July 2023 Release is out!

It is summer in the Northern Hemisphere and quite a few of our customers are leaving for Vegas Summer Camp – attending Black Hat, Defcon and BSides LV!

At the same time our engineers have launched AttackForge July 2023 Release. And this release is as big as ever!

Here are some of the big features included in this release:

  • New and improved Workflows for Infrastructure Pentesting.

    • Improved vulnerability importing with the ability to group assets,

    • Options to link multiple affected assets to each vulnerability,

    • Capture and retain the relevant asset and component data on the vulnerability,

    • Track action status for each affected asset

  • Huge update to ReportGen – new free templates, custom styles, new filters, etc.

  • ReportGen GitHub Community site

  • Import of results from NMAP and Masscan

  • User Experience improvements

    • Improvement of Search Writeups capabilities,

    • Thumbnails and Preview for Images – right in the relevant forms,

    • Bulk Archiving for Writeups and Bulk Assignment of Assets to Test Cases

    • Ability to send Test Email Notifications - for Custom Emails

    • Performance and Search improvements

  • New functionality within existing workflows

    • New Custom Field type – List

    • Ability to select vulnerabilities when exporting a project’s JSON file

    • View Asset Module Data with Project Scope screen

  • As always – updates to Self-Service API

And we have added another brilliant senior engineer to our team – so I would expect more features in the next releases…

New Workflows: Grouped Assets on Vulnerabilities

We generally run monthly catchups with our Enterprise customers. The main purpose is to listen. This workflow is the direct result of that. Our customers requested more flexibility in how infrastructure pentesting results are captured in AttackForge.

Introducing the concept of Grouped Assets on Vulnerabilities. You know – when you find a single vulnerability that affects a few dozen (or thousands) of IP addresses…

Using grouped assets on vulnerabilities can help you to:

  • Increase efficiency when working on infrastructure penetration tests;

  • Reduce the overall number of vulnerabilities, whilst not losing the affected asset data;

  • Reduce QA efforts.

A single vulnerability can now have many affected assets assigned to it, without losing the ability to include detailed information for each affected component on every asset.

You now have a choice for how you want to create and track those vulnerabilities:

  • Create unique vulnerabilities on a project, and assign the relevant affected assets to each unique vulnerability;

  • Create individual vulnerabilities for every asset; or

  • Create a combination of unique vulnerabilities and individual vulnerabilities – for ultimate flexibility! All depending on what works best for your organisation!

Improve vulnerability importing with grouped assets

When you import vulnerabilities into your project, you will have a choice between the Individual and Grouped options.

Individual will allow you to import your vulnerabilities as you always have – one asset per vulnerability – so you can track each of them individually.

Grouped will allow you to automatically group the affected assets under each vulnerability.

Using this option allows you to focus on the bigger picture while preserving the same amount of data. You can capture notes and actioned status against each asset, in addition to any remediation notes at the vulnerability level.

You can view all of the affected assets and, for each asset, see the related data for its affected components.

You can configure the Grouping options to adjust the rules for how the grouping is performed.
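To make the Individual versus Grouped distinction concrete, here is an added example (not AttackForge code) that collapses one-finding-per-asset rows into grouped vulnerabilities while keeping per-asset component data and a per-asset actioned status; the findings, field names and the grouping rule are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample of "Individual" findings: one row per affected asset and
# component, the way a scanner export usually lists them (not AttackForge's format).
INDIVIDUAL_FINDINGS = [
    {"title": "TLS 1.0 enabled", "severity": "Medium", "asset": "10.0.0.5", "component": "tcp/443"},
    {"title": "TLS 1.0 enabled", "severity": "Medium", "asset": "10.0.0.6", "component": "tcp/443"},
    {"title": "TLS 1.0 enabled", "severity": "Medium", "asset": "10.0.0.6", "component": "tcp/8443"},
    {"title": "Weak SSH MAC algorithms", "severity": "Low", "asset": "10.0.0.5", "component": "tcp/22"},
]

@dataclass
class AffectedAsset:
    asset: str
    components: list = field(default_factory=list)  # per-asset component data is retained
    notes: str = ""
    actioned: bool = False  # action status is tracked per affected asset

@dataclass
class GroupedVulnerability:
    title: str
    severity: str
    affected: dict = field(default_factory=dict)  # asset id -> AffectedAsset
    remediation_notes: str = ""  # vulnerability-level remediation notes

    def set_actioned(self, asset, notes=""):
        """Mark one affected asset as actioned without touching the others."""
        self.affected[asset].actioned = True
        self.affected[asset].notes = notes

    def outstanding_assets(self):
        return [a for a, v in self.affected.items() if not v.actioned]

def default_grouping_rule(finding):
    # The grouping options decide which findings are "the same" vulnerability;
    # this hypothetical rule groups on title and severity.
    return (finding["title"], finding["severity"])

def group_findings(findings, rule=default_grouping_rule):
    """Collapse individual findings into grouped vulnerabilities, keeping asset/component data."""
    groups = {}
    for f in findings:
        vuln = groups.setdefault(rule(f), GroupedVulnerability(f["title"], f["severity"]))
        aa = vuln.affected.setdefault(f["asset"], AffectedAsset(f["asset"]))
        if f["component"] not in aa.components:
            aa.components.append(f["component"])
    return list(groups.values())
```

Passing a different rule (for example one that also keys on the asset) reproduces the Individual behaviour from the same input, which is the "combination" option described above.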

Import Assets from NMAP and Masscan

Another great feature for those of you who work on infrastructure pentesting: you can now import assets directly into your projects from your NMAP and Masscan files. This will save you tons of time creating assets manually!

You can also take advantage of the additional Hostnames and Ports fields if you are using the AttackForge Assets Module.

These fields will be stored against the Asset in the AttackForge Asset module, so you can monitor and manage Hostnames and Ports centrally (outside of your projects). You can also view and modify the data prior to importing.

We have plans to add even more tools that you can import data from, to make your lives even easier!
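As an added illustration of what such an import has to extract (this is example code, not AttackForge's importer), the block below parses constructed nmap XML and masscan list output into one asset record per IP, with list-valued Hostnames and Ports; the record layout is assumed.

```python
import xml.etree.ElementTree as ET
# Constructed nmap -oX and masscan -oL output; not real scan data.
NMAP_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="443"><state state="open"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/></port></ports></host>
</nmaprun>"""
MASSCAN_LIST = """# Masscan 1.3.2 scan initiated
open tcp 443 10.0.0.5 1690000000
open tcp 3389 10.0.0.9 1690000001
"""

def add_unique(values, item):
    if item not in values:
        values.append(item)

def parse_nmap_xml(text, assets=None):
    """Add hosts from nmap XML to {ip: asset}; Hostnames and Ports are list-valued."""
    assets = {} if assets is None else assets
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        asset = assets.setdefault(ip, {"asset": ip, "hostnames": [], "ports": []})
        for hn in host.iter("hostname"):
            add_unique(asset["hostnames"], hn.get("name"))
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":  # skip closed/filtered
                add_unique(asset["ports"], f"{port.get('protocol')}/{port.get('portid')}")
    return assets

def parse_masscan_list(text, assets=None):
    """Add hosts from masscan -oL lines ('open <proto> <port> <ip> <ts>') to {ip: asset}."""
    assets = {} if assets is None else assets
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "open":  # skips '#' banner/comment lines
            continue
        _, proto, port, ip = parts[:4]
        asset = assets.setdefault(ip, {"asset": ip, "hostnames": [], "ports": []})
        add_unique(asset["ports"], f"{proto}/{port}")
    return assets

def import_assets(nmap_xml, masscan_list):
    """One asset record per IP, with results from both tools merged into it."""
    return parse_masscan_list(masscan_list, parse_nmap_xml(nmap_xml))
```

Reviewing the merged records before they are committed mirrors the "view and modify the data prior to importing" step described above.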

ReportGen v2.7

Have we ever had a release without updates to AttackForge ReportGen, the ultimate pentest reporting tool? Did I forget to mention that it is also free? It is free.

Our great engineering team have just released another massive update for ReportGen.

GitHub Community Support Site

As part of our mission to support the growing community of AttackForge users, we have released a new dedicated Support Site for AttackForge ReportGen.

Here is some of the information you can find there:

  • How to get started with ReportGen;

  • Multiple free template examples – so you can see what ReportGen can do for you, and address the most common use cases and reporting needs; and

  • A place to ask questions and receive tips and help from our support team and the wider AttackForge community.

We hope the new Support Site for ReportGen will make it easier for everyone to build awesome testing reports, with minimal effort! After all – does anyone know a pentester who would not appreciate more time hacking – and less time writing and fixing reports?

You can access the new ReportGen Support Site from https://github.com/AttackForge/ReportGen.

There are two new Pentest Report Templates (so you can start using ReportGen immediately):

  • Pentest Report v3.1 - a template showcasing the features available in ReportGen v2.7+

  • Pentest Report v3.2 - a template with minimal logic which can be used out-of-the-box, and has support for grouped assets on vulnerabilities

We have also released an updated example JSON test file which can be used for testing your templates.

New Option: Custom Styles for Individual Rich-Text Fields

You can now assign individual rich-text fields to different custom styles used in your template.

This feature can be used with {@execSummaryNotesStyled}, {@description_styled}, {@attack_scenario_styled}, {@remediation_recommendation_styled} or any styled custom fields.

New Option: Image Options Supported For All Styled Tags

In the previous release of ReportGen, we added support for custom options that configure how your image descriptions are displayed in reports. You can configure images to show captions, prefer captions, show the image filename, or show nothing at all.

In this release we extended this feature to support any styled tags, including your own custom rich-text fields.

Add Figures for Images

All images will now automatically have Figure X: prefixed to the image description, just as one would expect in a document.

This means you no longer need to manually inject figure numbers for each of your images inserted dynamically by ReportGen.

Figure numbers take advantage of Microsoft Word dynamic fields so you can easily update them if you need to manually insert any new images.

Styled Custom Fields

In this release, we added support to render custom rich-text fields in ReportGen.

Styled and labelled $help – for easier debugging

To make debugging easier, we have added styled and label-supported $help functions.

Now when you use the $help function, the browser console will style and color-code it according to whether it relates to Scope or Variables.

In addition, you can pass labels to every $help function to make it easier to debug your template, which is especially useful when printing multiple $help statements.

Also, we added support for using Test Case Workspace Notes in reports, two (2) new options, seven (7) new filters and a new function, and improved how line breaks work around {@rawXML} tags. The last one had been a pet peeve for some time…

Improved User Experience

  • Search All Writeups Across All Writeup Libraries on Vulnerability Create/Edit

Now when you create a new vulnerability or edit an existing one, you can search all of the Writeups you have access to, without having to first select a library.

  • Image Thumbnails and Preview

You can now view the images you uploaded right there in the interface, as thumbnails or a preview within the browser (instead of having to download them).

  • Bulk Archive Writeups

You can now bulk archive writeups via the Writeups module. This makes it easy to remove unwanted writeups.

Archiving writeups will not impact any of your existing vulnerabilities which already reference those writeups.

  • Bulk Assign Assets to Test Cases

You can now bulk assign assets to test cases on a project. This is useful when you need to specify which in-scope assets apply to each test case.

  • Send Test Email Notifications for Custom Emails

AttackForge has a great feature – highly configurable custom email notifications. Now you can test those emails for any of the time-based messages configured in your Administration options – before sending them for real. This makes it easier to verify that your custom email rules are applied correctly and that your emails look exactly the way you need them to!

More functionality

  • Download Vulnerability Selection as JSON

You can now export a JSON file for a selection of vulnerabilities only. This will include all of the reporting data for those vulnerabilities.

  • New Custom Field: List

You can now create custom fields using the new ‘List’ type. Lists are great for assigning multiple inputs to a field, or for creating your own tags or actions. You will also need this field type when choosing to include Hostnames and Ports on Assets using the new NMAP and Masscan import options.

  • View Asset Module Data on Project Scope

Privileged users can now view all of the asset data for in-scope assets directly from the Project Scope page. You will no longer need to jump to the Asset Module to get the data, and you can use the advanced filters to search your project’s assets!

Updates to Self-Service API

There has been no release without new Self-Service API functionality! After all – a capable and secure Self-Service API is one of the reasons why AttackForge is the best Pentesting Management Platform for Enterprises!

This time we have improved our Self-Service REST APIs to provide more flexibility and options when interacting with AttackForge.

New capabilities for existing endpoints

  • GetProjectsAndVulnerabilities now supports advanced query filtering on projects and vulnerabilities,

  • GetVulnerabilities now supports advanced query filtering on writeups,

    Advanced query filters allow you to create database-like custom queries which give you the power and flexibility to get the exact data that you need from AttackForge – without writing your own sophisticated filtering code – saving your time and efforts.

New REST Endpoint: DownloadWorkspaceFile

We created a new RESTful API endpoint - DownloadWorkspaceFile - which can be used to download a file from a project’s workspace.

For more information on how to use this API – please visit this Support Page.

I definitely missed a few features – to get the full picture please check the Release Notes.
