Author Archives: Tabatha DiDomenico

New in Dradis Pro v3.12

Leave a reply

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Instance Notifications

All notifications now display at the instance level so you don’t have to open each project to see notifications. These Dradis instance-wide notifications include notifications from updates in Remediation Tracker tickets too.

Accessibility Improvements

Dradis font and element contrast are adjusted to meet Level AA WCAG 2.0 standards. Also, screen reader and alt-text are added and a few broken Aria references and missing labels are fixed. All of these improvements make Dradis easier for everyone to use.

Emojis 🥳

We 💖 love emojis on the Security Roots team and use them all the time working together. 😤 It was frustrating that we couldn’t use them in Dradis, so we added them 🎉! Now you can use emojis in any input field of Dradis to express yourself or within projects details for additional context. 😎

ServiceNow Integration

Create a ServiceNow Vulnerable Item from a Dradis Issue in a few clicks. The new ServiceNow integration allows the owner of the system to receive critical finding details so they can handle remediation outside of Dradis.

Release Notes

  • Add avatar and user’s name to project navbar
  • Comments:
    • Load feed asynchronously
  • Configuration Kits
  • Emojis! Update the database collation to allow emojis
  • Improve accessibility:
    • Add alt text to any linked images
    • Add screen reader only text to forms
    • Adjustments to font and element contrast to meet at minimum Level AA WCAG 2.0 standards
    • Fix any broken Aria references
    • Update element label association & add missing labels
  • Mintcreek notifications:
    • Add notifications dropdown in mintcreek navbar
    • Add project and plugin notifications in the view
    • Authors and contributors will now be notified when assigned a project
  • Replace deprecated font-awesome-sass gem with vendor asset files
  • Rule Engine: include rule name in upload console
  • Subscriptions:
    • Load feed asynchronously
  • Truncate long hostnames when viewing evidence in an issue
  • Upgraded gems:
    • Rails
  • Bugs fixed:
    • Fix attachments base64 encoding for filenames with symbols
    • Placeholder gravatars appear if gravatar is not available
    • SMTP file will take configuration precedence again
    • Update the HelpScout beacon in the instance admin
  • Integration enhancements:
    • Remediation Tracker:
      • Add activity and comment feed
      • Users can now be subscribed to tickets
  • Reporting enhancements:
    • Fix exporting formatting in content controls without Crazy Triangles
    • Fix exporting captions with non-alpha characters
    • Fix URLs breaking textile table formatting

Not using Dradis Pro on your team?

New in Dradis Pro v3.11

Leave a reply

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

JIRA Sync

Details added to JIRA tickets will now sync back to Dradis Issues and Remediation Tracker tickets making it easier to keep all of the project details together to speed up remediation tasks.

Ruby 2.7.2 and Rails 6.1.1

Sometimes we have to roll up our sleeves and take care of the less flashy bits of development. In this version, it was due time to update Ruby, Rails, and a handful of other gems. There won’t be a noticeable difference on your side but this sets up the team to make future improvements.

Improved Caching

When the projects listing or Issue Library contained thousands of entries, it became slow to load and in some cases wouldn’t load at all. This update improves caching to make it much faster to load those long lists.

Release Notes

  • Upgraded DradisPro to run on Ruby 2.7.2 and Rails 6.1.1
  • Add view hooks for the export view
  • Increase secondary sidebar width for medium viewports
  • Projects page: Add caching to speed up slow loading when thousands of projects are present
  • Upgraded gems: bundler, papertrail, rails
  • Bugs fixed:
    • Correct position of sticky editor toolbar in fullscreen source view
  • Integration enhancements:
    • Integrate JIRA ticket/status details into Remediation Tracker
    • IssueLib: Add caching to speed up the issuelib table when thousands of entries are present
    • Add remote JIRA Comments to Issues#show and Tickets#show
  • Security Fixes:
    • Medium: Authenticated (admin) persistent cross-site scripting in Business Intelligence Custom Properties search

Not using Dradis Pro on your team?

