How long did it take you to create your last pentest report? Days? Hours? Sounds like too much effort for something that should be 80% automated!
Lets see how you can use Dradis Pro and VulnDB HQ to create a pentest report in minutes.
Tracking progress with Dradis Pro
Everybody tracks progress and makes notes while conducting an assessment. However, using Dradis Pro has a few advantages over other methods (e.g notepad).
First you can use testing methodologies to define the steps you need to cover and track your progress:
Of course this is useful both when you’re working alone and when you’re part of team to ensure there is no overlapping.
If everyone is adding their findings to Dradis Pro’s shared repository, generating the report is one click away (keep reading!).
Adding a few findings from your VulnDB account
Say that today is your lucky day, LDAP injection on the login form! You don’t think this is in your private VulnDB HQ repository but search anyway:
Well, it was not in your private repository, but there is an LDAP injection entry in VulnDB HQ’s Public repository that you can use as a baseline. You import it.
You continue with you hack-fu, find a bunch of issues: cross-site scripting, some SQL injection, Axis2 testing servlet, header injection and a few SSL issues. For each of these, you spend 30 seconds searching VulnDB HQ, importing the issue to your project and tweaking the particulars.
Assign everything to the AdvancedWordExport ready category, and you’re done. Fairly painless, no?
And if Dradis is not your cup of tea (?!) you could always connect your VulnDB HQ account to your own tools using our RESTful API (or the convenient vulndbhq Ruby gem).
Report template
Now, the report. We want a high-quality Word 2010 document that we can easily edit and adapt as time passes.
I won’t get into the nitty-gritty details of template building here (there is a Creating Word reports with DradisReports guide in our support site with step-by-step instructions).
We will use a fairly simple approach, I’ve created a template based of one of Word’s default styles (Home > Styles > Change Style > Formal). Just add the headings you need and a few Content Controls. Here is what ours look like:
It starts with a table with some information about the project (name, client, dates, team, etc.).
Then the Exec Summary with a Conclusions section (sorry, you’ll have to adjust this with your own conclusions!) and a Summary of Findings list which will contain just the Title of each finding.
Then a Technical Details section that contains issue descriptions for each of the vulnerabilities we’ve identified during the report.
Note that you only have to create the template the first time, and then reuse it for every project. The template you see above took me about 10 minutes to create.
One last thing: the properties
Yes, we could add the project specifics like the client name and dates and everything else by hand. However, chances are that your report template is a bit more complex than the one in this example and that you’ll have your client’s name in multiple places and that some of the other information will also be repeated.
Thankfully we can define document properties from within Dradis Pro (see the DradisReports: using custom document properties guide for more information):
There you go. Now we can re-export and voila, the report is complete:
- Total reporting time: 1 click.
- Overhead during the test for importing issues from your VulnDB HQ account: ~30 seconds each?
We rest our case.
Would you like to know more?
We recommend you start with:
