doc updates

Author: summitt

docs/Faction App Store Extensions.md

@@ -14,4 +14,4 @@ Below is a List of Approved Faction Extensions. These all work with Faction 1.2+
 
 
 # Submit an Extension
-Send an email to develop [ at ] factionsecurity [dot] com with a link to to your github and a brief explaination of what it does. 
+Send an email to develop [ at ] factionsecurity [dot] com with a link to your github and a brief explanation of what it does. 

docs/How to Use BurpSuite with Faction.md

@@ -0,0 +1,90 @@
+---
+tags: [burpsuite, integrations, api]
+date: 2024-06-19
+---
+
+Faction has a tight integration with [BurpSuite](https://portswigger.net/burp) and you can now find our extension in the [BApp Store](https://portswigger.net/bappstore/f4048e6291214e99a92ca555abee0f74). Here are a few things you can do with the Faction Burp Integration.
+1. See your assessment and retest queues.
+2. Instant access to your assessment scope and other details.
+3. View all findings you and your co-pentesters are reporting.
+4. Replay payloads from other pentesters.
+5. Add issues in Faction directly from BurpSuite. 
+
+## Install the Burp Faction Integration
+You can install the Faction Integration directly from the BApp store. 
+1. Open Burp then Click Extensions->BApp Store
+3. Search for Faction
+4. Click Install
+![](/files/Pasted%20image%2020240619150257.png)
+
+## Set Up Faction
+In BurpSuite navigate to the Faction tab after you have installed the Faction Integration. From here you need to enter the URL and API key for your user. 
+
+The URL will be your domain plus `api`. Ex `https://faction-test.factionsecurity.com/api`
+
+![](/files/Pasted%20image%2020240619150830.png)
+
+You can retrieve your API Key in Faction by accessing your profile in the upper right corner of the Faction Web Interface. 
+![](/files/Pasted%20image%2020240619151123.png)
+
+## Access Your Assessment Queue
+Now that Faction is configured you should be able to see you current assessment queue as shown below:
+![](/files/Pasted%20image%2020240619151342.png)
+
+Clicking on an assessment will show you the scope, any vulnerabilities that have been reported, and notes that your team has shared with you. 
+![](/files/Pasted%20image%2020240619151525.png)
+
+If you select one of the vulnerabilities you can see its full details including screenshots.
+![](/files/Pasted%20image%2020240619151631.png)
+
+## Enter Findings into Faction From Burp
+
+Lets say you find an XSS attack and have verified it with BurpSuite. You can add the finding to Faction without ever leaving Burp. Just select the request or response that you want to enter into the report and select "Add New Finding" as shown below:
+![](/files/Pasted%20image%2020240619152503.png)
+
+Now you will be presented with the vulnerability findings dialog. Here you can search for an existing vulnerability template to auto populate the details and recommendations. 
+
+Next ensure its being sent to the right assessment. The option will default to the last assessment you selected in the previous section on [Access your Assessment Queue](#Access%20Your%20Assessment%20Queue)
+
+Next you have several options. 
+- Select the severity or leave the default
+- Check or uncheck to include the request and/or response. When checked it will include these options in code blocks in the final report.
+- "Snip cookies" when checked will remove all cookies from being added to the report and replace them with `[...snip...]`
+- "Extract Selection" when checked will only add the portion of the code you selected in Burp to the report. This is most useful trying to only show the reflected script in the response instead of the full response. 
+- Exploit Steps can be included and supports MarkDown Syntax. *Note Screenshots are available though the Burp Extension currently. For this you still need to add them to the Web UI.* 
+
+![](/files/Pasted%20image%2020240619152829.png)
+
+Now you can click **Save** to add it to Faction. All this allows issues to be added seamlessly without breaking your flow. The final result will look something like this.
+
+![](/files/Pasted%20image%2020240619153743.png)
+
+
+## Replay Findings
+The Faction Burp Integration has the ability to replay findings if you included the request in the details. Notice the hyperlink above the request when you select a vulnerability in the Faction BurpSuite Integration. 
+
+![](/files/Pasted%20image%2020240619151840.png)
+
+If you click the hyperlink it will add it to your Burp Repeater. This allows you to replay your own findings and findings from your co-pentesters. The same feature is available for retests!
+
+![](/files/Pasted%20image%2020240619151923.png)
+
+## Add Scan Findings
+Anything found in the BurpSuite Scanner can be added directly into Faction using the BurpSuite Integration as well. Just select the issues you want to add and then choose "Send Issues to Faction"
+
+![](/files/Pasted%20image%2020240619154354.png)
+
+Below shows that all issues were combined into two distinct issues.
+![](/files/Pasted%20image%2020240619154637.png)
+
+Notice that if you select more than one of the same issue that it will aggregate the URLs into one finding:
+
+![](/files/Pasted%20image%2020240619154521.png)
+
+
+## Wrapping Up
+
+All of these features have been implemented to make adding issues to pen-testing reports easy and to not break your flow. Nothing worse that being in the zone and then have stop to mess with report formatting or ensuring you capture all the right data in your notes to use later. With Faction you can just add the issues as you find them and move on with your pentest. 
+
+
+

