11-03T04:17:41.584Z"
                        },
                        {
                            "note": "Attempted to upload ...",
                            "created": "2018-11-03T04:17:41.584Z"
                        }
                    ],
                    "assetCustomTags":
                    [
                        {
                            "Source": "Internal"
                        },
                        {
                            "Category": "Web App"
                        }
                    ],
                    "assetCustomFields":
                    [
                        {
                            "af_sys_affected_endpoint": "https://bat-portal.attackforge.com"
                        }
                    ],
                    "assetLibraryCustomFields":
                    [
                        {
                            "asset_owner": "Bruce Wayne"
                        }
                    ],
                    "alternate_id": "WAYNETECH02-1",
                    "tags":
                    [
                        "cvss3_base_score:10.0",
                        "cvss3_vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                        "cvss_base_score:10.0",
                        "cvss_score_rationale:Unsupported Software",
                        "cvss_score_source:manual",
                        "cvss_vector:CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"
                    ],
                    "cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                    "cvssv3_base_score": "10.0",
                    "cvssv3_temporal_score": "NA",
                    "cvssv3_environmental_score": "NA",
                    "testcases":
                    [
                        {
                            "created": "2022-05-24T04:01:55.765Z",
                            "modified": "2022-05-24T04:01:55.765Z",
                            "modifiedBy": "AttackForge Admin",
                            "status": "Not Tested",
                            "title": "001 New Test Case",
                            "testcase_code": "001",
                            "testsuite_name": "001 Test Suite",
                            "abuse_case": "No"
                        }
                    ]
                }
            ],
            "remediation_status": "Closed",
            "evidence":
            [
                {
                    "fileName": "screenshot.png",
                    "fileType": "image/png",
                    "fileSizeKB": "8064",
                    "fileBase64": "data:image/png;base64,iVBORw0..."
                }
            ],
            "vulnerabilityCustomTags":
            [
                {
                    "TLS_weakness": "True"
                },
                {
                    "PCI-related": "True"
                }
            ]
        }
    ],
    "appendix_overview": true,
    "appendix_severity": true,
    "testcases":
    [
        {
            "created": "2018-11-03T04:17:41.584Z",
            "modified": "2018-11-03T04:17:41.584Z",
            "modifiedBy": "Robin",
            "title": "Verify all pages and resources by default require ...",
            "status": "Tested",
            "testsuite_name": "Standard Web App Penetration Testing",
            "tags":
            [
                "OWASP ASVS v2.1"
            ],
            "notes":
            [
                {
                    "note": "There was no function discovered to change user password.",
                    "modified": "2018-11-03T04:17:41.584Z",
                    "modifiedBy": "Robin"
                }
            ],
            "evidence":
            [
                {
                    "fileName": "screenshot.png",
                    "fileType": "image/png",
                    "fileSizeKB": "8064",
                    "fileBase64": "data:image/png;base64,iVBORw0..."
                }
            ],
            "is_failed": "Yes",
            "is_remediated": "Yes",
            "remediation_status": "Remediated",
            "linked_vulnerabilities":
            [
                {
                    "id": "5ad737feccb39f330a8ef00d",
                    "title": "Unrestricted Upload of File with Dangerous Type",
                    "priority": "Critical",
                    "zero_day": false,
                    "easily_exploitable": true,
                    "likelihood_of_exploitation": 10,
                    "severity": 1,
                    "sla": "2022-02-10T01:14:34.975Z",
                    "release_date": "2022-02-03T01:14:38.433Z",
                    "target_remediation_date": "2022-02-10T06:32:39.435Z",
                    "description": "An unrestricted upload of ...",
                    "attack_scenario": "Arbitrary code execution is ...",
                    "remediation_recommendation": "Assume all input is ...",
                    "tags":
                    [
                        "CWE-434: Unrestricted Upload of File with Dangerous Type",
                        "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                        "CVSSv3.1 Base Score: 9.8"
                    ],
                    "cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                    "cvssv3_base_score": "9.8",
                    "cvssv3_temporal_score": "NA",