New in Dradis Pro v3.10

Leave a reply

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

User on, User off

Users can be toggled between disabled and re-enabled. Disabled users cannot access the app, aren’t available to mention in comments, and will not receive notifications. Content from disabled users won’t be deleted and they will need to be re-enabled before modifying any permissions.

Bye for now, Bones

Word Report Export Tune-Up

Bunches of things happen under the hood in Dradis when you are kicked back waiting for the magic to happen to generate a Word report. Some of those inner workings got a tune-up to get Dradis in a better position for future improvements in this version. Imagine how excited we were when we saw some small performance gains as a byproduct of this refactor!

Fancy Output Logs

Export log files are not only fancier looking, but the updated formatting makes them much easier to review. Indents indicate nested items and coloured lines of text are a snap to scan to keep an eye out for any problems and when items finish successfully.

So Fancy!

Change Project Owner

“Change is inevitable” and now, you can change project owners in Dradis. Project owners can be updated in both the web app on the “People on the Project” and through a new API endpoint.

Spock is the project’s new owner

Release Notes

  • Disabled users enhancement
    • Allow admins to disable and re-enable users and contributors
    • Removed disabled users from comment mentions list
    • Stop disabled users from receiving notifications
  • Main sidebar improvements:
    • Labels added under icons
    • Removed animations and transitions while expanding and collapsing
  • Migrate bootstrap to v4
  • Navbar dropdown menu’s are no longer locked to the right side of the browser
  • New item menu in sidebar: isolate Default entry (from template) with a divider
  • Update logo assets
  • Project owners can now be updated
  • Bugs fixed:
    • Christmas easter egg Santa hat blocking clicks on input element plugins
    • Rules Engine: make sure tag auto-complete works on page render
  • New integrations:
    • dradis-nipper
  • Integration enhancements:
    • Allow viewable image attachments for Gateway contributors
    • IssueLib: ability to seed with the starter set
  • Reporting enhancements:
    • Performance:
      • Re-work Word export processing top to bottom
      • Faster hyperlink processing
      • Faster numbering processing
      • Faster screenshot processing
    • Remove unused nested content controls from all resource types (issues, content blocks, evidence etc.)
    • Introducing the new and improved servicesEntries and ServicesTable content controls with full support for filtering and sorting
      • When nested inside a Node control you can get direct access to Services attributes with a servicesEntries control, and child attribute controls eg. Protocol, State, Port, etc.
      • The existing services control that produces pre-formatted table-based data can now be labeled ServicesTable in your template
    • Enhance report export log in both the CLI, and Web Console
      • Indented log lines to enhance readability and make it simple to follow nested processing. ex. Evidence within a Node.
      • Colors! Make use of colours to show
        • Green: when processing is successful
        • Yellow: when filters filter out all resources
        • Red: when something bad happens like a control has no placeholder
  • REST/JSON API enhancements:
    • Add new endpoint to update project owner

HackFu: Community Edition

Leave a reply

We are excited to share that we are working with the team at chronyko to present the first-ever HackFu: Community Edition – Friday 29th January 2021 – 9am – 5.30pm GMT.

HackFu is an award-winning immersive learning event designed by chronyko for cybersecurity professionals. Set in a dystopian world in the late 21st Century, participants are tasked with supporting the next phase of humanity’s journey back from the brink.

Participants will each receive a Survival Pack in the post containing items essential to their mission. They will also be provided with access to exclusive pre-event activities to learn more about their mission and the world they will be entering.

The event will run from 09:00 to 17:30 GMT on the 29th January 2021 and will primarily be accessed via web conferencing software and a browser. However, other cybersecurity software and tools (eg a VPN client) will be required to access and complete the technical challenges.

courtesy of the HackFu Website

Check out the full event details at https://chronyko.com/services/hackfu-community-edition/ .

