Dradis 3.0

Packed with goodness

By Daniel Martin / @etdsoft


  • New interface
  • Gemfile.plugins
  • Client bindings
  • New plugins: Qualys, PDF reports...

You will ask questions

New interface


Issue is the part that rarely changes

Evidence is different each time

Issues Library

Shows the list of issues in the project

At the Node level

Notes, Evidence and Attachments


Gemfile controls Ruby dependencies.

In Dradis 3 we're adding Gemfile.plugins.

Each plugin in its own repo.

Easy to add custom plugins.


# General add-ons
gem 'dradis-api'

# Export plugin
gem 'dradis-html_export', github: 'dradis/dradis-html_export'
gem 'dradis-pdf_export', github: 'dradis/dradis-pdf_export'

# Import plugins
gem 'dradis-mediawiki', path: '../dradis-mediawiki'

# Upload plugins
gem 'dradis-burp', path: '../dradis-burp'
gem 'dradis-nessus', path: '../dradis-nessus'

# Themes
# gem 'dradis-theme_snowcrash', path: '../dradis-theme_snowcrash'


In Gemfile.plugins



  • application/json
  • Versioned API via Accept header:
    Accept: application/vnd.dradisapi; v=1

    Not needed to use for the current version.

Endpoints: Nodes

To get the list of nodes:

 $ curl -u 'user:password' 'http://dradisframework.dev/api/nodes'

Requires authentication:

 $ curl -i http://dradisframework.dev/api/nodes
 HTTP/1.1 401 Unauthorized
 Content-Type: application/json; charset=utf-8
 X-UA-Compatible: IE=Edge
 Cache-Control: no-cache
 X-Request-Id: c03e3fc10ea5af6e3da30b47e7ce668c
 X-Runtime: 0.006424
 Date: Tue, 29 Apr 2014 09:12:13 GMT
 Connection: close
 {"message":"Requires authentication"}

Endpoints: Nodes

To get the list of nodes:

 $ curl -u 'etd:dradis' http://dradisframework.dev/api/nodes
   {"id":3,"label":"Getting help","parent_id":1,"type_id":null},
   {"id":2,"label":"What's new?","parent_id":1,"type_id":null},
   {"id":1,"label":"Dradis Framework v2.10.0","parent_id":null,"type_id":null}

Endpoints: Notes

To get the list of notes for a given node ID:

 $ curl -u 'user:password' \

 $ curl -u 'etd:dradis' \
     "author":"First time wizard",
     "text":"h1. Getting Help\n* Project Site...",

Endpoints: Evidence

To get the list of evidence for a given node ID:

 $ curl -u 'user:password' \

 $ curl -u 'etd:dradis' \
     "content":"#[Port]#\r\ntcp/80\r\n\r\n#[Description]#\r\nList of affected location:\r\n\r\n/backup\r\n/setup\r\n",

Client bindings

  • Implemented as a Gem.
  • Thin wrapper around the API.
  • Talk to Dradis from your own tools.
  • Get it at: dradis/dradis-client

Using the client lib


Client configuration

 require 'dradis-client'
 dradis = Dradis::Client::Endpoint.new(
                           host: 'http://dradisframework.dev',
                           user: 'adama',
                           shared_secret: 'shared_password'


 client = Dradis::Client::Endpoint.new do |config|
   config.host          = 'https://dradisframework.dev'
   config.user          = 'adama'
   config.shared_secret = 'shared_password'

Query the server

irb> client.nodes
 => [
     #<Dradis::Client::Node:0x007fd5f899b788 @attrs={:id=>29, :label=>"child", :parent_id=>28, :type_id=>nil}>,
     #<Dradis::Client::Node:0x007fd5f899b738 @attrs={:id=>28, :label=>"clientapp", :parent_id=>nil, :type_id=>nil}>,
irb> node = client.nodes.last
=> #<Dradis::Client::Node:0x007fd5f90ebec0 @attrs={:id=>1, :label=>"Dradis Framework v2.10.0", :parent_id=>nil, :type_id=>nil}>
irb> node.label
=> "Dradis Framework v2.10.0"
irb> node.notes
=> [...]

Adding content

 client.add_node('child', parent_id: 28)
 client.add_note("#[Title]#\nAdded from API", category_id: 1, node_id: 29)
 dradis.nodes.each do |node|
   puts "%02i: %-30s (pid: %02i)" % [node.id, node.label, node.parent_id || 0]
   dradis.notes(node.id).each do |note|
     puts "\t- #{note.title}"

 29: child                          (pid: 28)
  - Added from API
 28: clientapp                      (pid: 00)
 03: Getting help                   (pid: 01)
  - This Note doesn't provide a Title field
 02: What's new?                    (pid: 01)
  - This Note doesn't provide a Title field
 01: Dradis Framework v2.10.0       (pid: 00)
  - Con captura
  - .NET assemblies were not obfuscated 2
  - Insufficient SSL validation
  - Persistent cross-site scripting (XSS)
  - Out-of-date Apache server
  - This Note doesn't provide a Title field

Dradis plugin for Metasploit

Dradis plugin for Metasploit

 # The list of commands we make available to the ./msfconsole
 def commands
     # meta commands
     'dradis_config'   => "Show Dradis API configuration (#{config_file})",
     'dradis_help'     => 'Displays help',
     'dradis_version'  => 'Displays version information',
     # API commands
     'dradis_add_node' => 'Add a new Node to dradis',
     'dradis_nodes'    => 'List all nodes'

Dradis plugin for Metasploit

 def cmd_dradis_nodes
   return missing_config unless configured?
   dradis.nodes.each do |node|
     print_line "%02i: %-30s (pid: %02i)" % [node.id, node.label, node.parent_id || 0]

Dradis plugin for Metasploit

New plugins

Your own?

Thank You

Daniel Martin / @etdsoft

- don't forget your stickers! -

You will ask questions now