                    "cvssv3_environmental_score": "NA",
                    "affected_assets":
                    [
                        {
                            "created": "2018-11-03T04:17:41.584Z",
                            "modified": "2018-11-03T04:17:41.584Z",
                            "asset": "batportal.attackforge.com",
                            "id": "5bdd2165128aa82e0040a7ef",
                            "proof_of_concept": "1. Do this... 2. Do that...",
                            "proof_of_concept_raw": "...HTML...",
                            "remediation_status": "Closed on 2018-11-03T04:17:41.584Z",
                            "notes":
                            [
                                {
                                    "note": "During testing, it was possible to ..."
                                }
                            ],
                            "remediation_notes":
                            [
                                {
                                    "note": "Issue Closed: Issue has been fixed",
                                    "created": "2018-11-03T04:17:41.584Z"
                                },
                                {
                                    "note": "Attempted to upload ...",
                                    "created": "2018-11-03T04:17:41.584Z"
                                }
                            ],
                            "assetCustomTags":
                            [
                                {
                                    "Source": "Internal"
                                },
                                {
                                    "Category": "Web App"
                                }
                            ],
                            "assetCustomFields":
                            [
                                {
                                    "af_sys_affected_endpoint": "https://bat-portal.attackforge.com"
                                }
                            ],
                            "assetLibraryCustomFields":
                            [
                                {
                                    "asset_owner": "Bruce Wayne"
                                }
                            ],
                            "alternate_id": "WAYNETECH02-1",
                            "tags":
                            [
                                "cvss3_base_score:10.0",
                                "cvss3_vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                                "cvss_base_score:10.0",
                                "cvss_score_rationale:Unsupported Software",
                                "cvss_score_source:manual",
                                "cvss_vector:CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"
                            ],
                            "cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                            "cvssv3_base_score": "10.0",
                            "cvssv3_temporal_score": "NA",
                            "cvssv3_environmental_score": "NA",
                            "testcases":
                            [
                                {
                                    "created": "2022-05-24T04:01:55.765Z",
                                    "modified": "2022-05-24T04:01:55.765Z",
                                    "modifiedBy": "AttackForge Admin",
                                    "status": "Not Tested",
                                    "title": "001 New Test Case",
                                    "testcase_code": "001",
                                    "testsuite_name": "001 Test Suite",
                                    "abuse_case": "No"
                                }
                            ]
                        }
                    ],
                    "remediation_status": "Closed",
                    "evidence":
                    [
                        {
                            "fileName": "screenshot.png",
                            "fileType": "image/png",
                            "fileSizeKB": "8064",
                            "fileBase64": "data:image/png;base64,iVBORw0..."
                        }
                    ],
                    "vulnerabilityCustomTags":
                    [
                        {
                            "TLS_weakness": "True"
                        },
                        {
                            "PCI-related": "True"
                        }
                    ]
                }
            ]
        }
    ],
    "vulnerability_to_asset_mapping":
    [
        {
            "vulnerability": "Unrestricted Upload of File with Dangerous Type",
            "priority": "Critical",
            "assets":
            [
                {
                    "status": "Fixed",
                    "asset": "batportal.attackforge.com"
                }
            ]
        }
    ],
    "asset_to_vulnerability_mapping":
    [
        {
            "asset": "batportal.attackforge.com",
            "vulnerabilities":
            [
                {
                    "vulnerability": "Unrestricted Upload of File with Dangerous Type",
                    "priority": "Critical",
                    "status": "Fixed"
                }
            ]
        }
    ]
}

