serpicoproject / serpico Goto Github PK

All Serpico default findings should have a Nessus Vuln ID associated with them.

Attempting to Add Finding from Template to a Report without choosing a finding throws an error. A POST with no finding should just ignore the submission.

To Recreate:
Create/Edit Report > Add Finding From Templates > Click 'Add' with no finding

From @parzamendi-r7

if you add a user defined variable with variable data containing a backslash (including newline) it will display the escaped characters within their form on the user_defined_variables page. This will also cause an escape of death by escaping the additional backslashes upon adding another user defined variable or post.

to recreate:
add variable name: test1234
add variable data: test1234\test1234 (or hit enter between words)
save
view additional backslash characters in variable data

Currently the findings list is ordered by type of finding followed by DREAD. It would be better if the list used DREAD only.

Currently when a user adds or creates a finding they score/rate the risk based on DREAD. This enhancement would add the capability to score the finding using CVSS.

It would be useful to see and compare revision histories of an edited finding. We often tweak our existing findings and it would be nice to see those changes. Similar to a wiki revision history, highlighting what as changed recently.

Running on Kali Linux 64-bit.

Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension.

    /usr/bin/ruby1.9.1 extconf.rb 

checking for sqlite3.h... no
*** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of
necessary libraries and/or headers. Check the mkmf.log file for more
details. You may need configuration options.

Provided configuration options:
--with-opt-dir
--without-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/usr/bin/ruby1.9.1
--with-sqlite3-dir
--without-sqlite3-dir
--with-sqlite3-include
--without-sqlite3-include=${sqlite3-dir}/include
--with-sqlite3-lib
--without-sqlite3-lib=${sqlite3-dir}/lib

Gem files will remain installed in /var/lib/gems/1.9.1/gems/do_sqlite3-0.10.12 for inspection.
Results logged to /var/lib/gems/1.9.1/gems/do_sqlite3-0.10.12/ext/do_sqlite3/gem_make.out
An error occurred while installing do_sqlite3 (0.10.12), and Bundler cannot continue.
Make sure that gem install do_sqlite3 -v '0.10.12' succeeds before bundling.

It would be useful to have text based status update for use in e-mails. This could be generated in the UI, making it easy to copy and paste as an update to a client.

Currently when importing findings the finding have to be approved manually after import. This was a design decision but makes it difficult to import large finding sets. I think it would be preferable to have an "Approve on import" checkbox that is bordered in red.

"As a user I would like feedback in the UI after I have imported Nessus results. It should list the findings that were imported and those that were not."

A user requested that Finding's results could be trended. For example:

• How many assessments have found a specific finding (xss)
• How many assessments have found a combination of findings (i.e. sqli + xss)

Currently this can be done with DB queries. This feature would show this in the UI.

As a user I would like to be able to edit the Nessus IDs associated with a templated finding.

Add a way to notify admins what a findings needs to be reviewed. Right now, there is no way to tell without logging into the application and checking the findings database.

It would be very useful to be able to export a report in the UI and then import this report into another version of Serpico. For example, as a user I would like to be able to work on a report in one version of Serpico (say a local copy) and then import it into another version (say a master shared version of Serpico).

Create a wiki entry for how to import Nessus Report. Include associating Templated Finding with Nessus ID.

Ruby has a native AsciiDoctor library, which is a pure-ruby open-source implementation of AsciiDoc.
http://asciidoctor.org/

Instead of relying on .docx formats, by exporting findings via AsciiDoctor, the generated AsciiDoc output can easily be converted to a variety of formats. This includes exporting to HTML5, Docbook, PDF (via asciidoctor-pdf), or even to a pure AsciiDoc format which itself can be exported to many other formats via the binary AsciiDoc program (including exporting to ODF): https://github.com/dagwieers/asciidoc-odf

Adding AsciiDoc as a supported output would make reporting more flexible.

Similar to Nessus it would be nice if there was an option to auto create a finding from a burp import

Serpico requires Ruby 1.9.3. We should support a more modern version of Ruby.

Would like the ability to collapse types of finding not looking for such as physical and such.

All ready did this but dorked up repo will fix and submit pull request.