Enter to win a place at HackFu

Think you have what it takes and want to win a place in HackFu courtesy of Dradis? Thanks to all that entered – winners have been notified!

Hands on Hacking

Leave a reply

The team over at Hacker House has recently released their first book, Hands on Hacking. The book is an incredibly accessible guide for learning pentesting and purple teaming and includes often-overlooked subjects like building a business case for hacking, ethical guidelines, and report writing. 

Report writing, you say?

Needless to say, when authors Matthew Hickey and Jennifer Arcuri reached out to let us know they were featuring Dradis in the chapter on reporting, we were delighted. Since the book’s release, I’ve been able to chat with Matthew to ask about writing this book, his start in hacking and growing a career in the industry, and his favorite reads. 

You can read the full interview with Matthew Hickey at the Dradis Academy.

Hands on Hacking takes a holistic approach to hacking appropriate for those just getting started as well as for management and sysadmins wanting a deeper understanding of the attacks their organization and systems face. 

Want to win a copy of Hands on Hacking?

The team over at Wiley sent us a few copies to giveaway. To enter, share your email address with us below. Winners will be selected at random on October 9, 2020 and contacted at the email address provided to collect shipping information.

The contest is now over, thanks for entering!

New in Dradis Pro v3.9

Leave a reply

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

MS Word Filters – OR, NOT

Filtering content using OR and NOT hasn’t been possible until now! Now you can add OR and NOT operators to create a dizzying amount of control for your report output. As always, you can string together multiple filters to get the results you want to populate your report.

Imagine That!

We’ve added the ability to upload an image anywhere the editing toolbar appears. Dragging and dropping into the editing area works too, saving you a few steps to add images in your project to show evidence, support your statement, or even add a meme to your comment.

Even More Validation

Meme of cartoon shouting validate all the things

Validating your project before generating it has long been available as a good step to preventing some of the most common report errors. Now, view additional validation in summary views and a panel to help avoid those errors as you are working with report content to catch problems early.

For an at-a-glance way to see what needs a bit more work, the issues and evidence tables include a column showing if that item contains the correct information.

Looks like something needs to be modified…

Issues, evidence, and content blocks now have a validation panel that will highlight problems as you work.

That missing vector could cause problems, glad we caught it now!

Release Notes

  • Add a validation panel for Issues, Evidence, and Content Blocks
  • Add a validation column for Issues and Evidence table
  • Auto upload attachments and screenshots without requiring the use of the staging area
  • Cards, Evidence, Issues, and Notes now have their own attachment support
  • Displays a notification badge in the browser tab when there are unread notifications
  • Editor: Allow drag & drop, copy & paste, and direct image uploading
  • Increase the node properties column size by changing it to LONGTEXT
  • Layout: Breadcrumbs have a fixed position
  • Upload Manager: better validation
  • Bugs fixed:
    • Live filtering of templates (methodologies, notes & projects) via sidebar
    • Use absolute send times in notification emails instead of relative
  • Reporting enhancements:
    • Excel: Fix report generation exceeding the maximum cell limit
    • Word: Add NOT and OR operation for filtering content control
    • Word: Allow non-English localization documents to be exported

New in Dradis Pro v3.7

Leave a reply

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Formatting Toolbar

Formatting text is even easier now with the editor toolbar. The toolbar makes it simple to enter and format text in an issue, evidence, notes, comments, and methodologies without needing to use Textile markup. The live preview updates with your formatting changes as you work.

Form Editor

Manually create issues and evidence using the form view, rather than using Textile field names and details. Name the form field and add in details for each item and the live preview updates as you work on the side.

If your project has a predefined template, using that template will create those form fields ready to populate.

Prefer to work with Textile? The source view is still available so you have the best of both worlds.

Dots Menu

In order to make the most of the available screen space, some item options – including edit, delete, and subscribe – have been moved to a single “dots” menu. The dots menu is located to the top right of the item and includes the actions available for that item.