Example

The following example is a cURL request to get a csv report by the project id.

Request

Include API Token instead of stars in 'X-SSAPI-KEY: ***************************************' parameter.

curl -X GET 'https://demo.attackforge.com/api/ss/project/5bdd20d8128aa82e0040a75d/report/csv' -H 'Host: demo.attackforge.com' -H 'X-SSAPI-KEY: ***************************************' -H 'Content-Type: text/csv' -H 'Connection: close' > vulnerabilities.csv

Response

Response contains a body. For CSV reports, the body is in CSV format. Using cURL, save the output with > filename.csv

The following vulnerability fields are returned in the CSV:

Status - Open / Ready for Retest / Closed
Priority- Critical / High / Medium / Low / Info
Vulnerability - vulnerability title
Affected Targets - asset name
Likelihood Of Exploitation - 1-10
Zeroday - Yes / No
Description - description for the vulnerability
Attack Scenario - attack scenario for the vulnerability
Recommendation - remediation recommendation for the vulnerability
Notes - array of notes e.g. [{"note":"..."}]
Proof of Concept - steps to reproduce the vulnerability
Tags - array of strings e.g. ["tag 1", "tag 2", ...]
ReportGen Tags - array of ReportGen tags e.g. [{"name":"...", "value":"..."}]
Custom Fields - array of custom fields e.g. [{"name":"...", "value":"..."}]