It'd be nice to have the ability to attach screenshots to individual findings. The age-old adage "a picture is worth a thousand words" often applies.

And thanks for the great tool!

After following readme instructions and installing on Kali and running "ruby serpico.rb" and attempting to browse to the web interface over HTTPS on Iceweseael, I get an HTTPS error, and the web interface doesn't load:

ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=unknown state: http request

Ive tried looking this up and am seeing various issues, not 100% sure why this is happening but is there a known fix for it, or a workaround?

I think this may be related to the self-signed cert, ruby, and OpenSSL compability, but not totally sure.

Apologies in advance if this is a silly question and easily solvable.

Thanks

This would take Nessus results as input and populate a Report. This could either be as a script or as a connector to a remote system via the UI.

Submitting to the upload attachment menu without actually attaching a file causes an error in the UI. A POST with nothing attached should just ignore the submission.

"As a user I would like to be able to search the finding titles. Using the browser search includes the finding description which is annoying."

The easiest way to do this is with a javascript based search on the template pages only.

It would be cool if Serpico could create PresentationML files as an option. Most of this would begin with a template, but incorporate things like the names of the penetration tester(s), the client, the finding titles, the dread scores, etc. into a workable presentation.

http://www.ecma-international.org/publications/standards/Ecma-376.htm

The attachment menu is not linked from the Report menu

It would be really awesome if Serpico allowed one to use the NVD scoring system instead of DREAD
http://nvd.nist.gov/cvss.cfm?calculator&version=2

40 was chosen as an arbitrary number but it's better than just saying we should support "more" findings. Possible seed sources suggested were OWASP, CWE, and Nessus.

Switching between IDEs the indentation has become a horrific mess. This issue is really two things; decide on consistent style and fix across the board.

We should consider to require something like rubocop.

I just came across this project while looking for an alternative to Dradis and must say this is very impressive. I can see this becoming a very useful tool in my playbook.

It appears based upon my limited testing that, in order to import findings from Nessus or Burp the associations must be defined by an ID in an existing vulnerability in the database. In the case of an internal vulnerability assessment this could require the manual creation of hundreds of vulnerability database records before a Nessus report could be successfully imported. It would also mean that Nessus reports would have to be manually cross referenced to identify any new vulnerabilities that may not be present in the Serpico vulnerability database.

Would it be possible to add an option for the Nessus importer to create new vulnerability database entries for vulnerabilities in the .nessus file that do not have a corresponding record already in the Serpico database or perhaps some other means of bulk populating the database and correlating with scanner findings (Nessus DB import, OVAL, CVE)?

Currently the finding types (Wireless, Physical, etc.) are hardcoded into the application. It was requested that this be configurable.

When using bullet tags shown below. Two spaces are added before each bullet.

*-bullet-*

when adding references to a finding then pushing that finding to the db, finding waiting approve has not references. However remediation section seems to retain bullets.

There is no indication the information is saved.

I plan to add the following code on success below the <h2>Consultant Information</h2>:

<h4 class="text-success">Saved!</h4>

I noticed from another post Kali linux was not tested and there appear to be issues there. What platform do you recommend and what are the dependencies (with versions) I need to install before installing Serpico?

There are bugs in the way that UDV handles and santizes input.

1. create a proper santization method rather gsub'ing on the spot
2. anticipate the impact of to/from json, this is different from other parts of serpico

Currently when a user adds or creates a finding they score/rate the risk based on DREAD. This enhancement would add the capability to score the finding more generically (e.g. High, Medium, Low).

First let me start by saying thanks for making the product - I just stumbled across it the other day and can already see benefits of using it in the dreaded documentation process.
I thought it would be nice to include a list of IP addresses/ranges. I was thinking it could be used for summary/scope sections of the document and also in the findings - we could tag which hosts had finding.
Also, I would like to see us be able to add a field to the finding (may already be an option that I haven't seen yet).

*** added to this to ask a stupid question: how do we factor in formatting into the findings? I see bullets are *- but how do we get italics, headings, etc?

In the top menu the template database should be called finding database. Template database is misleading.

