docs/Custom Security Report Templates.md
+30 -1 Lines changed: 30 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -2,13 +2,17 @@
2
2
date: 2023-12-17
3
3
tags: [Reporting, Customize, Variables]
4
4
---
5
-

5
+

6
6
7
7
The Faction Report Designer allows you to create custom security report templates for each assessment type. When building reports you need to use the variables listed below. Entering these into your DOCX reports will auto-replace the assessment and vulnerability text when the report is generated. You can even use the same variables in many of the assessor input fields outside of the report template (like Risk Assessment Summaries) and it will auto-populate the fields when the report is generated.
You should disable spellcheck in your template document while adding variables. The spellcheck can cause the variables to contain attributes that will make the variable unrecognizable to the Faction document parser.
14
+
15
+
12
16
## GENERAL VARIABLES:
13
17
14
18
All of these variables can be used anywhere in the DOCX template. Those with a star ⭐️ can be used in the web interface to assist in creating common reusable templates.
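Review bot: the two added lines at new-file lines 14 and 15 carry no visible content in this hunk; if they are the image embeds for the Report Designer screenshots, give them alt text that names what the screenshot shows (for example, where the variables are placed in the DOCX), so the spellcheck and variable guidance on lines 10-11 remains usable when the images do not load.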
@@ -34,12 +38,15 @@ All of these variables can be used anywhere in the DOCX template. Those with a s
34
38
-**${asmtAccessKey}** – Guid to access the client retest queue. ⭐️
35
39
-**${today}** – Day the report is generated ⭐️
36
40
-**${cfXXXXXX}** – Custom Fields are ones you specify in the admin interface. These are all prefixed with “cf” ⭐️
41
+
-**${totalOpenVulns}** - Can be used in retest reports to show a count of open vulnerabilities. (Since 1.3)
42
+
-**${totalClosedVulns}** - Can be used in retest reports to show the total count of closed vulnerabilities. (Since 1.3)
37
43
38
44
## VULNERABILITY TABLES VARIABLES:
39
45
40
46
These are only available inside tables.
41
47
42
48
-**${vulnTable}** – This defines a table to be a vulnerability listing table.
49
+
-**${vulnTable Section_Name}** – This defines a table to be a vulnerability listing table for a section of vulnerabilities. See [Reporting Sections](https://docs.factionsecurity.com/Custom%20Security%20Report%20Templates/#Reporting-Sections-(Enterprise/Paid-Feature))(Paid Only Feature).
43
50
-**${vulnName}** – The Vulnerability name
44
51
-**${rec}** – Vulnerability Recommendation
45
52
-**${desc}** – Vulnerability Description
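Review bot: the fragment `#Reporting-Sections-(Enterprise/Paid-Feature)` in the new `${vulnTable Section_Name}` entry does not follow the lowercase slug style used elsewhere on the page (`#setting-severity-colors`); the heading `## Reporting Sections (Enterprise/Paid Feature)` added later in this change will most likely get a slug such as `reporting-sections-enterprisepaid-feature`, so verify the rendered anchor before merging. Also add a space before `(Paid Only Feature)` to match the `${fiBegin Section_Name}` entry, and state whether `${totalOpenVulns}` and `${totalClosedVulns}` carry the ⭐️ web-interface marker, since every other entry in this list makes that explicit.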
@@ -52,12 +59,16 @@ These are only available inside tables.
52
59
-**${count}** – Row Count of the vulnerability
53
60
-**${tracking}** – Tracking number of the vulnerability
54
61
-**${vid}** – Vulnerability internal database id
62
+
-**${openedAt}** - The date the vulnerability began tracking (Since 1.3)
63
+
-**${closedAt}** - The date the vulnerability was closed (no longer tracked) (Since 1.3)
64
+
-**${remediationStatus}** - Displays only "Open" or "Closed" (Since 1.3)
55
65
-**${cfXXXXXX}** – Custom Fields are ones you specify in the admin interface. These are all prefixed with “cf”
56
66
-**${color key=value,key=value}** – The color of the text is based on key-value pairs. [See below for how to set up colors.](https://docs.factionsecurity.com/Custom%20Security%20Report%20Templates/#setting-severity-colors)
57
67
-**${cells key=value,key=value}** – The color of the table cell is based on key-value pairs. [See below for how to set up colors.](https://docs.factionsecurity.com/Custom%20Security%20Report%20Templates/#setting-severity-colors)
58
68
-**${loop}** – This variable tells the report generator which row will be repeated.
59
69
-**${loop-*}** – This allows multiple rows to be repeated. Example ${loop-1} will repeat the row but the one below it.
60
70
-**${details}** – This will insert screenshots and exploit steps for each vulnerability.
71
+
-**${noIssuesText}** - This is the default text displayed in the section if no vulnerabilities are reported. (Since 1.3.28)
61
72
62
73
### Example Table Summary Table
63
74
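Review bot: `${closedAt}` and `${remediationStatus}` leave the open-finding case undocumented: say what `${closedAt}` renders when the vulnerability is still open (an empty cell, a placeholder, or the raw variable text), because a table row that falls back to the literal `${closedAt}` would ship in a client report. The new entries also use a plain hyphen where the surrounding entries use an en dash (–); keep one separator.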
@@ -89,6 +100,7 @@ These are only available inside tables.
89
100
**For when you do not want to use tables to display your vulnerability information. You can use the following variables for inserting vulnerability information outside of a table**
90
101
91
102
-**${fiBegin} / ${fiEnd}** – Block to repeat against all findings.
103
+
-**${fiBegin Section_Name} / ${fiEnd Section_Name}** – Block to repeat a section of findings. See [Reporting Sections](https://docs.factionsecurity.com/Custom%20Security%20Report%20Templates/#Reporting-Sections-(Enterprise/Paid-Feature)) (Paid Only Feature)
92
104
-**${vulnName}** – The Vulnerability name
93
105
-**${rec}** – Vulnerability Recommendation
94
106
-**${desc}** – Vulnerability Description
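Review bot: `${fiBegin Section_Name} / ${fiEnd Section_Name}` uses a space to separate the keyword from the section name, but the example sections introduced later in this change ("Application Security", "Network Security") contain spaces themselves; document whether multi-word names must use underscores as the `Section_Name` placeholder suggests (for example `${fiBegin Application_Security}`), or how the parser otherwise delimits the name.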
@@ -101,17 +113,34 @@ These are only available inside tables.
101
113
-**${count}** – Row Count of the vulnerability
102
114
-**${tracking}** – Tracking number of the vulnerability
103
115
-**${vid}** – Vulnerability internal database id
116
+
-**${openedAt}** - The date the vulnerability began tracking (Since 1.3)
117
+
-**${closedAt}** - The date the vulnerability was closed (no longer tracked) (Since 1.3)
118
+
-**${remediationStatus}** - Displays only "Open" or "Closed" (Since 1.3)
104
119
-**${cfXXXXXX}** – Custom Fields are ones you specify in the admin interface. These are all prefixed with “cf”
105
120
-**${details}** – This will insert screenshots and exploit steps for each vulnerability.
106
121
-**${color key=value,key=value}** – The color of the text is based on key-value pairs. [See below for how to set up colors.](https://docs.factionsecurity.com/Custom%20Security%20Report%20Templates/#setting-severity-colors)
107
122
-**${fill key=value,key=value}** – The color of the background elements is based on key-value pairs. [See below for how to set up colors.](https://docs.factionsecurity.com/Custom%20Security%20Report%20Templates/#setting-severity-colors)
123
+
-**${noIssuesText}** - This is the default text displayed in the section if no vulnerabilities are reported. (Since 1.3.28)
108
124
109
125
### Example Block Findings
110
126
111
127

112
128
113
129
**Why is the heading yellow?!?! Check [here](/Custom%20Security%20Report%20Templates/#setting-severity-colors)
114
130
131
+
## Reporting Sections (Enterprise/Paid Feature)
132
+
You can put findings into different sections of your report for paid versions and certain sponsored tiers of Faction. You may want to use sections if you are doing different types of pen tests in one report and need to keep these sections separated. For example, you can segregate findings into Application Security and Network Security Sections.
133
+
134
+
To use sections you need to create the section names in the Faction Report Designer:
135
+

136
+
137
+
Once the sections are created in the UI, you can add them to the report in two ways.
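Review bot: the new Reporting Sections text ends at "you can add them to the report in two ways." without the two ways being visible in this hunk; if they are the `${vulnTable Section_Name}` and `${fiBegin Section_Name}` variables documented above, link to those entries here so the section is self-contained. The screenshot added at new-file line 135 shows no alt text in the diff; describe what the designer screen shows (where section names are entered) so the step works without the image.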
Faction's open-source versions will not automatically update the Table of Contents page numbering though the hyperlinks all work as expected. You can do this manually by clicking the table and selecting update numbering you to update it manually once you generate the report.
7
+

8
+
9
+
The enterprise versions of Faction will automatically update the numbering for you as well as provide other additional reporting features like different finding sections (i.e. Application Security Pen Test Findings Section and Network Security Findings Section) and DOCX and PDF export options.
10
+

11
+
12
+
[Contact us here to learn more.](https://www.factionsecurity.com/enterprise)
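Review bot: the sentence at new-file line 7 is garbled: "You can do this manually by clicking the table and selecting update numbering you to update it manually once you generate the report." Suggest: "After you generate the report, click the table and select update numbering to refresh it manually." The file header for this hunk is not shown in the rendered diff, so confirm which page it belongs to.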
When exploiting a vulnerability in a penetration test it is important to capture your attack steps quickly and thoroughly so you don't have to spend extra time remembering and re-validating what you did when it's time to report on the finding. Nothing can break your flow more than having to stop what you are doing to format text, fix hyperlinks or build numbered lists of steps. Markdown is one of the quickest ways to type formatted text and capture these details effortlessly.
5
+
When exploiting a vulnerability in a penetration test it is important to capture your attack steps quickly and thoroughly so you don't have to spend extra time remembering and re-validating what you did when it's time to report on the finding. Nothing can break your flow more than having to stop what you are doing to format text, fix hyperlinks, or build numbered lists of steps. Markdown is one of the quickest ways to type formatted text and capture these details effortlessly.
6
6
7
7
!!! note "Pro Tip!"
8
8
9
9
The API fully supports Markdown. This makes it easy to develop automated tools that can add issues or other text to Faction with formatted text via the API.
10
10
11
11
12
-
Here are some examples of how you can use markdown in Faction.
12
+
Faction supports markdown by default in all editors. Here are some examples of how you can use markdown:
13
13
14
14
## Exploit Steps
15
-
You can enter Markdown directly into the details editor when adding a new vulnerability. Once you enter the text, highlight just the part you want to convert to markdown and click the Markdown button in the toolbar.
15
+
Entering exploit steps is easier with markdown. You can enter the following text and it will automatically show you the formated view on the right.
16
+
```
17
+
__Steps to Reproduce__:
18
+
1. Go to the home page.
19
+
2. Click Login.
20
+
3. Enter `<script>alert(123);</script>` in the username parameter.
21
+
```
16
22
17
-

23
+

18
24
19
-
After you select the Markdown button your text will be converted to rich text as shown below:
20
-

21
-
22
-
You can also perform this in a code block if you want to write your Markdown in a monospaced font. First, select `Code` as shown below:
23
-

24
-
25
-
Then start entering your text in the code block as shown here.
26
-

27
-
28
-
Select the text in the code block and click the Markdown button
29
-

30
25
31
26
## Faction Burp Suite Extension
32
27
If you find a vulnerability while using the Faction Burp extension, you can add the finding and all details directly through the extension. Below is an example of cross-site scripting:
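Review bot: "formated" at new-file line 15 should be "formatted". The sample at new-file lines 16-21 is fenced with no language tag; tagging it ```markdown makes the intent clear and lets the site highlight it. The removed lines 19-29 (Markdown button, code-block workflow) were the only description of the old conversion step; since "Faction supports markdown by default in all editors" now replaces them, search the other docs for "Markdown button" so no page still points readers at a control this change treats as gone.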
@@ -43,17 +38,6 @@ Now if we navigate back into Faction and view the details we will see the exploi
43
38
44
39

45
40
46
-
## Executive Summaries and Scoping
47
-
You can use Markdown in your Executive Summaries as well to quickly type up your high level assessments of the application and provide guidance on how to prioritize the findings.
48
-

49
-
50
-
Select the text and click Markdown to convert!
51
-

52
-
53
-
You can also add scoping information in tables without messing with table editors and setting hyperlinks which can be a pain sometimes.
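Review bot: this hunk deletes the whole "Executive Summaries and Scoping" section rather than adapting it to the always-on markdown behaviour; the facts that markdown works in Executive Summaries and in scoping tables are still useful and are not stated elsewhere in this diff, so keep a two-line version without the "Select the text and click Markdown" step. Deleting the heading also breaks any inbound link to its anchor.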
docs/index.md
+2 -1 Lines changed: 2 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -1,4 +1,5 @@
1
1
---
2
+
tags: []
2
3
date: 2023-12-17
3
4
---
4
5
# Welcome to FACTION
@@ -67,7 +68,7 @@ You can find out more information about creating your own custom report template
67
68
68
69
69
70
## Don't want to host it yourself?
70
-
We can provide hosting for your instance. All instances are single tenants so you don't have to worry about sharing infrastructure with untrusted parties. Navigate to [https://www.factionsecurity.com to learn more](https://www.factionsecurity.com).
71
+
We can provide hosting for your instance. All instances are single tenants so you don't have to worry about sharing infrastructure with untrusted parties. Hosted versions also come with other features like enhanced reporting. Navigate to [https://www.factionsecurity.com to learn more](https://www.factionsecurity.com).
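Review bot: the link text "https://www.factionsecurity.com to learn more" embeds the URL in the visible text; "Navigate to [factionsecurity.com](https://www.factionsecurity.com) to learn more." reads better. "enhanced reporting" is vague next to the enterprise features listed earlier in this change (finding sections, automatic TOC numbering, DOCX and PDF export); name one or link to that section.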
<li><strong>${openedAt}</strong> - The date the vulnerability began tracking (Since 1.3)</li>
1097
+
<li><strong>${closedAt}</strong> - The date the vulnerability was closed (no longer tracked) (Since 1.3)</li>
1098
+
<li><strong>${remediationStatus}</strong> - Displays only "Open" or "Closed" (Since 1.3)</li>
1094
1099
<li><strong>${cfXXXXXX}</strong> – Custom Fields are ones you specify in the admin interface. These are all prefixed with “cf”</li>
1095
1100
<li><strong>${color key=value,key=value}</strong> – The color of the text is based on key-value pairs. <ahref="https://docs.factionsecurity.com/Custom%20Security%20Report%20Templates/#setting-severity-colors">See below for how to set up colors.</a></li>
1096
1101
<li><strong>${cells key=value,key=value}</strong> – The color of the table cell is based on key-value pairs. <ahref="https://docs.factionsecurity.com/Custom%20Security%20Report%20Templates/#setting-severity-colors">See below for how to set up colors.</a></li>
<li><strong>${openedAt}</strong> - The date the vulnerability began tracking (Since 1.3)</li>
1211
+
<li><strong>${closedAt}</strong> - The date the vulnerability was closed (no longer tracked) (Since 1.3)</li>
1212
+
<li><strong>${remediationStatus}</strong> - Displays only "Open" or "Closed" (Since 1.3)</li>
1205
1213
<li><strong>${cfXXXXXX}</strong> – Custom Fields are ones you specify in the admin interface. These are all prefixed with “cf”</li>
1206
1214
<li><strong>${details}</strong> – This will insert screenshots and exploit steps for each vulnerability.</li>
1207
1215
<li><strong>${color key=value,key=value}</strong> – The color of the text is based on key-value pairs. <ahref="https://docs.factionsecurity.com/Custom%20Security%20Report%20Templates/#setting-severity-colors">See below for how to set up colors.</a></li>
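Review bot: these `<li>` entries repeat the markdown variable entries verbatim in what appears to be a built HTML copy of the same page (no file header is shown for this region), so every wording fix to the markdown now has to be made twice; if this file is generated site output, consider leaving it out of the commit and regenerating it on build. The `<ahref=` in the context lines has no space between the tag name and the attribute; confirm whether that is how the file reads or an artifact of the diff rendering.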