PreviousGetProjectReport NextGetProjectRequests

Last updated 1 year ago

{ "timestamp": "2021-11-08T05:05:25.825Z", "project": { "name": "Bat Portal Pentest", "code": "PROJECT XYZ", "created": "2021-11-08T05:05:25.825Z", "groups": [ { "name": "Wayne Technologies" } ] }, "projectCustomTags": [ { "ClientName": "Wayne Technologies" } ], "projectCustomFields": [ { "customer_size": "5000+ Employees" }, { "compliance_requirements": [ "PCI DSS", "HIPAA" ] } ], "executive_summary": { "total_unique_vulnerabilities": 28, "total_critical_vulnerabilities": 1, "total_high_vulnerabilities": 7, "total_medium_vulnerabilities": 6, "total_low_vulnerabilities": 11, "total_informational_vulnerabilities": 3, "total_testcases": 142, "total_completed_testcases": 11, "total_not_tested_testcases": 125, "total_in_progress_testcases": 4, "total_not_applicable_testcases": 2, "total_zero_day_vulnerabilities": 1, "total_easily_exploitable_vulnerabilities": 12, "notes": "AttackForge was engaged by...", "files": [ { "fileName": "screenshot.png", "fileType": "image/png", "fileSizeKB": "8064", "fileBase64": "data:image/png;base64,iVBORw0..." } ] }, "testing_summary": { "start_date": "Mon Jun 14 2021", "progress": "9%", "end_date": "Wed Jun 23 2021", "total_assets_with_vulnerabilities": 28, "total_assets_with_vulnerabilities_not_fixed": 11, "total_assets_with_vulnerabilities_fixed": 13, "total_assets_with_vulnerabilities_retesting": 3, "assets": [ "batportal.attackforge.com", "192.168.0.1" ], "assets_details": [ { "id": "620f1707c66ef8821d35ee1d", "name": "13.56.222.64", "library_id": "60b3439187c9a3002f60c6f8", "library_created": "2021-05-30T07:49:37.207Z", "library_updated": "2022-02-22T02:07:17.730Z", "library_name": "13.56.222.64", "type": "API", "external_id": "EXT ID", "details": "DETAILS", "assetCustomFields": [ { "test": "CUSTOM FIELD" } ] } ], "project_team": [ "Batman - Client", "Lucius Fox - Project Manager", "Robin - Pentest Lead" ], "retesting_history": [ { "created": "2021-11-08T05:05:25.825Z", "retesting_round": 1, "retesting_round_status": "Completed", "retesting_round_actioned_by": "Robin", "retesting_custom_round_name": "Retest Round 1", "retesting_custom_status_name": "Completed Retest for Bat Portal", "vulnerabilities": [ { "vulnerability": "Session Fixation", "vulnerability_id": "5bdd2508128aa82e0040a814" }, { "vulnerability": "Strict Transport Security Policy Not Enforced", "vulnerability_id": "5bdd276b128aa82e0040a832" } ], "vulnerabilitiesNotTested": [ { "vulnerability": "Inconsistent Access Control", "vulnerability_id": "5bdd22ec128aa82e0040a7fc" }, { "vulnerability": "Persistent Cross Site Scripting", "vulnerability_id": "5bdd232c128aa82e0040a7ff" }, { "vulnerability": "Cookie With Secure Flag Missing", "vulnerability_id": "5bdd2659128aa82e0040a826" }, { "vulnerability": "Cookie Without HTTPOnly Flag Set", "vulnerability_id": "5bdd268c128aa82e0040a829" } ] }, { "created": "2021-11-08T05:05:25.825Z", "retesting_round": 1, "retesting_round_status": "Requested", "retesting_round_actioned_by": "Robin", "retesting_custom_round_name": "Retest Round 1", "retesting_custom_status_name": "Requested Retest for Bat Portal", "vulnerabilities": [ { "vulnerability": "Inconsistent Access Control", "vulnerability_id": "5bdd22ec128aa82e0040a7fc" }, { "vulnerability": "Persistent Cross Site Scripting", "vulnerability_id": "5bdd232c128aa82e0040a7ff" }, { "vulnerability": "Session Fixation", "vulnerability_id": "5bdd2508128aa82e0040a814" }, { "vulnerability": "Cookie With Secure Flag Missing", "vulnerability_id": "5bdd2659128aa82e0040a826" }, { "vulnerability": "Cookie Without HTTPOnly Flag Set", "vulnerability_id": "5bdd268c128aa82e0040a829" }, { "vulnerability": "Strict Transport Security Policy Not Enforced", "vulnerability_id": "5bdd276b128aa82e0040a832" } ], "vulnerabilitiesNotTested": [] } ], "project_notes": [ { "created": "2020-06-18T22:48:42.937Z", "modified": "2020-06-18T22:50:33.990Z", "note": "Pentester was sick.", "note_raw": "...HTML...", "created_by": "Robin" } ] }, "vulnerabilities_summary": { "totalCriticalVulnerabilitiesAllAssets": 1, "totalHighVulnerabilitiesAllAssets": 7, "totalMediumVulnerabilitiesAllAssets": 6, "totalLowVulnerabilitiesAllAssets": 11, "totalInfoVulnerabilitiesAllAssets": 3, "critical": [ { "title": "Unrestricted Upload of File with Dangerous Type", "retest_status": "Fixed", "total_affected_assets": 