Methodology Improvements

Cards in methodologies no longer require a due date. This is helpful for cards that are templates or hold information that doesn’t need to be locked to a specific date.

If a card has moved from one list to another, the original card link will redirect you to the card at its current location. Previously the link to the card would be broken, leaving you to hunt around until you found it (or didn’t and gave up looking).

Making it easier to find the board you are looking for, you can click on a methodology in the project dashboard or the board name in the activity feed to go to that board.

Release Notes

  • Add author to evidence and notes views
  • Add dynamic columns, sorting and filtering to Projects list
  • Add team name link to project navbar
  • Adjust Uploads layout to provide more visibility to the output console
  • Allow renaming and deleting boards through their dots menu
  • Avoid browser pre-populating password fields when editing users
  • Card improvements:
    • Not require a mandatory due date
    • Redirect to new url if the card has changed lists
    • Show board name and link in the Activity Feed
  • Card, Evidence, Issue, and Note form data will not be lost even if the form is not saved
    • Clear the form when the “Cancel” link is clicked
    • Remove prompt to restore data and instead persist and restore any changes seamlessly
  • Comments
    • Add Textile markup
    • Not lose changes even if the comment is not saved
    • Update comments feed to show author’s name instead of email
  • Display note and evidence titles in breadcrumbs
  • Display the Dots-menu in all views
  • Editor improvements:
    • Formatting toolbar to help with markup
    • New form-view to edit each field individually
    • Side-by-side editor preview that auto-updates
  • Generate consistent URLs in emails
  • Increase the size of output console
  • Let Admins be added or removed after a project is created
  • Link to Methodology from project summary chart
  • Move resource action links to dots-menu in breadcrumbs
  • Persist the state of the navigation sidebar in projects while navigating across different views
  • Remove tag color from issue titles in issue summary
  • Update code element style
  • Use shared noscript partial
  • Use user model reference for activities instead of user email
  • Upgraded gems: puma, rack, rails, sass-rails
  • Bugs fixed:
    • Allow Authors to set project permissions on project creation again
    • Fix Board partial broken structure
    • Fix ItemsTable extra whitespace causing unnecessary vertical scrolling
    • Fix Long items_table dropdown menus not scrollable
    • Fix Long project names interfering with search bar expansion
    • Fix breadcrumbs in cards under node boards
    • Fix textile preview not showing on issues with very long text
    • Prevent repetitive prompt when images are pasted after navigating multiple views.
    • Prevent report ‘Download’ button becoming a disabled ‘Processing…’ button once clicked
    • Render Textile preview of issues with very long text
    • Render avatars in the activity feed
    • Set :author when creating Evidence from an Issue
    • Show active state of Sidebar items properly
    • Bug tracker items: #560, #634
  • Integration enhancements:
    • Issue Library: sortable columns
    • Nexpose: better cipher wrapping coverage
    • Nikto: support new nested format
  • Reporting enhancements:
    • Custom Properties are now updated on document open
    • HTML reports now use main app’s markup rendering
  • Security Fixes:
    • Medium: Authenticated persistent comments cross-site scripting
    • Low: Authenticated (admin) persistent methodology template cross-site scripting

Not using Dradis Pro on your team?

New in Dradis Pro v3.6

Leave a reply

Dradis Framework is a collaboration and reporting tool for information security teams to manage and deliver the results of security assessments, in less time and with less frustration than manual methods.

Hello, good looking.

screen showing the project summary in Dradis Tylium theme
Tylium is included with Dradis Pro v3.6 and CE 3.16

We’ve introduced a new project theme for Dradis. Tylium* is more than sprucing up the design with sleek lines and modern styles. It incorporates thoughtful details to improve your workflow and provides us greater flexibility to address your UI feedback moving forward.

This is a big visual change, but you won’t have to hunt for the Dradis items you rely on since they haven’t gone too far from the previous theme, Snowcrash. We’ve minimized the impact on your day-to-day use of Dradis by keeping the feel and flow of the app familiar. 