docs/Managed FACTION Setup.md

@@ -55,4 +55,4 @@ The higher-level tiers allow you to configure other options like LDAP and OAuth.
 
 - [Integrate Faction Into OAuth Solutions](/Integrate%20Faction%20into%20OAuth%20Solutions/)
 - [Customizing Faction for Self Hosting](/Self-Hosted%20FACTION%20Setup/)
-- [Extending Faction](/Extending%20FACTION/)
+- [Extending Faction](/APIS/App%20Store%20Extension%20API/)

docs/Using the Faction Burp Suite Extension.md

@@ -0,0 +1,61 @@
+---
+tags: [Burp Suite, API, Penetration Testing]
+date: 2024-03-28
+---
+The Faction [BurpSuite](https://www.portswigger.com) Extension makes much of what is available in the Web UI available right inside Burp Suite. With this extension, you can:
+
+- Access all assessments and retests assigned to you
+- Access Assessment notes
+- Create and update findings 
+- Extract parts of the request and responses to add to the assessment report
+- Add finding details in markdown
+- Replay requests you or other assessors have reported
+
+
+## Configure the Extension
+You can download the extension [here](https://github.com/factionsecurity/Faction-Burp/releases) . We also hoping to have it added to the BApp store soon. 
+
+Once installed in Burp, Navigate to the config tab. You need two things to configure:
+
+1. **Your API key**- This can be found in the Faction Web UI, under your profile (top upper right). If you do not have an API key then your administrator needs to give you the API permission.
+2. **API URL** - The API URL is most commonly something like `https://myserver.com/api`. If you login to something different like `http://myserver.com:8080/myfaction`, then your API URL will be `http://myserver.com:8080/myfaction/api`
+
+Once configured, It should look something like this:
+![](/files/Pasted%20image%2020240328085325.png)
+
+### Severity Mapping
+![](/files/Pasted%20image%2020240328085409.png)
+
+**Severity Mapping** is used to convert vulnerability severities that Burp Suite Reports to the custom severities you set in Faction. More on setting custom severities can be found [here](/Faction%20Severity%20Rating%20and%20CVSS%20Scoring/#native-severity-ranking)
+
+Let's say your process requires that Criticals are called P1s and Highs are called P2s. Burp's Vulnerability Scanner finds a Critical issue that you want to report in Faction. You can now simply right-click the finding and add it to Faction and the extension will map the Critical to P1. 
+
+## Viewing the Queues
+
+![](/files/Pasted%20image%2020240328095032.png)
+
+When you select **Queues** you will see both your assessments (left) and retests (right) queue. You can select an item in either table to view the data. This gives you all the information you need to start your assessment or verification without even logging into the Web UI. 
+
+## Selecting an Assessment
+
+From the **Queues** page, select your currently working assessment. This will set this assessment as the default assessment for all other dialog boxes, for example when adding a new vulnerability it will be reported in this assessment. 
+
+Once you select the assessment in the table, click **Assessment**. Now you will see the scope and shared notes about the assessment. 
+
+![](/files/Pasted%20image%2020240328095629.png)
+
+This keeps all the common information about the assessment handy, like in-scope URLs, test credentials, and even notes you want to share with other assessors on the same project. 
+
+## Enter a New Finding
+
+## Update an Existing Finding
+
+## Selecting a Retest
+
+
+
+
+
+
+
+