1, "total_affected_assets_fixed": 1, "total_affected_assets_retesting": 0, "total_affected_assets_not_fixed": 0 } ], "high": [ { "title": "Inconsistent Access Control", "retest_status": "Fixed", "total_affected_assets": 1, "total_affected_assets_fixed": 1, "total_affected_assets_retesting": 0, "total_affected_assets_not_fixed": 0 } ], "medium": [ { "title": "Reflected Cross Site Scripting", "retest_status": "Fixed", "total_affected_assets": 1, "total_affected_assets_fixed": 1, "total_affected_assets_retesting": 0, "total_affected_assets_not_fixed": 0 } ], "low": [ { "title": "Server Discloses Supporting Technology", "retest_status": "Fixed", "total_affected_assets": 1, "total_affected_assets_fixed": 1, "total_affected_assets_retesting": 0, "total_affected_assets_not_fixed": 0 } ], "informational": [ { "title": "Weak Password Policy", "retest_status": "Not Fixed", "total_affected_assets": 1, "total_affected_assets_fixed": 0, "total_affected_assets_retesting": 0, "total_affected_assets_not_fixed": 0 } ] }, "attackchains": [ { "title": "Gain control of Bat Portal application server to ...", "order": 1, "id": "26n2cnjcv34g7djv7gilxvzow", "links": [ { "type": "External Attacker", "icon": "data:image/png;base64,iVBORw0...", "description": "Attacker who has ...", "arrow": "data:image/png;base64,iVBORw0", "order": 1, "mitre_attack": "Initial Access", "mitre_attack_color": "#555555" }, { "type": "Action", "icon": "data:image/png;base64,iVBORw0...", "description": "Log into application and ...", "arrow": "data:image/png;base64,iVBORw0", "order": 2, "mitre_attack": "Discovery", "mitre_attack_color": "#660066" }, { "type": "Exploit Critical Vulnerability", "icon": "data:image/png;base64,iVBORw0", "description": "Attacker identifies vulnerable 'upload Avatar' functionality in ...", "title": "Unrestricted Upload of File with Dangerous Type", "likelihood_of_exploitation": "Likelihood of exploitation: 100%", "discovered": "Discovered in batportal.attackforge.com by Robin on 2018-11-03T04:17:41.584Z", "asset_name": "batportal.attackforge.com", "asset_id": "5bdd276b128aa82e0040a913", "discovered_by_name": "Robin", "discovered_by_id": "5bdd276b128aa82e0040a913", "discovered_timestamp": "2018-11-03T04:17:41.584Z", "arrow": "data:image/png;base64,iVBORw0...", "order": 3, "mitre_attack": "Execution", "mitre_attack_color": "#ffc425" } ] } ], "vulnerabilities": [ { "id": "5ad737feccb39f330a8ef00d", "title": "Unrestricted Upload of File with Dangerous Type", "priority": "Critical", "zero_day": false, "easily_exploitable": true, "likelihood_of_exploitation": 10, "severity": 1, "sla": "2022-02-10T01:14:34.975Z", "release_date": "2022-02-03T01:14:38.433Z", "target_remediation_date": "2022-02-10T06:32:39.435Z", "description": "An unrestricted upload of ...", "attack_scenario": "Arbitrary code execution is ...", "remediation_recommendation": "Assume all input is ...", "tags": [ "CWE-434: Unrestricted Upload of File with Dangerous Type", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CVSSv3.1 Base Score: 9.8" ], "cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvssv3_base_score": "9.8", "cvssv3_temporal_score": "NA", "cvssv3_environmental_score": "NA", "affected_assets": [ { "created": "2018-11-03T04:17:41.584Z", "modified": "2018-11-03T04:17:41.584Z", "asset": "batportal.attackforge.com", "id": "5bdd2165128aa82e0040a7ef", "proof_of_concept": "1. Do this... 2. Do that...", "proof_of_concept_raw": "...HTML...", "remediation_status": "Closed on 2018-11-03T04:17:41.584Z", "notes": [ { "note": "During testing, it was possible to ..." } ], "remediation_notes": [ { "note": "Issue Closed: Issue has been fixed", "created": "2018-11-03T04:17:41.584Z" }, { "note": "Attempted to upload ...", "created": "2018-11-03T04:17:41.584Z" } ], "assetCustomTags": [ { "Source": "Internal" }, { "Category": "Web App" } ], "assetCustomFields": [ { "af_sys_affected_endpoint": "https://bat-portal.attackforge.com" } ], "assetLibraryCustomFields": [ { "asset_owner": "Bruce Wayne" } ], "alternate_id": "WAYNETECH02-1", "tags": [ "cvss3_base_score:10.0", "cvss3_vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "cvss_base_score:10.0", "cvss_score_rationale:Unsupported Software", "cvss_score_source:manual", "cvss_vector:CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C" ], "cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "cvssv3_base_score": "10.0", "cvssv3_temporal_score": "NA", "cvssv3_environmental_score": "NA", "testcases": [ { "created": "2022-05-24T04:01:55.765Z", "modified": "2022-05-24T04:01:55.765Z", "modifiedBy": "AttackForge Admin", "status": "Not Tested", "title": "001 New Test Case", "testcase_code": "001", "testsuite_name": "001 Test Suite", "abuse_case": "No" } ] } ], "remediation_status": "Closed", "evidence": [ { "fileName": "screenshot.png", "fileType": "image/png", "fileSizeKB": "8064", "fileBase64": "data:image/png;base64,iVBORw0..." } ], "vulnerabilityCustomTags": [ { "TLS_weakness": "True" }, { "PCI-related": "True" } ] } ], "appendix_overview": true, "appendix_severity": true, "testcases": [ { "created": "2018-11-03T04:17:41.584Z", "modified": "2018-11-03T04:17:41.584Z", "modifiedBy": "Robin", "title": "Verify all pages and resources by default require ...", "status": "Tested", "testsuite_name": "Standard Web App Penetration Testing", "tags": [ "OWASP ASVS v2.1" ], "notes": [ { "note": "There was no function discovered to change user password.", "modified": "2018-11-03T04:17:41.584Z", "modifiedBy": "Robin" } ], "evidence": [ { "fileName": "screenshot.png", "fileType": "image/png", "fileSizeKB": "8064", "fileBase64": "data:image/png;base64,iVBORw0..." } ], "is_failed": "Yes", "is_remediated": "Yes", "remediation_status": "Remediated", "linked_vulnerabilities": [ { "id": "5ad737feccb39f330a8ef00d", "title": "Unrestricted Upload of File with Dangerous Type", "priority": "Critical", "zero_day": false, "easily_exploitable": true, "likelihood_of_exploitation": 10, "severity": 1, "sla": "2022-02-10T01:14:34.975Z", "release_date": "2022-02-03T01:14:38.433Z", "target_remediation_date": "2022-02-10T06:32:39.435Z", "description": "An unrestricted upload of ...", "attack_scenario": "Arbitrary code execution is ...", "remediation_recommendation": "Assume all input is ...", "tags": [ "CWE-434: Unrestricted Upload of File with Dangerous Type", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "CVSSv3.1 Base Score: 9.8" ], "cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvssv3_base_score": "9.8", "cvssv3_temporal_score": "NA", "cvssv3_environmental_score": "NA", "affected_assets": [ { "created": "2018-11-03T04:17:41.584Z", "modified": "2018-11-03T04:17:41.584Z", "asset": "batportal.attackforge.com", "id": "5bdd2165128aa82e0040a7ef", "proof_of_concept": "1. Do this... 2. Do that...", "proof_of_concept_raw": "...HTML...", "remediation_status": "Closed on 2018-11-03T04:17:41.584Z", "notes": [ { "note": "During testing, it was possible to ..." } ], "remediation_notes": [ { "note": "Issue Closed: Issue has been fixed", "created": "2018-11-03T04:17:41.584Z" }, { "note": "Attempted to upload ...", "created": "2018-11-03T04:17:41.584Z" } ], "assetCustomTags": [ { "Source": "Internal" }, { "Category": "Web App" } ], "assetCustomFields": [ { "af_sys_affected_endpoint": "https://bat-portal.attackforge.com" } ], "assetLibraryCustomFields": [ { "asset_owner": "Bruce Wayne" } ], "alternate_id": "WAYNETECH02-1", "tags": [ "cvss3_base_score:10.0", "cvss3_vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "cvss_base_score:10.0", "cvss_score_rationale:Unsupported Software", "cvss_score_source:manual", "cvss_vector:CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C" ], "cvssv3_vector": "/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "cvssv3_base_score": "10.0", "cvssv3_temporal_score": "NA", "cvssv3_environmental_score": "NA", "testcases": [ { "created": "2022-05-24T04:01:55.765Z", "modified": "2022-05-24T04:01:55.765Z", "modifiedBy": "AttackForge Admin", "status": "Not Tested", "title": "001 New Test Case", "testcase_code": "001", "testsuite_name": "001 Test Suite", "abuse_case": "No" } ] } ], "remediation_status": "Closed", "evidence": [ { "fileName": "screenshot.png", "fileType": "image/png", "fileSizeKB": "8064", "fileBase64": "data:image/png;base64,iVBORw0..." } ], "vulnerabilityCustomTags": [ { "TLS_weakness": "True" }, { "PCI-related": "True" } ] } ] } ], "vulnerability_to_asset_mapping": [ { "vulnerability": "Unrestricted Upload of File with Dangerous Type", "priority": "Critical", "assets": [ { "status": "Fixed", "asset": "batportal.attackforge.com" } ] } ], "asset_to_vulnerability_mapping": [ { "asset": "batportal.attackforge.com", "vulnerabilities": [ { "vulnerability": "Unrestricted Upload of File with Dangerous Type", "priority": "Critical", "status": "Fixed" } ] } ] }