AttackForge

2023

2023-10-31

[ENT + CORE] Vulnerability Form Builder

One of the most requested and highly anticipated features has arrived – Vulnerability Form Builder!
You now have full control over how your vulnerability form can be built:
  • Re-arrange all of your existing fields into your preferred display order
  • Create custom sections, then group and order your fields into their relevant sections
  • Re-name and re-order existing sections
  • Use logic to show relevant vulnerability sections and fields based on the testing types assigned to the project
  • Improved vulnerability page view to match your preferred vulnerability user experience
Vulnerability Form Builder provides unprecedented levels of customization when it comes to how you want to create and view your vulnerabilities.
You can create custom sections and fields for different types of security testing, for example red team assessments, pentests, configuration reviews, code reviews, social engineering, etc.
You can combine sections and fields and choose when you want them to be displayed.
For example - your project might include web application, infrastructure and mobile application testing. You can show the relevant sections and fields based on the types of testing assigned to the project.
We have also improved the way vulnerability fields are presented when viewing the vulnerability. Your sections and display order are now fully supported, helping you to group and highlight the most important information for your remediation teams and customers.

Re-arrange your vulnerability fields the way in which you want

You can now completely re-arrange all of your fields and sections! Don’t want to follow the standard layout? No worries, adjust it to how YOU want it.

Create custom sections, then group and order your fields into their relevant sections

You can now create custom sections to group your vulnerability fields into where they belong, according to you.

Re-name and re-order existing sections

Existing sections can be re-named, re-ordered or even dismantled. When we say you have full control – we really mean it!

Use logic to show relevant vulnerability sections and fields based on the testing types assigned to the project

Hide Expressions are now supported on sections.
Project fields are now also supported in vulnerability hide expressions.
This means you can create vulnerability forms which are relevant to your projects – creating a more personalized vulnerability experience!

Improved vulnerability page view to match your preferred vulnerability user experience

When viewing a vulnerability, you will now see the relevant sections and fields for that vulnerability.
You can also control the order in which the sections and fields are displayed, so you can view the data the way you and your customers need it!

[ALL] ReportGen v2.8

We have just released another massive update for AttackForge ReportGen: The ultimate pentest reporting tool!
This release includes the much-anticipated ReportGen CLI tool; the ReportGen NodeJS library; support for testing your Combined Report templates; one (1) new option; two (2) new styles; and support for charts in loops - adding even more power to your reports!

Introducing ReportGen CLI and NodeJS library

This release comes with two new ways you can build or program your reports.
The ReportGen Command Line Interface (CLI) tool is ideal for people who prefer to build pentest reports on the command line, or who want to combine ReportGen with an existing automation or pipeline.
You can create automations combining ReportGen CLI with Self-Service API Events.
For example, you can create real-time automated PDF reports and have them securely emailed to your customers, posted to a Slack/Teams channel, or uploaded to a ticket.
For more information on how to do this, check out our Blog.
The ReportGen NodeJS library is ideal for people who want to simply "import" ReportGen into their existing codebase or scripts and build custom penetration testing reports natively in their own code.
You can download ReportGen CLI and NodeJS library directly from NPM.

Combined Reports now supported

Building Combined Reports has never been easier – now you can use the ReportGen browser tool to create and test your Combined Report templates.
These reports combine multiple project JSON files, to create a single report using data from multiple projects.
To do this, simply select multiple JSON files on the 'Select Your JSON File' step when using the ReportGen browser tool.
For more information on Combined Reports, visit the Support Centre.

New Option: Enable/Disable Image Figure

This release introduces a new option which allows you to enable or disable automated figures which are inserted for every inline image contained within the styled tags.
You can disable automated figures as follows:
{@..._styled("image_figure":"none")}
For more information on how to enable this option, visit this link.

New Style: Image Display Style

This release introduces a new style which allows you to independently set a style for inline images contained within the styled tags.
This allows you to have finer control over the styling which is applied to the images.
For example, this guide will show you how to automatically apply a border to every inline image in your report, using this new style.
For more information on how to apply this style, visit this link.

New Style: Image Description Style

This release introduces a new style which allows you to independently set a style for inline image descriptions contained within the styled tags.
This allows you to have finer control over the styling which is applied to the descriptions which appear beneath the inline images, for example the captions or filenames.
For more information on how to apply this style, visit this link.

Charts now supported in loops

You can now create charts inside loops. For example, this is useful if you are creating a new chart for every vulnerability.

[ENT + CORE] Improved Writeup Access Controls

We have improved the access controls you can set on your Writeups libraries.
You can now independently assign View or Edit access to every Writeups library, including the Main, Imports, Project and Custom libraries.
This means you can give people access to see writeups in a particular library, without having to risk them making any changes.
You can assign View access to allow users to see the writeups, link them to their vulnerabilities on projects, or even create derivatives in a library they have Edit access to.
Access to libraries can now be assigned to any user based on their Role, membership on Groups, or individual assignment.
If you are using Groups, you can now assign those groups to the libraries – making Writeups library access easier to manage.
You also no longer need to assign the Library Moderator role. The new Writeups access controls will be applied based on your configuration settings, without having to change any user’s personal settings or user role.

[ENT + CORE] New File Uploads & Inline Images

You can now upload files and evidence, and set inline images, for the following:
  • Writeups
  • Remediation Notes
  • Test Cases
  • Test Case Notes
This means you can now:
  • Configure images/diagrams/illustrations to support your vulnerability descriptions, attack scenarios and remediation recommendations. You only need to set this one time during creation/editing of the writeup in your library.
  • Capture your remediation evidence directly against the remediation notes for every round of retesting. Your engineers and customers can also upload evidence against their remediation notes!
You can also:
  • Configure images/diagrams/illustrations to support your test case details and execution flows. You only need to set this one-time during creation/editing of the test case in your library.
  • Capture your test case evidence directly against the test case notes.
You can also display these images in your reports using the {@..._styled} tags and the files are also available via the Self-Service APIs.

[ENT + CORE] User Experience Enhancements

Preserved Table Filters, Sorting and State

We have improved the user experience when interacting with tables in AttackForge.
Now, when you make changes to your projects or vulnerability tables – for example when you filter your data, sort your columns, or view a particular table page – and then navigate away from the table (for example by clicking a link to view a record), everything remains preserved when you come back, as if you never left the table!
This makes it easier to configure your tables with your preferred filtering and sorting and ensure that AttackForge remembers that for you for the duration of your session.

Responsive Design for Narrow and Wide/4K Screens

We have redesigned the user interface to better support narrow screens, wide screens and high-resolution 4K screens.
There is now more information presented on every screen, making it easier to see the important information you need without having to scroll the page or table.
It also supports better dashboards and analytics views.

Access Entire Asset Tables on Project Create or Project Scope

You can now filter and view all asset-related data when creating a project, as well as viewing and managing scope on a project after creation.
This makes it easier to find the exact assets you need to include on your project, and to apply bulk actions to them.

Suppress Email Notifications on Review Notes

You can now suppress email notifications when creating review notes.
This can help to reduce email noise during review cycles and focus notifications on the areas that matter most.

Drag-and-drop table settings

You can now drag-and-drop your columns in your table settings.
This makes it easier to re-organise your tables into your preferred viewing style.

Preview images by clicking on them

Now you can click on any inline image and open it in an image previewer.

Edit Remediation Notes and Test Case Notes

You can now edit your remediation notes and test case notes.
This applies to owners of the record, or Administrators.

New columns for vulnerability, test case and user tables

We have added more data columns in more places.
Vulnerability tables now include Status Last Updated datetime.
The Users table now also includes the login type, i.e. local or SSO.
Test cases table also includes a count for all linked vulnerabilities for each test case.

View linked Project Request from Project, and vice-versa

You can now see the linked project request from the project dashboard and navigate to it.
You can also navigate to a linked project from the actioned project request.

Edit Test Cases from the Project Test Case page

There is now a shortcut button to edit a test case in the Test Suites module directly from the project test case page.
This makes it easier to make changes to test cases when required.

Back to MFA QR code

When enrolling your mobile authentication app for MFA by scanning the QR code, there is now an option to go back to the QR code in case there are issues when entering the code.

Support Centre Is Now More Accessible

We have added more ways to access the Support Centre, including from the user actions menu in the navigation bar.

Deleted users show at bottom of users lists

User select fields now group deleted users and present them at the bottom of the list, making it easier to search between active and deleted users.

[ENT + CORE] New Rich-Text Fields

Our AttackForge customer community asked for it, and now it’s here.
Rich-text fields are now supported for the following fields in the application, as well as in reports and via the Self-Service APIs:
  • Remediation Notes
  • Vulnerability Notes
  • Project Workspace Items
  • Test Cases: Details field and Execution Flows
  • Abuse Cases
  • Test Case Notes
Make sure to update your reporting templates to use the {@..._styled} variation of the relevant tag, to ensure it renders as rich-text in your reports.

[ENT + CORE] New Test Suites & Import Test Cases

You can now easily import test cases into your test suites, in JSON, CSV or AttackForge Community formats.
We have also released a GitHub repository with the latest industry testing standards, which you can now easily import into your test suites.
This helps to keep you up to date on the latest developments in testing standards.
The following standards are now supported:
  • OWASP Web Security Testing Guide Version 4.2
  • OWASP Application Security Verification Standard (ASVS) Version 4 - Level 1
  • OWASP Application Security Verification Standard (ASVS) Version 4 - Level 2
  • OWASP Application Security Verification Standard (ASVS) Version 4 - Level 3
  • OWASP Mobile Application Security Testing Guide (MASTG) Version 2 - Level 1
  • OWASP Mobile Application Security Testing Guide (MASTG) Version 2 - Level 2
  • OSSTMM Version 3 - Human Security Testing
  • OSSTMM Version 3 - Physical Security Testing
  • OSSTMM Version 3 - Wireless Security Testing
  • OSSTMM Version 3 - Telecommunications Security Testing
  • OSSTMM Version 3 - Data Networks Security Testing

[ENT + CORE] Import Writeups

You can now easily import test cases into your test suites, in JSON, CSV or AttackForge Community formats.

[ENT + CORE] New Features

Force user password change on next login

We have added an option which allows Admins to force a local user account to set a new password upon next login.
This is useful if you are inviting new users to your AttackForge and the user is not using the password reset workflow.
This feature can be enabled when creating/inviting the user, or via the user's access settings page.

Bulk archive, bulk restore and bulk destroy projects

Bulk delete and bulk restore users

Bulk archive and bulk restore assets

We have added bulk actions on the projects, users and assets tables – to help reduce repetitive tasks.
We will be extending these actions over the next few releases to further improve efficiency and reduce repetitive tasks in AttackForge.

Import vulnerabilities from Checkmarx SCA

We have added an option to import vulnerabilities from Checkmarx Software Composition Analysis (SCA).
This import option supports JSON and XML export formats.

Review Notes without topics

You can now create review notes without specifying a topic.
This is useful if you have generalized comments relating to entire vulnerabilities or to the executive summary.

Importing vulnerabilities - improved import feedback & skip duplicate detection

We have improved the user experience for importing vulnerabilities.
Now, when you import vulnerabilities – you can access the results for every vulnerability which was:
  • Created
  • Skipped
  • Failed
  • Not Imported
You can now also skip duplicate detection when importing vulnerabilities.
This could be useful if you need to force an import, regardless of the existing vulnerabilities on the project.

[ENT + CORE] Updates to Self-Service API

In this release we have improved our Self-Service REST APIs to provide more flexibility and options when interacting with AttackForge.

New REST Endpoint: UpdateVulnerabilitySLAs

We added a new endpoint which can be used to programmatically apply or update vulnerability remediation SLAs. See link for more information:

New REST Endpoint: RegenerateAPIKey

We added a new endpoint for programmatically rolling a user's Self-Service API key. See link for more information:

New REST Endpoint: AddTestCasesToTestSuite

We added a new endpoint which allows adding test cases to a test suite in bulk. See link for more information:

New REST Endpoint: GetFormConfig

New REST Endpoint: UpdateFormConfig

We added two new endpoints which allow you to retrieve and update the new Vulnerability Form Builder config. See links for more information:

New Event: VulnerabilityEvidenceCreated

New Event: VulnerabilityEvidenceUpdated

We added two new events for real-time notifications when evidence is created and updated on vulnerabilities. See links for more information:

New Event: VulnerabilityRemediationNoteCreated

New Event: VulnerabilityRemediationNoteUpdated

We added two new events for real-time notifications when remediation notes are created and updated on vulnerabilities. See links for more information:

GetProjects now supports advanced query filtering

We added support for Advanced Query Filtering for the GetProjects REST endpoint. See link for more information:

GetProject* Endpoints Now Return project_testsuites

We updated all GetProject related endpoints to return the test suite names and ids assigned to the project.

[ENT + CORE] Video Tutorials

Vulnerability Form Builder

We created a short video on how to effectively use the new Vulnerability Form Builder included in this new release.
The video is available on YouTube: https://www.youtube.com/watch?v=vPZU3LxqvUE

Infrastructure Penetration Test

We also created a short video on how to perform an efficient infrastructure penetration test in AttackForge.
The video is also available on YouTube: https://www.youtube.com/watch?v=IT74fi75-G4

2023-07-31

[ENT + CORE] New Workflows: Grouped Assets on Vulnerabilities

One of the most highly anticipated and requested workflows has just arrived!
Introducing Grouped Assets on Vulnerabilities.
You now have a choice for how you want to create and use vulnerabilities:
  • Create unique vulnerabilities on every project, and assign relevant affected assets to each unique vulnerability;
  • Create individual vulnerabilities for every asset; or
  • Create a combination of unique vulnerabilities and individual vulnerabilities – for ultimate flexibility!
A single vulnerability can now have many affected assets assigned to it.
This can include detailed information for each affected component on every asset.
Using grouped assets on vulnerabilities can help you to:
  • Increase efficiency when working on infrastructure penetration tests;
  • Reduce the overall number of vulnerabilities whilst preserving affected asset data;
  • Reduce effort required for quality review cycles on vulnerabilities.

Improve vulnerability importing with grouped assets

When you next import vulnerabilities on your project – you will have a choice between selecting Individual or Grouped.
Individual will allow you to import your vulnerabilities as you always have.
Whereas Grouped will allow you to automatically group affected assets for each vulnerability.
In the example below, we can see there was a 94% reduction in vulnerabilities, whilst preserving the same amount of data.
This means you can focus your attention on the important vulnerabilities and track their affected assets much more efficiently.
You can view all of the affected assets, and for each asset – see related data for its affected components.
You can configure the Grouping options to adjust the rules for how the grouping is performed.
Once you have made your selection, you can move to the Edit and Review step.
Here you can see the final set of vulnerabilities for selection and make any remaining adjustments as needed prior to import.
You can still choose to configure your import options such as dynamic parser actions and selection of libraries.
Once your import begins, you will be kept up to date with its progress.
And once it’s finished, you will see a summary of the import and an option to view the vulnerabilities.
Vulnerabilities with grouped assets will now show in your vulnerability tables, with an option to expand each vulnerability to see its asset data.
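As an added illustration of what the Grouped import option does (this is example code, not AttackForge's import code), the block below takes flat scanner-style findings, one row per finding/asset/component, and folds them into unique vulnerabilities that each carry their affected assets, the components on each asset, and a per-asset actioned flag. The input shape, the grouping key (normalised title plus severity) and all sample rows are assumptions constructed for the example.

```javascript
// Added example, not AttackForge code: model of grouping findings into
// vulnerabilities with many affected assets. Input shape is an assumption.

// Constructed sample rows, as a scanner export might produce them (not real data).
// Note the last row repeats an earlier finding with different casing and a new note.
const findings = [
  { title: "SSH Weak MAC Algorithms", severity: "Low", asset: "10.0.0.5", component: "tcp/22", note: "hmac-md5 offered" },
  { title: "SSH Weak MAC Algorithms", severity: "Low", asset: "10.0.0.6", component: "tcp/22", note: "hmac-md5 offered" },
  { title: "SSH Weak MAC Algorithms", severity: "Low", asset: "10.0.0.6", component: "tcp/2222", note: "" },
  { title: "TLS 1.0 Enabled", severity: "Medium", asset: "10.0.0.5", component: "tcp/443", note: "" },
  { title: "TLS 1.0 Enabled", severity: "Medium", asset: "10.0.0.7", component: "tcp/8443", note: "legacy admin UI" },
  { title: "Outdated Apache", severity: "High", asset: "10.0.0.7", component: "tcp/80", note: "2.4.29" },
  { title: "ssh weak mac algorithms", severity: "low", asset: "10.0.0.6", component: "tcp/22", note: "hmac-sha1-96 offered" },
];

// Grouping rule (assumed; the UI's "Grouping options" play the same role):
// rows with the same normalised title and severity are one vulnerability.
function groupKey(f) {
  return `${f.title.trim().toLowerCase()}|${f.severity.trim().toLowerCase()}`;
}

// Returns { vulnerabilities, individualCount, groupedCount, reductionPercent }.
// individualCount is what an "Individual" import would create (one per row).
function groupFindings(rows, keyFn = groupKey) {
  const byKey = new Map();
  for (const row of rows) {
    const key = keyFn(row);
    if (!byKey.has(key)) {
      byKey.set(key, { title: row.title, severity: row.severity, affectedAssets: new Map() });
    }
    const vuln = byKey.get(key);
    // One affected-asset entry per asset, each with its own notes, tags,
    // components and an actioned flag for per-asset progress tracking.
    if (!vuln.affectedAssets.has(row.asset)) {
      vuln.affectedAssets.set(row.asset, { asset: row.asset, actioned: false, notes: "", tags: [], components: [] });
    }
    const assetEntry = vuln.affectedAssets.get(row.asset);
    // De-duplicate components per asset; keep the first non-empty note so no
    // evidence is lost when the same finding is reported twice.
    const existing = assetEntry.components.find((c) => c.name === row.component);
    if (existing) {
      if (!existing.note && row.note) existing.note = row.note;
    } else {
      assetEntry.components.push({ name: row.component, note: row.note, tags: [] });
    }
  }
  const vulnerabilities = [...byKey.values()].map((v) => ({
    ...v,
    affectedAssets: [...v.affectedAssets.values()],
  }));
  const individualCount = rows.length;
  const groupedCount = vulnerabilities.length;
  const reductionPercent = individualCount === 0 ? 0 : Math.round(100 * (1 - groupedCount / individualCount));
  return { vulnerabilities, individualCount, groupedCount, reductionPercent };
}

// Stand-alone run: print the grouped view the way the vulnerability table expands it.
const result = groupFindings(findings);
console.log(`${result.individualCount} individual -> ${result.groupedCount} grouped (${result.reductionPercent}% reduction)`);
for (const v of result.vulnerabilities) {
  const assets = v.affectedAssets.map((a) => `${a.asset}[${a.components.map((c) => c.name).join(",")}]`);
  console.log(`${v.severity.padEnd(6)} ${v.title}: ${assets.join(" ")}`);
}
```

The reduction figure depends entirely on how repetitive the input is, so the 7-to-3 result here is only the constructed sample's, not a claim about real scans.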

Register multiple affected assets for every vulnerability

When you next create a vulnerability – you will have a choice when determining how you want the assets to be assigned and tracked on the vulnerability.
You can choose between Individual and Grouped.
Individual will allow you to assign your assets to vulnerabilities as you always have.
Whereas Grouped will allow you to create a single vulnerability and assign all affected assets to the vulnerability.

Capture and retain asset & component data on the vulnerability

Every asset can have its own notes, tags, and components.
Components can be used to track which part(s) of the asset have the vulnerabilities.
Every component can also have its own notes and tags.

Track actioned status for each affected asset

Every asset can be individually tracked and actioned.
This is useful for monitoring the progress against assets on a vulnerability.

[ALL] ReportGen v2.7

We have just released another massive update for AttackForge ReportGen: The ultimate pentest reporting tool!
This release includes two (2) new Pentest Report Templates; support for grouped assets on vulnerabilities; a new support site for ReportGen; two (2) new options; seven (7) new filters; new styles; a new function; support for figures and more - adding even more power to your reports!

Support for Grouped Assets on Vulnerabilities

Support for grouped assets has been added in this release of ReportGen.
For details on how to adjust your template to take advantage of grouped assets, please visit this Support Page.

Pentest Report Template 3.1 and 3.2

This release introduces two (2) new pentest reporting templates:
  • Pentest Report v3.1 - a template showcasing the features available in ReportGen v2.7+
  • Pentest Report v3.2 - a template with minimal logic which can be used out-of-the-box, and has support for grouped assets on vulnerabilities
We have also released an updated example JSON test file which can be used for testing your templates.

GitHub Community Support Site

As part of our mission to support the growing community of AttackForge users, we have released a new dedicated Support Site for ReportGen.
This Support Site provides:
  • Information on getting started with ReportGen;
  • Template examples to achieve common use cases and reporting needs; and
  • A place to ask questions and receive tips and help from our support team and the community.
We hope the new Support Site for ReportGen will make it easier for everyone to build awesome testing reports, with minimal effort!
You can access the new ReportGen Support Site from https://github.com/AttackForge/ReportGen.

New Option: Custom Styles for Individual Rich-Text Fields

You can now assign individual rich-text fields to different custom styles which are in your template.
This feature can be used with {@execSummaryNotesStyled}, {@description_styled}, {@attack_scenario_styled}, {@remediation_recommendation_styled} or any styled custom fields.
For more instructions and details, please visit this Support Page.

New Option: Image Options Supported For All Styled Tags

In the previous release of ReportGen, we added support for including custom options to configure how your image descriptions are displayed in reports.
You can configure the images to show captions; prefer captions; show filename or show nothing.
In this release, we extended this feature to support any styled tags, including your own custom rich-text fields.
For more instructions and details, please visit this Support Page.

Styled Custom Fields

In this release, we added support to render custom rich-text fields.
You need to use the following format for the tag in order to render it in the report:
{@KEY_styled}
Where KEY is substituted for the custom field key for the rich-text field.

Add Figures For Images

All images will now automatically prefix Figure X: to the image description.
This means you no longer need to manually inject figure numbers for each of your images inserted dynamically by ReportGen.
Figure numbers take advantage of Microsoft Word dynamic fields so you can easily update them if you need to manually insert any new images.

New Function: $equalsRegex

You can use this new function to perform an equality comparison for a variable against a value using a Regular Expression test.
It performs a global, case insensitive test. For example, you can use it to test whether data is a URL, or an IP Address.
For more instructions and details, please visit this Support Page.

New Filter: Float

You can convert a number to a floating-point number.
For more instructions and details, please visit this Support Page.

New Filter: Integer

You can convert a number to an integer.
For more instructions and details, please visit this Support Page.

New Filter: Round

You can round a number to the nearest integer.
For more instructions and details, please visit this Support Page.

New Filter: RoundUp

You can round a number up to the nearest integer.
For more instructions and details, please visit this Support Page.

New Filter: RoundDown

You can round a number down to the nearest integer.
For more instructions and details, please visit this Support Page.

New Filter: Capitalize

You can capitalize the tag. The first character will be uppercase, all others lowercase.
For more instructions and details, please visit this Support Page.

New Filter: Titlecase

You can title case the tag. Words will start with uppercase letters, all remaining characters are lowercase.
For more instructions and details, please visit this Support Page.
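To make the behaviour of $equalsRegex and the seven filters above concrete, here is an added example that models their described semantics in plain JavaScript (it is not ReportGen's own code, and the function and filter names, the pipeline helper and the sample patterns are assumptions). The point it adds for template authors: a regex only behaves as an equality check when the pattern is anchored, and a global RegExp must not be reused across calls because it carries state in lastIndex.

```javascript
// Added example, not ReportGen code: reference model of $equalsRegex and the
// Float/Integer/Round/RoundUp/RoundDown/Capitalize/Titlecase filters.

// $equalsRegex as described above: a global, case-insensitive regex test.
// A fresh RegExp is built per call: a shared global RegExp keeps lastIndex
// between test() calls, so repeated tests on one object can alternate results.
function equalsRegex(value, pattern) {
  const re = new RegExp(pattern, "gi");
  return re.test(String(value));
}

// Sample patterns a template might use (assumed). The ^ and $ anchors are what
// turn a "contains" check into an "equals" check; without them any string that
// merely contains a URL or an address would pass.
const IPV4_PATTERN = "^(25[0-5]|2[0-4]\\d|1?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|1?\\d?\\d)){3}$";
const URL_PATTERN = "^https?://[^\\s/$.?#].[^\\s]*$";

// Filters modelled on the descriptions above (exact ReportGen semantics for
// odd inputs such as non-numeric strings are not stated on the page).
const filters = {
  float: (v) => parseFloat(v),
  integer: (v) => Math.trunc(Number(v)),
  round: (v) => Math.round(Number(v)),
  roundUp: (v) => Math.ceil(Number(v)),
  roundDown: (v) => Math.floor(Number(v)),
  // First character uppercase, all others lowercase.
  capitalize: (s) => {
    const str = String(s);
    return str.charAt(0).toUpperCase() + str.slice(1).toLowerCase();
  },
  // Every whitespace-separated word starts uppercase, remaining characters lowercase.
  titlecase: (s) => String(s).toLowerCase().replace(/(^|\s)\S/g, (m) => m.toUpperCase()),
};

// Apply a chain of filters to a tag value, left to right, as a template pipeline would.
function applyFilters(value, names) {
  return names.reduce((acc, name) => {
    if (!(name in filters)) throw new Error(`unknown filter: ${name}`);
    return filters[name](acc);
  }, value);
}

// Stand-alone run with constructed values.
console.log(equalsRegex("10.0.0.5", IPV4_PATTERN), equalsRegex("10.0.0.999", IPV4_PATTERN));
console.log(equalsRegex("HTTPS://Example.com/login", URL_PATTERN), equalsRegex("see https://x.y", URL_PATTERN));
console.log(applyFilters("12.7", ["float", "roundUp"]), applyFilters("sql INJECTION in login", ["titlecase"]));
```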

Styled and Labelled $help

To make debugging easier, we have added styled and label-supported $help functions.
Now when you use the $help function, the browser console will style and color-code it according to whether it relates to Scope or Variables.
In addition, you can pass labels to every $help function to make it easier to debug your template; this is especially useful when printing multiple $help statements.
For more instructions and details, please visit this Support Page.

Improvements in Removing Line-breaks Before and After {@rawXML} Tags

Now when you insert any tags in your template which contain rawXML, such as styled tags for rich-text fields - the line breaks above and below the data will be automatically removed. This makes your reports look cleaner and reduces the need for manual post-generation efforts to remove the additional line breaks.

Test Case Workspace Notes

You can now inject your Test Case Workspace Notes into your JSON export, to make the data available for reporting purposes.
To do this, go to the Administration module, and from the Projects menu - select Test Case Workspace Notes from Export Project as JSON Additional Items section.

[ENT + CORE] New Functionality

Image Thumbnails and Preview

You can now view thumbnails for any uploaded image, as well as preview the image within the browser instead of having to download it.

Import Assets from NMAP and Masscan

You can now import assets directly to your projects from your NMAP and Masscan files.
This will save you tons of time having to create assets manually!
You can also take advantage of the additional Hostnames and Ports fields if you are using the Assets Module.
These fields will be stored against the Asset in the module, so you can monitor and manage Hostnames and Ports centrally (outside of your projects).
You can also view and modify the data prior to importing.

Download Vulnerability Selection as JSON

You can now export a JSON file for a selection of vulnerabilities only.
This will include all of the reporting data for those vulnerabilities.

Search All Writeups Across All Writeup Libraries on Vulnerability Create/Edit

Now when you create a new vulnerability, or edit an existing vulnerability, you can search all of the Writeups you have access to, without having to first select a library.

New Custom Field: List

You can now create custom fields using the new ‘List’ type.
Lists are great for assigning multiple inputs for a field, for example creating your own tags or actions.
List types are also the required type when choosing to include Hostnames and Ports on Assets using the new NMAP and Masscan import options.

Bulk Archive Writeups

You can now bulk archive writeups via the Writeups module. This makes it easy to remove unwanted writeups.
Archiving writeups will not impact any of your existing vulnerabilities which already reference those writeups.

Bulk Assign Assets to Test Cases

You can now bulk assign assets to test cases on a project.
This is useful when you need to specify which assets in-scope for testing apply to each test case.

[ENT + CORE] User Experience Improvements

Performance and Search Improvements

We have improved the server performance when searching or accessing any of the following data within AttackForge:
  • Projects
  • Assets
  • Vulnerabilities
  • Writeups
This means you should have lightning-fast response times when loading pages and menus!

View Asset Module Data on Project Scope

Privileged users can now view all of the asset data for in-scope assets directly from the Project Scope page.
This means you no longer need to access the Asset Module in order to get the data, and you can use the advanced filters to search your project's assets!

Send Test Email Notifications for Custom Emails

You can now send test emails for any of the custom time-based emails configured in your Administration options.
This makes it easier to verify that your custom email rules are correctly applied and ensure your emails are looking exactly the way you need them to be!

[ENT + CORE] Updates to Self-Service API

In this release, we have improved our Self-Service REST APIs to provide more flexibility and options when interacting with AttackForge.

GetProjectsAndVulnerabilities now supports advanced query filtering on projects and vulnerabilities

GetVulnerabilities now supports advanced query filtering on writeups

We have updated the GetProjectsAndVulnerabilities endpoint to support q_project and q_vulnerability advanced query filters.
We also updated the GetVulnerabilities endpoint to support the q_writeup advanced query filters.
Advanced query filters allow you to create database-like custom queries which give you the power and flexibility to get the exact data you need.
This saves you the time and hassle of having to create integration code to make multiple queries or filter out the data you do not need.
For more information on how to take advantage of advanced query filters – please visit this Support Page.

New REST Endpoint: DownloadWorkspaceFile

We created a new RESTful API endpoint - DownloadWorkspaceFile - which can be used to download a file from a project's workspace.
For more information on how to use this API – please visit this Support Page.

2023-04-17

[ENT + CORE] Custom Fields Upgrade

Set access controls on custom fields! Tailor your custom fields for roles, groups and users

You can now configure view & edit access controls for your custom fields, and apply them to individual roles, groups or users.
This opens a world of new possibilities, for example:
  • Create custom project request forms for different customers, teams, business units or individual users
    • Personalize your project request forms to your customers’ needs and requirements
    • Set up tailored forms for your pentest-as-a-service (PTaaS) to match your customers’ needs or subscription-level
  • Have custom project fields for admin-eyes only, or for pentesters – without your customers seeing them
    • Set project budgets; admin notes; integration fields – ensure confidentiality with access controls
    • Configure project-level information for only your project coordinators or pentesters to see
  • Define custom vulnerability and writeup fields for different pentest teams
    • Create personalized vulnerability and writeup forms for infrastructure teams, application teams, remediation teams, etc.
  • Configure custom vulnerability and writeup fields for different customers
    • Control what vulnerability information is shared with which customers or teams
  • Assign custom asset and portfolio fields for different customers
    • Configure information that is only relevant for specific customer assets or portfolios
You can also preview what your users can see using the ‘view-as’ feature.
This can help you to easily and quickly configure and manage your access controls.
All custom field access controls are also honored via the APIs, so unauthorized users cannot view or edit custom fields they are not supposed to.
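One way to confirm that the access controls hold on the API path as well as in the UI is to compare a record as an administrator sees it with the same record as returned to a restricted user (or as shown by the 'view-as' preview). The following is an added example and not AttackForge's own code; the record shape (a "customFields" list of name/value pairs), the sample project and the restricted field names are constructed assumptions, not the real API schema.

```python
"""Least-privilege check for custom-field access controls.

Added example, not AttackForge's own code. It compares what an administrator
sees on a record with what a restricted user sees and reports restricted
fields that were returned anyway, plus entitled fields that were withheld.
The record shape ("customFields" as a list of name/value pairs) and the
sample data are constructed assumptions, not the real schema.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample: the full record as an administrator sees it.
ADMIN_VIEW = {
    "id": "project-1",
    "customFields": [
        {"name": "Project Budget", "value": "50000"},
        {"name": "Admin Notes", "value": "renewal discussion due Q3"},
        {"name": "Customer Contact", "value": "security@example.com"},
    ],
}

# Constructed sample: the same record as returned to a customer-role user.
# "Admin Notes" is present here on purpose so the check has something to flag.
CUSTOMER_VIEW = {
    "id": "project-1",
    "customFields": [
        {"name": "Customer Contact", "value": "security@example.com"},
        {"name": "Admin Notes", "value": "renewal discussion due Q3"},
    ],
}

# Fields the access-control configuration hides from the customer role.
RESTRICTED_FOR_CUSTOMER = {"Project Budget", "Admin Notes"}


def field_names(view: Dict) -> Set[str]:
    """Names of the custom fields present in a record view."""
    return {f["name"] for f in view.get("customFields", [])}


def leaked_fields(restricted_view: Dict, restricted_names: Iterable[str]) -> List[str]:
    """Restricted fields that the restricted user nevertheless received."""
    present = field_names(restricted_view)
    return sorted(n for n in set(restricted_names) if n in present)


def withheld_fields(admin_view: Dict, restricted_view: Dict,
                    restricted_names: Iterable[str]) -> List[str]:
    """Fields the restricted user is entitled to but did not receive.

    Over-restriction is not a confidentiality problem, but it usually means
    a rule was attached to the wrong role or group, so it is reported too.
    """
    entitled = field_names(admin_view) - set(restricted_names)
    return sorted(entitled - field_names(restricted_view))


def check_record(admin_view: Dict, restricted_view: Dict,
                 restricted_names: Iterable[str]) -> Dict[str, List[str]]:
    """Run both checks; an empty 'leaked' list is the pass condition."""
    if admin_view.get("id") != restricted_view.get("id"):
        raise ValueError("views describe different records")
    restricted = set(restricted_names)
    return {
        "leaked": leaked_fields(restricted_view, restricted),
        "withheld": withheld_fields(admin_view, restricted_view, restricted),
    }


if __name__ == "__main__":
    # Expected: {'leaked': ['Admin Notes'], 'withheld': []}
    print(check_record(ADMIN_VIEW, CUSTOMER_VIEW, RESTRICTED_FOR_CUSTOMER))
```

In practice the two views would be fetched with an administrator token and with the restricted user's own token, and the check repeated per role whenever a field's access control changes; the edit path should be exercised the same way, by confirming that an update attempt from the restricted user is rejected.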

New custom field types: Table, Rich-Text, User & Group

You can now configure custom fields with the following types:
  • Table
  • Rich-text
  • User(s)
  • Group(s)
These new types allow you to capture information on projects, vulnerabilities, assets, writeups, portfolios and test cases in ways never seen before in AttackForge.
Combining these new custom field types with the new ability to set access controls on custom fields, you can have this information available only to people with need-to-know.
  • Table custom fields
Table custom fields are a great way to collect and use tabular data in AttackForge and in your reports.
For example, you may be performing a configuration or firewall review and the data from your tools only outputs into CSV or tables.
Now you can easily import that data from the APIs, edit the data in the application, and display the data in your reports.
  • Rich-text custom fields
Rich-text custom fields have been one of the most requested custom field types – and it's finally here!
You can set up rich-text enabled custom fields to use for your writeups or vulnerabilities, and best of all – it is supported in reports as well, so you can have custom styled fields easily and effortlessly showing for your customers. This also means you can enter data using lists, or create sections in your data using headings, or even highlight code snippets.
  • User custom fields
User custom fields open the door to possibilities to assign users in AttackForge to projects or vulnerabilities.
For example, you may want to create Peer Review and Tech Review fields on your vulnerabilities and assign users accordingly.
Or you may want to associate a Level 1 Owner and a Level 2 Owner to certain vulnerabilities. This is all now possible.
User custom fields support single-select and multi-select, for cases when either one or many users can be assigned.
  • Group custom fields
Group custom fields also open up many possibilities, such as assigning groups to vulnerabilities.
For example, you may want to associate a vulnerability with the particular group that is responsible for fixing it.
Group custom fields support single-select and multi-select, for cases when either one or many groups can be assigned.
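For the table custom fields described above, tool output in CSV form has to be turned into a header plus rectangular rows before it can be imported. The following is an added example and not AttackForge's own import code: it parses a constructed firewall-review export, rejects ragged rows and missing columns, and neutralises cells that begin with spreadsheet formula characters so the table stays inert if it is later exported to CSV or Excel again. The output shape ({"columns": [...], "rows": [[...], ...]}) is an assumption, not the real table field format.

```python
"""CSV tool output -> table custom field payload.

Added example, not AttackForge's own code. The output shape and the sample
CSV are constructed assumptions.
"""
import csv
import io
from typing import Dict, List, Optional, Sequence

# Constructed sample: a firewall rule export as a review tool might emit it.
# The last row carries a formula-looking comment so the hardening step is visible.
FIREWALL_CSV = """rule_id,source,destination,port,action,comment
1,10.0.0.0/8,any,443,allow,web egress
2,any,10.1.2.3,22,allow,review pending
3,any,any,any,deny,=HYPERLINK("http://example.test")
"""

# Leading characters that spreadsheet applications interpret as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def _is_number(text: str) -> bool:
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralize_cell(value: str) -> str:
    """Prefix a quote to formula-looking text; plain numbers such as "-1" are kept."""
    v = value.strip()
    if v.startswith(FORMULA_PREFIXES) and not _is_number(v):
        return "'" + v
    return v


def csv_to_table(text: str,
                 required_columns: Optional[Sequence[str]] = None) -> Dict[str, List]:
    """Parse CSV text into a header and rows, validating shape along the way."""
    rows = [r for r in csv.reader(io.StringIO(text)) if any(c.strip() for c in r)]
    if not rows:
        raise ValueError("CSV contains no data")
    columns = [h.strip() for h in rows[0]]
    if required_columns:
        missing = [c for c in required_columns if c not in columns]
        if missing:
            raise ValueError(f"missing columns: {missing}")
    body = []
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(columns):
            raise ValueError(f"line {lineno}: expected {len(columns)} cells, got {len(row)}")
        body.append([neutralize_cell(c) for c in row])
    return {"columns": columns, "rows": body}


if __name__ == "__main__":
    table = csv_to_table(FIREWALL_CSV, ["rule_id", "source", "destination", "port", "action"])
    print(table["columns"], len(table["rows"]), "rows")
```

The required-columns check is what makes a saved import repeatable: if a tool changes its export layout, the import fails loudly instead of producing a table whose columns no longer line up with the report.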

New custom field category: Test Cases

We have added support for a new category of custom fields – test cases.
You can now define custom fields on your test cases and have this information available to your pentesters or customers.
We have also extended support for this new category in the Self-Service APIs.

Configure rich-text information messages for custom fields

You can now assign a custom information message to display in the information panel when users are completing your custom fields.
This is useful to help guide users on what information to enter in or select when filling in forms within your AttackForge.

UX improvements on (re)ordering custom fields

You can now reorder your custom fields using drag-and-drop or clicking on the up and down buttons.
This makes it easy and efficient to set up your forms the way you need them to look.

[ENT + CORE] New Configuration

Set access controls on reporting templates! Tailor your reports for roles, groups and users

You can now configure access controls on your reporting templates. This makes it possible to:
  • Have different reports for different customers
  • Personalize reports to your customers' needs, for example add their logo or only the data that they need
  • Separate reports that your security team uses to that of your customers
  • Tailor reports for different business units, without conflict!

Delegate adding project test suites and abuse cases to other roles and users

You can now delegate the ability to add test suites and abuse cases on projects to other roles and users.
This makes it possible to give your pentesters the authority to perform this action when needed.
These delegations can be applied to entire roles from Administration page, or to individual users via the User --> Access --> Delegations feature.

Configure presets for custom import mapping rules

You can now configure custom rules for your pentesters to use when performing an import of vulnerabilities.
These rules work as dynamic custom parser actions, telling AttackForge how to map the imported vulnerability to a correct entry in your chosen writeups library.
It’s a great timesaver, made even more efficient now that you can save predefined rules and let your pentesters choose the relevant rule (and extend upon it) when importing.
Custom rules can be configured in Administration --> Vulnerabilities.
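To illustrate what a preset of import mapping rules looks like in practice, here is an added example that is not AttackForge's own rule format or parser: an ordered list of rules, each matching an imported finding by title pattern (optionally restricted to one tool) and naming the writeup entry it maps to. A pentester extends the preset by prepending rules, and findings that match nothing are returned for manual review rather than being mapped silently. Rule fields, writeup ids and the findings are all constructed.

```python
"""Preset mapping rules for vulnerability imports.

Added example, not AttackForge's own rule format. Rule fields, writeup ids
and the sample findings are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class MappingRule:
    name: str
    title_pattern: str            # regex tested against the imported title
    writeup_id: str               # target entry in the writeups library
    tool: Optional[str] = None    # restrict the rule to one scanner, if set


@dataclass(frozen=True)
class Preset:
    name: str
    rules: Tuple[MappingRule, ...]


# Constructed admin preset: generic rules shared by every pentester.
ADMIN_PRESET = Preset("default-import", (
    MappingRule("xss", r"cross[- ]site scripting", "WR-XSS"),
    MappingRule("tls-cert", r"(ssl|tls) certificate", "WR-TLS-CERT", tool="nessus"),
))


def extend_preset(preset: Preset, extra: Sequence[MappingRule]) -> Preset:
    """The pentester's additions take precedence over the preset's rules."""
    return Preset(f"{preset.name}+custom", tuple(extra) + preset.rules)


def map_finding(finding: Dict, preset: Preset) -> Optional[MappingRule]:
    """First matching rule wins; None means nothing matched."""
    for rule in preset.rules:
        if rule.tool and rule.tool != finding.get("tool"):
            continue
        if re.search(rule.title_pattern, finding["title"], re.IGNORECASE):
            return rule
    return None


def map_import(findings: Sequence[Dict], preset: Preset) -> Tuple[List[Dict], List[Dict]]:
    """Split an import batch into mapped findings and ones needing manual review."""
    mapped, unmatched = [], []
    for f in findings:
        rule = map_finding(f, preset)
        if rule is None:
            unmatched.append(f)
        else:
            mapped.append({**f, "writeup_id": rule.writeup_id, "matched_rule": rule.name})
    return mapped, unmatched


# Constructed import batch.
FINDINGS = [
    {"tool": "burp", "title": "Cross-site scripting (reflected)"},
    {"tool": "nessus", "title": "SSL Certificate Expiry"},
    {"tool": "burp", "title": "SSL certificate expiry"},   # tool-restricted rule must not fire
    {"tool": "nessus", "title": "Unsupported Web Server Detection"},
]


if __name__ == "__main__":
    done, review = map_import(FINDINGS, ADMIN_PRESET)
    print(len(done), "mapped,", len(review), "for manual review")
```

Keeping the unmatched findings visible is the important design choice: a rule set that falls back to "closest title" would quietly attach findings to the wrong writeup, and those errors are hard to spot once the report is generated.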

Change login page background color

You can now configure a custom background color for your login page.

[ALL] ReportGen v2.6

We have just released our biggest update ever (v2.6) for AttackForge ReportGen: The ultimate pentest reporting tool!
This release includes a new Pentest Report Template (v3); support for charts; four (4) new functions; three (3) new filters; new options, styles and variables; and updates to existing filters and functions that add even more power to your reports!
All examples mentioned in these release notes can be found on the homepage of the ReportGen tool.

Introducing Pentest Report Template v3

This release introduces a new contemporary pentest reporting template - showcasing the possibilities now available in ReportGen v2.5+.
The new Pentest Report Template v3 includes:
  • Logic for a multi-phase project e.g. Web App Pentest + Infrastructure
  • Redesigned Executive Summary, using custom Charts
  • Redesigned Summary Findings
  • Redesigned Vulnerability Details with more information and enhancements
  • Redesigned Test Cases Details
This new template can be downloaded directly from within the ReportGen tool.

Introducing Charts

You can now create custom charts in your reports! The following charts are supported:
  • Vertical Bar Charts
  • Horizontal Bar Charts
  • Pie Charts
  • Donut Charts
Charts work with any data. You can create charts for your vulnerabilities, exec summary, test cases, attack chains or even categorize your data.
Charts also support Scope and Variables.
Every chart comes with configuration options (e.g. colors, font sizes, spacing, etc.) so you can configure and style the chart to your preferences.

New variable type: Dictionary

A Dictionary is a flat list of key:value pairs. It can be useful for capturing dynamic data, or for grouping data.
You can refer to the Dictionary anywhere you need it in your report.
Dictionary is supported on the following Functions: $declare, $push, $assign, and $keys.
  • Example 1: Using a Dictionary to count all affected assets for every vulnerability, then prints the count alongside the vulnerability name.
  • Example 2: Using a Dictionary to store every phase of testing e.g. Web App, Ext. Infrastructure, Int. Infrastructure etc. along with each vulnerability associated to each phase of testing, then print the phase and its vulnerabilities.

Combining filters in functions

You can now combine Filters with your Functions!
This can be achieved in two (2) different ways:
  • Example 1: Using a Filter inside the Function
  • Example 2: Chaining a Filter to the output of a Function

New styled text: description, attack scenario and recommendations

For AttackForge Core and Enterprise users, you can now style your vulnerability descriptions, attack scenarios and remediation recommendations!
These tags will render a styled version based on the style set in-app using the WYSIWYG editor.
To switch over to the new styled tags, update your template to include the new tags.
{@description_styled}
{@attack_scenario_styled}
{@remediation_recommendation_styled}

New styles: AF Normal and AF List

We have added support for two (2) new styles:
  • AF Normal which can be used to create a custom style for normal text inserted via the {@..._styled} tags.
  • AF List which can be used to create a custom style for bullet and numbered lists inserted via the {@..._styled} tags.
These new styles provide the ability to have custom formatting for how your normal text and lists are displayed in your reports when using the {@..._styled} tags.
To get started, create two new styles inside your Word template with the names 'AF Normal' and 'AF List'. Then apply a format to these styles.
When ReportGen builds your report, it will automatically map to these styles for you.

New option: configure image descriptions

This option can be set against the {@proof_of_concept_styled} tag in order to adjust how the filename or caption is displayed under an image.
  • image_description: caption - will display the caption if it exists, otherwise will display nothing.
  • image_description: prefer-caption - will display the caption if it exists, otherwise will display filename.
  • image_description: filename - will display the filename.
  • image_description: none - will display no caption or filename.

New function: $keys

You can use this new function to retrieve the keys of a Dictionary.
  • Example: Using a Dictionary to count all affected assets for every vulnerability, then prints the count alongside the vulnerability name.

New function: $isFirst

Use this function to check if you are in the first iteration of a loop.
For example, if you want to add a section heading BEFORE printing the vulnerability titles.
Another example is if you want to check if it IS NOT the first iteration of a loop.

New function: $isLast

Use this function to check if you are in the last iteration of a loop.
For example, if you want to add an extra line break after every vulnerability title except for the last.
Another example is if you want to check if it IS the last iteration of a loop.

New function: $index

Use this function to print the current index of the loop you are iterating over.
You can use this filter to search for a value in a string and return the results (substring) if found.

New filter: Index

You can use this filter to access an item in an array using its index number.

Sort on custom tags and custom fields

We have now made it easy to perform a custom sort based on your custom tags or custom fields!

[ENT + CORE] New Functionality

Create a report with selected vulnerabilities only

You can now select one or more vulnerabilities and create a custom report with only that selection.
This is useful when you need to get a report out to different teams, with only the context for vulnerabilities which are relevant to that team.