Every week, a Dradis user somewhere is thinking: “Damn, it would be nice if I could get my screenshots in the Word report”. The problem has been discussed in the forum and the mailing list before, it is quite simple actually, we need a way to get our screenshots (stored in Dradis as attachments) into the final report.

Up until now I though that any solution to the problem would go through several layers of Word and WordML magic, packing and base64-encoding of the images, however, last week I realised that a simpler solution may exist. We are going to use a Word macro to do the heavy lifting.

The first thing we need is to upload our screenshot as an attachment in Dradis:

Then we need to include a reference to it in the text of our note. To do this, just double-click on the uploaded attachment and copy the URL assigned to it:

Note that in Textile (the markup language understood by Dradis) images are referenced by their URL between exclamation marks (!!). Make sure that the preview panel renders the image correctly. Otherwise review the URL:

(By the way, the screenshot is of the first entry from Google when searching for “Index of”)

So, the last thing we need to do is to assign this note to the WordExport ready category and generate our Word report (export > Word export > Generate report):

And here comes the magic. I have created a Word macro (DradisScreenshot) that parses your document, searches for !! and pulls the corresponding images from your Dradis server.

I’m working on a separate post describing the inner workings of the macro, including for instance why I could use a simpler approach (e.g. ) [hint, bad SSL cert + HTTP authentication]. In the mean time, you can just grab the code from GitHub: etdsoft/dradis-macros and start using it.

The result:

I’ve also added this as an icon in my “Quick Access Toolbar”:

Hope you find this quick tip useful. The code of the macro is sparsely documented but it should do the trick. Remember to assign the temporary directory and if you find any issues, please report them in the issue tracker.

TL; DR;

1. Grab the Word macro from GitHub: etdsoft/dradis-macros
2. Enjoy

Update May/26: An updated installer has been published that fixes the issue described below and is available through the download page.

The Dradis 2.7.1 Windows package (dradis-v2.7.1-setup.exe) that we released yesterday contains a typo in in one of the batch files: server.bat.

If you try to run the file directly or through the Start menu start server icon, you will get an error message:

Windows cannot find ‘blundler’. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

In order to fix this open the file in an editor (go to the Start menu icon, right click > Edit) and adjust it to:


@echo off

::If the script doesn't work, uncomment and adjust the following:
set PATH=c:\Ruby187\bin;%PATH%
set RAILS_ENV=production
set BASE=%~dp0
cd %BASE%\server\

start "Dradis Framework Server (Ctrl+C to terminate)" bundle exec rails server webrick


Thanks to Doug Ipperciel for bringing this to our attention.

5 comments:

1. Unknown said,its not working on my windows 8 version
   ON 16 DECEMBER 2012 AT 15:38
   
2. Unknown said,my message says
   
   bundle
   windows cannot find ‘bundle’.Make sure you typed the name correctly and then try againON 16 DECEMBER 2012 AT 15:41
   
3. Unknown said,hey got it to work thanks my bad i install it on xp very simple then 7 then 8 pretty goodON 16 DECEMBER 2012 AT 17:20
   
4. Anonymous said,not working on v 2.9 yetON 26 SEPTEMBER 2015 AT 04:36
   
5. Unknown said,It works. Thank you for sharing. If you have problems with dll files, look there http://fix4dll.com/mfc110u_dll. I had a problem with it, do not run the program’s. After fixes dll files, everything worked. Good luck.ON 2 JUNE 2016 AT 15:40

This bug-fixing release features:

• Several closed issues: #3, #4, #6, #7, #8 and #10.
• A cleaner, leaner note editor:

And all the goodness introduced in 2.7.0:

• Improved command line API with Thor (thor -T to view all commands)
• New Configuration Manager to handle all plugin config settings
• New Upload Manager that runs uploads in the background and updates the interface through Ajax
• New plugins:
  
  • Metasploit import
  • NeXpose (.xml) upload
  • OpenVAS (.xml) upload
  • SureCheck (.sc) upload
  • w3af (.xml) upload
  • Web Exploitation Framework (wXf) upload
• Updated plugins:
  
  • Nessus plugin supports .nessus v2
  • Vuln::DB import updated to support the latest release
• Bugs fixed: #2888332, #2973256
• Update Rails to 3.0.6

download now

This week we are releasing Dradis Framework 2.7.1 which closes several bugs and brings a new note editor.