All of the documentation is currently in the README.md. It should be moved into the Wiki.

sudo ruby serpico.rb

[2014-07-16 19:41:48] INFO WEBrick 1.3.1
[2014-07-16 19:41:48] INFO ruby 1.9.3 (2012-04-20) [i486-linux]
[2014-07-16 19:41:48] WARN TCPServer Error: Address already in use - bind(2)
[2014-07-16 19:41:48] INFO
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:7b:55:4b:26
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=MD, L=MD, O=MD, CN=serpico
Validity
Not Before: Jul 16 22:58:25 2014 GMT
Not After : Jul 16 22:58:25 2015 GMT
Subject: C=US, ST=MD, L=MD, O=MD, CN=serpico
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d1:d0:a3:50:ce:e5:61:5b:cb:82:f9:2c:e7:c4:
10:40:4b:0e:d9:b8:ff:29:65:31:bc:dc:2c:69:bd:
b3:39:79:a7:b7:51:45:a0:13:87:39:5f:ea:70:17:
da:06:2f:3f:82:2b:9a:e3:94:e5:71:60:7c:63:03:
a8:7a:fb:a0:01:53:c7:dd:00:43:c3:61:f7:4f:23:
16:be:e3:c2:c0:94:e1:e7:bf:36:c5:d3:9d:0a:b9:
4e:13:78:bc:75:9c:00:1d:43:63:1e:64:da:bf:d2:
59:77:15:1d:c8:f7:be:4a:c5:39:31:48:72:06:2e:
be:eb:39:b5:71:42:9a:12:fb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
21:A9:75:83:E1:50:8A:67:77:EF:5D:6D:03:AC:4F:39:A5:DE:73:E9
X509v3 Authority Key Identifier:
keyid:21:A9:75:83:E1:50:8A:67:77:EF:5D:6D:03:AC:4F:39:A5:DE:73:E9
DirName:/C=US/ST=MD/L=MD/O=MD/CN=serpico
serial:01:7B:55:4B:26

Signature Algorithm: sha1WithRSAEncryption
     1e:b4:82:48:63:4f:55:6e:fe:c2:62:c4:65:44:bb:5f:bb:0e:
     b2:14:99:d8:8c:e0:d7:ec:8f:32:f7:f3:97:2a:3c:ff:45:71:
     ed:c2:3e:39:7e:db:97:3f:01:a1:79:e8:fb:d5:a7:8a:27:98:
     1f:09:41:cd:bd:c1:7d:a4:91:c3:22:91:bf:ed:b0:90:74:71:
     20:5f:1b:16:60:8d:e1:51:29:f4:cb:c0:9e:95:cf:01:2e:9a:
     50:64:ed:f8:c6:cf:e5:43:57:d2:2b:08:3d:b8:60:71:fc:db:
     27:da:12:d6:41:60:83:15:c6:a3:dd:3f:6b:18:c5:aa:60:94:
     41:2c

[2014-07-16 19:41:48] INFO WEBrick::HTTPServer#start: pid=7900 port=8443

Code replace work fine however not sure word doc is parsing info as it should be.

#convert h4
v = v.gsub("[==","<h4>")
v = v.gsub("==]","</h4>")

new_text = new_text.gsub("<h4>","[==").gsub("</h4>","==]")

# same for the h4
findings_xml = findings_xml.gsub("&lt;h4&gt;","<h4>")       
findings_xml = findings_xml.gsub("&lt;/h4&gt;","</h4>")

The user administration page does not correctly read the level of user (i.e. User or Administrator) when performing a GET request.

When creating a new finding, if dread is enabled, the dread score should default to zero.

When a user wants to make a change to the default settings they have to edit serpico.rb. This is not ideal. Instead, we should support command line options.

For example:

• listening port (defaults to 8443)
• AD enabled (disabled by default)
• cert (defaults to cert.pem)

It would be useful if we could edit the titles of the report. :)

The variables included in a template report are hardcoded. This feature would allow a user to specify a variable in the UI and allow this variable to be used in a template. This needs to be robust enough to allow the user to specify the name of the variable while only requiring a limited change to the model. It should also allow the user to store templated "global variables".

For example a user could add a "Executive_Summary" variable in the UI and then use this as ΩExecutive_SummaryΩ in the Report template.