SerpicoProject/Serpico

[Feature Request] Apply Markup to UDV's

Closed this issue · 9 comments

It would be useful to be able to add a custom section in a template under findings.

E.g., there is a "note section" under the finding. I'd like to create a section called "Tools Used" where I can list the tool and procedure used to identify/exploit the finding. Then in the template report, I could call that section using a custom user defined variable.

This would allow authors to create multiple sections that go beyond the boilerplate finding template currently available.

@aconite33 thanks for the submission. Have you tried adding markup to a finding? For example adding to the overview section of a finding:

[== Tools Used ==]
sqlmap

Will render a section header with tools used in the report. The MS Word style is applied at the template level.

I haven't tried that yet. The feature came out of the fact that I'd like to call specific sections in my report. For example, I'm building a table out that I'd like to have a row dedicated to "Tools Used". I can't enter data directly in there via markup (or from your suggestion, listing the entire section that contains the markup). Having customization would allow me to call out only specific sections into tables or other areas of interest.

In conversations with @aconite33 on IRC, applying markup to UDV's would be helpful.

For example a UDV should support bullets or paragraphs:

*- bullet -*

I have a need for some functionality that I think would be fulfilled by this feature request.

We have an "appendix" section of our report that contains things very similar to the "Proof of Concept" field in a finding...but they are things that were discovered that don't fit into a specific finding.

We'd like to be able to have a field for which we can format text, as well as include screenshots. I actually think the screenshot functionality works for UDVs, but being able to format the field by paragraph doesn't.

If this request were implemented, I could use it to create and format my "appendix" field.

Thanks!

I'll start working on a mockup this weekend.

Is there anything I can do to help? I've been spending some time trying to figure out how the system works. I don't want to start trying to implement it myself not knowing what you're planning on trying.

I looked at the XML of the report data. "Top level", or pre-defined fields, are stored completely differently from UDVs. The UDV syntax looks like it would be more difficult to make formatting work in. So I'm curious what path you were considering going down.

@JASKevinWhite,
I don't have a good answer for ya right now. I'm trying to figure out the best way to implement this. I want to make sure whatever we come up with is flexible enough to also cover plugins like the UDV one (https://github.com/SerpicoProject/SerpicoPlugins/tree/master/UDV_Worksheet).

@JASKevinWhite I did some testing tonight and it turns out this functionality already exists; it was just a little hidden =).

To apply markup to a UDV, use a foreach similar to a finding except use the name of the UDV. For example, say my UDV was named appendix:

¬report/udv¬
¬appendix/paragraph¬
µCONDITIONALµ π.π
ƒcodeƒ π.π
ƒitalicsƒ π.π
÷ π.π ≠
∆

Obviously you will want to apply the same formatting that is used in a finding. The above markup was copied from a finding with two small changes:

  1. The outer foreach loop is report/udv
  2. The inner foreach loop is [UDV_NAME]/paragraph

I am creating a plugin issue for the functionality of adding a field to a finding and having it accessible in the report.

Also, it's untested but screenshots should work. I would try it and see how it goes.