If you’re new to Dradis or upgrading from an older (2.6.x, 2.5.x…) release, go ahead and download the full package from the downloads page.

However, if you already have a working install of Dradis 2.7.0 maybe you don’t want to run the Windows installer again, or wait until your distro prepares an updated version of the package (did you know that BackTrack 5 shipped with Dradis 2.7.0?). Here is how to get the latest 2.7.1 code up and running.

Go to your install location:

In Windows:

c:\> cd %APPDATA%\dradis-2.7


In BackTrack:

# cd /pentest/misc/dradis


Backup the old server folder:

# mv server 2.7.0-server


Now you have a decision to make: upgrade to 2.7.1 or clone the Dradis repository so you can upgrade to 2.7.1 but also to any forthcoming releases (recommended)

Upgrading to 2.7.1

Download and uncompress the tarball for Dradis server 2.7.1 from GitHub:

https://github.com/dradis/dradisframework/tarball/REL-2.7.1

Uncompress in the drads-2.7 folder renaming the extracted directory to just server.

Using git repository for easy upgrading

From the current folder, clone Dradis git repository and point it to the latest release:


# git clone https://github.com/dradis/dradisframework.git server
# cd server
# git checkout -b REL-2.7.1 REL-2.7.1
# cd ..


Reset the environment and run the server


# ./reset.sh
# ./start.sh


If everything goes according to plan, you can now access Dradis on https://localhost:3004/ and in the top-right corner the version number will be 2.7.1.

A couple of weeks ago, BackTrack 5 was released and it shipped with Dradis 2.7 out of the box. You can find your Dradis install in:


/pentest/misc/dradis


Run ./reset.sh to prepare the environment and ./start.sh to start the Dradis server.

Kudos to the BT team.

After a few days of testing, your Notes view can become a bit cluttered. Although we are already discussing how to fix this for future releases in this blog post we will see what can be done about it.

So image that you currently have something like this:

It is difficult to make some sense out of that mess. It would be nice if we could filter the Text shown for each issue and display just the Title field:

We are going to do this using a renderer function for our Text column. Fire up your editor and open


./server/public/javascripts/dx/dradis.notes.NotesBrowserPanel.js


At around line#170, replace the existing renderer line with the following function:

	// ./server/public/javascripts/dx/dradis.notes.NotesBrowserPanel.js
	// […]
	columns: [
	{
	id:’text’,
	header: ‘Text’,
	width: 180,
	sortable: true,
	dataIndex: ‘text’,
	//renderer: Ext.util.Format.htmlEncode
	renderer: function(value, metaData, record, rowIndex, colIndex, store) {
	var re = /#\[Title\]#/;
	if (re.test(value))
	{
	value = value.substring(9, value.indexOf(“#”, 10)) + ” [more…]”;
	}
	return Ext.util.Format.htmlEncode(value);
	}
	},
	{
	header: ‘Category’,
	width: 40,
	sortable: true,
	dataIndex: ‘category_id’,
	scope: this.categories,
	renderer: this.categoryRenderer,
	editor: this.categories.editor()
	},
	// […]

view rawgistfile1.js hosted with ❤ by GitHub

What the new renderer does is look for notes that have a #[Title]# field defined and then extract the value of that title. Feel free to adjust the regular expression / extraction code to suit your needs.

After making the change, you need to delete the JavaScript bundle (autogenerated) and reload your browser:

$ rm ./server/public/javascripts/all.js


That’s it, nice an easy. Now we have a much cleaner notes grid.