A comparison of two different project summary themes
Snowcrash vs Tylium

Tylium optimizes your workspace, keeping the purpose of each view in mind. It adds space where you need more real estate for updating findings and resizes or rearranges elements when you need to see the big picture. An example of this can be seen with the collapsible sidebar that adds roughly 20% more space and keeps all sections of the app quickly accessible, even adding a dashboard link to the project summary.

animation showing a navigation bar collapsing.
Now you see it, now you don’t!

As always, we’re eager to hear what you think. If you have feedback on Tylium drop a comment here, send it via email, or share it in Slack.

*It is SOP at Security Roots that we honor our nerdoms where we can. Snowcrash, the previous theme, is a nod to Neal Stephenson’s cyberpunk novel of the same name. Our love of Battlestar Galactica continues on with the new theme, paying homage to the powerful fuel source used in the series – Tylium.

Report Generation Errors

Everyone knows that validating your report before generating it will save you a headache tracking down problems with the report later. Now, the validator is more helpful by providing additional context to help locate the problematic evidence. While we are preventing headaches if your report has errors that are detected during generation the option to download it won’t be displayed.

Oooh, there’s the problem!

Release Notes

  • Update app to new Tylium layout
  • Add the ability for kits to update an instance’s Plugin Manager templates
  • Add revision history for cards
  • Bugs fixed:
    • Updated support beacon. Legacy support was dropped for older versions
    • Fix errors on content overwrite flash messages
    • Fail and redirect to login instead of raising an error when attempting to log in as a user that has been removed
    • When a report export is invalid and errors we disable the download button to prevent further errors
    • Fix the mail initializer not finding existing configuration settings from the db
    • Fix Cancel link path for the Note Edit page
    • Fix services_extras not being excluded from Excel exports
    • Fix Rule checking for non-existent fields
  • Integration enhancements:
    • CVSSv3 calculator provides access to all Temporal/Environmental fields
  • Reporting enhancements:
    • Add support for ellipsis
    • Better Evidence references on failed validations
  • REST/JSON API enhancements:
    • Add team (team id, team name, team_since) in the teams API endpoint
  • Security Fixes:
    • High: Authenticated author can no longer continue to make project changes and will be logged out after being disabled by an admin
    • Medium: Prevent admins from updating other user’s comments

New Dradis Integration: WPScan

Leave a reply
WPScan logo

When the WPScan team approached us in late 2019 offering to create an integration for Dradis, we were excited to work together. What goes together better than a WordPress security scanning tool and an easy way to turn those findings into a customized report? Maybe chocolate and peanut butter, but the Dradis WPScan integration is much more likely to result in a more secure website.

A screenshot of Dradis showing Issues created by the WPScan integration
Time to update WordPress 😬

WordPress powers 35% of the Internet’s websites from hobby blogs to Fortune 50 companies. WordPress’ ease of use, well-established community, and extensive plugins offerings (55,457 as of this post) make it an attractive option for creating a presence online. Unfortunately, these same charms also make WordPress an easy and frequent target for attack. 

In 2011, while investigating his own blog’s security, Ryan Dewhurst created a script that combined testing for WordPress’ vulnerabilities into a single tool. This script, now WPScan, enumerates usernames, plugins, and themes, performs brute force password attacks, and identifies the version of WordPress on a target. 

WPScan contributors went on to create WPVulnDB to manage the ever-growing list of known WordPress vulnerabilities in an online database. When used together, WPScan and WPVulnDB API provide realtime detailed vulnerabilities and recommendations in your scan results.

This new Dradis WPScan integration makes it a snap for you to import the results of your WPScan directly to a Dradis Project. Each target maps to a node within your Dradis project, any vulnerabilities found in a plugin, theme, or setup become Dradis issues, and when evidence is available – like a list of enumerated usernames – it is pulled into Dradis as evidence.

Ready to get started with Dradis and WPScan?