docs/blog/posts/Faction App Store.md

@@ -0,0 +1,52 @@
+---
+tags: [App Store]
+date: 2024-03-25
+---
+✨ We are excited to release the first iteration of the Faction App Store! ✨
+
+The App Store is where developers can build custom integrations with Faction. These can be anything from sending vulnerabilities to external bug trackers to adding custom graphics to your automated pentest reports! 
+<!-- more -->
+We want to make this process really easy and took inspiration from [Burp Suite](https://portswigger.net/burp/documentation/desktop/extensions/creating) on the design. If you have ever made an extension for Burp then you should be able to get up and running pretty quickly. 
+
+### What Can Be Extended?
+With this initial release, you can extend Faction by:
+
+- Including your own application inventory database to the application search features and populate results in Faction like the Application ID, Distribution Lists, and Application Name. 
+- Triggers when an assessment state changes (created, updated, or finalized). You can use this to send emails to a distribution list that an assessment has been scheduled for certain dates. When the assessment is finalized you can choose to send only the vulnerabilities of a certain criticality to an external tracking system as well as send to different tracking systems depending on the type of assessment. 
+- Triggers when a vulnerability state is changed. When a tracked vulnerability is retested and pass/fail, you can create a custom workflow and alert key stakeholders that the issue succeeded or failed. 
+- Update reports when they are generated. You can use this to add custom variables to your reporting templates and replace the contents with data from an external system or add custom charts and graphics to give your reports a more polished look. 
+
+The full documentation on the API can be found [here](/APIS/App%20Store%20Extension%20API)
+
+### Custom Settings
+Extensions are built so that you can add your own configuration options that can be stored in the Faction Database. Things like a user-editable hostname or API key can be configured in your extension. Based on how you set up your configuration you can make data like passwords and API keys hidden in the UI and encrypted at rest. 
+
+![](/files/Pasted%20image%2020240325105733.png)
+
+### Extension Chain
+Extensions can be chained in any order. Once you add apps and enable them in Faction, the UI allows you to drag the extension to anywhere in the list. This allows you to create one extension that processes data and returns a result that can be processed by the next extension. 
+
+| Before Order Change | After Order Change |
+| --- | --- |
+| ![](/files/Pasted%20image%2020240325105756.png) | ![](/files/Pasted%20image%2020240325105827.png) |
+
+
+You can use this to create one extension that returns a JIRA Tracking number for all vulnerabilities in the finalized assessment, they take those numbers and process them into another system and on and on down the chain. 
+
+
+### Example Extensions
+You can review the source code for our initial apps [here](/Faction%20App%20Store%20Extensions). This list will grow over time but currently, there are 2 (JIRA Integration, Vulnerability Bar Charts). 
+
+### Submit Your Own
+We can't think of everything! We encourage developers to submit their own extensions and we will add them to our list of Approved Extensions. Send an email to develop [ at ] factionsecurity [dot] com with a link to your GitHub and a brief explanation of what it does. 
+
+### Conclusion
+We hope you enjoy the new  App Store and other new features that are part of this 1.2 Release. Faction is open-source and free to use. Please leave us feedback in either our GitHub [Discussion Boards](https://github.com/orgs/factionsecurity/discussions) or by [submitting Issues](https://github.com/factionsecurity/faction/issues). 
+
+If you want to help support the project and ensure its longevity then consider being a sponsor... It's good karma!  ❤️
+
+__Sponsor Options__
+
+- [GitHub Sponsor](https://github.com/sponsors/factionsecurity)
+- [Patreon](https://www.patreon.com/null0perat0r)
+- [Open Collective](https://opencollective.com/faction)