2023
2023-10-31
Vulnerability Form Builder
One of the most requested and highly anticipated features has arrived – Vulnerability Form Builder!
You now have full control over how your vulnerability form can be built:
Re-arrange all of your existing fields into your preferred display order
Create custom sections, then group and order your fields into their relevant sections
Re-name and re-order existing sections
Use logic to show relevant vulnerability sections and fields based on the testing types assigned to the project
Improved vulnerability page view to match your preferred vulnerability user experience
Vulnerability Form Builder provides unprecedented levels of customization when it comes to how you want to create and view your vulnerabilities.
You can create custom sections and fields for different types of security testing, for example red team assessments, pentests, configuration reviews, code reviews, social engineering, etc.
You can combine sections and fields and choose when you want them to be displayed.
For example, your project might include web application, infrastructure and mobile application testing; you can show the relevant sections and fields based on the types of testing assigned to the project.
We have also improved the way vulnerability fields are presented when viewing the vulnerability. Your sections and display order are now fully supported, helping you to group and highlight the most important information for your remediation teams and customers.
Re-arrange your vulnerability fields the way in which you want
You can now completely re-arrange all of your fields and sections! Don’t want to follow the standard layout? No worries, adjust it to how YOU want it.
Create custom sections, then group and order your fields into their relevant sections
You can now create custom sections to group your vulnerability fields into where they belong, according to you.
Re-name and re-order existing sections
Existing sections can be re-named, re-ordered or even dismantled. When we say you have full control – we really mean it!
Use logic to show relevant vulnerability sections and fields based on the testing types assigned to the project
Hide Expressions are now supported on sections.
Project fields are now also supported in vulnerability hide expressions.
This means you can create vulnerability forms which are relevant to your projects – creating a more personalized vulnerability experience!
Improved vulnerability page view to match your preferred vulnerability user experience
When viewing a vulnerability, you will now see the relevant sections and fields for that vulnerability.
You can also control the order in which the sections and fields are displayed, so you can view the data the way you and your customers need it!
ReportGen v2.8
We have just released another massive update for AttackForge ReportGen: The ultimate pentest reporting tool!
This release includes the much-anticipated ReportGen CLI tool; ReportGen NodeJS library; support for testing your Combined Report templates; one (1) new option; two (2) new styles; and support for charts in loops - adding even more power to your reports!
Introducing ReportGen CLI and NodeJS library
This release comes with two new ways you can build or program your reports.
The ReportGen Command Line Interface (CLI) tool is ideal for people who prefer to build pentest reports on the command line; and combine ReportGen into an existing automation or pipeline.
You can create automations combining ReportGen CLI with Self-Service API Events.
For example, you can create real-time automated PDF reports and have them securely emailed to your customers, posted to a Slack/Teams channel, or uploaded to a ticket.
For more information on how to do this, check out our Blog.
The ReportGen NodeJS library is ideal for people who want to simply "import" ReportGen into their existing codebase or scripts and build custom penetration testing reports natively in their own code.
You can download ReportGen CLI and NodeJS library directly from NPM.
Combined Reports now supported
Building Combined Reports has never been easier – now you can use the ReportGen browser tool to create and test your Combined Report templates.
These reports combine multiple project JSON files, to create a single report using data from multiple projects.
To do this, simply select multiple JSON files on the 'Select Your JSON File' step when using the ReportGen browser tool.
For more information on Combined Reports, visit the Support Centre.
New Option: Enable/Disable Image Figure
This release introduces a new option which allows you to enable or disable automated figures which are inserted for every inline image contained within the styled tags.
You can disable automated figures as follows:
{@..._styled("image_figure":"none")}
For more information on how to enable this option, visit this link.
New Style: Image Display Style
This release introduces a new style which allows you to independently set a style for inline images contained within the styled tags.
This allows you to have finer control over the styling which is applied to the images.
For example, this guide will show you how to automatically apply a border to every inline image in your report, using this new style.
For more information on how to apply this style, visit this link.
New Style: Image Description Style
This release introduces a new style which allows you to independently set a style for inline image descriptions contained within the styled tags.
This allows you to have finer control over the styling which is applied to the descriptions which appear beneath the inline images, for example the captions or filenames.
For more information on how to apply this style, visit this link.
Charts now supported in loops
You can now create charts inside loops. For example, this is useful if you are creating a new chart for every vulnerability.
Improved Writeup Access Controls
We have improved the access controls you can set on your Writeups libraries.
You can now independently assign View or Edit access to every Writeups library, including the Main, Imports, Project and Custom libraries.
This means you can give people access to see writeups in a particular library, without the risk of them making any changes.
You can assign View access to allow users to see the writeups, link them to their vulnerabilities on projects, or even create derivatives in a library they have Edit access to.
Access to libraries can now be assigned to any user based on their Role, membership on Groups, or individual assignment.
If you are using Groups, you can now assign those groups to the libraries – making Writeups library access easier to manage.
You also no longer need to assign the Library Moderator role. The new Writeups access controls will be applied based on your configuration settings, without having to change any user’s personal settings or user role.
New File Uploads & Inline Images
You can now upload files and evidence, and set inline images, for the following:
Writeups
Remediation Notes
Test Cases
Test Case Notes
This means you can now:
Configure images/diagrams/illustrations to support your vulnerability descriptions, attack scenarios and remediation recommendations. You only need to set this one time during creation/editing of the writeup in your library.
Capture your remediation evidence directly against the remediation notes for every round of retesting. Even your engineers and customers can upload evidence too against their remediation notes!
You can also:
Configure images/diagrams/illustrations to support your test case details and execution flows. You only need to set this one time during creation/editing of the test case in your library.
Capture your test case evidence directly against the test case notes.
You can also display these images in your reports using the {@..._styled} tags and the files are also available via the Self-Service APIs.
User Experience Enhancements
Preserved Table Filters, Sorting and State
We have improved the user experience when interacting with tables in AttackForge.
Now, when you make any changes to your projects or vulnerability tables (for example filtering your data, sorting your columns, or viewing a particular table page) and then navigate away from the table, for example by clicking a link to view the data, everything is preserved when you come back to the table, as if you never left it.
This makes it easier to configure your tables with your preferred filtering and sorting, and AttackForge remembers that for you for the duration of your session.
Responsive Design for Narrow and Wide/4K Screens
We have redesigned the user interface to better support narrow screens, wide screens and high-resolution 4K screens.
There is now more information presented on every screen, making it easier to see the important information you need without having to scroll the page or table.
It also supports better dashboards and analytics views.
Access Entire Asset Tables on Project Create or Project Scope
You can now filter and view all asset-related data when creating a project, as well as viewing and managing scope on a project after creation.
This makes it easier to find the exact assets you need to include on your project, and to apply bulk actions to add them to projects.
Suppress Email Notifications on Review Notes
You can now suppress email notifications when creating review notes.
This can help to reduce email noise during review cycles and focus notifications on the areas that matter most.
Drag-and-drop table settings
You can now drag-and-drop your columns in your table settings.
This makes it easier to re-organise your tables into your preferred viewing style.
Preview images by clicking on them
Now you can click on any inline image and open it in an image previewer.
Edit Remediation Notes and Test Case Notes
You can now edit your remediation notes and test case notes.
This applies to owners of the record, or Administrators.
New columns for vulnerability, test case and user tables
We have added more data columns in more places.
Vulnerability tables now include Status Last Updated datetime.
The Users table also now includes the login type, i.e. local or SSO.
Test cases table also includes a count for all linked vulnerabilities for each test case.
View linked Project Request from Project, and vice-versa
You can now see the linked project request from the project dashboard and navigate to it.
You can also navigate to a linked project from the actioned project request.
Edit Test Cases from the Project Test Case page
There is now a shortcut button to edit a test case in the Test Suites module directly from the project test case page.
This makes it easier to make changes to test cases when required.
Back to MFA QR code
When enrolling your mobile authentication app for MFA by scanning the QR code, there is now an option to go back to the QR code in case there are issues when entering the code.
Support Centre Is Now More Accessible
We have added more ways to access the Support Centre, including from the user actions menu in the navigation bar.
Deleted users show at bottom of users lists
User select fields now group deleted users and present them at the bottom of the list, making it easier to distinguish active users from deleted ones.
New Rich-Text Fields
Our AttackForge customer community asked for it, and now it’s here.
Rich-text is now supported for the following fields in the application, as well as in reports and via the Self-Service APIs:
Remediation Notes
Vulnerability Notes
Project Workspace Items
Test Cases: Details field and Execution Flows
Abuse Cases
Test Case Notes
Make sure to update your reporting templates to use the {@..._styled} variation of the relevant tag, to ensure it renders as rich-text in your reports.
New Test Suites & Import Test Cases
You can now easily import test cases into your test suites, in JSON, CSV or AttackForge Community formats.
We have also released a GitHub repository with the latest industry testing standards, which you can now easily import into your test suites.
This helps to keep you up to date on the latest developments in testing standards.
The following standards are now supported:
OWASP Web Security Testing Guide Version 4.2
OWASP Application Security Verification Standard (ASVS) Version 4 - Level 1
OWASP Application Security Verification Standard (ASVS) Version 4 - Level 2
OWASP Application Security Verification Standard (ASVS) Version 4 - Level 3
OWASP Mobile Application Security Testing Guide (MASTG) Version 2 - Level 1
OWASP Mobile Application Security Testing Guide (MASTG) Version 2 - Level 2
OSSTMM Version 3 - Human Security Testing
OSSTMM Version 3 - Physical Security Testing
OSSTMM Version 3 - Wireless Security Testing
OSSTMM Version 3 - Telecommunications Security Testing
OSSTMM Version 3 - Data Networks Security Testing
Import Writeups
You can now easily import test cases into your test suites, in JSON, CSV or AttackForge Community formats.
New Features
Force user password change on next login
We have added an option which allows Admins to force a local user account to set a new password upon next login.
This is useful if you are inviting new users to your AttackForge and the user is not using the password reset workflow.
This feature can be enabled when creating/inviting the user, or via the users’ access settings page.
Bulk archive, bulk restore and bulk destroy projects
Bulk delete and bulk restore users
Bulk archive and bulk restore assets
We have added bulk actions on the projects, users and assets tables – to help reduce repetitive tasks.
We will be extending these actions over the next few releases to further improve efficiency and reduce repetitive tasks in AttackForge.
Import vulnerabilities from Checkmarx SCA
We have added an option to import vulnerabilities from Checkmarx Software Composition Analysis (SCA).
This import option supports JSON and XML export formats.
Review Notes without topics
You can now create review notes without specifying a topic.
This is useful if you have general comments relating to an entire vulnerability or to the executive summary.
Importing vulnerabilities - improved import feedback & skip duplicate detection
We have improved the user experience for importing vulnerabilities.
Now, when you import vulnerabilities – you can access the results for every vulnerability which was:
Created
Skipped
Failed
Not Imported
You can now also skip duplicate detection when importing vulnerabilities.
This could be useful if you need to force an import, regardless of the existing vulnerabilities on the project.
Updates to Self-Service API
In this release we have improved our Self-Service REST APIs to provide more flexibility and options when interacting with AttackForge.
New REST Endpoint: UpdateVulnerabilitySLAs
We added a new endpoint which can be used to programmatically apply or update vulnerability remediation SLAs. See link for more information:
New REST Endpoint: RegenerateAPIKey
We added a new endpoint for programmatically rolling a user's Self-Service API key. See link for more information:
New REST Endpoint: AddTestCasesToTestSuite
We added a new endpoint which allows adding bulk test cases to a test suite. See link for more information:
New REST Endpoint: GetFormConfig
New REST Endpoint: UpdateFormConfig
We added two new endpoints which allow you to retrieve and update the new vulnerability form builder config. See links for more information:
New Event: VulnerabilityEvidenceCreated
New Event: VulnerabilityEvidenceUpdated
We added two new events for real-time notifications when evidence is created and updated on vulnerabilities. See links for more information:
New Event: VulnerabilityRemediationNoteCreated
New Event: VulnerabilityRemediationNoteUpdated
We added two new events for real-time notifications when remediation notes are created and updated on vulnerabilities. See links for more information:
GetProjects now supports advanced query filtering
We added support for Advanced Query Filtering for the GetProjects REST endpoint. See link for more information:
GetProject* Endpoints Now Return project_testsuites
We updated all GetProject related endpoints to return the test suite names and ids assigned to the project.
Video Tutorials
Vulnerability Form Builder
We created a short video on how to effectively use the new Vulnerability Form Builder included in this new release.
The video is available on YouTube: https://www.youtube.com/watch?v=vPZU3LxqvUE
Infrastructure Penetration Test
We also created a short video on how to perform an efficient infrastructure penetration test in AttackForge.
The video is also available on YouTube: https://www.youtube.com/watch?v=IT74fi75-G4
2023-07-31
New Workflows: Grouped Assets on Vulnerabilities
One of the most highly anticipated and requested workflows has just arrived!
Introducing Grouped Assets on Vulnerabilities.
You now have a choice for how you want to create and use vulnerabilities:
Create unique vulnerabilities on every project, and assign relevant affected assets to each unique vulnerability;
Create individual vulnerabilities for every asset; or
Create a combination of unique vulnerabilities and individual vulnerabilities – for ultimate flexibility!
A single vulnerability can now have many affected assets assigned to it.
This can include detailed information for each affected component on every asset.
Using grouped assets on vulnerabilities can help you to:
Increase efficiency when working on infrastructure penetration tests;
Reduce the overall number of vulnerabilities whilst preserving affected asset data;
Reduce effort required for quality review cycles on vulnerabilities;
Improve vulnerability importing with grouped assets
When you next import vulnerabilities on your project – you will have a choice between selecting Individual or Grouped.
Individual will allow you to import your vulnerabilities as you always have.
Whereas Grouped will allow you to automatically group affected assets for each vulnerability.
In the example below, we can see there was a 94% reduction in vulnerabilities, whilst preserving the same amount of data.
This means you can focus your attention on the important vulnerabilities and track their affected assets much more efficiently.
You can view all of the affected assets, and for each asset – see related data for its affected components.
You can configure the Grouping options to adjust the rules for how the grouping is performed.
Once you have made your selection, you can move to the Edit and Review step.
Here you can see the final set of vulnerabilities for selection and make any remaining adjustments as needed prior to import.
You can still choose to configure your import options such as dynamic parser actions and selection of libraries.
Once your import begins, you will be kept up to date with its progress.
And once it's finished, you will see a summary of the import and an option to view the vulnerabilities.
Vulnerabilities with grouped assets will now show in your vulnerability tables, with an option to expand each vulnerability to see its asset data.
Register multiple affected assets for every vulnerability
When you next create a vulnerability – you will have a choice when determining how you want the assets to be assigned and tracked on the vulnerability.
You can choose between Individual and Grouped.
Individual will allow you to assign your assets to vulnerabilities as you always have.
Whereas Grouped will allow you to create a single vulnerability and assign all affected assets to the vulnerability.
Capture and retain asset & component data on the vulnerability
Every asset can have its own notes, tags, and components.
Components can be used to track which part(s) of the asset has the vulnerabilities.
Every component can also have its own notes and tags.
Track actioned status for each affected asset
Every asset can be individually tracked and actioned.
This is useful for monitoring the progress against assets on a vulnerability.
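The grouped import, the per-asset component data and the per-asset actioned status described in the sections above, as an added example that is not AttackForge's own import code: a flat list of per-asset findings (constructed sample data, with assumed field names title, asset, component and note) is collapsed into unique vulnerabilities, and the `keyOf` parameter is a hypothetical stand-in for the grouping options.

```javascript
// Added example, not AttackForge's own import code: groups a flat list of
// per-asset findings (one row per asset and port, as an infrastructure
// scanner emits) into unique vulnerabilities, each carrying its affected
// assets, their components, per-component notes and an actioned flag.
// Field names (title, asset, component, note) are constructed for this sample.

// Constructed sample input: six rows describing three distinct issues.
const SAMPLE_FINDINGS = [
  { title: "SSH weak MAC algorithms", severity: "Low",    asset: "10.0.0.5", component: "tcp/22",   note: "hmac-md5 offered" },
  { title: "SSH weak MAC algorithms", severity: "Low",    asset: "10.0.0.6", component: "tcp/22",   note: "hmac-md5 offered" },
  { title: "SSH weak MAC algorithms", severity: "Low",    asset: "10.0.0.6", component: "tcp/2222", note: "hmac-sha1-96 offered" },
  { title: "TLS 1.0 enabled",         severity: "Medium", asset: "10.0.0.5", component: "tcp/443" },
  { title: "TLS 1.0 enabled",         severity: "Medium", asset: "10.0.0.7", component: "tcp/8443" },
  { title: "Outdated Apache httpd",   severity: "High",   asset: "10.0.0.7", component: "tcp/80" },
];

// Group findings into unique vulnerabilities. `keyOf` is the grouping rule
// (a hypothetical stand-in for the "Grouping options" in the text); the
// default groups on title alone, so the same issue on many hosts collapses
// into one vulnerability with many affected assets.
function groupFindings(findings, keyOf = (f) => f.title) {
  const byKey = new Map();
  for (const f of findings) {
    const key = keyOf(f);
    if (!byKey.has(key)) {
      byKey.set(key, { title: f.title, severity: f.severity, affected_assets: [] });
    }
    const vuln = byKey.get(key);

    // One entry per affected asset, each individually trackable (actioned flag).
    let asset = vuln.affected_assets.find((a) => a.asset === f.asset);
    if (!asset) {
      asset = { asset: f.asset, actioned: false, components: [] };
      vuln.affected_assets.push(asset);
    }

    // One entry per affected component on that asset; notes are kept per
    // component so no scanner detail is lost when rows are merged.
    let component = asset.components.find((c) => c.component === f.component);
    if (!component) {
      component = { component: f.component, notes: [] };
      asset.components.push(component);
    }
    if (f.note) component.notes.push(f.note);
  }
  return [...byKey.values()];
}

// Number of (asset, component) pairs retained across all grouped vulnerabilities;
// equals the input row count when every row is a distinct asset/component pair.
function componentCount(grouped) {
  return grouped.reduce(
    (n, v) => n + v.affected_assets.reduce((m, a) => m + a.components.length, 0),
    0
  );
}

// Percentage reduction in vulnerability count, the figure quoted in the text.
function reductionPercent(findings, grouped) {
  if (findings.length === 0) return 0;
  return Math.round((1 - grouped.length / findings.length) * 100);
}

// Mark one affected asset as actioned (e.g. after a retest), leaving the rest
// untouched; returns how many assets on the vulnerability are now actioned.
function markActioned(vuln, assetName) {
  const asset = vuln.affected_assets.find((a) => a.asset === assetName);
  if (asset) asset.actioned = true;
  return vuln.affected_assets.filter((a) => a.actioned).length;
}

const grouped = groupFindings(SAMPLE_FINDINGS);
console.log(`${SAMPLE_FINDINGS.length} findings -> ${grouped.length} vulnerabilities ` +
            `(${reductionPercent(SAMPLE_FINDINGS, grouped)}% reduction, ` +
            `${componentCount(grouped)} asset/component pairs kept)`);
```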
ReportGen v2.7
We have just released another massive update for AttackForge ReportGen: The ultimate pentest reporting tool!
This release includes two (2) new Pentest Report Templates; support for grouped assets on vulnerabilities; a new support site for ReportGen; two (2) new options; seven (7) new filters; new styles; a new function; support for figures and more - adding even more power to your reports!
Support for Grouped Assets on Vulnerabilities
Support for grouped assets has been added in this release of ReportGen.
For details on how to adjust your template to take advantage of grouped assets, please visit this Support Page.
Pentest Report Template 3.1 and 3.2
This release introduces two (2) new pentest reporting templates:
Pentest Report v3.1 - a template showcasing the features available in ReportGen v2.7+
Pentest Report v3.2 - a template with minimal logic which can be used out-of-the-box, and has support for grouped assets on vulnerabilities
We have also released an updated example JSON test file which can be used for testing your templates.
GitHub Community Support Site
As part of our mission to support the growing community of AttackForge users, we have released a new dedicated Support Site for ReportGen.
This Support Site provides:
Information on getting started with ReportGen;
Template examples to achieve common use cases and reporting needs; and
Place to ask questions and receive tips and help from our support team and the community.
We hope the new Support Site for ReportGen will make it easier for everyone to build awesome testing reports, with minimal effort!
You can access the new ReportGen Support Site from https://github.com/AttackForge/ReportGen.
New Option: Custom Styles for Individual Rich-Text Fields
You can now assign individual rich-text fields to different custom styles which are in your template.
This feature can be used with {@execSummaryNotesStyled}, {@description_styled}, {@attack_scenario_styled}, {@remediation_recommendation_styled} or any styled custom fields.
For more instructions and details, please visit this Support Page.
New Option: Image Options Supported For All Styled Tags
In the previous release of ReportGen, we added support for including custom options to configure how your image descriptions are displayed in reports.
You can configure the images to show captions; prefer captions; show filename or show nothing.
In this release, we extended this feature to support any styled tags, including your own custom rich-text fields.
For more instructions and details, please visit this Support Page.
Styled Custom Fields
In this release, we added support to render custom rich-text fields.
You need to use the following format for the tag in order to render it in the report:
{@KEY_styled}
Where KEY is substituted for the custom field key for the rich-text field.
Add Figures For Images
All images will now automatically prefix Figure X: to the image description.
This means you no longer need to manually inject figure numbers for each of your images inserted dynamically by ReportGen.
Figure numbers take advantage of Microsoft Word dynamic fields so you can easily update them if you need to manually insert any new images.
New Function: $equalsRegex
You can use this new function to perform an equality comparison for a variable against a value using a Regular Expression test.
It performs a global, case-insensitive test. For example, you can use it to test whether data is a URL or an IP address.
For more instructions and details, please visit this Support Page.
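The behaviour described above, as an added example that is not ReportGen's own code: a hypothetical `equalsRegex` helper performing a global, case-insensitive regular-expression test, used for the URL and IP address checks the text mentions; the pattern strings and the `classifyTarget` helper are constructed for this example. It also shows why a reused global regex must not be cached across calls.

```javascript
// Added example, not ReportGen's own code: a hypothetical equalsRegex helper
// modelled on the behaviour described above (a global, case-insensitive regular
// expression test of a template value against a pattern), plus the two checks
// the text mentions, URL and IPv4 address. Pattern strings are constructed here.
function equalsRegex(value, pattern) {
  if (value === undefined || value === null) return false;
  // Build a fresh RegExp on every call. A /g regex that is reused across calls
  // keeps its lastIndex after a successful test(), so the next test() on the
  // same input starts past the end and wrongly returns false (see below).
  const re = new RegExp(pattern, "gi");
  return re.test(String(value));
}

// Anchored patterns so the call behaves as an equality check, not a substring search.
const URL_PATTERN  = "^https?://[^\\s/$.?#][^\\s]*$";
const IPV4_OCTET   = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
const IPV4_PATTERN = `^${IPV4_OCTET}(\\.${IPV4_OCTET}){3}$`;

function isUrl(value)  { return equalsRegex(value, URL_PATTERN); }
function isIPv4(value) { return equalsRegex(value, IPV4_PATTERN); }

// Demonstrates the lastIndex pitfall a global regex introduces when reused:
// the first test() succeeds, the second starts at lastIndex and fails.
function reusedGlobalRegexResults(value, pattern) {
  const re = new RegExp(pattern, "gi");
  return [re.test(value), re.test(value)];
}

// Decide how a scope entry should be labelled in a report, the kind of branch
// a template might take on the result of such a regex test.
function classifyTarget(value) {
  if (isUrl(value)) return "url";
  if (isIPv4(value)) return "ipv4";
  return "other";
}

console.log(classifyTarget("https://Example.com/login"), classifyTarget("10.0.0.5"), classifyTarget("intranet-host"));
console.log(reusedGlobalRegexResults("https://example.com", URL_PATTERN)); // [ true, false ]
```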
New Filter: Float
You can convert a number to a floating-point number.
For more instructions and details, please visit this Support Page.
New Filter: Integer
You can convert a number to an integer.
For more instructions and details, please visit this Support Page.
New Filter: Round
You can round a number to the nearest integer.
For more instructions and details, please visit this Support Page.
New Filter: RoundUp
You can round a number up to the nearest integer.
For more instructions and details, please visit this Support Page.
New Filter: RoundDown
You can round a number down to the nearest integer.
For more instructions and details, please visit this Support Page.
New Filter: Capitalize
You can capitalize the tag. The first character will be uppercase, all others lowercase.
For more instructions and details, please visit this Support Page.
New Filter: Titlecase
You can title case the tag. Words will start with uppercase letters, all remaining characters are lowercase.
For more instructions and details, please visit this Support Page.
Styled and Labelled $help
To make debugging easier, we have added styled and label-supported $help functions.
Now when you use the $help function, the browser console will style and color-code it according to whether it relates to Scope or Variables.
In addition, you can pass labels to every $help function, which makes it easier to debug your template and is especially useful when printing multiple $help statements.
For more instructions and details, please visit this Support Page.
Improvements in Removing Line-breaks Before and After {@rawXML} Tags
Now when you insert any tags in your template which contain rawXML, such as styled tags for rich-text fields - the line breaks above and below the data will be automatically removed. This makes your reports look cleaner and reduces the need for manual post-generation efforts to remove the additional line breaks.
Test Case Workspace Notes
You can now inject your Test Case Workspace Notes into your JSON export, to make the data available for reporting purposes.
To do this, go to the Administration module, and from the Projects menu - select Test Case Workspace Notes from Export Project as JSON Additional Items section.
New Functionality
Image Thumbnails and Preview
You can now view thumbnails for any uploaded image, as well as preview the image within the browser instead of having to download it.
Import Assets from NMAP and Masscan
You can now import assets directly to your projects from your NMAP and Masscan files.
This will save you tons of time having to create assets manually!
You can also take advantage of the additional Hostnames and Ports fields if you are using the Assets Module.
These fields will be stored against the Asset in the module, so you can monitor and manage Hostnames and Ports centrally (outside of your projects).
You can also view and modify the data prior to importing.
Download Vulnerability Selection as JSON
You can now export a JSON file for a selection of vulnerabilities only.
This will include all of the reporting data for those vulnerabilities.
Search All Writeups Across All Writeup Libraries on Vulnerability Create/Edit
Now when you create a new vulnerability; or edit an existing vulnerability – you can search all of your Writeups which you have access to, without having to first select a library.
New Custom Field: List
You can now create custom fields using the new ‘List’ type.
Lists are great for assigning multiple inputs for a field, for example creating your own tags or actions.
List types are also the required type when choosing to include Hostnames and Ports on Assets using the new NMAP and Masscan import options.
Bulk Archive Writeups
You can now bulk archive writeups via the Writeups module. This makes it easy to remove unwanted writeups.
Archiving writeups will not impact any of your existing vulnerabilities which already reference those writeups.
Bulk Assign Assets to Test Cases
You can now bulk assign assets to test cases on a project.
This is useful when you need to specify which in-scope assets apply to each test case.
User Experience Improvements
Performance and Search Improvements
We have improved the server performance when searching or accessing any of the following data within AttackForge:
Projects
Assets
Vulnerabilities
Writeups
This means you should have lightning-fast response times when loading pages and menus!
View Asset Module Data on Project Scope
Privileged users can now view all of the asset data for in-scope assets directly from the Project Scope page.
This means you no longer need to access the Asset Module in order to get the data, and you can use the advanced filters to search your project's assets!
Send Test Email Notifications for Custom Emails
You can now send test emails for any of the custom time-based emails configured in your Administration options.
This makes it easier to verify that your custom email rules are correctly applied and ensure your emails are looking exactly the way you need them to be!
Updates to Self-Service API
In this release, we have improved our Self-Service REST APIs to provide more flexibility and options when interacting with AttackForge.
GetProjectsAndVulnerabilities now supports advanced query filtering on projects and vulnerabilities
GetVulnerabilities now supports advanced query filtering on writeups
We have updated the GetProjectsAndVulnerabilities endpoint to support q_project and q_vulnerability advanced query filters.
We also updated the GetVulnerabilities endpoint to support the q_writeup advanced query filters.
Advanced query filters allow you to create database-like custom queries which give you the power and flexibility to get the exact data you need.
This saves you the time and hassle of having to create integration code to make multiple queries or filter out the data you do not need.
For more information on how to take advantage of advanced query filters – please visit this Support Page.
New REST Endpoint: DownloadWorkspaceFile
We created a new RESTful API endpoint - DownloadWorkspaceFile - which can be used to download a file from a project's workspace.
For more information on how to use this API – please visit this Support Page.
2023-04-17
Custom Fields Upgrade
Set access controls on custom fields! Tailor your custom fields for roles, groups and users
You can now configure view & edit access controls for your custom fields, and apply them to individual roles, groups or users.
This opens a world of new possibilities, for example:
Create custom project request forms for different customers, teams, business units or individual users
Personalize your project request forms to your customers’ needs and requirements
Set up tailored forms for your pentest-as-a-service (PTaaS) to match your customers’ needs or subscription-level
Have custom project fields for admin-eyes only, or for pentesters – without your customers seeing them
Set project budgets; admin notes; integration fields – ensure confidentiality with access controls
Configure project-level information for only your project coordinators or pentesters to see
Define custom vulnerability and writeup fields for different pentest teams
Create personalized vulnerability and writeup forms for infrastructure teams, application teams, remediation teams, etc.
Configure custom vulnerability and writeup fields for different customers
Control what vulnerability information is shared with which customers or teams
Assign custom asset and portfolio fields for different customers
Configure information that is only relevant for specific customer assets or portfolios
You can also preview what your users can see using the ‘view-as’ feature.
This can help you to easily and quickly configure and manage your access controls.
All custom field access controls are also honored via the APIs, so unauthorized users cannot view or edit custom fields they are not supposed to.
New custom field types: Table, Rich-Text, User & Group
You can now configure custom fields with the following types:
Table
Rich-text
User(s)
Group(s)
These new types allow you to capture information on projects, vulnerabilities, assets, writeups, portfolios and test cases in ways never seen before in AttackForge.
Combining these new custom field types with the new ability to set access controls on custom fields, you can have this information available only to people with need-to-know.
Table custom fields
Table custom fields are a great way to collect tabular data and use it in AttackForge and in your reports.
For example, you may be performing a configuration or firewall review where your tools only output CSV files or tables.
You can now import that data via the APIs, edit it in the application, and display it in your reports.
Rich-text custom fields
Rich-text custom fields have been one of the most requested custom field types – and it's finally here!
You can set up rich-text enabled custom fields for your writeups or vulnerabilities, and they are supported in reports as well, so custom styled fields show for your customers with no extra effort. You can enter data as lists, create sections using headings, or even highlight code snippets.
User custom fields
User custom fields make it possible to assign AttackForge users to projects or vulnerabilities.
For example, you may want to create Peer Review and Tech Review fields on your vulnerabilities and assign users accordingly.
Or you may want to associate a Level 1 Owner and a Level 2 Owner to certain vulnerabilities. This is all now possible.
User custom fields support single-select and multi-select, for cases when either one or many users can be assigned.
Group custom fields
Group custom fields also open up many possibilities, such as assigning groups to vulnerabilities.
For example, you may want to associate a vulnerability with the group responsible for fixing it.
Group custom fields support single-select and multi-select, for cases when either one or many groups can be assigned.
New custom field category: Test Cases
We have added support for a new category of custom fields – test cases.
You can now define custom fields on your test cases and have this information available to your pentesters or customers.
We have also extended support for this new category in the Self-Service APIs.
Configure rich-text information messages for custom fields
You can now assign a custom information message to display in the information panel when users are completing your custom fields.
This is useful to help guide users on what information to enter in or select when filling in forms within your AttackForge.
UX improvements on (re)ordering custom fields
You can now reorder your custom fields using drag-and-drop or clicking on the up and down buttons.
This makes it easy and efficient to set up your forms the way you need them to look.
New Configuration
Set access controls on reporting templates! Tailor your reports for roles, groups and users
You can now configure access controls on your reporting templates. This makes it possible to:
Have different reports for different customers
Personalize reports to your customers needs, for example add their logo or only the data that they need
Separate reports that your security team uses to that of your customers
Tailor reports for different business units, without conflict!
Delegate adding project test suites and abuse cases to other roles and users
You can now delegate the ability to add test suites and abuse cases on projects to other roles and users.
This makes it possible to give your pentesters the authority to perform this action when needed.
These delegations can be applied to entire roles from Administration page, or to individual users via the User --> Access --> Delegations feature.
Configure presets for custom import mapping rules
You can now configure custom rules for your pentesters to use when performing an import of vulnerabilities.
These rules work as dynamic custom parser actions, telling AttackForge how to map an imported vulnerability to the correct entry in your chosen writeups library.
It is a great timesaver, made even more efficient now that you can save predefined rules and let your pentesters choose the relevant rule (and extend upon it) when importing.
Custom rules can be configured in Administration --> Vulnerabilities.
Change login page background color
You can now configure a custom background color for your login page.
ReportGen v2.6
We have just released our biggest update ever (v2.6) for AttackForge ReportGen: The ultimate pentest reporting tool!
This release includes a new Pentest Report Template (v3); support for charts; four (4) new functions; three (3) new filters; new options; new styles, new variables and updates to existing filters and functions add even more power to your reports!
All examples mentioned in these release notes can be found on the homepage of the ReportGen tool.
Introducing Pentest Report Template v3
This release introduces a new contemporary pentest reporting template - showcasing the possibilities now available in ReportGen v2.5+.
The new Pentest Report Template v3 includes:
Logic for a multi-phase project e.g. Web App Pentest + Infrastructure
Redesigned Executive Summary, using custom Charts
Redesigned Summary Findings
Redesigned Vulnerability Details with more information and enhancements
Redesigned Test Cases Details
This new template can be downloaded directly from within the ReportGen tool.
Introducing Charts
You can now create custom charts in your reports! The following charts are supported:
Vertical Bar Charts
Horizontal Bar Charts
Pie Charts
Donut Charts
Charts work with any data. You can create charts for your vulnerabilities, exec summary, test cases, attack chains or even categorize your data.
Charts also support Scope and Variables.
Every chart comes with configuration options (e.g. colors, font sizes, spacing, etc.) so you can configure and style the chart to your preferences.
New variable type: Dictionary
A Dictionary is a flat list of key:value pairs. It can be useful for capturing dynamic data, or for grouping data.
You can refer to the Dictionary anywhere you need it in your report.
Dictionary is supported on the following Functions: $declare, $push, $assign, and $keys.
Example 1: Using a Dictionary to count the affected assets of every vulnerability, then print each count alongside the vulnerability name.
Example 2: Using a Dictionary to store every phase of testing e.g. Web App, Ext. Infrastructure, Int. Infrastructure etc. along with the vulnerabilities associated with each phase, then print each phase and its vulnerabilities.
Combining filters in functions
We have made it possible to now combine Filters with your Functions!
This can be achieved in two (2) different ways:
Example 1: Using a Filter inside the Function
Example 2: Chaining a Filter to the output of a Function
New styled text: description, attack scenario and recommendations
For AttackForge Core and Enterprise users, you can now style your vulnerability descriptions, attack scenarios and remediation recommendations!
These tags will render a styled version based on the style set in-app using the WYSIWYG editor.
To switch over to the new styled tags, update your template to include the new tags.
New styles: AF Normal and AF List
We have added support for two (2) new styles:
AF Normal which can be used to create a custom style for normal text inserted via the {@..._styled} tags.
AF List which can be used to create a custom style for bullet and numbered lists inserted via the {@..._styled} tags.
These new styles provide the ability to have custom formatting for how your normal text and lists are displayed in your reports when using the {@..._styled} tags.
To get started, create two new styles inside your Word template with the names 'AF Normal' and 'AF List'. Then apply a format to these styles.
When ReportGen builds your report, it will automatically map to these styles for you.
New option: configure image descriptions
This option can be set against the {@proof_of_concept_styled} tag to adjust how the filename or caption is displayed under an image.
image_description: caption - will display the caption if it exists, otherwise will display nothing.
image_description: prefer-caption - will display the caption if it exists, otherwise will display the filename.
image_description: filename - will display the filename.
image_description: none - will display no caption or filename.
New function: $keys
You can use this new function to iterate over the keys of a Dictionary and retrieve the value stored against each key.
Example: Using a Dictionary to count the affected assets of every vulnerability, then print each count alongside the vulnerability name.
New function: $isFirst
Use this function to check if you are in the first iteration of a loop.
For example, if you want to add a section heading BEFORE printing the vulnerability titles.
Another example is if you want to check if it IS NOT the first iteration of a loop.
New function: $isLast
Use this function to check if you are in the last iteration of a loop.
For example, if you want to add an extra line break after every vulnerability title except for the last.
Another example is if you want to check if it IS the last iteration of a loop.
New function: $index
Use this function to print the current index of the loop you are iterating over.
New filter: Search
You can use this filter to search for a value in a string and return the results (substring) if found.
New filter: Index
You can use this filter to access an item in an array using its index number.
Sort on custom tags and custom fields
We have now made it easy to perform a custom sort based on your custom tags or custom fields!
New Functionality
Create a report with selected vulnerabilities only
You can now select one or more vulnerabilities and create a custom report containing only that selection.
This is useful when you need to get a report out to different teams, with only the context for vulnerabilities which are relevant to that team.
Rich-text editor for writeups
We have now added rich-text support for your writeups!
You can now have more detailed and styled information for your vulnerabilities.
You can also include the styled versions in your reports using the following tags:
{@description_styled}
{@attack_scenario_styled}
{@remediation_recommendation_styled}
Configurable CVSS scoring for writeups
You can now independently configure CVSS Base, Temporal and Environmental scores for your writeups.
Simply select the relevant option from the drop-down when creating or editing your writeups.
The score will be used as a baseline when creating new vulnerabilities.
Link vulnerabilities between projects
You can now link vulnerabilities from one project to another.
This is useful when you want multiple projects to have a view of a particular vulnerability, or set of vulnerabilities, for example to consolidate for a round of retesting.
Linking vulnerabilities does not duplicate/clone the vulnerability, therefore your dashboards and analytics will be preserved.
Also, when vulnerabilities are linked, any change to the vulnerability, for example setting it to Closed, applies to every project it is linked to.
This makes it easy to fix it in one place and have the result propagate everywhere.
However, if you intend to create a clone of a vulnerability, you can do that using the duplicate vulnerability feature instead.
Configure your table preferences for test cases
You can now set your table preferences for when viewing test cases on a project.
This includes ability to configure:
Default page size
Default sort column
Default sort order
Which columns to display (including custom fields), and in which order
Specify delimiters for Affected Endpoints during vulnerability creation
You can now specify which delimiters you want to use on your Affected Endpoints when creating a new vulnerability.
This is useful if your list is delimited by something other than commas, semicolons or line breaks. It is also URL-friendly: switch the semicolon delimiter off and endpoints which legitimately contain a semicolon (for example a ;jsessionid= path parameter) are no longer split apart.
AttackForge will also now show you how many vulnerabilities are going to be created based on your Asset and Affected Endpoint selections.
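As an added illustration (not part of these release notes or AttackForge's own code), the Python below shows what the delimiter setting does to a pasted endpoint list: with the semicolon delimiter enabled, a URL carrying a ;jsessionid= path parameter is cut in two; with it disabled, the URL survives intact. The input is constructed, and the helper that flags suspicious fragments is a local sanity check of my own, not something the product does.

```python
import re

# Delimiter characters behind the three built-in options. Which ones are
# enabled is the user's choice at vulnerability-creation time.
COMMA, SEMICOLON, NEWLINE = ",", ";", "\n"
DEFAULT_DELIMITERS = COMMA + SEMICOLON + NEWLINE


def split_affected_endpoints(text: str, delimiters: str = DEFAULT_DELIMITERS):
    """Split pasted Affected Endpoints on the enabled delimiter characters only.
    Entries are trimmed, empties dropped and duplicates removed (first-seen
    order), so len(result) is the number of distinct endpoints."""
    parts, buf = [], []
    for ch in text:
        if ch in delimiters:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    seen, endpoints = set(), []
    for part in parts:
        part = part.strip()  # also drops the stray \r left by CRLF input
        if part and part not in seen:
            seen.add(part)
            endpoints.append(part)
    return endpoints


def suspicious_fragments(endpoints):
    """Entries with no dot, slash or colon are usually the tail of a URL that
    was cut at a delimiter it legitimately contained (e.g. ';jsessionid=')."""
    return [e for e in endpoints if not re.search(r"[./:]", e)]


# Constructed input: a URL with a semicolon path parameter, a duplicate entry,
# and mixed comma / CRLF separators.
SAMPLE_INPUT = ("https://app.example.com/login;jsessionid=ABC123, "
                "https://app.example.com/api/v1/users\r\n"
                "https://app.example.com/api/v1/users")
```

Run split_affected_endpoints(SAMPLE_INPUT) with the default delimiters and the jsessionid fragment shows up as its own "endpoint"; pass COMMA + NEWLINE instead and the URL is kept whole.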
Preserve tags when importing vulnerabilities
You can now opt-into preserving the tags on your vulnerabilities when using the import vulnerabilities feature.
This is different to the standard behaviour which inherits the tags from the writeup it is matched with during import.
This is useful if your vulnerabilities have unique tags which you need to preserve.
This option can be enabled in the import parameters section, prior to importing.
Updated Qualys parser to support new web application scan xml format
We have updated Qualys parser to include support for the new Web Application Scan XML format.
Duplicate vulnerabilities including its asset
When you duplicate a vulnerability, you no longer need to specify the asset.
This makes it easy to select a set of vulnerabilities and create exact clones of them.
You can then re-assign them to other projects if needed, or adjust them using bulk actions.
Toggle vulnerability id in table columns
When viewing vulnerabilities in tables, you can now click on the View System Id button to see the system id for each vulnerability.
You can then toggle it back to view the custom id.
Toggle datetime for SLA and remediation plan table columns
When viewing vulnerabilities in tables, you can now click on the View Date button to switch the view from a countdown (e.g. 5 days) to an actual date.
User Experience Improvements
Self-Service APIs are now grouped and include a search bar.
We have now grouped all Self-Service APIs to make them easy to categorize, and also included a search bar to make it easy to find particular APIs.
Renaming images will automatically update your proof of concept
Now when you rename an image you have uploaded to your vulnerabilities, AttackForge will automatically update your proof of concept for you, saving you the hassle of having to manually change that to reflect the new image name.
Importing vulnerabilities is now filterable by tags
When you import vulnerabilities, you can now filter your selection down using tags.
This is useful for selecting certain vulnerabilities only, for example only exploitable vulnerabilities based on properties in the tags; or only patching or operating system related vulnerabilities.
Hide expressions are now fully documented
We have now updated the documentation on our Support Centre to include full mappings for hide expressions, and examples for each data type and system field.
This makes it easier to create custom logic to hide your form fields, and only show them when the logic conditions are met.
For more information, please visit https://support.attackforge.com/attackforge-enterprise/getting-started/custom-fields-and-forms#hide-expressions-conditions
Improved modal and error handling for JIRA exports
We have updated the user experience when exporting vulnerabilities from a project into your JIRA project.
Now it will preserve your data in case there are any errors, so you can make quick changes. We have also improved the error handling and provided a new look form.
Informational vulnerabilities now included on project dashboard
The project dashboard will now include informational vulnerabilities by default.
You can also opt to switch this off so they are not displayed, in case there are too many informational vulnerabilities on the project.
Vulnerability created event now shows in revision history
When a new vulnerability is created, the event is now registered in the revision history.
Updates to Self-Service API
In this release, we have improved our Self-Service REST APIs to provide more flexibility and options when interacting with AttackForge.
Updated all applicable REST endpoints to support various custom field types
We have updated all relevant APIs to now support string arrays and arrays of objects for custom fields.
This makes it possible to import data in various formats, for example:
Strings
Strings are used to store data for Input fields, Text Area fields, Date-picker fields, Select fields and Rich-Text fields
String Array (string[])
String Arrays are used to store data for Multi-Select fields, User fields and Group fields
Array of Objects
Array of Objects are used to store data in tabular format for Table fields.
Custom fields do not need to be configured in the administration settings in order to be created or updated via the APIs.
However, if the custom field Key matches one that is already defined in the admin settings, it will be automatically typed to that setting when presented in the user interface.
For full details on what is supported, with examples, please visit https://support.attackforge.com/attackforge-enterprise/getting-started/custom-fields-and-forms#using-custom-fields-with-apis
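To make the type and shape rules above concrete, here is an added pre-flight check (example code, not the AttackForge API or a client it ships) that validates a custom_fields payload against the field types an administrator has defined before the payload is sent. The field names and types are constructed, and the {"name": ..., "value": ...} entry shape is an assumption taken from the custom_fields.name / custom_fields.value paths used in the query examples elsewhere in these notes; check the linked documentation for the exact wire format.

```python
# Custom field definitions as an administrator might configure them
# (constructed assumption; the names and types are illustrative only).
FIELD_TYPES = {
    "NessusID": "Input",
    "Retest Date": "Date-picker",
    "Impact Notes": "Rich-Text",
    "Affected Components": "Multi-Select",
    "Peer Reviewer": "User",
    "Fix Team": "Group",
    "Firewall Rules": "Table",
}

# Wire shape per field type, as listed in the release notes above.
EXPECTED_SHAPE = {
    "Input": "string", "Text Area": "string", "Date-picker": "string",
    "Select": "string", "Rich-Text": "string",
    "Multi-Select": "string[]", "User": "string[]", "Group": "string[]",
    "Table": "object[]",
}


def shape_of(value):
    """Classify a payload value as string, string[], object[], empty[] or unknown."""
    if isinstance(value, str):
        return "string"
    if isinstance(value, list):
        if not value:
            return "empty[]"
        if all(isinstance(v, str) for v in value):
            return "string[]"
        if all(isinstance(v, dict) for v in value):
            return "object[]"
    return "unknown"


def validate_custom_fields(fields, field_types=FIELD_TYPES):
    """Check a custom_fields payload ([{"name": ..., "value": ...}, ...]).
    Returns (errors, warnings); only send the payload when errors is empty.
    The name/value entry shape is an assumption (see lead-in)."""
    errors, warnings, seen = [], [], set()
    for field in fields:
        name, value = field.get("name"), field.get("value")
        if not name:
            errors.append("custom field entry without a name")
            continue
        if name in seen:
            errors.append(f"{name}: listed more than once")
        seen.add(name)
        ftype = field_types.get(name)
        if ftype is None:
            # Accepted by the API, but shown untyped in the UI until an admin
            # defines a field with this key.
            warnings.append(f"{name}: not defined in admin settings")
            continue
        expected, got = EXPECTED_SHAPE[ftype], shape_of(value)
        if got != expected and not (got == "empty[]" and expected.endswith("[]")):
            errors.append(f"{name}: {ftype} expects {expected}, got {got}")
        elif expected == "object[]":
            # Table rows must all carry the same columns to render as a table.
            columns = set(value[0]) if value else set()
            if any(set(row) != columns for row in value):
                errors.append(f"{name}: table rows do not share the same columns")
    return errors, warnings
```

A typical slip the check catches is sending a scanner plugin ID as a number instead of a string, or a comma-joined string where a Multi-Select expects a string array; both would otherwise reach the API as the wrong type.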
Import historical vulnerabilities
We have updated the following APIs to support the ability to provide a created parameter, which overrides the default created timestamp.
Create Vulnerability
Create Vulnerability Bulk
Create Vulnerability With Library
This allows you to set the date and time when a vulnerability was created, which is useful if importing historical vulnerabilities.
Advanced query filtering support for REST endpoint: Get Vulnerability Library Writeups
We have added support for advanced query filtering to the REST endpoint: Get Vulnerability Library Writeups
Advanced query filtering is used to select the exact data set you would like the API to return. The filter works like a database query, where you can specify fields & operators - these help to narrow down the results to the data you would need. This filter is only supported for selected API endpoints. Please check the documentation for each endpoint for more details.
For example, you can use this filter to return:
Writeups with title SQL Injection:
curl -G 'https://YOURAFTENANT/api/ss/library' \
  --data-urlencode 'q={title: { $eq: "SQL Injection" }}' \
  -H 'X-SSAPI-KEY: ***'
Writeups with the tag pluginID:53360:
curl -G 'https://YOURAFTENANT/api/ss/library' \
  --data-urlencode 'q={tags: { $in: "pluginID:53360" }}' \
  -H 'X-SSAPI-KEY: ***'
Writeups with the custom field NessusID and value 53360:
curl -G 'https://YOURAFTENANT/api/ss/library' \
  --data-urlencode 'q={custom_fields.name: { $eq: "NessusID" }, custom_fields.value: { $eq: "53360" }}' \
  -H 'X-SSAPI-KEY: ***'
The query filter supports the following operators:
And
Or
Equals
Not Equals
In
Not In
Greater Than
Greater Than or Equals
Less Than
Less Than or Equals
Regular Expression
The query filter also supports datetime function, which allows you to modify the time and date to suit your query requirements.
For example, you could ask it to show you all writeups in past 24 hours or past 7 days.
For more information on how advanced query filtering works, please visit https://support.attackforge.com/attackforge-enterprise/modules/self-service-restful-api/advanced-query-filter
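The following is an added example, not code from AttackForge or from these notes. It builds the exact URL the curl commands above request and applies the same filters locally to a constructed set of writeups, so you can see what each operator selects before running it against a tenant. Only $eq and $in appear on this page; the other operator spellings ($ne, $nin, $gt, $gte, $lt, $lte, $regex, $and, $or) are assumed from the MongoDB-style syntax of the examples, and array matching follows MongoDB's per-element rule, which is an assumption about the backend. One consequence worth knowing: the two-clause custom field query also matches a writeup where NessusID and 53360 sit in two different custom fields. The same operator set applies to the vulnerability endpoints covered under the 2023-01-23 notes further down.

```python
import json
import re
from urllib.parse import quote, urlencode

# Constructed sample writeups (not real AttackForge data). Custom fields are
# modelled as {"name": ..., "value": ...} objects so that the dotted paths
# custom_fields.name / custom_fields.value from the curl examples resolve.
SAMPLE_WRITEUPS = [
    {"title": "SQL Injection", "tags": ["owasp:A03", "pluginID:53360"],
     "custom_fields": [{"name": "NessusID", "value": "53360"}]},
    {"title": "Reflected XSS", "tags": ["owasp:A03", "pluginID:10002"],
     "custom_fields": [{"name": "NessusID", "value": "10002"}]},
    {"title": "Weak TLS Configuration", "tags": ["pluginID:53360"],
     "custom_fields": []},
    {"title": "Outdated Apache", "tags": [],
     "custom_fields": [{"name": "NessusID", "value": "11111"},
                       {"name": "CVE", "value": "53360"}]},
]

# The examples write keys unquoted ({title: {$eq: ...}}), which json.loads
# rejects; quote bare keys (dotted and $-prefixed ones included) first.
_BARE_KEY = re.compile(r'([{,]\s*)([A-Za-z_$][\w$.]*)(\s*:)')


def parse_filter(q: str) -> dict:
    return json.loads(_BARE_KEY.sub(r'\1"\2"\3', q))


def encode_query(tenant_base_url: str, q: str) -> str:
    """URL that curl -G --data-urlencode 'q=...' requests (nothing is fetched)."""
    return (tenant_base_url.rstrip("/") + "/api/ss/library?"
            + urlencode({"q": q}, quote_via=quote))


def _resolve(doc, path):
    """Resolve a dotted path, expanding arrays per element on the way, so
    custom_fields.value yields the value of every custom field."""
    current = [doc]
    for part in path.split("."):
        nxt = []
        for item in current:
            for sub in (item if isinstance(item, list) else [item]):
                if isinstance(sub, dict) and part in sub:
                    nxt.append(sub[part])
        current = nxt
    leaves = []
    for v in current:
        leaves.extend(v if isinstance(v, list) else [v])
    return leaves


def _ordered(fn):
    def compare(v, a):
        try:
            return fn(v, a)
        except TypeError:  # e.g. a string compared with a number
            return False
    return compare


# Only $eq and $in appear in the release notes; the rest are assumed spellings.
_OPS = {
    "$eq": lambda v, a: v == a,
    "$ne": lambda v, a: v != a,
    "$in": lambda v, a: v in (a if isinstance(a, list) else [a]),
    "$nin": lambda v, a: v not in (a if isinstance(a, list) else [a]),
    "$gt": _ordered(lambda v, a: v > a),
    "$gte": _ordered(lambda v, a: v >= a),
    "$lt": _ordered(lambda v, a: v < a),
    "$lte": _ordered(lambda v, a: v <= a),
    "$regex": lambda v, a: isinstance(v, str) and re.search(a, v) is not None,
}
_NEGATED = {"$ne", "$nin"}


def _match_field(doc, path, cond):
    values = _resolve(doc, path)
    if not isinstance(cond, dict):  # {field: value} shorthand means $eq
        cond = {"$eq": cond}
    for op, arg in cond.items():
        if op not in _OPS:
            raise ValueError(f"unsupported operator {op}")
        hits = [_OPS[op](v, arg) for v in values]
        # Negated operators must hold for every candidate value (vacuously
        # true if the field is absent); the others need one matching value.
        if not (all(hits) if op in _NEGATED else any(hits)):
            return False
    return True


def matches(doc, flt):
    for key, cond in flt.items():
        if key == "$and":
            ok = all(matches(doc, sub) for sub in cond)
        elif key == "$or":
            ok = any(matches(doc, sub) for sub in cond)
        else:
            ok = _match_field(doc, key, cond)
        if not ok:
            return False
    return True


def query(q: str, docs=SAMPLE_WRITEUPS):
    """Apply a filter string locally; return the titles of matching writeups."""
    flt = parse_filter(q)
    return [d["title"] for d in docs if matches(d, flt)]
```

If your tenant returns a writeup you did not expect from a two-field custom_fields query, the per-element behaviour is the first thing to check; filtering on one field and post-filtering the rest in the client avoids it. The bare-key quoting in parse_filter exists only so the page's examples parse locally; the filter string is sent to the API exactly as written.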
Update to Get Groups REST endpoint: added option for all groups
By default this endpoint returns the groups the calling user belongs to. Admin users can now pass an option to return all groups instead.
Update to Get Project Report REST endpoint: exclude binaries
We have updated this endpoint to have an option to exclude binaries from the response, for example data related to evidence files for vulnerabilities.
This is useful for integrations where the evidence data is not needed.
2023-01-23
Introducing AttackForge Version 2!
AttackForge Version 2 is now generally available for Enterprise and Core customers!
AttackForge Version 2 sets an even higher benchmark for Pentest Management Platforms; further improving the way security and engineering teams, service providers, and customers interact and collaborate with each other on pentesting projects and programs.
We have redesigned the user interface to make it simpler to perform daily tasks, whilst providing more flexibility when you need it.
We have also made significant improvements to address feedback from customers over the years.
Some of the changes to AttackForge includes:
Overall improvements to efficiency of daily workflows for pentesters, security managers, engineering and application teams.
Redesigned user interface to make it faster and easier to perform many tasks, as well as addressed many previously reported limitations in version 1 interface.
Lays the framework for many of the future roadmap enhancements we have planned for AttackForge.
Reduced the number of screens and clicks required to perform many workflows.
Performance improvements when using the application.
Analytics has been improved to provide more information and comparison options.
Portfolios has been redesigned to make it easier to track and analyze different portfolios and streams.
Projects have been overhauled to have new dashboards; easy-to-access options; new quick actions; modals for easy data entry and access to data.
New Vulnerabilities module, providing greater insights into your vulnerabilities.
Administration has been redesigned to make it easier to apply configuration options.
Self-service API documentation is now Open API v3 compliant, including more API reference documentation inside the application.
More options in more places i.e., you can archive/clone projects from multiple areas, download reports from multiple areas, etc.
Addressed feedback on wording and terminology to make user interface more consistent.
New user interface components for rich-text editors, tables, dashboards, menus, forms, etc.
And much more!..
New Project Dashboard
New Portfolios
New Analytics
Our Support Centre has been updated for version 2.
You can find more information at https://support.attackforge.com/attackforge-enterprise/getting-started
ReportGen v2.5
We have just released version 2.5 for AttackForge ReportGen: The ultimate pentest reporting tool!
This release includes six (6) new filters; three (3) new functions; and updates to existing filters.
New Filter: Resize
You can use this new filter to resize images. It works by setting a max-width value in pixels. The height will be automatically adjusted to match the same ratio.
Example resizing images in Steps to Reproduce (Proof of Concept) to 300 pixels wide:
New Filter: Replace
You can use this new filter to replace data.
For example, say you had some assets that looked like this: https://application.com
And you wanted to remove the https:// part, so it appears as follows: application.com
You could do the following:
New Filter: ReplaceRegExp
You can use this new filter with a regular expression to replace data.
For example, say you had some assets that looked like this: https://application.com?query=1
And you wanted to remove the ?query=1 part so it appears as follows: https://application.com
You could do the following:
New Filter: Split
You can use this new filter to split data based on a separator - and return a list of items.
For example, assuming you have tags in this format: tag1:value
And you only want to show the right-hand-side (value), you could do the following:
This example makes use of this filter to split the tag based on colon (:) as the separator. It also uses functions as a way to instruct the logic to skip over the first iteration of the loop (tag1) and then print everything after that (value).
New Filter: SplitRegExp
You can use this new filter to split data based on a Regular Expression separator - and return a list of items.
For example, if you wanted to only display the 1st paragraph of the vulnerability description, you could do the following:
New Filter: Trim
You can use this new filter to trim the whitespace before and after a tag as follows:
Updates to Filters: Includes & Excludes
We have updated the Includes and Excludes filters to include support for Scope and Variables.
Includes Scope Example:
Includes Variables Example:
New Function: $includes
You can use the new $includes function to check if a value exists or does not exist (excludes) within a variable.
To check if data exists:
{#$includes[variable][value]}{/}
To check if data does not exist (excludes):
{^$includes[variable][value]}{/}
The following example creates a unique list of affected asset names, then prints the list.
New Function: $append
You can use the new $append function to append data to an existing variable.
{$append[variable][value]}
Example below will create a new variable, then append the vulnerability title to it.
New Function: $sort
You can use the new $sort function to sort the data within a variable.
To observe the variables available for sorting - use the $help function.
Example 1: Sort a List
Example 2: Single-Key Sort
Example 3: Multi-Key Sort
New Functionality
Customers/Engineers can set vulnerabilities to Not Ready for Retesting
Sometimes vulnerabilities are assigned for retesting, only to discover that engineers have jumped the gun and further adjustments might be needed before they are retested.
Customers/Engineers can now reassign vulnerabilities as Not Ready for Retesting in such cases.
Customers/Engineers can bulk assign vulnerabilities to Ready for Retest & Not Ready for Retest
Assignment of vulnerabilities as Ready for Retesting and Not Ready for Retesting can now be applied in bulk by customers.
Hide Conditions now supported on all Project Request system fields
The project request form is an integral part of the pentest project lifecycle. It is the important first step of the process, where customers can request a new project or assessment.
We have now made it possible to add hide conditions against the system fields.
This means you can extend the logic of your project request form to customise when and how the system fields are displayed during a new project request.
This provides more personalisation and better user experience for your customers.
Ability to disable every Project Request system field
Following on from the enhancement above, we have taken this one step further: you can now disable all system fields in the project request form, if desired.
This allows you to create a fully custom project request form, tailored to your needs, without any implicit fields for your customers to complete.
Updates to Self-Service API
In this release, we have improved our Self-Service REST APIs to provide more flexibility and options when interacting with AttackForge.
New REST endpoint: CloneProject
This endpoint can be used to clone an existing project. This is an effective way to:
Prepare for a new round of testing
Track vulnerabilities for specific assets across projects
Focus retesting on open vulnerabilities
When cloning a project, the new project will get access to:
Project settings, which can be adjusted for the new project - this includes name, codes, test suites, scope, email templates, portfolios, custom fields & project team
Project workspace, including all notes & files previously uploaded / created (OPTIONAL)
Project notes previously created (excluding private notes) (OPTIONAL)
Executive summary, including uploaded files (OPTIONAL)
You can also select which vulnerabilities (if any) you would like to carry forward into the new project. This is useful for performing a retest on existing vulnerabilities, as part of the new round of testing.
For full details on how to use this endpoint, please visit https://support.attackforge.com/attackforge-enterprise/modules/self-service-restful-api/cloneproject
Advanced Query Filtering Support
We have added support for advanced query filtering for REST endpoints: GetVulnerabilities, GetProjectVulnerabilities, GetVulnerabilitiesByAssetName, GetVulnerabilitiesByGroup
Advanced query filtering is used to select the exact data set you would like the API to return. The filter works like a database query, where you can specify fields & operators - these help to narrow down the results to the data you would need. This filter is only supported for selected API endpoints. Please check the documentation for each endpoint for more details.
For example, you can use this filter to return:
Critical or High vulnerabilities only:
Open Critical or Open High vulnerabilities only:
Critical or High Ready for Retest vulnerabilities only:
Critical or High vulnerabilities discovered in past 24 hours:
The query filter supports the following operators:
And
Or
Equals
Not Equals
In
Not In
Greater Than
Greater Than or Equals
Less Than
Less Than or Equals
Regular Expression
The query filter also supports datetime function, which allows you to modify the time and date to suit your query requirements.
For example, you could ask it to show you all vulnerabilities in past 24 hours or past 7 days; or filter all vulnerabilities with SLA expiring in next 24 hours or next 7 days.
For more information on how advanced query filtering works, please visit https://support.attackforge.com/attackforge-enterprise/modules/self-service-restful-api/advanced-query-filter
Query projects by asset(s) tested/in-scope
We have added support for querying projects by specific asset(s) which were in-scope for testing, for REST endpoint: GetProjects
This is useful if you need to perform analysis on which projects a given asset was tested, or if it has not yet been tested.
The filter supports:
exact name match
partial name match
case sensitive match
case insensitive match
single asset
multiple assets
any combination of the above
For more information, please visit https://support.attackforge.com/attackforge-enterprise/modules/self-service-restful-api/getprojects