The steps to add the Dradis WPScan integration to Dradis CE or Dradis Pro are similar for both editions.

  • Add or edit the Gemfile.plugins file. The file locations for each edition is listed below
    • Dradis CE: top-level Dradis CE directory
    • Dradis Pro: /opt/dradispro/dradispro/shared/addons/
      • This file should be symlinked to /opt/dradispro/dradispro/current/
  • Append gem 'dradis-wpscan', github: 'dradis/dradis-wpscan' to the file
  • Save Gemfile.plugins
  • $ bundle install
  • Restart Dradis
  • 🎉 All done!

If you run into any snags with the process, reach out on the community forums, the CE or Pro Slack workspaces, or directly to support.

TL/dr: Import WPScan findings into Dradis with the new Dradis WPScan integration

Dradis version 3.5

New in Dradis Pro v3.5

Leave a reply

This post references an older release of Dradis Pro. You can find the most current version here:

Email Notifications

Now you can have your notifications emailed to you when you aren’t working in a Dradis project. Each user can adjust their notification settings to receive them individually as they happen, in a daily digest, or not at all. Get started using email notifications by configuring the mail server on your Dradis Pro instance.

A few @mention enhancements are in this release, including loading an @mentioned user’s profile photo or gravatar so you quickly spot who is in the conversation.

Burp Suite Issue severity

The way that Burp Suite handles severity is different than other integrations. Burp assigns severity to each instance of an issue as evidence and doesn’t assign severity to the issue directly. As a result, this was leading to several pieces of evidence with different severity levels for an issue with no assigned severity in Dradis. Now, Dradis will assign the issue severity using the highest evidence severity level.

Table Sorting

Finding the information you are looking for in a long table is easier with table sorting. Tables in Dradis can be sorted by any column. Click on the column heading of your choice and presto, change-o the table is sorted.

animation of a table of security findings sorting by column heading

Release Notes

  • Email notifications
  • Add notification settings to decide how often to get email notifications
  • Add a smtp.yml config file to handle the SMTP configuration
  • Preserve SMTP configuration on updates
  • Various mention related improvements:
    • Enhance the mentions box in comments to close when it is open and the page is scrolled.
    • Fix bug that prevents the mentions dialog from appearing after navigating through the app.
    • Fix elongated avatar images so they are round once again.
    • Added avatar images to mentions in comments.
    • Load Gravatars for users whose email has been set up with gravatar.
  • Add and update methodology download links to Dradis Portal
  • Enhancement when adding new nodes to copy node label data between the single and multiple node forms.
  • All tables can be sorted by column
  • Bugs fixed:
    • Fix handling of pipe character in node property tables
    • Fix projects count not updating in teams view
    • Fix error on team page when showing primary team
    • Fix overflow issue where the content would expand out of view
    • Fix page jump when issues list is collapsed
    • Fix conflicting version message when updating records with ajax
    • Fix hamburger dropdown menu functionality.
    • Fix node merging bug when `services_extras` properties are present
    • Fix cross-project info rendering
    • Prevent content block group names to be whitespaces only
    • Fix displaying of content blocks with no block groups
    • Limit project name length when viewing a project
    • Removed bullet style in node modals
    • Validate parent node project
  • Integration enhancements:
    • Burp: Make `issue.severity` available at the Issue level
    • Nessus: Fixed bullet points formatting to handle internal text column widths
    • Nexpose: Wrap ciphers in code blocks
    • Netsparker: Fix link parsing of issue.external_references
    • Jira: Loading custom (required) fields from JIRA by IssueType and Project
  • REST/JSON API enhancements:
    • Fix disappearing owner when assigning authors to a Project using the API
    • Set the “by” attribute for item revisions when using the API
  • Security Fixes:
    • Medium: Authenticated author mentioning an existing user outside of the project will subscribe that user to the note/issue/evidence
    • High: Authenticated author was able to access unauthorized projects using the API
    • Upgraded gems: nokogiri (CVE-2019-13117)