PeTeReport : An Open-Source Application Vulnerability Reporting Tool

PeTeReport (PenTest Report) is an open-source application vulnerability reporting tool designed to assist pentesting/redteaming efforts, by simplifying the task of writing and generation of reports.

Focused in product security, the tool help security researchers and pentesters to provide detailed findings, appendix, attack paths and manage a finding template database to avoid wasting time spent in the reporting phase.

PeTeReport (PenTest Report) is written in Django and Python 3 with the aim to help pentesters to manage a finding repository, write reports (in Markdown) and generate reports in different formats (HTML, CSV, PDF, Jupyter and Markdown).

Architecture

Features

• Customizable reports output
• Customizable reports templates
• Findings template database
• Possibility to add appendix to findings
• Possibility to add attack trees Deciduous to findings
• HTML Output format
• CSV Output format
• PDF Output format
• Jupyter Notebook Output format
• Markdown Output format
• CVSS 3.1 Score
• Docker installation
• DefectDojo integration
• User management

Installation And Deployment

Docker

Environment

$ sudo apt install docker.io docker-compose

Deployment

• Clone repository

$ cd /opt $ git clone https://github.com/1modm/petereport $ cd petereport

• Customize reports and configuration in app/config/petereport_config.py
• Build environment

$ docker-compose up –build

• Go to https://127.0.0.1/
• Login with any of users created admin/P3t3r3p0rt (administrator) and viewer/v13w3r (viewer) or the user credentials configured in the configuration file
• Try harder
• Create a report

Django Installation

Prerequisites

PeTeReport requires Python ≥ 3.8. Recommended installation requires pip. As a base requirement, the following packages are needed:

• Ubuntu/Debian: $ sudo apt-get install python3-pip python3-venv build-essential
• OpenSuse: $ sudo zypper install python3-devel gcc
• CentOS: $ sudo yum install python3-devel gcc

Environment

It is strongly recommended to set up the installation in a virtual environment (Pipenv):

Pipenv

• Linux: $ sudo apt-get install pipenv
• pip: $ python3 -m pip install pipenv
• MAC: $ brew install pipenv

Dependencies

Easiest way in Linux (ubuntu): $ sudo bash scripts/ubuntu_environment_install.sh

Latex

Linux:

$ sudo apt-get install texlive-full

Mac:

$ brew remove basictex $ brew cask install mactex

Pandoc

Linux:

$ sudo apt-get install pandoc $ sudo apt-get install python3-pypandoc

Mac:

$ brew install pandoc $ brew install pandoc-citeproc

Eisvogel

$ python3 -m pip install pandoc-latex-environment

1. Download the latest version of the Eisvogel template from the release page.
2. Extract the downloaded ZIP archive and open the folder.
3. Move the template eisvogel.tex to your pandoc templates folder and rename the file to eisvogel.latex. The location of the templates folder depends on your operating system: /Users/$USER/.pandoc/templates/eisvogel.latex or /home/$USER/.pandoc/templates

PeTeReport

• Clone the project and cd into PeTeReport: cd petereport/
• Create a new virtual environment and installing dependencies: pipenv install
• Run the virtual environment: pipenv shell
• Go to Django PeTeReport App: cd app/
• Create the database: python manage.py migrate
• Make the latest database changes: python manage.py makemigrations
• Super user admin/P3t3r3p0rt will be created, but you can create a new super user: python manage.py createsuperuser
• Populate the CWE data python manage.py loaddata config/cwe-list.json

Start The Server

1. Run the virtual environment: pipenv shell
2. Go to Django PeTeReport App: cd app/
3. Start the django server: python manage.py runserver or python manage.py runserver 0.0.0.0:8000
4. Go to http://127.0.0.1:8000/
5. Login with any of users created admin/P3t3r3p0rt (administrator) and viewer/v13w3r (viewer) or the user credentials configured in the configuration file
6. Try harder
7. Create a report
8. Close up and stop the server: Ctrl + C

Upgrade PeTeReport

1. Stop the server if it’s running: Ctrl + C
2. Pull the latest code base via git: git pull or download the source and replace the files.
3. Setup any additional dependencies: pipenv install
4. Run the virtual environment: pipenv shell
5. Make the latest database changes: python manage.py makemigrations
6. Make the latest database changes: python manage.py migrate
7. Start the server: python manage.py runserver
8. Try harder again

Clean PeTeReport

• Stop the server if it’s running: Ctrl + C
• Run the virtual environment: pipenv shell
• Go to Django PeTeReport App: cd app/
• Run cleaner: python clean.py
• Make the latest database changes: python manage.py makemigrations
• Make the latest database changes: python manage.py migrate
• Start the server: python manage.py runserver
• Try harder again

Configuration

1. Stop the server if it’s running: Ctrl + C
2. Customize reports and configuration in app/config/petereport_config.py
3. Start the django server: python manage.py runserver or python manage.py runserver 0.0.0.0:8000

Default Credentials

• Administrator: admin/P3t3r3p0rt
• Viewer: viewer/v13w3r

User Management

The user module facilitate the management of users and roles in the application. There are 2 builtins roles: administrator and viewer.

• Administrator role has full permissions access
• Viewer role
  • Projects: view
  • Reports: view, generate output
  • Findings: view
  • Finding templates: view

List of users and roles

Create new users

Products

The products module facilitate the management of products. A product is defined by:

• Product Name
• Product Description

List of products

Create new products

Reports

The report module facilitate the management of products. A report is defined by:

• Product
• Report ID
• Report Title
• Executive summary
• Scope
• Out of scope
• Methodology
• Recommendation
• Report date

List of Reports

Create new reports

Report Details

Findings

The finding module facilitate the management of findings in the reports. A finding is defined by:

• Title
• Status
• Severity
• CVSS Score
• CWE
• Description
• Location
• Impact
• Recommendation
• References
• Appendix
• Attack path

List of findings

Create new findings

Add Finding From Templates

Can be added findings to a report from the template list previously created.

Import Findings From DefectDojo

We can import the findings from DefectDojo, first of all we need to edit the configuration file in order to add the API endpoint and the API key of our DefectDojo deployment.

Edit configuration in app/config/petereport_config.py

DEFECTDOJO_CONFIG = { ‘DefectDojoURL’: ‘https://demo.defectdojo.org’, ‘apiKey’: ‘Token Key’ # Format Token Key }

Import Findings from CSV

Can be imported from a CSV findings following the next format:

// Comma-separated values (CSV) file format
“ID”,”Status”,”Title”,”Severity”,”CVSS Base Score”,”CVSS Score”,”CWE”,”Description”,”Location”,”Impact”,”Recommendation”,”References”,”Appendix”,”Appendix Description”
“2834q345-b24e-4ghf-r86d-ftue38af5480″,”Open”,”Finding 1″,”Low”,”3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)”,”3.7″,”73″,”Description”,”127.0.0.1″,”Impact”,”Recommendation”,”References”,”Appendix”,”Appendix Description”

CWE List

When a finding is created must be selected a CWE in order to create a category of findings, for reference has been populated the next CWE list from Mitre:

• Software Development
• Hardware Design
• Research Concepts