FAQs

FAQs from the Community

Before You Start

  • Global Dashboard – this dashboard is displayed after you log in, or if you click on Dashboard from the Global Menu. It contains summary information for all of your projects, and their vulnerabilities. You can click on any Dashboard Box to drill-down for more details.
  • Global Menu – this is the left-hand side menu which is used to navigate the application. It is available to you at all times and provides access to various modules.
  • Page Menu – this is a Menu button which contains a drop-down menu of options relevant to the page you are viewing. This menu is always located in the top-right of each page.
  • Action Menu – this is a secondary Menu button which applies to certain pages only. It allows you to select options specific to the related item (for example, a single project in the Projects list).
  • Project Dashboard – this is the main page for your project. It can be accessed by clicking on Projects from the Global Menu, then clicking on a project name.
  • Project Menu – this is the Page Menu which is available to you from the Project Dashboard page.
  • Dashboard Box – these boxes are displayed on the Global Dashboard & Project Dashboard. Clicking on these boxes will allow you to drill-down on the information represented by that box.
  • Vulnerability Page – this is the page which includes all details for the vulnerability raised on your project. You can access this page by navigating to your Project Dashboard then clicking on any of the vulnerability Dashboard Boxes, then clicking on the vulnerability name.

Frequently Asked Questions and Answers (FAQs)

Scanning the QR Code doesn't work? I get a code error when I try to log in

If scanning the QR code results in an error when you enter the code from your app, try manually entering the Secret (shown under the QR code) into your authenticator app.
The following guide shows how to manually enter your Secret using iOS + Microsoft Authenticator. The same steps work on Android, and you can try them with other mobile authenticator apps too.
  1. Download Microsoft Authenticator from the App Store / Play Store
  2. Open Microsoft Authenticator and click on the menu in the top-right
  3. Click on 'Other'
  4. Click on 'Or enter code manually'
  5. Back on AttackForge, copy the Secret (beneath the QR code) into your authenticator app
  6. Log in using the new account created in your authenticator app
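If you want to confirm that the Secret was copied correctly before you lock yourself out, you can compute the current code from the Secret yourself and compare it with what the app displays. The following is an added example, not part of the original FAQ or of AttackForge itself; it implements the standard TOTP algorithm (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) that authenticator apps use. The secret in the usage line is the RFC 6238 test secret, not a real one, and the one-step drift window in `verify_code` is a typical server tolerance assumed for the example, not AttackForge's setting.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test vector secret (ASCII "12345678901234567890"), base32 encoded.
# Used only so the example can be checked against published values.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 TOTP secret as shown beneath a QR code.

    Authenticator apps tolerate spaces, lower case and missing '=' padding,
    so normalise the same way before decoding.
    """
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, for_time: Optional[int] = None,
         digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time-step counter."""
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step
    key = decode_secret(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte selects
    # a 4-byte window; clear the top bit, then reduce to `digits` digits.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(secret_b32: str, code: str, for_time: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or up to `window` steps either side.

    The window absorbs small clock drift between phone and server. If the
    app's code only matches far outside it, the phone's clock is wrong,
    which is a common cause of "invalid code" after a correct manual entry.
    """
    if for_time is None:
        for_time = int(time.time())
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, for_time + delta * step, step=step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    print("Current code for the RFC 6238 test secret:", totp(RFC6238_TEST_SECRET))
```

Replace the test secret with the Secret shown beneath the QR code and compare the printed code with the app; if the two differ, the Secret was mistyped (or the phone's clock is off by more than a step).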

How do I create a project?

You can click on 'Create a New Project' button from Projects. When creating a project, you will define what will be tested (e.g. application, infrastructure, etc.), and how it will be tested (by selecting relevant test suites). Don't worry if you don't know details or dates now, you can always add/update later.
When you create a project, you become the Project Owner (note you cannot change the Project Owner). As the Project Owner, only you can define the assets/scope to be tested on the project and invite people to your project. You can also control what level of access they have, e.g.:
  • View - this person can view scope, vulnerabilities, test case progress, download reports, export vulnerabilities to JIRA or ServiceNow, participate in chat on Slack, add remediation notes to vulnerabilities, and request retesting. This is the typical access role for developers, project managers, or clients.
  • Upload - this person can do everything a View person can + upload files to the workspace.
  • Edit - this person can do everything a View person can + send daily testing commencement/completion emails, upload details and files to the workspace, action and complete test cases, add & manage vulnerabilities including closing vulnerabilities, perform retesting, add and manage attack chains, and upload testing logs.
After you create a project, the next step is to invite relevant people to your project, then start working through test cases and adding vulnerabilities to your project. You can manage access to your project and add vulnerabilities using Project Menu.

How do I invite somebody to my project?

Only Project Owners are allowed to invite a person to a project. If you are the Project Owner, from the Project Menu - select 'Manage Access' option. From here you can see which users have access, administer their privileges to your project, or invite a new person to your project using 'Grant Access' option from Page Menu.

How do I get access to another person's project?

You need to be invited to a project by the Project Owner. Please contact them to request access to their project.

How can I see all of my projects?

You can access all of your projects by clicking on Projects from the Global Menu. After clicking on a project name, you will be directed to the Project Dashboard. Here you can see all information for the project as well as access Project Menu.

How do I add a vulnerability to a project?

You can add a vulnerability to an asset/scope on a project by selecting ‘Add Vulnerability’ from the Project Menu. When adding a vulnerability, you can use the in-built vulnerability library to pre-populate most of the information for you.
If your vulnerability is not already available in the vulnerability library - you can use the Vulnerability Library module to create a new entry in your library to use on your projects. Only you have access to your library, unless you choose to share it with your Team.
Only project team members with Edit access to a project have permission to add or modify a vulnerability. If you do not have relevant permissions, please speak with your Project Owner (person who invited you to the project).

How do I upload a file?

You can access your project workspace to upload files from your Project Menu by selecting ‘Upload Files’ or 'Workspace' options.
You need to be provided with Upload or Edit access in order to be able to access & upload files to your project workspace.

How do I download a vulnerability report?

You can download a vulnerability report using any of the methods below:
  • Project Action Menu: You can access this menu from the Projects screen by clicking on the Action Menu for the project whose report you wish to download.
  • Project Dashboard: You can download a report by clicking on Project Menu and selecting ‘Download Vulnerability Report’.
  • Reporting Module: You can access Reporting module from the Global Menu. Here you can download a report for all of your projects.

How do I customize my vulnerability reports?

You can customize your vulnerability reports by selecting ‘Customize Vulnerability Reports’ option from Project Menu; or by clicking on ‘Customize Vulnerability Reports’ button from Reporting module.
You can select from pre-built templates for Executives, Risk Managers, Auditors and 3rd Parties, and Developers; or you can build a custom report structure to suit your needs.
Reporting options are saved to your profile so you do not need to update it every time you download a report.

How do I request a retest?

You can request a retest by clicking on ‘Retesting’ option from the Project Menu. From here, use the Page Menu to select ‘Request Retest’ option.
Before you request a retest – ensure that you have flagged each of the vulnerabilities you would like to include in the retest. You can do this by accessing the Vulnerability Page and using the Page Menu to select ‘Ready for Retesting’ option.

How do I add remediation notes to a vulnerability?

You can add remediation notes to a vulnerability by selecting ‘Add Remediation Note’ option from the Page Menu on the Vulnerability Page.
Remediation notes are tracked and incorporated in audit trail for related vulnerability. You can see remediation notes and audit trail by selecting ‘Remediation Notes’ tab from Vulnerability Page; or by downloading a report.

How do I close and/or re-open a vulnerability?

You can close or re-open a vulnerability by selecting ‘Open/Close Vulnerability’ option from the Page Menu on the Vulnerability Page.
Only project team members with Edit access to a project have permission to close & re-open a vulnerability. If you do not have relevant permissions, please speak with your Project Owner (person who invited you to the project).

How can I see the number of vulnerabilities found last month/year?

By clicking on Analytics from the Global Menu, you can see analytics and trends data relating to your projects and assets. You can click on the buttons or text to drill-down on the information represented by the chart or trend.
You can click on the ‘Filter Analytics’ button in the top-right corner (where Page Menu is typically located) to open a Filtering menu. Here you can adjust the analytics to filter on specific dates.

How do I find or search vulnerabilities across all my systems and assets?

You can search vulnerabilities for a given asset/system using the Search module located on Global Menu.
From here, use the drop-down fields to select the asset/system you would like to search.
If you would like to search for a specific vulnerability and you don’t know which project or asset/system it belongs to – click on ‘Vulnerabilities’ Dashboard Box from Global Dashboard and use pagination filter to select ‘Show 5000 entries’. Now use the Search bar top-right above the table to keyword search for vulnerability name.

How do I update test cases?

You can update one or multiple test cases by selecting ‘Test Cases’ option from the Project Menu.
To update individual test cases – click on the text within the Status column and adjust accordingly.
To update multiple test cases – use the Page Menu to select ‘Edit Multiple Testcases’ option, then select individual test cases or use the Page Menu again to add all test cases. You can then use the Page Menu to set the selected test cases to desired status.
Only project team members with Edit access to a project have permission to update test cases. If you do not have relevant permissions, please speak with your Project Owner (person who invited you to the project).

Why did I not receive an email notification that testing has started/stopped for the day?

Project team members with Edit permissions can inform everybody on the project that they have started or stopped testing by selecting ‘Send Daily Commencement Email’ option or ‘Send Daily Completion Email’ option from the Project Menu.
If you have not received an email, please check with [email protected] to see if you have accidentally unsubscribed from the email mailing list, or check with your Project Owner to confirm that testing has started or stopped.
Only project team members with Edit access to a project have permission to email project team members on testing activity. If you do not have relevant permissions, please speak with your Project Owner (person who invited you to the project).

I receive too many email notifications. How can I stop it?

You can opt to stop receiving emails by clicking ‘Unsubscribe’ button from a system generated email you have previously received.
Note that this stops all emails being sent to you, including password reset emails. If you need to reset your password and cannot log in, you need to contact [email protected]

How can I update my email address?

As a security measure, you cannot update your email address directly. You will need to contact [email protected] and they can perform this for you.

How can I update my password?

You can update your passphrase by clicking on Profile from the drop-down menu in the top right of the screen and using Page Menu to select ‘Change Passphrase’ option.
You can also update your passphrase using the ‘Forgot Password’ link from the login page.

How can I update my profile?

You can update your profile by clicking on Profile from the drop-down menu in the top right of the screen and using Page Menu to select ‘Edit Profile’, ‘Modify Avatar’ or ‘Update Name’ options.

How can I reset my 2FA?

You can update your 2FA by clicking on Profile from the drop-down menu in the top right of the screen and using Page Menu to select ‘Reset 2FA Code’.

How do I sign-out / log-off?

You can sign-out or log-off from your active session by clicking ‘Sign out’ button from the drop-down menu in the top right of the screen.

Why do Attack Chains show up as [?] in DOCX report instead of pictures?

Attack Chains in DOCX reports use a font to represent the images in the chains. In order to display the images, you need to have the font ‘Font Awesome’ installed on your computer. It is free to download and install.
You can access Font Awesome from: https://fontawesome.com/

How can I upgrade to Pro?

You can upgrade to Pro by visiting your Profile and using the drop-down menu to select Upgrade to Pro, or by visiting Analytics or Test Suite Builder.

What are the limitations for free accounts?

As a Free user, you get access to most features within AttackForge, however there are some limitations:
  • You can create up to 10 projects
  • You can add up to 5 assets/scope to each project
  • You can invite up to 20 persons to your projects
  • You can upload up to 200 files
  • You do not have access to Analytics
  • You can't invite people to join your Team, however you can still receive invites
  • You do not have access to Test Suite Builder - this is where you create & define which test cases will be assigned & tested for a given project

Is there an Enterprise version of AttackForge?

Yes. Visit https://attackforge.com/attackforge-enterprise.html for more details or contact us at [email protected]

How can I create more projects?

Easy - sign up to be a Pro user and get access to our Pro-Perks, which includes unlimited projects plus many other benefits - see Pro-Perks.

How do I add a person to my team?

Easy - sign up to be a Pro user and get access to our Pro-Perks, which includes ability to invite people to join your team so you can collaborate and pool together your vulnerability libraries and test suites, plus many other benefits - see Pro-Perks.

Who can see my projects and vulnerabilities?

As Project Owner, only people you give access to via 'Manage Access' option from your Project Menu, as well as our administrators.

How long is a project visible/accessible?

Until the Project Owner deletes the project.

I accidentally deleted my project - can I get it back?

In most cases, yes. However, there is only a short window for this, so you need to contact us as soon as possible.

How can I see who else is on my project?

If you are the Project Owner, navigate to 'Manage Access' option from your Project Menu.
If you are not the Project Owner, click on 'View Project Team' from the Project Menu to see all project team members. You can then click on their name to view their profile.

How do I add or change scope/assets on my project?

From Project Menu, select 'Scope' option to access assets/systems which are in-scope for the given project. You can update the scope in-line by adjusting the value and selecting tick-box to save it. You can also add new scope by using the Page Menu.
Only a Project Owner can update or delete the scope assigned to a project.

Why can't I add somebody to my Team?

The person you are inviting to join your Team must already be an existing user in AttackForge. Please ensure the person has an account already created, and that you are inviting that person using the same email address that they registered with.

Which browsers are supported?

At present, AttackForge is designed to support following browsers and versions:
  • Chrome 53+
  • Firefox 48+
  • Safari 9+
  • Internet Explorer 11+
Although previous versions of supported browsers may work, we are not actively supporting versions prior to those stated above.

Are mobile browsers supported?

For best results, it is recommended to access AttackForge from a laptop or desktop device.
However AttackForge does support responsive design so it will work on most mobile devices.

My tags have disappeared?

Please ensure you do not have any duplicate tags, as this will cause them to disappear.

My files are not uploading?

If you are a non-pro user, there is a maximum upload of 200 files.
Also check that your filename does not contain any string that is treated as a banned file extension (such as .exe, .php, .asp, etc.), anywhere in the name.

How do I add screenshots to the Steps to Reproduce Vulnerability or in the Notes within the PDF, HTML or DOCX reports?

You can add screenshots within Steps to Reproduce Vulnerability or in the Notes using {{{file_name}}}. Make sure you use exactly three curly braces on each side, or it will not work.
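A quick pre-flight check for these references, as an added example that is not part of AttackForge: it finds every brace-wrapped token in a Steps to Reproduce block, flags any that do not use exactly three braces per side, and reports referenced files that are not in the list of files uploaded to the workspace. The sample text, the file list and the `[image: …]` marker used by `render_refs` are constructed for the example; the real report renderer is not shown on this page.

```python
import re
from typing import Dict, List, Set

# A well-formed reference: exactly three braces each side around a file name.
# The lookarounds stop a four-brace token from matching on its inner three.
PLACEHOLDER = re.compile(r"(?<!\{)\{{3}([^{}\n]+)\}{3}(?!\})")
# Any brace-wrapped token with two or more braces, so that {{x}} and {{{{x}}}}
# are caught and reported as malformed rather than silently ignored.
BRACE_TOKEN = re.compile(r"\{{2,}[^{}\n]+\}{2,}")


def check_screenshot_refs(text: str, uploaded: Set[str]) -> Dict[str, List[str]]:
    """Classify every screenshot reference in `text`.

    Returns three lists: 'ok' (well-formed and the file exists), 'malformed'
    (wrong brace count) and 'missing' (well-formed but no such upload).
    """
    result: Dict[str, List[str]] = {"ok": [], "malformed": [], "missing": []}
    for match in BRACE_TOKEN.finditer(text):
        token = match.group(0)
        well_formed = PLACEHOLDER.fullmatch(token)
        if well_formed is None:
            result["malformed"].append(token)
            continue
        name = well_formed.group(1).strip()
        if name in uploaded:
            result["ok"].append(name)
        else:
            result["missing"].append(name)
    return result


def render_refs(text: str, uploaded: Set[str]) -> str:
    """Replace well-formed references to uploaded files with an image marker.

    Malformed or unresolved references are left untouched so they stay
    visible in the output for the author to fix.
    """
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1).strip()
        return f"[image: {name}]" if name in uploaded else match.group(0)

    return PLACEHOLDER.sub(substitute, text)


if __name__ == "__main__":
    # Constructed sample: one good reference, one with two braces, one missing file.
    steps = ("1. Log in as a low-privilege user {{{login.png}}}\n"
             "2. Change the id parameter {{error.png}}\n"
             "3. Observe the other user's record {{{idor.png}}}")
    files = {"login.png", "error.png"}
    print(check_screenshot_refs(steps, files))
    print(render_refs(steps, files))
```

Run it over the text of the field before saving; an empty `malformed` and `missing` list means every screenshot should render in the report.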

I want to use the import vulnerabilities functionality however it requires an API key which I can’t find anywhere?

To access your API Key – please navigate to your project that you want to import vulnerabilities to and click on ‘Import Vulnerabilities’ from the project menu. Your API key is hidden by default, you can click the button to Show Your API Key or you can click button to copy it directly to your clipboard. In order to import vulnerabilities, you will need both your Project Key and your API Key – both are available from Import Vulnerabilities page on your project.

I have a PRO subscription. Is it $70/month for all the organization or just for a single user?

AttackForge Pro subscription is licensed on a per-user basis. AttackForge Enterprise is licensed on a per number of projects with unlimited users.

Can AttackForge be installed on-premise or as a dedicated cloud instance for my organisation?

Yes. This is available for AttackForge Enterprise. There is an on-premise deployment model which can be run in an offline/air-gapped environment, and a dedicated cloud instance deployment as well. Please contact us at [email protected] for any additional information.

How often are new features released?

Frequently. Our target is to release new functionality once per month.

Why is there a limit to 500 vulnerabilities per project on AttackForge.com?

AttackForge.com is a multi-tenant shared environment. The limit - which applies to all users - is in place to prevent abuse of application resources by any individual user.

After the import of vulnerabilities, the message said there was some vulnerabilities skipped?

The import process detected duplicate vulnerabilities on your project and skipped them.

How do I use My Team module?

My Team functionality is available to Pro users. You can share your custom library entries for your vulnerability library & test suite builder with members of your team and vice-versa – to save time/effort on recreating issues and test suites.

Can I modify test cases to fit my needs?

Yes. This is available for AttackForge Pro users. As a Pro user you can access the Test Suite Builder – here you can define your own custom methodologies to use on projects.

When I upload evidence to a test case, can I also include a comment/tag to be included in the report?

Yes, there is an ability to add a note as well as evidence for every test case.

What is the purpose of Test Suites? How are they used?

Test Suites are checklists that you apply to a project. Test Suites define the methodology that will be performed during testing. For example, AttackForge already includes industry-standard methodologies for Web, API & Mobile assessments based on the OWASP Application Security Verification Standard, and for infrastructure assessments based on OSSTMM. As a Pro user you can also define your own Test Suites to suit your own methodology or requirements.

What is the purpose of Attack Chains? How are they used?

Attack Chains help to tell a story and provide a narrative based on key objectives reached during the pentest. They are very effective with executives and non-security/non-technical people, as they keep the narrative high-level so everyone can understand the sequence of events that led to an objective or attacker end-goal.
An example might be a Red Team assessment showing how an external attacker breached the perimeter through a sequence of chained exploits or issues, then, once inside, moved laterally until reaching domain admin or other flags/objectives.
Another example might be showing how an attacker can get remote command execution on the application server by chaining several issues, for example an insecure file upload plus an IDOR or path traversal that triggers the uploaded shell.

When we test multiple hosts/assets, and add the same finding for those hosts/assets - this will not be counted as a unique finding in the report. Why does it happen?

The PDF, DOCX & HTML reports focus on unique findings – to make reports more practical, actionable and concise.
Using the following example for a project:
  • Three (3) vulnerabilities
    • CRITICAL – Blind SQL Injection – Asset X – Steps to Reproduce / POC: Step1-Step2-Step3
    • CRITICAL – Blind SQL Injection – Asset Y – Steps to Reproduce / POC: StepA-StepB-StepC
    • CRITICAL – Blind SQL Injection – Asset Z – Steps to Reproduce / POC: StepX-StepXX-StepXXX
The report will show One (1) Unique Vulnerability – CRITICAL Blind SQL Injection – and display all results for each affected asset below:
Vulnerability: Blind SQL Injection
Priority: Critical
Description: ….
Attack Scenario: ….
Recommendation: ….
Tags: ….
Affected Assets:
  1. Asset X
     Steps to Reproduce / POC: Step1-Step2-Step3
  2. Asset Y
     Steps to Reproduce / POC: StepA-StepB-StepC
  3. Asset Z
     Steps to Reproduce / POC: StepX-StepXX-StepXXX
Now if the Steps to Reproduce / POC are exactly the same for every asset, e.g. all have Step1-Step2-Step3, the report will render as follows:
Vulnerability: Blind SQL Injection
Priority: Critical
Description: ….
Attack Scenario: ….
Recommendation: ….
Tags: ….
Affected Assets:
  1. Asset X
     Steps to Reproduce / POC: Step1-Step2-Step3
  2. Assets Equally Affected As Above:
     1. Asset Y
     2. Asset Z
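The same grouping rule written out as an added example (not AttackForge's own report code) so the behaviour is explicit: findings are collapsed into one unique vulnerability per name and priority, each distinct Steps to Reproduce value is printed once under the first asset that has it, and further assets with identical steps are listed as equally affected. The FAQ only shows the all-different and all-identical cases; treating a mixture as several step groups, each with its own equally-affected list, is this example's reading rather than documented behaviour. The findings are constructed sample data matching the FAQ's three Blind SQL Injection results.

```python
from collections import OrderedDict
from typing import Dict, List, Tuple


def group_findings(findings: List[Dict[str, str]]) -> List[dict]:
    """Collapse per-asset findings into unique vulnerabilities.

    Each unique vulnerability is keyed by (name, priority). Within it,
    assets are grouped by their exact Steps to Reproduce text; the first
    asset in each group carries the steps, the rest are 'equally affected'.
    """
    unique: "OrderedDict[Tuple[str, str], List[Dict[str, str]]]" = OrderedDict()
    for f in findings:
        unique.setdefault((f["name"], f["priority"]), []).append(f)

    report = []
    for (name, priority), items in unique.items():
        by_steps: "OrderedDict[str, List[str]]" = OrderedDict()
        for f in items:
            # Exact match after trimming whitespace; any other difference
            # (wording, ordering) makes the steps a separate group.
            by_steps.setdefault(f["steps"].strip(), []).append(f["asset"])
        affected = [
            {"asset": assets[0], "steps": steps, "equally_affected": assets[1:]}
            for steps, assets in by_steps.items()
        ]
        report.append({"name": name, "priority": priority, "affected": affected})
    return report


def render(report: List[dict]) -> str:
    """Render the Affected Assets section in the layout the FAQ shows."""
    lines = []
    for vuln in report:
        lines.append(f"Vulnerability: {vuln['name']}")
        lines.append(f"Priority: {vuln['priority']}")
        lines.append("Affected Assets:")
        n = 0
        for section in vuln["affected"]:
            n += 1
            lines.append(f"  {n}. {section['asset']}")
            lines.append(f"     Steps to Reproduce / POC: {section['steps']}")
            if section["equally_affected"]:
                n += 1
                lines.append(f"  {n}. Assets Equally Affected As Above:")
                for i, asset in enumerate(section["equally_affected"], 1):
                    lines.append(f"     {i}. {asset}")
    return "\n".join(lines)


# Constructed sample data: the FAQ's three findings, once with distinct steps
# and once with identical steps on every asset.
SAMPLE_DIFFERENT = [
    {"name": "Blind SQL Injection", "priority": "Critical", "asset": "Asset X", "steps": "Step1-Step2-Step3"},
    {"name": "Blind SQL Injection", "priority": "Critical", "asset": "Asset Y", "steps": "StepA-StepB-StepC"},
    {"name": "Blind SQL Injection", "priority": "Critical", "asset": "Asset Z", "steps": "StepX-StepXX-StepXXX"},
]
SAMPLE_SAME = [dict(f, steps="Step1-Step2-Step3") for f in SAMPLE_DIFFERENT]

if __name__ == "__main__":
    print(render(group_findings(SAMPLE_DIFFERENT)))
    print()
    print(render(group_findings(SAMPLE_SAME)))
```

The practical consequence is that the unique-finding count in the report equals the number of (name, priority) pairs, not the number of rows on the project; if you need a per-asset count for a client metric, take it from the project dashboard rather than the report.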

I am doing a pentest for the client, and the report will be presented as part of PCI DSS audit. How can I mark the relevant findings as PCI-DSS related?

PCI DSS has specific requirements for penetration testing. Please check with the PCI Council and consult your local specialist for detailed instructions and report structure, and make sure you follow those recommendations.
You can build a dedicated PCI DSS DOCX template and then use it with AttackForge ReportGen to generate reports in line with your QSA requirements.

Can AttackForge integrate with my Identity and Access Management solution?

Yes. This functionality is available in AttackForge Enterprise.

I have created a project and assigned a test suite. After starting the testing, I now need to add more test cases. I have added the test cases on the Test Suite but it's not showing on my project?

To preserve the integrity of the test cases assigned to any given project, we do not apply new test cases added to a Test Suite retrospectively to existing projects.
This avoids a situation where a project has been completed, the Test Suite is then updated, and all of a sudden past projects are no longer complete because new test cases have been added to them.

I like ReportGen tool. Is there a guide or a manual how to use it?

We have a video tutorial on YouTube which shows how to use the tool: https://youtu.be/TYKkRD_q8Pk
Essentially you select your DOCX template which contains the meta tags, then you select your JSON export file (export it from your project first), and the report is generated and downloaded in the tool/browser.
The DOCX template file provided by AttackForge contains the meta tags that map to the JSON file; you simply need to incorporate them into your own report template, or take the AttackForge template and adjust it to your own requirements.
The ReportGen tool is built on DOCXTemplater, which has detailed FAQs and user guides: https://docxtemplater.com/
You can find the mapping of tags to your project data in the browser console of the ReportGen tool (after you run an import). This can help you to map the content of your project to your report template.

When I Try To Save Data, It Shows The HTML Escaped Values?

When you save data in AttackForge, you may find that the following characters are escaped (note this is not a complete list):
  • < escapes to &lt;
  • > escapes to &gt;
  • & escapes to &amp;
  • " escapes to &quot;
AttackForge utilises strict input sanitisation, escaping, encoding and validation.
As frustrating as this may be, it is a necessary safeguard and security control that helps prevent certain types of attack (such as cross-site scripting) against the platform, to keep your data safe.
You can substitute the characters with other whitelisted characters that are available, or use the literal text equivalent, e.g. 'less than', 'greater than', etc.
Note that this limitation does not apply to the Steps to Reproduce / Proof of Concept field when creating or updating a vulnerability. This ensures you can include valid, non-escaped payloads.
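To see why the stored values look like this, here is an added example (not AttackForge's code) of the same HTML escaping applied to a remediation note, with an unescaped rendering alongside for contrast, plus a helper that escapes every field of a record except the Steps to Reproduce / Proof of Concept field, mirroring the exemption described above. The field names, the `EXEMPT_FIELDS` set and the sample record are constructed for the example.

```python
import html
from typing import Dict

# Field left raw, as the FAQ describes for the PoC field. The key name is an
# assumption for this example, not an AttackForge field name.
EXEMPT_FIELDS = {"steps_to_reproduce"}


def escape_text(value: str) -> str:
    """Escape the characters the FAQ lists (<, >, &, ") plus the single quote.

    html.escape(quote=True) also turns ' into &#x27;, which matters when a
    value lands inside a single-quoted HTML attribute.
    """
    return html.escape(value, quote=True)


def sanitise_record(record: Dict[str, str]) -> Dict[str, str]:
    """Escape every text field except the PoC field, which stays raw."""
    return {k: (v if k in EXEMPT_FIELDS else escape_text(v)) for k, v in record.items()}


def render_note_unsafe(note: str) -> str:
    """Vulnerable: the note is dropped straight into the page markup, so any
    tag inside it becomes live HTML in every viewer's browser."""
    return f'<p class="note">{note}</p>'


def render_note_safe(note: str) -> str:
    """Hardened: the note is escaped first, so markup inside it is shown as
    inert text, which is exactly what the FAQ's &lt; and &gt; values are."""
    return f'<p class="note">{escape_text(note)}</p>'


if __name__ == "__main__":
    # Constructed sample: a remediation note carrying an injection attempt.
    hostile = 'Fixed "<" check; see <img src=x onerror=alert(1)> & retest'
    print(render_note_unsafe(hostile))
    print(render_note_safe(hostile))
    record = {
        "title": "Stored XSS in comments <script>",
        "remediation_note": "Output encoding added & verified",
        "steps_to_reproduce": "POST /comment with <svg onload=alert(document.domain)>",
    }
    print(sanitise_record(record))
```

The escaped form is lossless: decoding `&lt;` gives `<` back, so the text you typed is preserved even though it is stored and displayed in escaped form.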

Contact Us For Support

If you have read through the FAQ and are still experiencing issues, please contact us at [email protected]. We will try our best to get back to you as quickly as we can.